berbew | 7fc70a41586a3daf5351d92e32ddebe50c65ad1d4664a918305e7320e1d64bcd

Analysis

max time kernel
94s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
08/12/2024, 00:20

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

7fc70a41586a3daf5351d92e32ddebe50c65ad1d4664a918305e7320e1d64bcd.exe
Size

192KB
MD5

731d7ab4d9eb40d0e87b3ef1b72afad9
SHA1

a914e8e65f54bdd37f044eb97e4be83e55352ba0
SHA256

7fc70a41586a3daf5351d92e32ddebe50c65ad1d4664a918305e7320e1d64bcd
SHA512

22fa24fceb67382ce9e2edf1528638ffd0dc8fb85dbbe983cbe767d8a4cb5b0f715041f4840ce76630de4585037540db3a59ce14bb64fd9e348013276a2e6792
SSDEEP

3072:fUPwhlqmY/DACkAbeIr4MKy3G7UEqMM6T9pui6yYPaI7DehizrVtNe8ohrQ3N:4whpYbACkAilndpui6yYPaIGckfruN

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://viruslist.com/wcmd.txt

http://viruslist.com/ppslog.php

http://viruslist.com/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 20 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dkifae32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	7fc70a41586a3daf5351d92e32ddebe50c65ad1d4664a918305e7320e1d64bcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	7fc70a41586a3daf5351d92e32ddebe50c65ad1d4664a918305e7320e1d64bcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Delnin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Djgjlelk.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 10 IoCs

pid	Process
3804	Ddmaok32.exe
1668	Djgjlelk.exe
744	Delnin32.exe
3908	Dkifae32.exe
1232	Dmgbnq32.exe
2432	Dhmgki32.exe
1340	Dogogcpo.exe
552	Deagdn32.exe
4244	Dddhpjof.exe
2436	Dmllipeg.exe

Drops file in System32 directory 30 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Dogogcpo.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Deagdn32.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Jjjald32.dll	7fc70a41586a3daf5351d92e32ddebe50c65ad1d4664a918305e7320e1d64bcd.exe
File created	C:\Windows\SysWOW64\Ihidnp32.dll	Dkifae32.exe
File opened for modification	C:\Windows\SysWOW64\Dhmgki32.exe	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Gmcfdb32.dll	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Pdheac32.dll	Delnin32.exe
File opened for modification	C:\Windows\SysWOW64\Dddhpjof.exe	Deagdn32.exe
File created	C:\Windows\SysWOW64\Dmgbnq32.exe	Dkifae32.exe
File created	C:\Windows\SysWOW64\Fpdaoioe.dll	Dmgbnq32.exe
File opened for modification	C:\Windows\SysWOW64\Dogogcpo.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Dddhpjof.exe	Deagdn32.exe
File created	C:\Windows\SysWOW64\Amjknl32.dll	Deagdn32.exe
File opened for modification	C:\Windows\SysWOW64\Ddmaok32.exe	7fc70a41586a3daf5351d92e32ddebe50c65ad1d4664a918305e7320e1d64bcd.exe
File created	C:\Windows\SysWOW64\Djgjlelk.exe	Ddmaok32.exe
File opened for modification	C:\Windows\SysWOW64\Dkifae32.exe	Delnin32.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dddhpjof.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Beeppfin.dll	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Dhmgki32.exe	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Kahdohfm.dll	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dddhpjof.exe
File opened for modification	C:\Windows\SysWOW64\Djgjlelk.exe	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Dkifae32.exe	Delnin32.exe
File opened for modification	C:\Windows\SysWOW64\Deagdn32.exe	Dogogcpo.exe
File opened for modification	C:\Windows\SysWOW64\Dmgbnq32.exe	Dkifae32.exe
File created	C:\Windows\SysWOW64\Lbabpnmn.dll	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Ddmaok32.exe	7fc70a41586a3daf5351d92e32ddebe50c65ad1d4664a918305e7320e1d64bcd.exe
File created	C:\Windows\SysWOW64\Delnin32.exe	Djgjlelk.exe
File opened for modification	C:\Windows\SysWOW64\Delnin32.exe	Djgjlelk.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2848	2436	WerFault.exe	92

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7fc70a41586a3daf5351d92e32ddebe50c65ad1d4664a918305e7320e1d64bcd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe

Modifies registry class 33 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihidnp32.dll"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	7fc70a41586a3daf5351d92e32ddebe50c65ad1d4664a918305e7320e1d64bcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	7fc70a41586a3daf5351d92e32ddebe50c65ad1d4664a918305e7320e1d64bcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpdaoioe.dll"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	7fc70a41586a3daf5351d92e32ddebe50c65ad1d4664a918305e7320e1d64bcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	7fc70a41586a3daf5351d92e32ddebe50c65ad1d4664a918305e7320e1d64bcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Delnin32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dkifae32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjjald32.dll"	7fc70a41586a3daf5351d92e32ddebe50c65ad1d4664a918305e7320e1d64bcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Beeppfin.dll"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmcfdb32.dll"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbabpnmn.dll"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amjknl32.dll"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	7fc70a41586a3daf5351d92e32ddebe50c65ad1d4664a918305e7320e1d64bcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdheac32.dll"	Delnin32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kahdohfm.dll"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dddhpjof.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 4884 wrote to memory of 3804	4884	7fc70a41586a3daf5351d92e32ddebe50c65ad1d4664a918305e7320e1d64bcd.exe	83
PID 4884 wrote to memory of 3804	4884	7fc70a41586a3daf5351d92e32ddebe50c65ad1d4664a918305e7320e1d64bcd.exe	83
PID 4884 wrote to memory of 3804	4884	7fc70a41586a3daf5351d92e32ddebe50c65ad1d4664a918305e7320e1d64bcd.exe	83
PID 3804 wrote to memory of 1668	3804	Ddmaok32.exe	84
PID 3804 wrote to memory of 1668	3804	Ddmaok32.exe	84
PID 3804 wrote to memory of 1668	3804	Ddmaok32.exe	84
PID 1668 wrote to memory of 744	1668	Djgjlelk.exe	85
PID 1668 wrote to memory of 744	1668	Djgjlelk.exe	85
PID 1668 wrote to memory of 744	1668	Djgjlelk.exe	85
PID 744 wrote to memory of 3908	744	Delnin32.exe	86
PID 744 wrote to memory of 3908	744	Delnin32.exe	86
PID 744 wrote to memory of 3908	744	Delnin32.exe	86
PID 3908 wrote to memory of 1232	3908	Dkifae32.exe	87
PID 3908 wrote to memory of 1232	3908	Dkifae32.exe	87
PID 3908 wrote to memory of 1232	3908	Dkifae32.exe	87
PID 1232 wrote to memory of 2432	1232	Dmgbnq32.exe	88
PID 1232 wrote to memory of 2432	1232	Dmgbnq32.exe	88
PID 1232 wrote to memory of 2432	1232	Dmgbnq32.exe	88
PID 2432 wrote to memory of 1340	2432	Dhmgki32.exe	89
PID 2432 wrote to memory of 1340	2432	Dhmgki32.exe	89
PID 2432 wrote to memory of 1340	2432	Dhmgki32.exe	89
PID 1340 wrote to memory of 552	1340	Dogogcpo.exe	90
PID 1340 wrote to memory of 552	1340	Dogogcpo.exe	90
PID 1340 wrote to memory of 552	1340	Dogogcpo.exe	90
PID 552 wrote to memory of 4244	552	Deagdn32.exe	91
PID 552 wrote to memory of 4244	552	Deagdn32.exe	91
PID 552 wrote to memory of 4244	552	Deagdn32.exe	91
PID 4244 wrote to memory of 2436	4244	Dddhpjof.exe	92
PID 4244 wrote to memory of 2436	4244	Dddhpjof.exe	92
PID 4244 wrote to memory of 2436	4244	Dddhpjof.exe	92

C:\Users\Admin\AppData\Local\Temp\7fc70a41586a3daf5351d92e32ddebe50c65ad1d4664a918305e7320e1d64bcd.exe
"C:\Users\Admin\AppData\Local\Temp\7fc70a41586a3daf5351d92e32ddebe50c65ad1d4664a918305e7320e1d64bcd.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4884
- C:\Windows\SysWOW64\Ddmaok32.exe
  C:\Windows\system32\Ddmaok32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3804
- - C:\Windows\SysWOW64\Djgjlelk.exe
    C:\Windows\system32\Djgjlelk.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1668
  - - C:\Windows\SysWOW64\Delnin32.exe
      C:\Windows\system32\Delnin32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:744
    - - C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3908
      - C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1232
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2432
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1340
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:552
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4244
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2436
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2436 -s 416
        12⤵
        Program crash
        
        PID:2848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2436 -ip 2436
1⤵
PID:412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Dddhpjof.exe

Filesize
192KB

MD5
95038d12249e18fd5e1957dcfc845458

SHA1
3a9757f0ad9ab9106621c6311002f6497b28dc8d

SHA256
02fa625c52b87d62c7f64a2c77077d7673fde15e7428b664d4bcf28a11ad0a6f

SHA512
ab371b8e9a66b2ab660a7a9e1a1cfd721a00f26788f6724026e2e4ca116b57e89c8cf34bd57747ace6c374079b5475095a1bf3fa4d160c23d35532af3ba10105

Download Submit
C:\Windows\SysWOW64\Ddmaok32.exe

Filesize
192KB

MD5
bcbb090deecd14ed6c9be42d2bd40ea5

SHA1
8be825d555549c1a19f74396a48c3a448d577479

SHA256
df6044001bfed3a6ca08c04dc094eaecfdcbb93c339f4051ff17d1e5f626be99

SHA512
50f4b6825e0bc2ce0608205e66b75174f9a356d1019af5f3d4a61373d18ba7597135be7c8408a03f6bc583e18be4574f6c141e8d672e9cae9f054923dcdb03f7

Download Submit
C:\Windows\SysWOW64\Deagdn32.exe

Filesize
192KB

MD5
91c7e8450459460784e7b97b78b5d2c4

SHA1
4d0d22eb843cd1e63ad2028b4b14bd7898b7a2ed

SHA256
2112c79b3913ff462d7ff22cc06b1a34151c3010d8b3568453a3a1e72371336b

SHA512
19e9a9a02bebc908417a1cf205484008f1d873e35c7782f18f593cebad71d9e89f5f9dd04b4a63ad6e043f110b83e0e1eeba01453f6679a91dc496c0696484cb

Download Submit
C:\Windows\SysWOW64\Delnin32.exe

Filesize
192KB

MD5
59db680be400888ab2f342caa0d90ff2

SHA1
2852566ae06a49d5b322e39f81207f2a8023445e

SHA256
6e724ba2206e879dafc761a064d536f708cf20d8432a633e4db65bbf3340dcaa

SHA512
72f24a014612dba4d50d4cf21f52f68d909d02136cb92f5ae7cb9386520b12669767368d2bed63f5b6c62bf07d41b787144eb45ea837b8c108d556692892cec3

Download Submit
C:\Windows\SysWOW64\Dhmgki32.exe

Filesize
192KB

MD5
04897a118eede85927984130e5dd557e

SHA1
9666229b95b88241a5a6f2538d27a44c3438ca3d

SHA256
882e63de54f662371a8e49cec9d51b3a1ad24916b9da4e073deefd844a9696b1

SHA512
ddd9760f17a98d67b6cae430b57da45a0021316c5c16a61bdfc842ac143f191657e871d192215cc21a4f296c4a856e2f7ef05d16f48804730bf592bde5af2d38

Download Submit
C:\Windows\SysWOW64\Djgjlelk.exe

Filesize
192KB

MD5
a1bc9cadf0106452294ab8bb38b1ef00

SHA1
37ab4f4a9e0c30db182d3b8a2e5d152b0810f90d

SHA256
9e992a7a25f22f59dee873e23a8603ce3088492e0bfb6ca056763024416424d1

SHA512
3836ad60501f35eb9fb572069b70648a55fa2336e8c43d234f14ff68f973bc66efae78cf1b1d5ccd50f0b30e02a107125a3104bacaf307fdf62c485a4bef2950

Download Submit
C:\Windows\SysWOW64\Dkifae32.exe

Filesize
192KB

MD5
718549dd28c76dc15935ba066de08fba

SHA1
f660c10738370a5d7b08f053f8fc391be46b3ca1

SHA256
105f4f586cc7f8ec93bd754556ca0ee0b8d6ad5fae83013f8aa9adc9b8845351

SHA512
fa778662827cc91bfa08214b8b3d9605ad4fd3a837cd2a8917dea95189e1edac123187e181f817c46d1dd002c063fb391a2447fe2d7750b4f7aa9e5393ff9e26

Download Submit
C:\Windows\SysWOW64\Dmgbnq32.exe

Filesize
192KB

MD5
92654e1e829134196df1edd2728cac8a

SHA1
798d75d2808adf70b88f556df7ec507139f3a88e

SHA256
63f7229f6947261e7a70017b1035c5ad33406433802aedbc80732e4bd49df4e5

SHA512
237196c10d33f65947d3d0c89d48e6b052ffdb9b597223ef749c1a300dea5b2999d5b172068ebac1d2e516b9de9f45b9f75c42fd4d225eadceb9447756cd3c0a

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
128KB

MD5
56a7b5d920807fede3c257632501db34

SHA1
0868aea512d59586f5fe2a86061b0057919ca83a

SHA256
005388c9dbdf1e0541a819b5b1a6547a97d1cc0bfb49011d278684362ef7a66f

SHA512
eabef905833a653ff295dc8ea20d653341e5fdae63fd44f44806c503246364157f7ea33a82fbc78dc86f06119129992e3fa9befbed33cdb830997df8e612e3a8

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
192KB

MD5
36643fc0037c52ce4837daff1c03cc63

SHA1
d7b8c432d683496fed8c02dbef4b40cac4461e9e

SHA256
60d61ca11af087be29a5fcd1f70887a3ed87b33fe4af53f1bcfeccaea45128ed

SHA512
a39964e11697d2cb1a66e21dccb90624f7883418a27ada75d64323e6b03ac8db9780924ffd3c874fbc3e903ea34a0f5fa0761213c477b8f23d9810976b55e123

Download Submit
C:\Windows\SysWOW64\Dogogcpo.exe

Filesize
192KB

MD5
ea5a3ce1d582cd80675499c2171a11cf

SHA1
77e952ada8379b743d7357c3c2f6e147ae231fb8

SHA256
58d7b81911c8fbb09944833952a2db723dbc0a6f15f97b426ebb93016153faf0

SHA512
2b78e1ff58e8d271fb7a99ca4050e3d8c2274daff1f260e5ff32799fbaa1776040cdffb55dc59acc7ebba12a27e8822709b0ba02db48f00aa16919c873ff2afb

Download Submit
C:\Windows\SysWOW64\Ihidnp32.dll

Filesize
7KB

MD5
28df198c649799b6e5afcc8168bac965

SHA1
aa422926d1c83c269b39892c7cc46309f708d004

SHA256
ebafd16cbc01a8502c3fa7fbaaee8e49c2d1845a3ba4ae2b73dfa08712429ed7

SHA512
c2cd0b6f4e0a8c861811dbd478bce1a4e7fcec4e158a5505e1022c2f3dd2eeab367a7c208d6b8541ae7ed4dc1b545660e2dc3807570d6df0482d03400192f202

Download Submit
memory/552-68-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/744-23-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/744-88-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1232-86-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1232-39-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1340-55-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1340-85-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1668-15-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1668-90-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2432-47-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2432-84-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2436-82-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2436-80-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3804-89-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3804-7-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3908-87-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3908-31-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4244-83-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4244-71-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4884-0-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4884-79-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads