berbew | a53dbd15d53bc25a4ef842335a8155af35c46b115bc663f9d87d41b163152bef

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
08-12-2024 01:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a53dbd15d53bc25a4ef842335a8155af35c46b115bc663f9d87d41b163152bef.exe
Size

1.3MB
MD5

d84f06ee32dc26c8f7df4195b7a0a7d0
SHA1

761fb12befa7ed0eb0eed0d94180e4bcf321abd5
SHA256

a53dbd15d53bc25a4ef842335a8155af35c46b115bc663f9d87d41b163152bef
SHA512

357f365335fcc4062f1e1fa138256ddf01f3c2fc9511525f53378ceeb7ff187bd9b90073f8bc1a46c21b8533b5d7d8099c89d3fa4705f0ad17dab2de94a20a2d
SSDEEP

6144:UWMzoLn+E5ZC2npb+oB+Zz2HG8t0DoEWufVuvw0HBHY8rQ+6bPD3wPSk8ymL2MTb:U6L+Abaz22cWfVaw0HBHY8r8ABjMn

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 20 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ifolhann.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iogpag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iogpag32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kfaalh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kfaalh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Libjncnc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijcngenj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ijcngenj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kidjdpie.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Koflgf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lplbjm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	a53dbd15d53bc25a4ef842335a8155af35c46b115bc663f9d87d41b163152bef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	a53dbd15d53bc25a4ef842335a8155af35c46b115bc663f9d87d41b163152bef.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ifolhann.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kidjdpie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lplbjm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jcqlkjae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jcqlkjae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Koflgf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Libjncnc.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 10 IoCs

pid	Process
2512	Ifolhann.exe
3036	Iogpag32.exe
2748	Ijcngenj.exe
2816	Jcqlkjae.exe
2464	Kidjdpie.exe
2844	Koflgf32.exe
2680	Kfaalh32.exe
2712	Libjncnc.exe
2224	Lplbjm32.exe
2176	Lbjofi32.exe

Loads dropped DLL 24 IoCs

pid	Process
2156	a53dbd15d53bc25a4ef842335a8155af35c46b115bc663f9d87d41b163152bef.exe
2156	a53dbd15d53bc25a4ef842335a8155af35c46b115bc663f9d87d41b163152bef.exe
2512	Ifolhann.exe
2512	Ifolhann.exe
3036	Iogpag32.exe
3036	Iogpag32.exe
2748	Ijcngenj.exe
2748	Ijcngenj.exe
2816	Jcqlkjae.exe
2816	Jcqlkjae.exe
2464	Kidjdpie.exe
2464	Kidjdpie.exe
2844	Koflgf32.exe
2844	Koflgf32.exe
2680	Kfaalh32.exe
2680	Kfaalh32.exe
2712	Libjncnc.exe
2712	Libjncnc.exe
2224	Lplbjm32.exe
2224	Lplbjm32.exe
2200	WerFault.exe
2200	WerFault.exe
2200	WerFault.exe
2200	WerFault.exe

Drops file in System32 directory 30 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Libjncnc.exe	Kfaalh32.exe
File opened for modification	C:\Windows\SysWOW64\Kfaalh32.exe	Koflgf32.exe
File created	C:\Windows\SysWOW64\Kndkfpje.dll	Ifolhann.exe
File created	C:\Windows\SysWOW64\Kfaalh32.exe	Koflgf32.exe
File created	C:\Windows\SysWOW64\Iogpag32.exe	Ifolhann.exe
File created	C:\Windows\SysWOW64\Pehbqi32.dll	Kidjdpie.exe
File created	C:\Windows\SysWOW64\Libjncnc.exe	Kfaalh32.exe
File opened for modification	C:\Windows\SysWOW64\Lplbjm32.exe	Libjncnc.exe
File opened for modification	C:\Windows\SysWOW64\Koflgf32.exe	Kidjdpie.exe
File created	C:\Windows\SysWOW64\Lbjofi32.exe	Lplbjm32.exe
File created	C:\Windows\SysWOW64\Ipbkjl32.dll	Kfaalh32.exe
File created	C:\Windows\SysWOW64\Kidjdpie.exe	Jcqlkjae.exe
File created	C:\Windows\SysWOW64\Phblkn32.dll	Koflgf32.exe
File created	C:\Windows\SysWOW64\Lplbjm32.exe	Libjncnc.exe
File created	C:\Windows\SysWOW64\Jcqlkjae.exe	Ijcngenj.exe
File created	C:\Windows\SysWOW64\Ffdmihcc.dll	a53dbd15d53bc25a4ef842335a8155af35c46b115bc663f9d87d41b163152bef.exe
File opened for modification	C:\Windows\SysWOW64\Iogpag32.exe	Ifolhann.exe
File opened for modification	C:\Windows\SysWOW64\Ijcngenj.exe	Iogpag32.exe
File created	C:\Windows\SysWOW64\Koflgf32.exe	Kidjdpie.exe
File created	C:\Windows\SysWOW64\Ifolhann.exe	a53dbd15d53bc25a4ef842335a8155af35c46b115bc663f9d87d41b163152bef.exe
File created	C:\Windows\SysWOW64\Dlcdel32.dll	Libjncnc.exe
File opened for modification	C:\Windows\SysWOW64\Ifolhann.exe	a53dbd15d53bc25a4ef842335a8155af35c46b115bc663f9d87d41b163152bef.exe
File created	C:\Windows\SysWOW64\Diodocki.dll	Iogpag32.exe
File opened for modification	C:\Windows\SysWOW64\Jcqlkjae.exe	Ijcngenj.exe
File created	C:\Windows\SysWOW64\Cmojeo32.dll	Ijcngenj.exe
File opened for modification	C:\Windows\SysWOW64\Kidjdpie.exe	Jcqlkjae.exe
File created	C:\Windows\SysWOW64\Aiomcb32.dll	Jcqlkjae.exe
File opened for modification	C:\Windows\SysWOW64\Lbjofi32.exe	Lplbjm32.exe
File created	C:\Windows\SysWOW64\Ipafocdg.dll	Lplbjm32.exe
File created	C:\Windows\SysWOW64\Ijcngenj.exe	Iogpag32.exe

Program crash 1 IoCs

pid	pid_target	Process
2200	2176	WerFault.exe

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a53dbd15d53bc25a4ef842335a8155af35c46b115bc663f9d87d41b163152bef.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ifolhann.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ijcngenj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jcqlkjae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kidjdpie.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Koflgf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kfaalh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lplbjm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbjofi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iogpag32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Libjncnc.exe

Modifies registry class 33 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ifolhann.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Iogpag32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ijcngenj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffdmihcc.dll"	a53dbd15d53bc25a4ef842335a8155af35c46b115bc663f9d87d41b163152bef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ifolhann.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ijcngenj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aiomcb32.dll"	Jcqlkjae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Koflgf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	a53dbd15d53bc25a4ef842335a8155af35c46b115bc663f9d87d41b163152bef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	a53dbd15d53bc25a4ef842335a8155af35c46b115bc663f9d87d41b163152bef.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lplbjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lplbjm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	a53dbd15d53bc25a4ef842335a8155af35c46b115bc663f9d87d41b163152bef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phblkn32.dll"	Koflgf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kfaalh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlcdel32.dll"	Libjncnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipafocdg.dll"	Lplbjm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	a53dbd15d53bc25a4ef842335a8155af35c46b115bc663f9d87d41b163152bef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kidjdpie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Koflgf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jcqlkjae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Iogpag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kfaalh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kndkfpje.dll"	Ifolhann.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pehbqi32.dll"	Kidjdpie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipbkjl32.dll"	Kfaalh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Libjncnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Diodocki.dll"	Iogpag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmojeo32.dll"	Ijcngenj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jcqlkjae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kidjdpie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Libjncnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	a53dbd15d53bc25a4ef842335a8155af35c46b115bc663f9d87d41b163152bef.exe

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 2156 wrote to memory of 2512	2156	a53dbd15d53bc25a4ef842335a8155af35c46b115bc663f9d87d41b163152bef.exe	30
PID 2156 wrote to memory of 2512	2156	a53dbd15d53bc25a4ef842335a8155af35c46b115bc663f9d87d41b163152bef.exe	30
PID 2156 wrote to memory of 2512	2156	a53dbd15d53bc25a4ef842335a8155af35c46b115bc663f9d87d41b163152bef.exe	30
PID 2156 wrote to memory of 2512	2156	a53dbd15d53bc25a4ef842335a8155af35c46b115bc663f9d87d41b163152bef.exe	30
PID 2512 wrote to memory of 3036	2512	Ifolhann.exe	31
PID 2512 wrote to memory of 3036	2512	Ifolhann.exe	31
PID 2512 wrote to memory of 3036	2512	Ifolhann.exe	31
PID 2512 wrote to memory of 3036	2512	Ifolhann.exe	31
PID 3036 wrote to memory of 2748	3036	Iogpag32.exe	32
PID 3036 wrote to memory of 2748	3036	Iogpag32.exe	32
PID 3036 wrote to memory of 2748	3036	Iogpag32.exe	32
PID 3036 wrote to memory of 2748	3036	Iogpag32.exe	32
PID 2748 wrote to memory of 2816	2748	Ijcngenj.exe	33
PID 2748 wrote to memory of 2816	2748	Ijcngenj.exe	33
PID 2748 wrote to memory of 2816	2748	Ijcngenj.exe	33
PID 2748 wrote to memory of 2816	2748	Ijcngenj.exe	33
PID 2816 wrote to memory of 2464	2816	Jcqlkjae.exe	34
PID 2816 wrote to memory of 2464	2816	Jcqlkjae.exe	34
PID 2816 wrote to memory of 2464	2816	Jcqlkjae.exe	34
PID 2816 wrote to memory of 2464	2816	Jcqlkjae.exe	34
PID 2464 wrote to memory of 2844	2464	Kidjdpie.exe	35
PID 2464 wrote to memory of 2844	2464	Kidjdpie.exe	35
PID 2464 wrote to memory of 2844	2464	Kidjdpie.exe	35
PID 2464 wrote to memory of 2844	2464	Kidjdpie.exe	35
PID 2844 wrote to memory of 2680	2844	Koflgf32.exe	36
PID 2844 wrote to memory of 2680	2844	Koflgf32.exe	36
PID 2844 wrote to memory of 2680	2844	Koflgf32.exe	36
PID 2844 wrote to memory of 2680	2844	Koflgf32.exe	36
PID 2680 wrote to memory of 2712	2680	Kfaalh32.exe	37
PID 2680 wrote to memory of 2712	2680	Kfaalh32.exe	37
PID 2680 wrote to memory of 2712	2680	Kfaalh32.exe	37
PID 2680 wrote to memory of 2712	2680	Kfaalh32.exe	37
PID 2712 wrote to memory of 2224	2712	Libjncnc.exe	38
PID 2712 wrote to memory of 2224	2712	Libjncnc.exe	38
PID 2712 wrote to memory of 2224	2712	Libjncnc.exe	38
PID 2712 wrote to memory of 2224	2712	Libjncnc.exe	38
PID 2224 wrote to memory of 2176	2224	Lplbjm32.exe	39
PID 2224 wrote to memory of 2176	2224	Lplbjm32.exe	39
PID 2224 wrote to memory of 2176	2224	Lplbjm32.exe	39
PID 2224 wrote to memory of 2176	2224	Lplbjm32.exe	39
PID 2176 wrote to memory of 2200	2176	Lbjofi32.exe	40
PID 2176 wrote to memory of 2200	2176	Lbjofi32.exe	40
PID 2176 wrote to memory of 2200	2176	Lbjofi32.exe	40
PID 2176 wrote to memory of 2200	2176	Lbjofi32.exe	40

C:\Users\Admin\AppData\Local\Temp\a53dbd15d53bc25a4ef842335a8155af35c46b115bc663f9d87d41b163152bef.exe
"C:\Users\Admin\AppData\Local\Temp\a53dbd15d53bc25a4ef842335a8155af35c46b115bc663f9d87d41b163152bef.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2156
- C:\Windows\SysWOW64\Ifolhann.exe
  C:\Windows\system32\Ifolhann.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2512
- - C:\Windows\SysWOW64\Iogpag32.exe
    C:\Windows\system32\Iogpag32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3036
  - - C:\Windows\SysWOW64\Ijcngenj.exe
      C:\Windows\system32\Ijcngenj.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2748
    - - C:\Windows\SysWOW64\Jcqlkjae.exe
        
        C:\Windows\system32\Jcqlkjae.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2816
      - C:\Windows\SysWOW64\Kidjdpie.exe
        
        C:\Windows\system32\Kidjdpie.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2464
        
        C:\Windows\SysWOW64\Koflgf32.exe
        
        C:\Windows\system32\Koflgf32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2844
        
        C:\Windows\SysWOW64\Kfaalh32.exe
        
        C:\Windows\system32\Kfaalh32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2680
        
        C:\Windows\SysWOW64\Libjncnc.exe
        
        C:\Windows\system32\Libjncnc.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2712
        
        C:\Windows\SysWOW64\Lplbjm32.exe
        
        C:\Windows\system32\Lplbjm32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2224
        
        C:\Windows\SysWOW64\Lbjofi32.exe
        
        C:\Windows\system32\Lbjofi32.exe
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2176
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2176 -s 140
        12⤵
        Loads dropped DLL
        Program crash
        
        PID:2200

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aiomcb32.dll

Filesize
7KB

MD5
b37e3f2e567548bb11a51c48646e8996

SHA1
f732f094e6acf60c68932f2058c9ca60ffeafc89

SHA256
53e9eee9a0c5a66bce44e9cde24199c3d44304532ea87a4e8e68e7f25fb67b55

SHA512
473ad9f83e5cf9f4a20518305122124e616b13850316b6aeb05b8f03506da005fafeaff43e1de0103d5ba8408375a172dad4ec17f947509d5ff07732a367c3f5

Download Submit
C:\Windows\SysWOW64\Kfaalh32.exe

Filesize
1.3MB

MD5
e2525ab184daf0715a2476deb2fb9733

SHA1
30ac0c1cef89adca35da209e36f73bf9715ffd22

SHA256
b1787009ab2037f54ea2069a30caadb76fa7109628ebc7105d79760cb59995d0

SHA512
6f31902c615b76ab5835f0ebaca2010242160fbadad2703d4e9892c63f1491a2e53afcdb78317c8b94554ade17eaacbc6b352316d614ca14887bc732606c0818

Download Submit
C:\Windows\SysWOW64\Koflgf32.exe

Filesize
1.3MB

MD5
2c4eaebd14d444d7756edefd90375b7f

SHA1
044289db8ec59201ecc463628c3bdb9ea9a0e766

SHA256
fcadf20829bf33c186b70abdbefbfb8e9a74fc2cfe7968e371d95deca07596c2

SHA512
23630345d6a09d2be84e482f1f9312efd751ae0a33efe82745363afd022dbfb0a59d25b59ef6cdf264c02f624465c7490dfa5f9557428b859502b767b58f48ad

Download Submit
C:\Windows\SysWOW64\Lbjofi32.exe

Filesize
1.3MB

MD5
2499bcf68309d5f67ac9c06819f6b53a

SHA1
9d490cc8c860fe08b55c183599b2aef2480d7157

SHA256
d9da0e46145bf78f8c49d29f432dbe17831a02612c06ae47b3ed3f3b26b018c5

SHA512
f9352304061ee785798302c7b1d51602a10a11df8aa9bfc63967039fb7597fa7791af86ea78d8b7d5aad8ecf89a96a288d683cb10cf03519ae410f8df656faed

Download Submit
C:\Windows\SysWOW64\Lplbjm32.exe

Filesize
1.3MB

MD5
b0e5f06209bf608763b3fb64f4a492e8

SHA1
4ce6649ac5bf5df8ab8bdd348ebb6c523ab4b4c9

SHA256
c1b4e07e21a319da96f1c72eef8293c1778997cb5c6f2ab9fda18b47223474ee

SHA512
db6d5c7d2084a360e99f03993a9792a7f9751b68a0dcd4012970d99b055e86090aabde8ab5208e6cb67bfd2a68376f043ad36f71ab8611adc62545aa20483827

Download Submit
\Windows\SysWOW64\Ifolhann.exe

Filesize
1.3MB

MD5
c0450ce48258669b230b8f076c58baa3

SHA1
a21cb56bf7cd2a33914bbb80857107029ae10a4c

SHA256
bfff0618147de2321119f69d78202cadcbae9bae041b5ae79784c31a49768d9d

SHA512
23d2aee10edd751088f67cd269d1df1b360abbc61f46115054684b29dea2bd79775199e43cb09e92a132d5853188968f6fadd3d9f9b85969d01ac7dd7d330d6e

Download Submit
\Windows\SysWOW64\Ijcngenj.exe

Filesize
1.3MB

MD5
e888071d39543da232e23e68f3c4cfd1

SHA1
1f1ab3b5c40dc1c3290ff214ea52ad16566a67d2

SHA256
be6ffe3d2cd4a37d7dcc48713d0f4aca4d55101640a9f4170b9e35fd5db26848

SHA512
29eb9d9a85bff1ce7f5d58480060c298b9b9645ff2c4c90cc0fa3602da08c0601541ecbd5e4423cd087758c41115437c46ddb7c8c795430073a9fb8cccc39c10

Download Submit
\Windows\SysWOW64\Iogpag32.exe

Filesize
1.3MB

MD5
a027ace5ce3c84a3aaa5305f5367ca9e

SHA1
38ef399449a5f7f6c20ad154f0dc3bc5ca599ba2

SHA256
0f2683962260e329c76b3a7fcf881dabee6f33d50576202a8bbd5e7c4fa70a65

SHA512
4f25292920100eb0c1108116f17aa12b27175b1b58a484db764aa06bb6d55a278cc820f8e986a64a38aa28076239ba73a53fd2dbc40a6de3e822ffedffe3c8d1

Download Submit
\Windows\SysWOW64\Jcqlkjae.exe

Filesize
1.3MB

MD5
1da92f82a934fdd124f19238f11d5120

SHA1
9bda3f39ea3db15c8763bd556eb1e55f0eec794f

SHA256
4c6f701df463babaa9b70b52e2818bb1bda746deca40c4443705ec09b3b204c3

SHA512
73e1fc35f2c81b81edcbdd9d059d12a1f25ee61b7da9fc62b061176e65d8dbd4e3056143358c14f7baa440ae2aeb832b19396e5d390cf283f70359592f94738f

Download Submit
\Windows\SysWOW64\Kidjdpie.exe

Filesize
1.3MB

MD5
00f688b2063a58bcfcdca1751b07aa90

SHA1
80bc765c417135f5aef4a79d1474178b1097600a

SHA256
29600a6d573706e633b368bf78e51434d691d5caf4d06bdfdcc01c40eb16c90a

SHA512
1ed5cac8a8325fde679305aa4b6a2e82e4c8cfad342ba68a3810cec929186015dcfe85afaa956aa74be9a47aa01b204c78278b4e115676a3de6de7dacc4bd57b

Download Submit
\Windows\SysWOW64\Libjncnc.exe

Filesize
1.3MB

MD5
3fa74d47c2729591e3ff20f819be3eb9

SHA1
7ffc9707a292a00c016cf3dbb97f669e9c1a09c5

SHA256
bde5dabcdac224a740655341d813c11f7e483094801a6306402460ffefd02e5e

SHA512
8268d0227b71583fb229694cc7d41c56d42c4e81b2635c7ba9f5906f527f666365aee85e68ada34e0e8e4f151a2d9df3df9adcd84342f3d3bc36c6720df32529

Download Submit
memory/2156-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2156-11-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/2156-153-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2156-12-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/2176-136-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2224-124-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2224-143-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2464-81-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2464-146-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2512-19-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2512-22-0x0000000000290000-0x00000000002C4000-memory.dmp

Filesize
208KB

Download
memory/2680-96-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2680-145-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2680-113-0x00000000002E0000-0x0000000000314000-memory.dmp

Filesize
208KB

Download
memory/2712-115-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2748-50-0x0000000000290000-0x00000000002C4000-memory.dmp

Filesize
208KB

Download
memory/2748-47-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2816-144-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2816-63-0x0000000000340000-0x0000000000374000-memory.dmp

Filesize
208KB

Download
memory/2844-95-0x0000000000300000-0x0000000000334000-memory.dmp

Filesize
208KB

Download
memory/2844-147-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2844-82-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3036-149-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3036-28-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3036-35-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads