berbew | 98422b874439339b3e34c98f33c956e76c069f20b45217a085a7aed482c3c7ca

Analysis

max time kernel
23s
max time network
16s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
08-12-2024 00:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

98422b874439339b3e34c98f33c956e76c069f20b45217a085a7aed482c3c7caN.exe
Size

92KB
MD5

5e0f012cb06ab6a0f792f04b51841720
SHA1

96fb5893d886fa5d82a48756dcd43d1c11313a13
SHA256

98422b874439339b3e34c98f33c956e76c069f20b45217a085a7aed482c3c7ca
SHA512

d1c9c089cca456de25dde5fdeea804493cea7a148e425b6f340d958a3a5704e79d97ba644280eb9f21a32d77e6700fbb73fb56af3e9c1c9de730804477aaa6a7
SSDEEP

1536:MYBIusr7tKUz0rP+imsgXAjy1sjZcqqqqqqdHon1EzseNIY0p2YYxL:MYv+P0qi2Qvqon1reS5pAt

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 14 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	98422b874439339b3e34c98f33c956e76c069f20b45217a085a7aed482c3c7caN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bhdgjb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdkgocpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bdkgocpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chkmkacq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bnkbam32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhdgjb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bejdiffp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bobhal32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chkmkacq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	98422b874439339b3e34c98f33c956e76c069f20b45217a085a7aed482c3c7caN.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnkbam32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bejdiffp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bobhal32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 7 IoCs

pid	Process
2972	Bnkbam32.exe
2828	Bhdgjb32.exe
2836	Bdkgocpm.exe
2744	Bejdiffp.exe
320	Bobhal32.exe
1504	Chkmkacq.exe
2908	Cacacg32.exe

Loads dropped DLL 18 IoCs

pid	Process
2824	98422b874439339b3e34c98f33c956e76c069f20b45217a085a7aed482c3c7caN.exe
2824	98422b874439339b3e34c98f33c956e76c069f20b45217a085a7aed482c3c7caN.exe
2972	Bnkbam32.exe
2972	Bnkbam32.exe
2828	Bhdgjb32.exe
2828	Bhdgjb32.exe
2836	Bdkgocpm.exe
2836	Bdkgocpm.exe
2744	Bejdiffp.exe
2744	Bejdiffp.exe
320	Bobhal32.exe
320	Bobhal32.exe
1504	Chkmkacq.exe
1504	Chkmkacq.exe
2544	WerFault.exe
2544	WerFault.exe
2544	WerFault.exe
2544	WerFault.exe

Drops file in System32 directory 21 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Bnkbam32.exe	98422b874439339b3e34c98f33c956e76c069f20b45217a085a7aed482c3c7caN.exe
File created	C:\Windows\SysWOW64\Imklkg32.dll	Bejdiffp.exe
File created	C:\Windows\SysWOW64\Chkmkacq.exe	Bobhal32.exe
File created	C:\Windows\SysWOW64\Jbodgd32.dll	Bnkbam32.exe
File created	C:\Windows\SysWOW64\Bdkgocpm.exe	Bhdgjb32.exe
File created	C:\Windows\SysWOW64\Fcohbnpe.dll	Bhdgjb32.exe
File created	C:\Windows\SysWOW64\Kgfkcnlb.dll	Bobhal32.exe
File created	C:\Windows\SysWOW64\Cacacg32.exe	Chkmkacq.exe
File created	C:\Windows\SysWOW64\Fdlpjk32.dll	Chkmkacq.exe
File opened for modification	C:\Windows\SysWOW64\Bdkgocpm.exe	Bhdgjb32.exe
File created	C:\Windows\SysWOW64\Bobhal32.exe	Bejdiffp.exe
File opened for modification	C:\Windows\SysWOW64\Bobhal32.exe	Bejdiffp.exe
File opened for modification	C:\Windows\SysWOW64\Cacacg32.exe	Chkmkacq.exe
File created	C:\Windows\SysWOW64\Bnkbam32.exe	98422b874439339b3e34c98f33c956e76c069f20b45217a085a7aed482c3c7caN.exe
File created	C:\Windows\SysWOW64\Nodmbemj.dll	98422b874439339b3e34c98f33c956e76c069f20b45217a085a7aed482c3c7caN.exe
File created	C:\Windows\SysWOW64\Bhdgjb32.exe	Bnkbam32.exe
File opened for modification	C:\Windows\SysWOW64\Bhdgjb32.exe	Bnkbam32.exe
File created	C:\Windows\SysWOW64\Bejdiffp.exe	Bdkgocpm.exe
File opened for modification	C:\Windows\SysWOW64\Bejdiffp.exe	Bdkgocpm.exe
File created	C:\Windows\SysWOW64\Nmmfff32.dll	Bdkgocpm.exe
File opened for modification	C:\Windows\SysWOW64\Chkmkacq.exe	Bobhal32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2544	2908	WerFault.exe	36

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhdgjb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdkgocpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bejdiffp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bobhal32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chkmkacq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cacacg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	98422b874439339b3e34c98f33c956e76c069f20b45217a085a7aed482c3c7caN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnkbam32.exe

Modifies registry class 24 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bdkgocpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bejdiffp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	98422b874439339b3e34c98f33c956e76c069f20b45217a085a7aed482c3c7caN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nodmbemj.dll"	98422b874439339b3e34c98f33c956e76c069f20b45217a085a7aed482c3c7caN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbodgd32.dll"	Bnkbam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imklkg32.dll"	Bejdiffp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgfkcnlb.dll"	Bobhal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Chkmkacq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	98422b874439339b3e34c98f33c956e76c069f20b45217a085a7aed482c3c7caN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bnkbam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bnkbam32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bhdgjb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcohbnpe.dll"	Bhdgjb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmmfff32.dll"	Bdkgocpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bejdiffp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bobhal32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	98422b874439339b3e34c98f33c956e76c069f20b45217a085a7aed482c3c7caN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Chkmkacq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	98422b874439339b3e34c98f33c956e76c069f20b45217a085a7aed482c3c7caN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bhdgjb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bdkgocpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bobhal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdlpjk32.dll"	Chkmkacq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	98422b874439339b3e34c98f33c956e76c069f20b45217a085a7aed482c3c7caN.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 2824 wrote to memory of 2972	2824	98422b874439339b3e34c98f33c956e76c069f20b45217a085a7aed482c3c7caN.exe	30
PID 2824 wrote to memory of 2972	2824	98422b874439339b3e34c98f33c956e76c069f20b45217a085a7aed482c3c7caN.exe	30
PID 2824 wrote to memory of 2972	2824	98422b874439339b3e34c98f33c956e76c069f20b45217a085a7aed482c3c7caN.exe	30
PID 2824 wrote to memory of 2972	2824	98422b874439339b3e34c98f33c956e76c069f20b45217a085a7aed482c3c7caN.exe	30
PID 2972 wrote to memory of 2828	2972	Bnkbam32.exe	31
PID 2972 wrote to memory of 2828	2972	Bnkbam32.exe	31
PID 2972 wrote to memory of 2828	2972	Bnkbam32.exe	31
PID 2972 wrote to memory of 2828	2972	Bnkbam32.exe	31
PID 2828 wrote to memory of 2836	2828	Bhdgjb32.exe	32
PID 2828 wrote to memory of 2836	2828	Bhdgjb32.exe	32
PID 2828 wrote to memory of 2836	2828	Bhdgjb32.exe	32
PID 2828 wrote to memory of 2836	2828	Bhdgjb32.exe	32
PID 2836 wrote to memory of 2744	2836	Bdkgocpm.exe	33
PID 2836 wrote to memory of 2744	2836	Bdkgocpm.exe	33
PID 2836 wrote to memory of 2744	2836	Bdkgocpm.exe	33
PID 2836 wrote to memory of 2744	2836	Bdkgocpm.exe	33
PID 2744 wrote to memory of 320	2744	Bejdiffp.exe	34
PID 2744 wrote to memory of 320	2744	Bejdiffp.exe	34
PID 2744 wrote to memory of 320	2744	Bejdiffp.exe	34
PID 2744 wrote to memory of 320	2744	Bejdiffp.exe	34
PID 320 wrote to memory of 1504	320	Bobhal32.exe	35
PID 320 wrote to memory of 1504	320	Bobhal32.exe	35
PID 320 wrote to memory of 1504	320	Bobhal32.exe	35
PID 320 wrote to memory of 1504	320	Bobhal32.exe	35
PID 1504 wrote to memory of 2908	1504	Chkmkacq.exe	36
PID 1504 wrote to memory of 2908	1504	Chkmkacq.exe	36
PID 1504 wrote to memory of 2908	1504	Chkmkacq.exe	36
PID 1504 wrote to memory of 2908	1504	Chkmkacq.exe	36
PID 2908 wrote to memory of 2544	2908	Cacacg32.exe	37
PID 2908 wrote to memory of 2544	2908	Cacacg32.exe	37
PID 2908 wrote to memory of 2544	2908	Cacacg32.exe	37
PID 2908 wrote to memory of 2544	2908	Cacacg32.exe	37

C:\Users\Admin\AppData\Local\Temp\98422b874439339b3e34c98f33c956e76c069f20b45217a085a7aed482c3c7caN.exe
"C:\Users\Admin\AppData\Local\Temp\98422b874439339b3e34c98f33c956e76c069f20b45217a085a7aed482c3c7caN.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2824
- C:\Windows\SysWOW64\Bnkbam32.exe
  C:\Windows\system32\Bnkbam32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2972
- - C:\Windows\SysWOW64\Bhdgjb32.exe
    C:\Windows\system32\Bhdgjb32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2828
  - - C:\Windows\SysWOW64\Bdkgocpm.exe
      C:\Windows\system32\Bdkgocpm.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2836
    - - C:\Windows\SysWOW64\Bejdiffp.exe
        
        C:\Windows\system32\Bejdiffp.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2744
      - C:\Windows\SysWOW64\Bobhal32.exe
        
        C:\Windows\system32\Bobhal32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:320
        
        C:\Windows\SysWOW64\Chkmkacq.exe
        
        C:\Windows\system32\Chkmkacq.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1504
        
        C:\Windows\SysWOW64\Cacacg32.exe
        
        C:\Windows\system32\Cacacg32.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2908
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2908 -s 140
        9⤵
        Loads dropped DLL
        Program crash
        
        PID:2544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Imklkg32.dll

Filesize
7KB

MD5
d26a4bdaa2c95f1e794fe94cc949c79e

SHA1
4eb236568651a116b31d5b9bde1f02fccfcaba15

SHA256
48dce6b0ce3d5364b58ee35ea58367516928b8894cab2628f0f3d916e118dd26

SHA512
4c26c6d47e612ac39b882d7f2285783e733cb84bd72aadfae5a38bad4847f18ee7f7805f74969bf6b3d3bb41f002396e2134a3c868efedb2acb106caf2f3e0bd

Download Submit
\Windows\SysWOW64\Bdkgocpm.exe

Filesize
92KB

MD5
cdee720c247137d2d977160a30d34f0e

SHA1
504dba973c6991f081af6b313c976f26db9dac65

SHA256
a38a516e5f925cdb8d7937c669d4e7b7cc2694b699ea2fabccc569614b460001

SHA512
6c796cee85b23747e2417668b7d986a72e0e5fbe9e759cba2e1bcfe7b7b20428a8db1ecfa91a781145638c2ca942dc42e0e20e4b48c445fc4483dce32890624d

Download Submit
\Windows\SysWOW64\Bejdiffp.exe

Filesize
92KB

MD5
eb80ef9f2b501328adacb53c4bb8bc9a

SHA1
74deb2f58f72b973b230faaff42c3a7960e5abcc

SHA256
97ed69057d6af8e13b8a601f9b6afc9584494e5a1f53298ead6c3213984e7a40

SHA512
353e4c3fd024c9212e665d0e7e79b09e4430a02b51564f6ac1e9fc7c9a40de3793d79dc9010287b36250560e3a7e6e1e58d27ceddc752207f234872bd8aa0db3

Download Submit
\Windows\SysWOW64\Bhdgjb32.exe

Filesize
92KB

MD5
3175a57def161943c8cfda3db94766ac

SHA1
d5c0205f28c647ead0c5c611e15fad1b9e494bb3

SHA256
88fccf80aa7a488181d252e2a420ffd7b97c1440deba8fa6f63ff60d32ec8ee3

SHA512
aecd7547d27fc77af100fcdb0b6a348676b68271574e53101bc066729d51d624eae6c976fb26efe3756663428387b472b7ac4921baf3237d4368f41f0cb5ea26

Download Submit
\Windows\SysWOW64\Bnkbam32.exe

Filesize
92KB

MD5
8b13896cbf5ca702231205174d04c439

SHA1
01780539e36869994fcc09fb841acbd279c59395

SHA256
2d3820b8534816c6bef9ba78492a8b7ee7d860519111ce4d3dd885e5164bc703

SHA512
b411225ca1947c4249f58b05e30fa72fb7540ec97ae84015bfe6a2df26003de44edf4eee18b2073921634bf046c2844de6e1613bc95b124e54a5d423fc90cb09

Download Submit
\Windows\SysWOW64\Bobhal32.exe

Filesize
92KB

MD5
8ac620018e2b4f7f116b4b73a03a9351

SHA1
0e1514a1b2540b4718bd14d686a057411edde9f7

SHA256
a62f1cdb12171b297f874af856cbaeb42c40cb100a490543d0fd1dc4d27c1faf

SHA512
f750f18af52d020ba6a4c2c6c3cb5eaab9487d656e7df1e2b9b6527d7ff1a167fba5353b432f83ab9523f1c1ef25a151619ffebe1cdc00a915a3f465c43dfd4d

Download Submit
\Windows\SysWOW64\Cacacg32.exe

Filesize
92KB

MD5
0be909baeac9bc3dd7aa8fb8a3935ca2

SHA1
0f45690bc3fdf17ff7e86015cb9be62a50083a80

SHA256
46db9c8cfd1d11a810e757cf2774e0c7101aefaeb56f2b7c3f1eb71d6113f0bd

SHA512
5f9bd6873a72ca5b4dcc14390855983567c03a41b1aafc4eda8172255191d3af7840801fc982ff9f40d8c74726880100b27560f687366d8927a88af078fa8576

Download Submit
\Windows\SysWOW64\Chkmkacq.exe

Filesize
92KB

MD5
1de18d1ab469b06080737750c3d83f2f

SHA1
898e410c6a80e5449d4ac290a5d1c31237da43ee

SHA256
6d15578b4abd10c676f86bd6ff32a39ab597aa0e64ae3b74a0d8a8396c6c1800

SHA512
bfed37dc46b649b1ef2686449a77a6285e168e67c7170414ce58b89fa842f78c0db02d314d3313760d62eb7fe0a2da0318abe0ce8d7199da28598284dd4a85e5

Download Submit
memory/320-68-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/320-103-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1504-88-0x0000000000300000-0x0000000000334000-memory.dmp

Filesize
208KB

Download
memory/1504-81-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1504-104-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2744-61-0x0000000000260000-0x0000000000294000-memory.dmp

Filesize
208KB

Download
memory/2744-54-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2744-106-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2824-114-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2824-6-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2824-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2828-41-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/2828-34-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/2828-27-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2828-110-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2836-108-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2908-95-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2908-115-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2972-112-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2972-26-0x0000000000310000-0x0000000000344000-memory.dmp

Filesize
208KB

Download
memory/2972-25-0x0000000000310000-0x0000000000344000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads