berbew | 9390149c7d1bd54c044a1d60b8ca67e40eef5e6f40982eeb5bf07aab2e92f4ac

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
08-12-2024 01:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9390149c7d1bd54c044a1d60b8ca67e40eef5e6f40982eeb5bf07aab2e92f4ac.exe
Size

548KB
MD5

bb5b6054ff70e4cccd7fbf0ac1b19b05
SHA1

26d6cc057a189668b485e735f050aa7dd37a7de6
SHA256

9390149c7d1bd54c044a1d60b8ca67e40eef5e6f40982eeb5bf07aab2e92f4ac
SHA512

0350ae496a048143230f769fa24dd926b030510a72a9b01d7f8475a541243564dbf75949091faa252bc62cde9571d06d39d9eb893e7c9d609fe3a6d17643d893
SSDEEP

12288:ZvW6IveDVqvQ6IvBaSHaMaZRBEYyqmaf2qwiHPKgRC4gvGZ+C8lM1:gq5htaSHFaZRBEYyqmaf2qwiHPKgRC45

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgcnahoo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldgnklmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldgnklmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Leikbd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Llbconkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Llbconkd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkjmfjmi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	9390149c7d1bd54c044a1d60b8ca67e40eef5e6f40982eeb5bf07aab2e92f4ac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkojbf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcmklh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liipnb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkojbf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Leikbd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcmklh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lhiddoph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Liipnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkjmfjmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	9390149c7d1bd54c044a1d60b8ca67e40eef5e6f40982eeb5bf07aab2e92f4ac.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgcnahoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lhiddoph.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcohahpn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcohahpn.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 11 IoCs

pid	Process
2824	Kgcnahoo.exe
2184	Kkojbf32.exe
2744	Ldgnklmi.exe
2796	Leikbd32.exe
780	Llbconkd.exe
2732	Lcmklh32.exe
2980	Lhiddoph.exe
2912	Lcohahpn.exe
2740	Liipnb32.exe
2424	Lkjmfjmi.exe
1320	Lepaccmo.exe

Loads dropped DLL 26 IoCs

pid	Process
2380	9390149c7d1bd54c044a1d60b8ca67e40eef5e6f40982eeb5bf07aab2e92f4ac.exe
2380	9390149c7d1bd54c044a1d60b8ca67e40eef5e6f40982eeb5bf07aab2e92f4ac.exe
2824	Kgcnahoo.exe
2824	Kgcnahoo.exe
2184	Kkojbf32.exe
2184	Kkojbf32.exe
2744	Ldgnklmi.exe
2744	Ldgnklmi.exe
2796	Leikbd32.exe
2796	Leikbd32.exe
780	Llbconkd.exe
780	Llbconkd.exe
2732	Lcmklh32.exe
2732	Lcmklh32.exe
2980	Lhiddoph.exe
2980	Lhiddoph.exe
2912	Lcohahpn.exe
2912	Lcohahpn.exe
2740	Liipnb32.exe
2740	Liipnb32.exe
2424	Lkjmfjmi.exe
2424	Lkjmfjmi.exe
2420	WerFault.exe
2420	WerFault.exe
2420	WerFault.exe
2420	WerFault.exe

Drops file in System32 directory 33 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Iaimld32.dll	Lcohahpn.exe
File created	C:\Windows\SysWOW64\Oldhgaef.dll	Lkjmfjmi.exe
File created	C:\Windows\SysWOW64\Pgodelnq.dll	9390149c7d1bd54c044a1d60b8ca67e40eef5e6f40982eeb5bf07aab2e92f4ac.exe
File created	C:\Windows\SysWOW64\Kkojbf32.exe	Kgcnahoo.exe
File opened for modification	C:\Windows\SysWOW64\Lhiddoph.exe	Lcmklh32.exe
File opened for modification	C:\Windows\SysWOW64\Liipnb32.exe	Lcohahpn.exe
File opened for modification	C:\Windows\SysWOW64\Kgcnahoo.exe	9390149c7d1bd54c044a1d60b8ca67e40eef5e6f40982eeb5bf07aab2e92f4ac.exe
File created	C:\Windows\SysWOW64\Hnanlhmd.dll	Llbconkd.exe
File opened for modification	C:\Windows\SysWOW64\Lcohahpn.exe	Lhiddoph.exe
File opened for modification	C:\Windows\SysWOW64\Ldgnklmi.exe	Kkojbf32.exe
File created	C:\Windows\SysWOW64\Lkjmfjmi.exe	Liipnb32.exe
File opened for modification	C:\Windows\SysWOW64\Leikbd32.exe	Ldgnklmi.exe
File created	C:\Windows\SysWOW64\Nmdeem32.dll	Lcmklh32.exe
File created	C:\Windows\SysWOW64\Llbconkd.exe	Leikbd32.exe
File created	C:\Windows\SysWOW64\Lcmklh32.exe	Llbconkd.exe
File created	C:\Windows\SysWOW64\Lhiddoph.exe	Lcmklh32.exe
File created	C:\Windows\SysWOW64\Iekhhnol.dll	Liipnb32.exe
File opened for modification	C:\Windows\SysWOW64\Lcmklh32.exe	Llbconkd.exe
File created	C:\Windows\SysWOW64\Annjfl32.dll	Lhiddoph.exe
File created	C:\Windows\SysWOW64\Liipnb32.exe	Lcohahpn.exe
File created	C:\Windows\SysWOW64\Kgcnahoo.exe	9390149c7d1bd54c044a1d60b8ca67e40eef5e6f40982eeb5bf07aab2e92f4ac.exe
File opened for modification	C:\Windows\SysWOW64\Kkojbf32.exe	Kgcnahoo.exe
File created	C:\Windows\SysWOW64\Gffdobll.dll	Kgcnahoo.exe
File created	C:\Windows\SysWOW64\Ldgnklmi.exe	Kkojbf32.exe
File created	C:\Windows\SysWOW64\Mcohhj32.dll	Ldgnklmi.exe
File opened for modification	C:\Windows\SysWOW64\Lepaccmo.exe	Lkjmfjmi.exe
File opened for modification	C:\Windows\SysWOW64\Lkjmfjmi.exe	Liipnb32.exe
File created	C:\Windows\SysWOW64\Lepaccmo.exe	Lkjmfjmi.exe
File created	C:\Windows\SysWOW64\Cbamip32.dll	Kkojbf32.exe
File created	C:\Windows\SysWOW64\Leikbd32.exe	Ldgnklmi.exe
File opened for modification	C:\Windows\SysWOW64\Llbconkd.exe	Leikbd32.exe
File created	C:\Windows\SysWOW64\Gcakqmpi.dll	Leikbd32.exe
File created	C:\Windows\SysWOW64\Lcohahpn.exe	Lhiddoph.exe

Program crash 1 IoCs

pid	pid_target	Process
2420	1320	WerFault.exe

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llbconkd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lhiddoph.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Liipnb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldgnklmi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Leikbd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kkojbf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lcmklh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lcohahpn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lkjmfjmi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lepaccmo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9390149c7d1bd54c044a1d60b8ca67e40eef5e6f40982eeb5bf07aab2e92f4ac.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kgcnahoo.exe

Modifies registry class 36 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldgnklmi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Leikbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcakqmpi.dll"	Leikbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iekhhnol.dll"	Liipnb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	9390149c7d1bd54c044a1d60b8ca67e40eef5e6f40982eeb5bf07aab2e92f4ac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kkojbf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lhiddoph.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcohahpn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Llbconkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Annjfl32.dll"	Lhiddoph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcmklh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lhiddoph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcohahpn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcmklh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmdeem32.dll"	Lcmklh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gffdobll.dll"	Kgcnahoo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kkojbf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldgnklmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oldhgaef.dll"	Lkjmfjmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lkjmfjmi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	9390149c7d1bd54c044a1d60b8ca67e40eef5e6f40982eeb5bf07aab2e92f4ac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	9390149c7d1bd54c044a1d60b8ca67e40eef5e6f40982eeb5bf07aab2e92f4ac.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lkjmfjmi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	9390149c7d1bd54c044a1d60b8ca67e40eef5e6f40982eeb5bf07aab2e92f4ac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mcohhj32.dll"	Ldgnklmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbamip32.dll"	Kkojbf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Liipnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Liipnb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	9390149c7d1bd54c044a1d60b8ca67e40eef5e6f40982eeb5bf07aab2e92f4ac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pgodelnq.dll"	9390149c7d1bd54c044a1d60b8ca67e40eef5e6f40982eeb5bf07aab2e92f4ac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Leikbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnanlhmd.dll"	Llbconkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Llbconkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iaimld32.dll"	Lcohahpn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kgcnahoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kgcnahoo.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 2380 wrote to memory of 2824	2380	9390149c7d1bd54c044a1d60b8ca67e40eef5e6f40982eeb5bf07aab2e92f4ac.exe	31
PID 2380 wrote to memory of 2824	2380	9390149c7d1bd54c044a1d60b8ca67e40eef5e6f40982eeb5bf07aab2e92f4ac.exe	31
PID 2380 wrote to memory of 2824	2380	9390149c7d1bd54c044a1d60b8ca67e40eef5e6f40982eeb5bf07aab2e92f4ac.exe	31
PID 2380 wrote to memory of 2824	2380	9390149c7d1bd54c044a1d60b8ca67e40eef5e6f40982eeb5bf07aab2e92f4ac.exe	31
PID 2824 wrote to memory of 2184	2824	Kgcnahoo.exe	32
PID 2824 wrote to memory of 2184	2824	Kgcnahoo.exe	32
PID 2824 wrote to memory of 2184	2824	Kgcnahoo.exe	32
PID 2824 wrote to memory of 2184	2824	Kgcnahoo.exe	32
PID 2184 wrote to memory of 2744	2184	Kkojbf32.exe	33
PID 2184 wrote to memory of 2744	2184	Kkojbf32.exe	33
PID 2184 wrote to memory of 2744	2184	Kkojbf32.exe	33
PID 2184 wrote to memory of 2744	2184	Kkojbf32.exe	33
PID 2744 wrote to memory of 2796	2744	Ldgnklmi.exe	34
PID 2744 wrote to memory of 2796	2744	Ldgnklmi.exe	34
PID 2744 wrote to memory of 2796	2744	Ldgnklmi.exe	34
PID 2744 wrote to memory of 2796	2744	Ldgnklmi.exe	34
PID 2796 wrote to memory of 780	2796	Leikbd32.exe	35
PID 2796 wrote to memory of 780	2796	Leikbd32.exe	35
PID 2796 wrote to memory of 780	2796	Leikbd32.exe	35
PID 2796 wrote to memory of 780	2796	Leikbd32.exe	35
PID 780 wrote to memory of 2732	780	Llbconkd.exe	36
PID 780 wrote to memory of 2732	780	Llbconkd.exe	36
PID 780 wrote to memory of 2732	780	Llbconkd.exe	36
PID 780 wrote to memory of 2732	780	Llbconkd.exe	36
PID 2732 wrote to memory of 2980	2732	Lcmklh32.exe	37
PID 2732 wrote to memory of 2980	2732	Lcmklh32.exe	37
PID 2732 wrote to memory of 2980	2732	Lcmklh32.exe	37
PID 2732 wrote to memory of 2980	2732	Lcmklh32.exe	37
PID 2980 wrote to memory of 2912	2980	Lhiddoph.exe	38
PID 2980 wrote to memory of 2912	2980	Lhiddoph.exe	38
PID 2980 wrote to memory of 2912	2980	Lhiddoph.exe	38
PID 2980 wrote to memory of 2912	2980	Lhiddoph.exe	38
PID 2912 wrote to memory of 2740	2912	Lcohahpn.exe	39
PID 2912 wrote to memory of 2740	2912	Lcohahpn.exe	39
PID 2912 wrote to memory of 2740	2912	Lcohahpn.exe	39
PID 2912 wrote to memory of 2740	2912	Lcohahpn.exe	39
PID 2740 wrote to memory of 2424	2740	Liipnb32.exe	40
PID 2740 wrote to memory of 2424	2740	Liipnb32.exe	40
PID 2740 wrote to memory of 2424	2740	Liipnb32.exe	40
PID 2740 wrote to memory of 2424	2740	Liipnb32.exe	40
PID 2424 wrote to memory of 1320	2424	Lkjmfjmi.exe	41
PID 2424 wrote to memory of 1320	2424	Lkjmfjmi.exe	41
PID 2424 wrote to memory of 1320	2424	Lkjmfjmi.exe	41
PID 2424 wrote to memory of 1320	2424	Lkjmfjmi.exe	41
PID 1320 wrote to memory of 2420	1320	Lepaccmo.exe	42
PID 1320 wrote to memory of 2420	1320	Lepaccmo.exe	42
PID 1320 wrote to memory of 2420	1320	Lepaccmo.exe	42
PID 1320 wrote to memory of 2420	1320	Lepaccmo.exe	42

C:\Users\Admin\AppData\Local\Temp\9390149c7d1bd54c044a1d60b8ca67e40eef5e6f40982eeb5bf07aab2e92f4ac.exe
"C:\Users\Admin\AppData\Local\Temp\9390149c7d1bd54c044a1d60b8ca67e40eef5e6f40982eeb5bf07aab2e92f4ac.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2380
- C:\Windows\SysWOW64\Kgcnahoo.exe
  C:\Windows\system32\Kgcnahoo.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2824
- - C:\Windows\SysWOW64\Kkojbf32.exe
    C:\Windows\system32\Kkojbf32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2184
  - - C:\Windows\SysWOW64\Ldgnklmi.exe
      C:\Windows\system32\Ldgnklmi.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2744
    - - C:\Windows\SysWOW64\Leikbd32.exe
        
        C:\Windows\system32\Leikbd32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2796
      - C:\Windows\SysWOW64\Llbconkd.exe
        
        C:\Windows\system32\Llbconkd.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:780
        
        C:\Windows\SysWOW64\Lcmklh32.exe
        
        C:\Windows\system32\Lcmklh32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2732
        
        C:\Windows\SysWOW64\Lhiddoph.exe
        
        C:\Windows\system32\Lhiddoph.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2980
        
        C:\Windows\SysWOW64\Lcohahpn.exe
        
        C:\Windows\system32\Lcohahpn.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2912
        
        C:\Windows\SysWOW64\Liipnb32.exe
        
        C:\Windows\system32\Liipnb32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2740
        
        C:\Windows\SysWOW64\Lkjmfjmi.exe
        
        C:\Windows\system32\Lkjmfjmi.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2424
        
        C:\Windows\SysWOW64\Lepaccmo.exe
        
        C:\Windows\system32\Lepaccmo.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1320
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1320 -s 140
        13⤵
        Loads dropped DLL
        Program crash
        
        PID:2420

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Kkojbf32.exe

Filesize
548KB

MD5
67f736d385a8cd7dc05cfe491d1e328e

SHA1
76d97f46ed562c3430844c9f7fbeee2dab0a8c00

SHA256
72ecc09e4c9a3f3b25c77ba0886b660bf102dc6af0e4bd674289520755f08778

SHA512
7ec772b105a47cead3816886ef82c3dda6a6ce299a8927c89cc31a963cd8cfdc3d72c332a19505f4f0ebe37cc3b761b4ef757f69bf83ae87dab750dda53f710d

Download Submit
C:\Windows\SysWOW64\Lcmklh32.exe

Filesize
548KB

MD5
e60494ec12210b3cffd6ae701d39287e

SHA1
1f31cd2da0657311f4ca5ceda563a263e9b8485a

SHA256
bbe7e728f8ae6002840d131e01d1c928b6e7f1b4ff876a1ca4a50f67edce78fb

SHA512
659d3004be07725e007c0bcfc51bf06a64a9a32380713189296ee84411f4585cc36b63a5365371e7aa8d1a5d2e7f4f3f70c8fcadb180b1cd8c597d4e72ba49ea

Download Submit
C:\Windows\SysWOW64\Lcohahpn.exe

Filesize
548KB

MD5
98e460bed01e405b54ba9fd90e587735

SHA1
e4440c1e9a0d2519f2e8329190f786e461619835

SHA256
7da4beef458e65d435b2a09ac8ab91e71e8e5a8c1777cee22eb4a39f137a92c7

SHA512
99bc8a0d2b51ecf7bb18d4a3761d6ee7837f10e6446641c6c310bec66c085ed868cae6843123a2a80bf5121471f4f2935cd7c20461d53be3c6255614ca39b758

Download Submit
C:\Windows\SysWOW64\Ldgnklmi.exe

Filesize
548KB

MD5
5fbba40c9cb84b35d2f5326e5a7021f9

SHA1
dd807d6bb34f0ac24640899a9fe0dac49b53e181

SHA256
fd2f6bd2ae2f739bec1ab73dbda2672f7fdffaaf4baf9024cfc552a8bb3f0b17

SHA512
c71219bda051c123eda7acc1cdac5cf630b1a058a8da5115377212c79b49c8ee20a7492a850d080b0899b1923dad9b760f009b807296034f747310d8caf75b10

Download Submit
C:\Windows\SysWOW64\Leikbd32.exe

Filesize
548KB

MD5
e859a747e1ca44e5319293e44b68cefe

SHA1
1beb3bc89b293dcb5f0e564ca959260d53b16899

SHA256
6c9fca048da4833c4e648f10898414c50c9e0737d207b038b5c0629d2c8fef88

SHA512
8044d4cab38e5db312dcd468332c8e246fc1083d218acaa8808be2d1eb211c5032de79b15d17f7b66bbdc798dacd0902e316d1711e7fe8c27f571d7175fb1fe5

Download Submit
C:\Windows\SysWOW64\Lhiddoph.exe

Filesize
548KB

MD5
135a10c9876de68ab824814d00682bf0

SHA1
2ce6a2512f1f07f1a89103297bc5b68c161f8b77

SHA256
6fed72890d525355b7ceda953705901436192bde4303d153a384a19ccceedc2a

SHA512
c8fe88b674c0fdf45f8a2d1c369b252e82901d9297b583f4dc27272f90f4264795f3f02790244fdd0d462aeb3771339a9ce331bb7f309f686a3e5949f89b7d37

Download Submit
C:\Windows\SysWOW64\Liipnb32.exe

Filesize
548KB

MD5
4e2ba2f666489e7d0014a8c3f4d6f106

SHA1
f37dc8303cc481e2ae993d2eec43e500eb9f5dcd

SHA256
7b8f33a7cbc82dbe5ef700b3bd0f35243566a39b7051538527477715e8d50b0d

SHA512
44e0bd93a0367ce7ebe7ac7448fb013778271628a70f07b2946966bd3770db1ef22242484c37e673e5e26ee34ef5bfb77d3da814fae595fb15eb29d189520242

Download Submit
C:\Windows\SysWOW64\Lkjmfjmi.exe

Filesize
548KB

MD5
45ef3e20ed2fa61d20afdccfba975f6a

SHA1
94548bb9a99556153d171042cd7e8bdd13cdda93

SHA256
35d77591adf26daf267d809191df4317693d1376304a33b2e22684e0606ab930

SHA512
fb5ab973d35a90349cf9810bdd009f56e58faa5542006ab2422d7e05cb3d55aa9396c0d56ad65c84a89b6bbd9866577682b3448d58adb299360744e7e42b5515

Download Submit
C:\Windows\SysWOW64\Llbconkd.exe

Filesize
548KB

MD5
57ddd7140dd9cc0118bbfb8f6cd20727

SHA1
201ee5726be966165767159917f6657d1ac361d2

SHA256
29459e67cb492513b0a59905d18b3c6b1257dfd0eef4c167b3ddbc3ffa77d10b

SHA512
e223c363ad2f744a70169313a26ee07149bb5c532bf6a11a5f681b19e5e57a75f5d67a15ec673f969e767666ef58f1c169283d506d89cf99f9e68c6faf7f8177

Download Submit
\Windows\SysWOW64\Kgcnahoo.exe

Filesize
548KB

MD5
0b5121274627fe1ad6351f5935004af2

SHA1
5b3fe5dc877f5dd9e47027ddf5bf55310b54051b

SHA256
711a3dd85707f52305464cd9b06a3f83972cfb33bc0e5bfa2d73884db4d393ea

SHA512
9993a1dac7c60a52ffebe6d8b82737540700c58784bfc7cc2c4405f4816c924cafc5518d2449e4c64b74d20dce9f692151513673c14d4649a158c4e1cc6e3344

Download Submit
\Windows\SysWOW64\Lepaccmo.exe

Filesize
548KB

MD5
e6aa7d0b4d9716bfb16f53969c1e82bd

SHA1
ba2057824c5ea71ed7e4300debaee6f018f22de5

SHA256
984829754d737599aaf329487cc1877ef291116331081c4b8a61fa3c7948dad8

SHA512
99b06253ed4a0329050c997fb4743d810e92da2964d02def710ecb83d199adea83302d0c964a4134bf7003d738b8f085858a39f676b48d2008bd0df511e500a4

Download Submit
memory/780-173-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/780-71-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/780-84-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/1320-153-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2184-45-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/2184-33-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2380-13-0x0000000000280000-0x00000000002B3000-memory.dmp

Filesize
204KB

Download
memory/2380-12-0x0000000000280000-0x00000000002B3000-memory.dmp

Filesize
204KB

Download
memory/2380-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2380-179-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2424-160-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2424-143-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2424-152-0x0000000000270000-0x00000000002A3000-memory.dmp

Filesize
204KB

Download
memory/2732-85-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2732-98-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2732-172-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2740-139-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/2740-161-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2740-126-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2744-46-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2744-169-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2744-56-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/2796-57-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2796-70-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2796-168-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2824-14-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2824-176-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2824-32-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2912-115-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2912-125-0x0000000000270000-0x00000000002A3000-memory.dmp

Filesize
204KB

Download
memory/2912-164-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2980-165-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2980-99-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads