berbew | e398be865447f1e550b88c1c148e253a4a4e08aa039f96313ac6ea5f65f93a51

General

Target

e398be865447f1e550b88c1c148e253a4a4e08aa039f96313ac6ea5f65f93a51N.exe
Size

192KB
MD5

fa0e7e50fa69c8c1c5c5cfbd9c825610
SHA1

6d10711f3e58ba1b53e982c9d5584e0c319cd529
SHA256

e398be865447f1e550b88c1c148e253a4a4e08aa039f96313ac6ea5f65f93a51
SHA512

029e248211d076c63657c28f703b93d6887ee88bbfaf0e228167082a8f93cbc76c0f4420aa6228d598a8f4502409c0e4ec8d7e2fb56a6464ff82386efe55b7a8
SSDEEP

3072:vtZbgtgt8G4OAN2B1xdLm102VZjuajDMyap9jCyFsWtex:vtatgmOAN2B1xBm102VQltex

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

C2

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 16 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daqbip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	e398be865447f1e550b88c1c148e253a4a4e08aa039f96313ac6ea5f65f93a51N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	e398be865447f1e550b88c1c148e253a4a4e08aa039f96313ac6ea5f65f93a51N.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 8 IoCs

pid	Process
4816	Ddmaok32.exe
4216	Daqbip32.exe
4148	Ddonekbl.exe
3204	Dfnjafap.exe
5008	Dfpgffpm.exe
3520	Daekdooc.exe
964	Dddhpjof.exe
5056	Dmllipeg.exe

Drops file in System32 directory 24 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Mjelcfha.dll	Daqbip32.exe
File opened for modification	C:\Windows\SysWOW64\Daekdooc.exe	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Dddhpjof.exe	Daekdooc.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Ddmaok32.exe	e398be865447f1e550b88c1c148e253a4a4e08aa039f96313ac6ea5f65f93a51N.exe
File opened for modification	C:\Windows\SysWOW64\Dfnjafap.exe	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Daekdooc.exe	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Ohmoom32.dll	Dfpgffpm.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dddhpjof.exe
File opened for modification	C:\Windows\SysWOW64\Ddmaok32.exe	e398be865447f1e550b88c1c148e253a4a4e08aa039f96313ac6ea5f65f93a51N.exe
File created	C:\Windows\SysWOW64\Jdipdgch.dll	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Ddonekbl.exe	Daqbip32.exe
File created	C:\Windows\SysWOW64\Dfnjafap.exe	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Dfpgffpm.exe	Dfnjafap.exe
File opened for modification	C:\Windows\SysWOW64\Dfpgffpm.exe	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Kmdjdl32.dll	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Jjjald32.dll	e398be865447f1e550b88c1c148e253a4a4e08aa039f96313ac6ea5f65f93a51N.exe
File created	C:\Windows\SysWOW64\Daqbip32.exe	Ddmaok32.exe
File opened for modification	C:\Windows\SysWOW64\Daqbip32.exe	Ddmaok32.exe
File opened for modification	C:\Windows\SysWOW64\Ddonekbl.exe	Daqbip32.exe
File created	C:\Windows\SysWOW64\Poahbe32.dll	Ddonekbl.exe
File opened for modification	C:\Windows\SysWOW64\Dddhpjof.exe	Daekdooc.exe
File created	C:\Windows\SysWOW64\Amjknl32.dll	Daekdooc.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
632	5056	WerFault.exe	90

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e398be865447f1e550b88c1c148e253a4a4e08aa039f96313ac6ea5f65f93a51N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe

Modifies registry class 27 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Poahbe32.dll"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohmoom32.dll"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjelcfha.dll"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amjknl32.dll"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	e398be865447f1e550b88c1c148e253a4a4e08aa039f96313ac6ea5f65f93a51N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	e398be865447f1e550b88c1c148e253a4a4e08aa039f96313ac6ea5f65f93a51N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdjdl32.dll"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjjald32.dll"	e398be865447f1e550b88c1c148e253a4a4e08aa039f96313ac6ea5f65f93a51N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	e398be865447f1e550b88c1c148e253a4a4e08aa039f96313ac6ea5f65f93a51N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	e398be865447f1e550b88c1c148e253a4a4e08aa039f96313ac6ea5f65f93a51N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdipdgch.dll"	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	e398be865447f1e550b88c1c148e253a4a4e08aa039f96313ac6ea5f65f93a51N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfpgffpm.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2272 wrote to memory of 4816	2272	e398be865447f1e550b88c1c148e253a4a4e08aa039f96313ac6ea5f65f93a51N.exe	83
PID 2272 wrote to memory of 4816	2272	e398be865447f1e550b88c1c148e253a4a4e08aa039f96313ac6ea5f65f93a51N.exe	83
PID 2272 wrote to memory of 4816	2272	e398be865447f1e550b88c1c148e253a4a4e08aa039f96313ac6ea5f65f93a51N.exe	83
PID 4816 wrote to memory of 4216	4816	Ddmaok32.exe	84
PID 4816 wrote to memory of 4216	4816	Ddmaok32.exe	84
PID 4816 wrote to memory of 4216	4816	Ddmaok32.exe	84
PID 4216 wrote to memory of 4148	4216	Daqbip32.exe	85
PID 4216 wrote to memory of 4148	4216	Daqbip32.exe	85
PID 4216 wrote to memory of 4148	4216	Daqbip32.exe	85
PID 4148 wrote to memory of 3204	4148	Ddonekbl.exe	86
PID 4148 wrote to memory of 3204	4148	Ddonekbl.exe	86
PID 4148 wrote to memory of 3204	4148	Ddonekbl.exe	86
PID 3204 wrote to memory of 5008	3204	Dfnjafap.exe	87
PID 3204 wrote to memory of 5008	3204	Dfnjafap.exe	87
PID 3204 wrote to memory of 5008	3204	Dfnjafap.exe	87
PID 5008 wrote to memory of 3520	5008	Dfpgffpm.exe	88
PID 5008 wrote to memory of 3520	5008	Dfpgffpm.exe	88
PID 5008 wrote to memory of 3520	5008	Dfpgffpm.exe	88
PID 3520 wrote to memory of 964	3520	Daekdooc.exe	89
PID 3520 wrote to memory of 964	3520	Daekdooc.exe	89
PID 3520 wrote to memory of 964	3520	Daekdooc.exe	89
PID 964 wrote to memory of 5056	964	Dddhpjof.exe	90
PID 964 wrote to memory of 5056	964	Dddhpjof.exe	90
PID 964 wrote to memory of 5056	964	Dddhpjof.exe	90

C:\Users\Admin\AppData\Local\Temp\e398be865447f1e550b88c1c148e253a4a4e08aa039f96313ac6ea5f65f93a51N.exe
"C:\Users\Admin\AppData\Local\Temp\e398be865447f1e550b88c1c148e253a4a4e08aa039f96313ac6ea5f65f93a51N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2272
- C:\Windows\SysWOW64\Ddmaok32.exe
  C:\Windows\system32\Ddmaok32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4816
- - C:\Windows\SysWOW64\Daqbip32.exe
    C:\Windows\system32\Daqbip32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4216
  - - C:\Windows\SysWOW64\Ddonekbl.exe
      C:\Windows\system32\Ddonekbl.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4148
    - - C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3204
      - C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5008
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3520
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:964
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5056
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5056 -s 404
        10⤵
        Program crash
        
        PID:632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 5056 -ip 5056
1⤵
PID:3140

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Daekdooc.exe

Filesize
192KB

MD5
a4fb974c2aec8d8e98960d5cc8e6c53f

SHA1
52c770338045a652699bbcb1af70053b850a7a5c

SHA256
72efd32538e472b686be33bf28087de7afd52f5b4ad66fc0cd2156b81e655a3e

SHA512
eb4b52ef1288fb746bbe8b67136196e3ff58cdcac75b826b54b7f986d6009411355fcf4d2082eee51c7fc7fca1a56b49448d7565108d7fa6e0f175d5db4b467a

Download Submit
C:\Windows\SysWOW64\Daqbip32.exe

Filesize
192KB

MD5
aa1c7c40846a1552f850015c6915dd00

SHA1
abe1d6977695579716f9cd917d981373950295fc

SHA256
41095b76ab31b05c88729ed198867d253d5d7990d9db2d62f9ab2744d1a117ff

SHA512
f0166d666a4513bea2643720f8e0cebf917201e9432d009b9abea4aef30a6b995712855762bc2382a1eec890bb5952690747825c58dea5d5c439c47193303686

Download Submit
C:\Windows\SysWOW64\Dddhpjof.exe

Filesize
192KB

MD5
9751b4154daa1428562c61fd31a2d296

SHA1
020ee765464b9daf49099fe89b9acbb9bccbc9c6

SHA256
af24a3dbfde701b38d056ec2c20b9f9c17d0ad228dfe8d22db8a2bf1bf626b88

SHA512
1cae4f739dbf6fcc2ec038018a23c9b157f32b8943a38aa77d605a5386a1e73b9c250e0a24cc662720aafb70548046531197437c09e7de46d6d5d9ccb7a1f298

Download Submit
C:\Windows\SysWOW64\Ddmaok32.exe

Filesize
192KB

MD5
44d0363893a99cd09eb1b9d5dd3bac74

SHA1
6d31ea928c92d5ed770ebb6047a86a7e1514e636

SHA256
7e648d3ee37a2175429e3f9c8f7ae4c3259ba8d77ababd36c2f8a87d2dcb2b01

SHA512
0d5c7474fd9aad8fc93c58833641ecf03c9eb35fdba2e0e96ec0b89e0cbf3eda31cea61aeff7f460d58d314ce768b2c83aaec65902b1c84f96f266b1efb03b24

Download Submit
C:\Windows\SysWOW64\Ddonekbl.exe

Filesize
192KB

MD5
a7053311399c47b3e660d54bfddace64

SHA1
92627b58e657e1c1e430692060adfb38716631f6

SHA256
6371ac8573132b66829b5c86a65a585883dc39bc9caefea6ccc3d4709212902a

SHA512
c3c3c3d984de3adc50602fd8d380c9b9aa60519f2e5a2cd8cb89797f8be2b7ba77256c184f0118e5263fb1db72459b8ce0340eef66dd5ea5209782219ecd1de7

Download Submit
C:\Windows\SysWOW64\Dfnjafap.exe

Filesize
192KB

MD5
6ae225728324536993aab270dfc77ebd

SHA1
90bd0c3123f6db5faea5d1d9350b671b59b8e08e

SHA256
113ad968e74ae11a7b43c98ab5df83cb5aaf337eea01c6c19dfca28cf36dcaf8

SHA512
8383b963b36ac3fba53003a150bc04d43b4949f18659d0a6159a501efbee830ca41d82d9bf68319f7b678b5badab567dc97ab6a666e4804cb5c7f845f5345a5d

Download Submit
C:\Windows\SysWOW64\Dfpgffpm.exe

Filesize
192KB

MD5
f183beb6236ca81e9b1d5228fdd919a8

SHA1
671af6143416b0bc1d1620ee0d8ca61bb52f60d5

SHA256
15a8dbe019016c0d4a08d476e1ad086eed0992a5141d2c9389f479aa4fcb8cd9

SHA512
263e7931d7c7841b817fbc6ec1d37202883e408631f9ba6b477caf3799f9bd2ebb55fb81e48d412bb7e6e7c4315f7392e8711a90bd7a1b3824f9049d92d80ade

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
192KB

MD5
c6e6489017dde47a7f11c13b57aded88

SHA1
33020d0760ce1d7eaa126deedca03a22fef11531

SHA256
43c777bcfeff8357333e34a0d9ba5e47631d82802618727274d9c5a46fc6b21d

SHA512
54f2591755c837a342fc71d3c4bbc55b13f9615a2e67f06b7b170baa46295c4fde2b432f7b8845dab20ac816f07b243dd33d769581d5f1e4cba03ea060559f0a

Download Submit
memory/964-70-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/964-57-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2272-66-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2272-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2272-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/3204-33-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3204-76-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3520-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3520-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4148-29-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4216-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4216-79-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4816-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4816-81-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5008-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5008-74-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5056-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5056-69-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads