berbew | 177184d308bb6edcad8292f27e07712b56866ee5e77c538f4448f1b7134b78b8

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
07/12/2024, 20:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

177184d308bb6edcad8292f27e07712b56866ee5e77c538f4448f1b7134b78b8.exe
Size

64KB
MD5

f265d231fea1eedf5a4a694790a7d7ad
SHA1

6dc677f8c717aff34ca8daceca2ad0623b8daf68
SHA256

177184d308bb6edcad8292f27e07712b56866ee5e77c538f4448f1b7134b78b8
SHA512

8ac2e8a28fb69f652f864e99353c17fad519096ae20f2e0ebdf18a3f03bc1b973dea1cbf1eaccba416da493655daec94084a88aede61ec4ff5f2ca7bdf1402a5
SSDEEP

1536:zFKcYqQ4sF4TXLsbNXTCyHZKPat1TZuYDP9:zFHI4LQBDCyHVTZuY79

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 16 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckiigmcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cbdnko32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmjbhh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	177184d308bb6edcad8292f27e07712b56866ee5e77c538f4448f1b7134b78b8.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkglameg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chkmkacq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	177184d308bb6edcad8292f27e07712b56866ee5e77c538f4448f1b7134b78b8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bejdiffp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chkmkacq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckiigmcd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbdnko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmjbhh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cbgjqo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bejdiffp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbgjqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bkglameg.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 8 IoCs

pid	Process
2812	Bejdiffp.exe
2944	Bkglameg.exe
2708	Chkmkacq.exe
112	Ckiigmcd.exe
2520	Cbdnko32.exe
1556	Cmjbhh32.exe
2200	Cbgjqo32.exe
1872	Ceegmj32.exe

Loads dropped DLL 20 IoCs

pid	Process
2940	177184d308bb6edcad8292f27e07712b56866ee5e77c538f4448f1b7134b78b8.exe
2940	177184d308bb6edcad8292f27e07712b56866ee5e77c538f4448f1b7134b78b8.exe
2812	Bejdiffp.exe
2812	Bejdiffp.exe
2944	Bkglameg.exe
2944	Bkglameg.exe
2708	Chkmkacq.exe
2708	Chkmkacq.exe
112	Ckiigmcd.exe
112	Ckiigmcd.exe
2520	Cbdnko32.exe
2520	Cbdnko32.exe
1556	Cmjbhh32.exe
1556	Cmjbhh32.exe
2200	Cbgjqo32.exe
2200	Cbgjqo32.exe
1620	WerFault.exe
1620	WerFault.exe
1620	WerFault.exe
1620	WerFault.exe

Drops file in System32 directory 24 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Llaemaih.dll	Cmjbhh32.exe
File created	C:\Windows\SysWOW64\Ceegmj32.exe	Cbgjqo32.exe
File created	C:\Windows\SysWOW64\Bejdiffp.exe	177184d308bb6edcad8292f27e07712b56866ee5e77c538f4448f1b7134b78b8.exe
File created	C:\Windows\SysWOW64\Kgfkcnlb.dll	Bkglameg.exe
File created	C:\Windows\SysWOW64\Ckiigmcd.exe	Chkmkacq.exe
File created	C:\Windows\SysWOW64\Bjpdmqog.dll	Chkmkacq.exe
File opened for modification	C:\Windows\SysWOW64\Cbdnko32.exe	Ckiigmcd.exe
File opened for modification	C:\Windows\SysWOW64\Cmjbhh32.exe	Cbdnko32.exe
File opened for modification	C:\Windows\SysWOW64\Bkglameg.exe	Bejdiffp.exe
File opened for modification	C:\Windows\SysWOW64\Cbgjqo32.exe	Cmjbhh32.exe
File created	C:\Windows\SysWOW64\Cmjbhh32.exe	Cbdnko32.exe
File created	C:\Windows\SysWOW64\Cbgjqo32.exe	Cmjbhh32.exe
File opened for modification	C:\Windows\SysWOW64\Bejdiffp.exe	177184d308bb6edcad8292f27e07712b56866ee5e77c538f4448f1b7134b78b8.exe
File created	C:\Windows\SysWOW64\Mdqfkmom.dll	Bejdiffp.exe
File opened for modification	C:\Windows\SysWOW64\Chkmkacq.exe	Bkglameg.exe
File opened for modification	C:\Windows\SysWOW64\Ckiigmcd.exe	Chkmkacq.exe
File created	C:\Windows\SysWOW64\Cbdnko32.exe	Ckiigmcd.exe
File created	C:\Windows\SysWOW64\Gfpifm32.dll	Ckiigmcd.exe
File created	C:\Windows\SysWOW64\Nmmfff32.dll	177184d308bb6edcad8292f27e07712b56866ee5e77c538f4448f1b7134b78b8.exe
File created	C:\Windows\SysWOW64\Bkglameg.exe	Bejdiffp.exe
File created	C:\Windows\SysWOW64\Chkmkacq.exe	Bkglameg.exe
File created	C:\Windows\SysWOW64\Ckpfcfnm.dll	Cbdnko32.exe
File opened for modification	C:\Windows\SysWOW64\Ceegmj32.exe	Cbgjqo32.exe
File created	C:\Windows\SysWOW64\Aoogfhfp.dll	Cbgjqo32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1620	1872	WerFault.exe	37

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	177184d308bb6edcad8292f27e07712b56866ee5e77c538f4448f1b7134b78b8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckiigmcd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbgjqo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bejdiffp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkglameg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chkmkacq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbdnko32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmjbhh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceegmj32.exe

Modifies registry class 27 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmmfff32.dll"	177184d308bb6edcad8292f27e07712b56866ee5e77c538f4448f1b7134b78b8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	177184d308bb6edcad8292f27e07712b56866ee5e77c538f4448f1b7134b78b8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bkglameg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjpdmqog.dll"	Chkmkacq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ckiigmcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bejdiffp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckpfcfnm.dll"	Cbdnko32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	177184d308bb6edcad8292f27e07712b56866ee5e77c538f4448f1b7134b78b8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cbdnko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Llaemaih.dll"	Cmjbhh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cbgjqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgfkcnlb.dll"	Bkglameg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ckiigmcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfpifm32.dll"	Ckiigmcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	177184d308bb6edcad8292f27e07712b56866ee5e77c538f4448f1b7134b78b8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	177184d308bb6edcad8292f27e07712b56866ee5e77c538f4448f1b7134b78b8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdqfkmom.dll"	Bejdiffp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chkmkacq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bejdiffp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bkglameg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chkmkacq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cbdnko32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmjbhh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	177184d308bb6edcad8292f27e07712b56866ee5e77c538f4448f1b7134b78b8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmjbhh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoogfhfp.dll"	Cbgjqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cbgjqo32.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2940 wrote to memory of 2812	2940	177184d308bb6edcad8292f27e07712b56866ee5e77c538f4448f1b7134b78b8.exe	30
PID 2940 wrote to memory of 2812	2940	177184d308bb6edcad8292f27e07712b56866ee5e77c538f4448f1b7134b78b8.exe	30
PID 2940 wrote to memory of 2812	2940	177184d308bb6edcad8292f27e07712b56866ee5e77c538f4448f1b7134b78b8.exe	30
PID 2940 wrote to memory of 2812	2940	177184d308bb6edcad8292f27e07712b56866ee5e77c538f4448f1b7134b78b8.exe	30
PID 2812 wrote to memory of 2944	2812	Bejdiffp.exe	31
PID 2812 wrote to memory of 2944	2812	Bejdiffp.exe	31
PID 2812 wrote to memory of 2944	2812	Bejdiffp.exe	31
PID 2812 wrote to memory of 2944	2812	Bejdiffp.exe	31
PID 2944 wrote to memory of 2708	2944	Bkglameg.exe	32
PID 2944 wrote to memory of 2708	2944	Bkglameg.exe	32
PID 2944 wrote to memory of 2708	2944	Bkglameg.exe	32
PID 2944 wrote to memory of 2708	2944	Bkglameg.exe	32
PID 2708 wrote to memory of 112	2708	Chkmkacq.exe	33
PID 2708 wrote to memory of 112	2708	Chkmkacq.exe	33
PID 2708 wrote to memory of 112	2708	Chkmkacq.exe	33
PID 2708 wrote to memory of 112	2708	Chkmkacq.exe	33
PID 112 wrote to memory of 2520	112	Ckiigmcd.exe	34
PID 112 wrote to memory of 2520	112	Ckiigmcd.exe	34
PID 112 wrote to memory of 2520	112	Ckiigmcd.exe	34
PID 112 wrote to memory of 2520	112	Ckiigmcd.exe	34
PID 2520 wrote to memory of 1556	2520	Cbdnko32.exe	35
PID 2520 wrote to memory of 1556	2520	Cbdnko32.exe	35
PID 2520 wrote to memory of 1556	2520	Cbdnko32.exe	35
PID 2520 wrote to memory of 1556	2520	Cbdnko32.exe	35
PID 1556 wrote to memory of 2200	1556	Cmjbhh32.exe	36
PID 1556 wrote to memory of 2200	1556	Cmjbhh32.exe	36
PID 1556 wrote to memory of 2200	1556	Cmjbhh32.exe	36
PID 1556 wrote to memory of 2200	1556	Cmjbhh32.exe	36
PID 2200 wrote to memory of 1872	2200	Cbgjqo32.exe	37
PID 2200 wrote to memory of 1872	2200	Cbgjqo32.exe	37
PID 2200 wrote to memory of 1872	2200	Cbgjqo32.exe	37
PID 2200 wrote to memory of 1872	2200	Cbgjqo32.exe	37
PID 1872 wrote to memory of 1620	1872	Ceegmj32.exe	38
PID 1872 wrote to memory of 1620	1872	Ceegmj32.exe	38
PID 1872 wrote to memory of 1620	1872	Ceegmj32.exe	38
PID 1872 wrote to memory of 1620	1872	Ceegmj32.exe	38

C:\Users\Admin\AppData\Local\Temp\177184d308bb6edcad8292f27e07712b56866ee5e77c538f4448f1b7134b78b8.exe
"C:\Users\Admin\AppData\Local\Temp\177184d308bb6edcad8292f27e07712b56866ee5e77c538f4448f1b7134b78b8.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2940
- C:\Windows\SysWOW64\Bejdiffp.exe
  C:\Windows\system32\Bejdiffp.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2812
- - C:\Windows\SysWOW64\Bkglameg.exe
    C:\Windows\system32\Bkglameg.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2944
  - - C:\Windows\SysWOW64\Chkmkacq.exe
      C:\Windows\system32\Chkmkacq.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2708
    - - C:\Windows\SysWOW64\Ckiigmcd.exe
        
        C:\Windows\system32\Ckiigmcd.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:112
      - C:\Windows\SysWOW64\Cbdnko32.exe
        
        C:\Windows\system32\Cbdnko32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2520
        
        C:\Windows\SysWOW64\Cmjbhh32.exe
        
        C:\Windows\system32\Cmjbhh32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1556
        
        C:\Windows\SysWOW64\Cbgjqo32.exe
        
        C:\Windows\system32\Cbgjqo32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2200
        
        C:\Windows\SysWOW64\Ceegmj32.exe
        
        C:\Windows\system32\Ceegmj32.exe
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1872
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1872 -s 140
        10⤵
        Loads dropped DLL
        Program crash
        
        PID:1620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\Bejdiffp.exe

Filesize
64KB

MD5
ac66a76ccbcf73f634d4b25de93d6866

SHA1
cb741ad07bc20acbd8a785ebd3817c4aef24a080

SHA256
89847ac9933f1e6c096a15ff4ab901dfdca54d094fb757741e5e213b386c1bf8

SHA512
9469b25ebada3e450bbadf785077fd1dfaa1ad3001be7a7c431e18c64f088c2558f607115a9e99888d940ae162596283bc4e834bf53bb95d5557d731358aa66e

Download Submit
\Windows\SysWOW64\Bkglameg.exe

Filesize
64KB

MD5
9ebe87d9ba865f720b076148ea4397c8

SHA1
370fa532b9b42a68508e0a9c2cc19d68d403c0d7

SHA256
07d8d759e50b3a536e68635b1793cdfaa8357659620e8d39650906ec34a9b619

SHA512
1ebc1de68afa7af8a35df520322948802cd975e13b6c8c77a761b917dd78ed012bc8b15c7eea00e8de355f64c9e485b1f765269339a215f2bd89007128880aa7

Download Submit
\Windows\SysWOW64\Cbdnko32.exe

Filesize
64KB

MD5
241b1884e41aff8a12032ea1335a54da

SHA1
176d5934a26068c36408cb5b2f972a7aab7b5891

SHA256
8f8b9316c2f254d42cf67270fdff10d0928f157f8cf23285c722955205a5840a

SHA512
0f885855986016844c3f891dc0c791195c0bf4a12327c4fa103673a43751de35932b518a22b4c9d07037c2a45b91fb23a12c714b1479aa263c8105b5975777d4

Download Submit
\Windows\SysWOW64\Cbgjqo32.exe

Filesize
64KB

MD5
0c19a17d100a1c35ae518d81f535183f

SHA1
95caeff0f565008c259546a19b3efda4563cc268

SHA256
46ac499447f8cfcbcd77718dd9d2f60c0f17a76a222d246a0c7fc47a8325b8b9

SHA512
38e5ba4383b99589fe881ff1197a94a4d74c827e8c67949b692c7e25c9c98405c77565ae7c846c5f6e8f0497850e73a137ae548af7b9cfd9ae05800487e2ca9c

Download Submit
\Windows\SysWOW64\Ceegmj32.exe

Filesize
64KB

MD5
c49e17aad8f73f0571f1aa074a859320

SHA1
9fbea74a9069ce03208b43d48ce2c20f234c898a

SHA256
870c406eb22cddf2ef428de9c3fd1cc97a6cf02d3604961022ee276b4ba5e69a

SHA512
c0830972c941609d3728faedb05611c2a0ceecbc3b96b4fa677ce7673d69fcc9440f825703f6eb318048e007701cac3ef15ce84b1115839572e4ef8fb7b3c785

Download Submit
\Windows\SysWOW64\Chkmkacq.exe

Filesize
64KB

MD5
1051a7d01d8bd364f41cc42e9a7a1457

SHA1
3f05e2383531fcb57169e722f987bc35ea5986fe

SHA256
5e4e3f5f3418b51a925424083e196d2a44930482a2b0f327d70e0d11bbef0aa4

SHA512
201890006618e4d3eaf576aec7330ee9a3485562b7913faa034619f0b79157c91d5c209ca8666b53383ff127a8625c896fdc368df8910f94951ae44f9d6cbed2

Download Submit
\Windows\SysWOW64\Ckiigmcd.exe

Filesize
64KB

MD5
3f3cc06bf6711ebf7783bdaee7cc23b5

SHA1
c343597dda85dbedf593f9a1d48ec50b7dc86786

SHA256
841440f59c1b25712d97fca3db7ce1a79506a36d89ac0109638eb3ab6c13aed4

SHA512
e0fb67509800b7248296d16ff97a2fd6eb6e1dd8e125754862713dd02946b344aa34daef212151c318942a3025496417a006d069af0bb7de7f4a8e2f075041f9

Download Submit
\Windows\SysWOW64\Cmjbhh32.exe

Filesize
64KB

MD5
b7791784ba526af0c74f056d2c6b2da0

SHA1
06c353f83d1e2293418252133f8b38ab0a59fc27

SHA256
289f9687f6125c6be12ba862b87090df48353502c9e6c903d11efc0ce84ab845

SHA512
9ed0994bf0c0347497705b76320613a21dcf5431222c92a1c9a420714c5f6b036a151ad8aa45eb040fc78a6219767ee952953f8e73e340cd3f095ec9f9ea675c

Download Submit
memory/112-53-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/112-117-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/112-60-0x0000000000270000-0x00000000002A3000-memory.dmp

Filesize
204KB

Download
memory/1556-79-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1556-112-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1872-127-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2200-125-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2200-92-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2200-99-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2520-113-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2708-118-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2812-14-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2812-123-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2940-12-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2940-124-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2940-13-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2940-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2944-27-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2944-121-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2944-34-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads