berbew | 51205e4df7c1f18165db3788f9953a655a7b507c32d8479471ed33f10241aa77

Analysis

max time kernel
122s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
08-12-2024 22:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

51205e4df7c1f18165db3788f9953a655a7b507c32d8479471ed33f10241aa77.exe
Size

89KB
MD5

3ae0199c690ac9f5acb4815a38a2d22a
SHA1

d1572051a4829f5747030f5130e4d7d4f95fae27
SHA256

51205e4df7c1f18165db3788f9953a655a7b507c32d8479471ed33f10241aa77
SHA512

f66cd05d428665c7410fcbc2706299f2fa7090c0ed9d90ee2b7a9ad98290a9b1edd82b3ccc74c96c352643a2a5c138682a99e60bc214a0d2f5381923386e3380
SSDEEP

1536:oVY5TDJ9bWE/XXljU3mTI/okTVMgz2tG/DpcllExkg8F:yY5/J5WENjraocMFMFcllakgw

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbmcibjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmedlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cgcnghpl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calcpm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ccjoli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bieopm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmedlk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cileqlmg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnkjnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnkjnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cinafkkd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgcnghpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Calcpm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	51205e4df7c1f18165db3788f9953a655a7b507c32d8479471ed33f10241aa77.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	51205e4df7c1f18165db3788f9953a655a7b507c32d8479471ed33f10241aa77.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjdkjpkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cileqlmg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cinafkkd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bieopm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bbmcibjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bjdkjpkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ccjoli32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 11 IoCs

pid	Process
2360	Bieopm32.exe
2292	Bbmcibjp.exe
2704	Bjdkjpkb.exe
2720	Cmedlk32.exe
2588	Cileqlmg.exe
2836	Cinafkkd.exe
2632	Cnkjnb32.exe
3044	Cgcnghpl.exe
1324	Calcpm32.exe
1988	Ccjoli32.exe
1720	Dpapaj32.exe

Loads dropped DLL 25 IoCs

pid	Process
2336	51205e4df7c1f18165db3788f9953a655a7b507c32d8479471ed33f10241aa77.exe
2336	51205e4df7c1f18165db3788f9953a655a7b507c32d8479471ed33f10241aa77.exe
2360	Bieopm32.exe
2360	Bieopm32.exe
2292	Bbmcibjp.exe
2292	Bbmcibjp.exe
2704	Bjdkjpkb.exe
2704	Bjdkjpkb.exe
2720	Cmedlk32.exe
2720	Cmedlk32.exe
2588	Cileqlmg.exe
2588	Cileqlmg.exe
2836	Cinafkkd.exe
2836	Cinafkkd.exe
2632	Cnkjnb32.exe
2632	Cnkjnb32.exe
3044	Cgcnghpl.exe
3044	Cgcnghpl.exe
1324	Calcpm32.exe
1324	Calcpm32.exe
1988	Ccjoli32.exe
1988	Ccjoli32.exe
1876	WerFault.exe
1876	WerFault.exe
1876	WerFault.exe

Drops file in System32 directory 35 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Mfakaoam.dll	Bieopm32.exe
File opened for modification	C:\Windows\SysWOW64\Cileqlmg.exe	Cmedlk32.exe
File created	C:\Windows\SysWOW64\Calcpm32.exe	Cgcnghpl.exe
File opened for modification	C:\Windows\SysWOW64\Calcpm32.exe	Cgcnghpl.exe
File opened for modification	C:\Windows\SysWOW64\Ccjoli32.exe	Calcpm32.exe
File created	C:\Windows\SysWOW64\Pdkefp32.dll	Ccjoli32.exe
File created	C:\Windows\SysWOW64\Jpebhied.dll	51205e4df7c1f18165db3788f9953a655a7b507c32d8479471ed33f10241aa77.exe
File created	C:\Windows\SysWOW64\Lmajfk32.dll	Bjdkjpkb.exe
File created	C:\Windows\SysWOW64\Eepejpil.dll	Cileqlmg.exe
File created	C:\Windows\SysWOW64\Lbmnig32.dll	Bbmcibjp.exe
File created	C:\Windows\SysWOW64\Cinafkkd.exe	Cileqlmg.exe
File created	C:\Windows\SysWOW64\Cgcnghpl.exe	Cnkjnb32.exe
File opened for modification	C:\Windows\SysWOW64\Bjdkjpkb.exe	Bbmcibjp.exe
File created	C:\Windows\SysWOW64\Dpapaj32.exe	Ccjoli32.exe
File created	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe
File opened for modification	C:\Windows\SysWOW64\Bbmcibjp.exe	Bieopm32.exe
File created	C:\Windows\SysWOW64\Omakjj32.dll	Cnkjnb32.exe
File created	C:\Windows\SysWOW64\Ccjoli32.exe	Calcpm32.exe
File created	C:\Windows\SysWOW64\Ciohdhad.dll	Calcpm32.exe
File opened for modification	C:\Windows\SysWOW64\Cgcnghpl.exe	Cnkjnb32.exe
File opened for modification	C:\Windows\SysWOW64\Cmedlk32.exe	Bjdkjpkb.exe
File created	C:\Windows\SysWOW64\Cileqlmg.exe	Cmedlk32.exe
File created	C:\Windows\SysWOW64\Cmbfdl32.dll	Cmedlk32.exe
File opened for modification	C:\Windows\SysWOW64\Cinafkkd.exe	Cileqlmg.exe
File created	C:\Windows\SysWOW64\Cnkjnb32.exe	Cinafkkd.exe
File created	C:\Windows\SysWOW64\Ofaejacl.dll	Cgcnghpl.exe
File opened for modification	C:\Windows\SysWOW64\Dpapaj32.exe	Ccjoli32.exe
File opened for modification	C:\Windows\SysWOW64\Bieopm32.exe	51205e4df7c1f18165db3788f9953a655a7b507c32d8479471ed33f10241aa77.exe
File opened for modification	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe
File created	C:\Windows\SysWOW64\Bbmcibjp.exe	Bieopm32.exe
File created	C:\Windows\SysWOW64\Bjdkjpkb.exe	Bbmcibjp.exe
File opened for modification	C:\Windows\SysWOW64\Cnkjnb32.exe	Cinafkkd.exe
File created	C:\Windows\SysWOW64\Bieopm32.exe	51205e4df7c1f18165db3788f9953a655a7b507c32d8479471ed33f10241aa77.exe
File created	C:\Windows\SysWOW64\Liempneg.dll	Cinafkkd.exe
File created	C:\Windows\SysWOW64\Cmedlk32.exe	Bjdkjpkb.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1876	1720	WerFault.exe	41

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bieopm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjdkjpkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmedlk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkjnb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccjoli32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpapaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	51205e4df7c1f18165db3788f9953a655a7b507c32d8479471ed33f10241aa77.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbmcibjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cileqlmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cinafkkd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgcnghpl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calcpm32.exe

Modifies registry class 36 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Liempneg.dll"	Cinafkkd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Calcpm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	51205e4df7c1f18165db3788f9953a655a7b507c32d8479471ed33f10241aa77.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bieopm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmajfk32.dll"	Bjdkjpkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cmedlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbmnig32.dll"	Bbmcibjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bjdkjpkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Calcpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciohdhad.dll"	Calcpm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ccjoli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cileqlmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omakjj32.dll"	Cnkjnb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cgcnghpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cgcnghpl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cileqlmg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cinafkkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofaejacl.dll"	Cgcnghpl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	51205e4df7c1f18165db3788f9953a655a7b507c32d8479471ed33f10241aa77.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpebhied.dll"	51205e4df7c1f18165db3788f9953a655a7b507c32d8479471ed33f10241aa77.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bbmcibjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bjdkjpkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmbfdl32.dll"	Cmedlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cinafkkd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	51205e4df7c1f18165db3788f9953a655a7b507c32d8479471ed33f10241aa77.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cmedlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfakaoam.dll"	Bieopm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bbmcibjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cnkjnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdkefp32.dll"	Ccjoli32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cnkjnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ccjoli32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	51205e4df7c1f18165db3788f9953a655a7b507c32d8479471ed33f10241aa77.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	51205e4df7c1f18165db3788f9953a655a7b507c32d8479471ed33f10241aa77.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bieopm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eepejpil.dll"	Cileqlmg.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 2336 wrote to memory of 2360	2336	51205e4df7c1f18165db3788f9953a655a7b507c32d8479471ed33f10241aa77.exe	31
PID 2336 wrote to memory of 2360	2336	51205e4df7c1f18165db3788f9953a655a7b507c32d8479471ed33f10241aa77.exe	31
PID 2336 wrote to memory of 2360	2336	51205e4df7c1f18165db3788f9953a655a7b507c32d8479471ed33f10241aa77.exe	31
PID 2336 wrote to memory of 2360	2336	51205e4df7c1f18165db3788f9953a655a7b507c32d8479471ed33f10241aa77.exe	31
PID 2360 wrote to memory of 2292	2360	Bieopm32.exe	32
PID 2360 wrote to memory of 2292	2360	Bieopm32.exe	32
PID 2360 wrote to memory of 2292	2360	Bieopm32.exe	32
PID 2360 wrote to memory of 2292	2360	Bieopm32.exe	32
PID 2292 wrote to memory of 2704	2292	Bbmcibjp.exe	33
PID 2292 wrote to memory of 2704	2292	Bbmcibjp.exe	33
PID 2292 wrote to memory of 2704	2292	Bbmcibjp.exe	33
PID 2292 wrote to memory of 2704	2292	Bbmcibjp.exe	33
PID 2704 wrote to memory of 2720	2704	Bjdkjpkb.exe	34
PID 2704 wrote to memory of 2720	2704	Bjdkjpkb.exe	34
PID 2704 wrote to memory of 2720	2704	Bjdkjpkb.exe	34
PID 2704 wrote to memory of 2720	2704	Bjdkjpkb.exe	34
PID 2720 wrote to memory of 2588	2720	Cmedlk32.exe	35
PID 2720 wrote to memory of 2588	2720	Cmedlk32.exe	35
PID 2720 wrote to memory of 2588	2720	Cmedlk32.exe	35
PID 2720 wrote to memory of 2588	2720	Cmedlk32.exe	35
PID 2588 wrote to memory of 2836	2588	Cileqlmg.exe	36
PID 2588 wrote to memory of 2836	2588	Cileqlmg.exe	36
PID 2588 wrote to memory of 2836	2588	Cileqlmg.exe	36
PID 2588 wrote to memory of 2836	2588	Cileqlmg.exe	36
PID 2836 wrote to memory of 2632	2836	Cinafkkd.exe	37
PID 2836 wrote to memory of 2632	2836	Cinafkkd.exe	37
PID 2836 wrote to memory of 2632	2836	Cinafkkd.exe	37
PID 2836 wrote to memory of 2632	2836	Cinafkkd.exe	37
PID 2632 wrote to memory of 3044	2632	Cnkjnb32.exe	38
PID 2632 wrote to memory of 3044	2632	Cnkjnb32.exe	38
PID 2632 wrote to memory of 3044	2632	Cnkjnb32.exe	38
PID 2632 wrote to memory of 3044	2632	Cnkjnb32.exe	38
PID 3044 wrote to memory of 1324	3044	Cgcnghpl.exe	39
PID 3044 wrote to memory of 1324	3044	Cgcnghpl.exe	39
PID 3044 wrote to memory of 1324	3044	Cgcnghpl.exe	39
PID 3044 wrote to memory of 1324	3044	Cgcnghpl.exe	39
PID 1324 wrote to memory of 1988	1324	Calcpm32.exe	40
PID 1324 wrote to memory of 1988	1324	Calcpm32.exe	40
PID 1324 wrote to memory of 1988	1324	Calcpm32.exe	40
PID 1324 wrote to memory of 1988	1324	Calcpm32.exe	40
PID 1988 wrote to memory of 1720	1988	Ccjoli32.exe	41
PID 1988 wrote to memory of 1720	1988	Ccjoli32.exe	41
PID 1988 wrote to memory of 1720	1988	Ccjoli32.exe	41
PID 1988 wrote to memory of 1720	1988	Ccjoli32.exe	41
PID 1720 wrote to memory of 1876	1720	Dpapaj32.exe	42
PID 1720 wrote to memory of 1876	1720	Dpapaj32.exe	42
PID 1720 wrote to memory of 1876	1720	Dpapaj32.exe	42
PID 1720 wrote to memory of 1876	1720	Dpapaj32.exe	42

C:\Users\Admin\AppData\Local\Temp\51205e4df7c1f18165db3788f9953a655a7b507c32d8479471ed33f10241aa77.exe
"C:\Users\Admin\AppData\Local\Temp\51205e4df7c1f18165db3788f9953a655a7b507c32d8479471ed33f10241aa77.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2336
- C:\Windows\SysWOW64\Bieopm32.exe
  C:\Windows\system32\Bieopm32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2360
- - C:\Windows\SysWOW64\Bbmcibjp.exe
    C:\Windows\system32\Bbmcibjp.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2292
  - - C:\Windows\SysWOW64\Bjdkjpkb.exe
      C:\Windows\system32\Bjdkjpkb.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2704
    - - C:\Windows\SysWOW64\Cmedlk32.exe
        
        C:\Windows\system32\Cmedlk32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2720
      - C:\Windows\SysWOW64\Cileqlmg.exe
        
        C:\Windows\system32\Cileqlmg.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2588
        
        C:\Windows\SysWOW64\Cinafkkd.exe
        
        C:\Windows\system32\Cinafkkd.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2836
        
        C:\Windows\SysWOW64\Cnkjnb32.exe
        
        C:\Windows\system32\Cnkjnb32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2632
        
        C:\Windows\SysWOW64\Cgcnghpl.exe
        
        C:\Windows\system32\Cgcnghpl.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3044
        
        C:\Windows\SysWOW64\Calcpm32.exe
        
        C:\Windows\system32\Calcpm32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1324
        
        C:\Windows\SysWOW64\Ccjoli32.exe
        
        C:\Windows\system32\Ccjoli32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1988
        
        C:\Windows\SysWOW64\Dpapaj32.exe
        
        C:\Windows\system32\Dpapaj32.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1720
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1720 -s 144
        13⤵
        Loads dropped DLL
        Program crash
        
        PID:1876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bbmcibjp.exe

Filesize
89KB

MD5
de80b4d9da6bd8fe0bd413a139e771b0

SHA1
4598d30f5a21dd1b49147d643b727d7f9bb58d5f

SHA256
826010e726af7071c4206576f79ea5288fda57e5fdcbc1f41a74844e099b8521

SHA512
0250fa86f7e0d4e8da997f0d2bd46ea7ce619b7be63a8ae48ff283ab6112bfe051a9de677ce010048b7d44ada347a23c69101fdb98bb546de1d15edcd2ddb28e

Download Submit
C:\Windows\SysWOW64\Ccjoli32.exe

Filesize
89KB

MD5
1cf88a7da2a3ed934c88f710b005e14f

SHA1
f92d2211b48a89504ba4500d5648f5d0d4520d6d

SHA256
937b5366e9f8a88dd7391e65c6a1b3ea060737a0b4c77aa4af86e6e1488cbfc9

SHA512
f584ba8af4098d5d78a286483474d2c52902a04122a5cbcc8dcdcf67fc26f8e791e7aba4b7184709b159d29f3724e0e6e4ecc2053c6a210d1f908d9820a9b9c6

Download Submit
C:\Windows\SysWOW64\Cinafkkd.exe

Filesize
89KB

MD5
c2acffc2fc16ae0f7b9f2fcfa69d0df0

SHA1
c8a95be29ed396e1b53222dd32f3165b55f5dcdc

SHA256
9515d963b2eea0af40df9451e4e11698a5f9c5cf45c7fe9a6f5818ea4f2e0ec3

SHA512
67f76e163fc9817bbd341053b0b62f9c43b393aa851237b6b6b0dd0a4f52bb962067646ab5d711f01d5085e26de84996e4f148372de306429e41dc246bacee9d

Download Submit
C:\Windows\SysWOW64\Cmbfdl32.dll

Filesize
7KB

MD5
dd960e5b1a6efbffd5c19cfd3b1b9dcc

SHA1
ac49d4178a98dd08a1f51a8cd174d1d7a2bade20

SHA256
fa5efa67e522b6b71a42b4fbae60bbe46e61d346ecc0094f60bcb5bf4865b8bc

SHA512
60630ff56e30af0184acca523801e8f1382d948d672aae03b5c1f2748fee87e2554cfbd6ae73a8d304967b10b152104b7792bd3f21126c00903dc7dee1ebf822

Download Submit
C:\Windows\SysWOW64\Cmedlk32.exe

Filesize
89KB

MD5
eef5152be2d93e85e9e9994b76945d3c

SHA1
3e2b2771dddc627216f889651004063641b33e02

SHA256
ae55bf9347ae45e292ba6eafbbcd549073c9d7ec167b607460453694746cd91c

SHA512
719889d3f42b0348fef770488386634e5d9a8f608eec1da94cef7de163f8edb330e3022ccf880e9db7b5e5d7130d192f4808fbd79ce001e8e0fae8004c589de9

Download Submit
\Windows\SysWOW64\Bieopm32.exe

Filesize
89KB

MD5
dd55bdf67e0dfeef6a3e231726217c42

SHA1
ce2525537079ad51020d2723e40e2784d19411d6

SHA256
20c28475b006b2afa0c4b8b643deb3e482e14d426fea191538e8ecab67fade13

SHA512
c18fd9e6b553a96cdbdab4c13e7f7a9cd26470638c5d90b3fa4acd2a6edf1cf9a50ead4c4ee521815c92ae1fbe697ef03a665d3b740ec3597d7aab5400d2958b

Download Submit
\Windows\SysWOW64\Bjdkjpkb.exe

Filesize
89KB

MD5
183e135fe6ec7c1b6eb059147e0906ea

SHA1
79c12f426dd618c4569780007faf9422a6bc54da

SHA256
b949cadff1865ca5b6be0ac86664200f988b4552e70e3c3e6405ee0268eec6e4

SHA512
e3b58705e4aaac5f0c8eebf10748e15791b34dadb62dec89631a0c2f96af6d7458051c22b7ea74cefdc6c53668bdad49342dc3089ea54a6a825e50473272526d

Download Submit
\Windows\SysWOW64\Calcpm32.exe

Filesize
89KB

MD5
138d35ebaef2c96bf6e9fcca3161335d

SHA1
5ba7cf61a6643a1bc5c8418959e97f071ac4e49e

SHA256
b179b9c589fb0a405f83f70a9d229297f8e51cf35c572a34326a5deb42083304

SHA512
934d1cdfc5283d1c36a8cbae54df989e2a154c3e7732d4822529631de63c66baa01f49fe8393ed0b1d38f9e0ff187bd86a48da9efd5820263bf9bb47fca296e4

Download Submit
\Windows\SysWOW64\Cgcnghpl.exe

Filesize
89KB

MD5
e92ff8213fae2923d7d3c14783bc140a

SHA1
c89390eacb9065590ac84485fabfc5d6c835e760

SHA256
86d8d2ef46939dcf48ca220ea2439aad049d66519c2eaf92dc314a7d462bfc65

SHA512
e90e751d40d2f10da5a67cc59605e1f3afcb43688ac037cf3b1fa5db0f2f19fe2b8c3f8912f81cf7aa92318d50f653742a945d8b653b51c9afb0fa14906d7571

Download Submit
\Windows\SysWOW64\Cileqlmg.exe

Filesize
89KB

MD5
d32fed2e4c93adc9379952fda4a92ba6

SHA1
2877aaa59c2e8d40313cabccf4a109957df501c7

SHA256
eb819080ef4e28123c07be8e0ade18fdaeed30c5c2f922db03bcbb1dded51c5a

SHA512
bc728c19bebcd61af0fc6c6770192e4bdacd0215751f9d4583caf122a7621945946ffb8aad516eed490ec2151c563c451e036ae8e2e0048235118cb03711ae37

Download Submit
\Windows\SysWOW64\Cnkjnb32.exe

Filesize
89KB

MD5
c0974140cef71bb5c6b74cd586ba8777

SHA1
a1d6afab87dac8ee85202aab1c91157305dd8883

SHA256
2cb1f1f94d748fe9765aec3bc32289d7ff6a854c4dd80bffdf4d3892a660abc5

SHA512
8a508248f8cb75ce17dfd1eeaf4644f68ebe06a41ab94fcb4eab53438261d2deb11c3bcf6a4fb6384bb3d0796e7d49d57d5bb9133faf109f596359151d97fccf

Download Submit
\Windows\SysWOW64\Dpapaj32.exe

Filesize
89KB

MD5
f38ce7b8ef094c9a56b86ee380ebab98

SHA1
cb327979b76c8d24d122874798aca7640806f578

SHA256
2901cb0cae29c1eef683f5c748e5cbc0c2d2f8063dc6cc5d57bc199b80a45907

SHA512
96e386fec0162d7b8e69b7530618dd6dcdefdfa9873cc8974c407a867253d8aac765163fbf5719d63a21606aae67dcb147cfe4fa346a846d06f5b95956fc0eff

Download Submit
memory/1324-158-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1324-126-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1720-164-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1720-151-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1988-157-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1988-135-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2292-34-0x0000000000440000-0x0000000000480000-memory.dmp

Filesize
256KB

Download
memory/2292-162-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2292-27-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2336-163-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2336-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2336-12-0x0000000000280000-0x00000000002C0000-memory.dmp

Filesize
256KB

Download
memory/2336-7-0x0000000000280000-0x00000000002C0000-memory.dmp

Filesize
256KB

Download
memory/2360-19-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2588-159-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2588-68-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2632-96-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2632-156-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2704-46-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2720-160-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2720-66-0x0000000000440000-0x0000000000480000-memory.dmp

Filesize
256KB

Download
memory/2720-54-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2836-88-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2836-81-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2836-161-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3044-120-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/3044-155-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3044-108-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads