berbew | 0cfbe74729f81622000675d26bf02479a41b931f727465bba3ec6b136b65e398

Analysis

max time kernel
92s
max time network
93s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
08-12-2024 01:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0cfbe74729f81622000675d26bf02479a41b931f727465bba3ec6b136b65e398N.exe
Size

101KB
MD5

7d64766e8d1d12589111e82e3b01ad60
SHA1

3fe1fab564617ed9b1ec1ed81593cc3fe5229cd3
SHA256

0cfbe74729f81622000675d26bf02479a41b931f727465bba3ec6b136b65e398
SHA512

5b7c7071afe220de9a285e222d68d9cb760f6b2f90c37807c63ecdca3e3174c308437a64a96b1092699e0a6548d09e00de3a96dd604c53422dfb6e84fe8e878a
SSDEEP

3072:gDdQbTnRmFZuYVE2lduXqbyu0sY7q5AnrHY4vDX:i6mF432C853Anr44vDX

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://tat-neftbank.ru/kkq.php

http://tat-neftbank.ru/wcmd.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmefhako.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deokon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deokon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	0cfbe74729f81622000675d26bf02479a41b931f727465bba3ec6b136b65e398N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	0cfbe74729f81622000675d26bf02479a41b931f727465bba3ec6b136b65e398N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhkjej32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 11 IoCs

pid	Process
4848	Dmefhako.exe
2996	Ddonekbl.exe
3692	Dhkjej32.exe
3012	Dkifae32.exe
4620	Dodbbdbb.exe
456	Deokon32.exe
1044	Dkkcge32.exe
792	Dmjocp32.exe
1984	Deagdn32.exe
964	Dgbdlf32.exe
3236	Dmllipeg.exe

Drops file in System32 directory 33 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Dhkjej32.exe	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Dodbbdbb.exe	Dkifae32.exe
File opened for modification	C:\Windows\SysWOW64\Dodbbdbb.exe	Dkifae32.exe
File opened for modification	C:\Windows\SysWOW64\Dmjocp32.exe	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Kahdohfm.dll	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Dmefhako.exe	0cfbe74729f81622000675d26bf02479a41b931f727465bba3ec6b136b65e398N.exe
File created	C:\Windows\SysWOW64\Dkkcge32.exe	Deokon32.exe
File opened for modification	C:\Windows\SysWOW64\Dkkcge32.exe	Deokon32.exe
File created	C:\Windows\SysWOW64\Bobiobnp.dll	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Mjelcfha.dll	Dmefhako.exe
File created	C:\Windows\SysWOW64\Jbpbca32.dll	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Amfoeb32.dll	Dodbbdbb.exe
File opened for modification	C:\Windows\SysWOW64\Ddonekbl.exe	Dmefhako.exe
File created	C:\Windows\SysWOW64\Fnmnbf32.dll	Dkifae32.exe
File created	C:\Windows\SysWOW64\Pdheac32.dll	Dhkjej32.exe
File opened for modification	C:\Windows\SysWOW64\Dkifae32.exe	Dhkjej32.exe
File opened for modification	C:\Windows\SysWOW64\Deokon32.exe	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Dgbdlf32.exe	Deagdn32.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Gidbim32.dll	0cfbe74729f81622000675d26bf02479a41b931f727465bba3ec6b136b65e398N.exe
File created	C:\Windows\SysWOW64\Dkifae32.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Jcbdhp32.dll	Deokon32.exe
File opened for modification	C:\Windows\SysWOW64\Deagdn32.exe	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Gfghpl32.dll	Deagdn32.exe
File opened for modification	C:\Windows\SysWOW64\Dmefhako.exe	0cfbe74729f81622000675d26bf02479a41b931f727465bba3ec6b136b65e398N.exe
File created	C:\Windows\SysWOW64\Deokon32.exe	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Deagdn32.exe	Dmjocp32.exe
File opened for modification	C:\Windows\SysWOW64\Dgbdlf32.exe	Deagdn32.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dgbdlf32.exe
File opened for modification	C:\Windows\SysWOW64\Dhkjej32.exe	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Dmjocp32.exe	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Ddonekbl.exe	Dmefhako.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2928	3236	WerFault.exe	93

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0cfbe74729f81622000675d26bf02479a41b931f727465bba3ec6b136b65e398N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe

Modifies registry class 36 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	0cfbe74729f81622000675d26bf02479a41b931f727465bba3ec6b136b65e398N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gidbim32.dll"	0cfbe74729f81622000675d26bf02479a41b931f727465bba3ec6b136b65e398N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Deokon32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	0cfbe74729f81622000675d26bf02479a41b931f727465bba3ec6b136b65e398N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	0cfbe74729f81622000675d26bf02479a41b931f727465bba3ec6b136b65e398N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amfoeb32.dll"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	0cfbe74729f81622000675d26bf02479a41b931f727465bba3ec6b136b65e398N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfghpl32.dll"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	0cfbe74729f81622000675d26bf02479a41b931f727465bba3ec6b136b65e398N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmefhako.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kahdohfm.dll"	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdheac32.dll"	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnmnbf32.dll"	Dkifae32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjelcfha.dll"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcbdhp32.dll"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmefhako.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bobiobnp.dll"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbpbca32.dll"	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmjocp32.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 1928 wrote to memory of 4848	1928	0cfbe74729f81622000675d26bf02479a41b931f727465bba3ec6b136b65e398N.exe	83
PID 1928 wrote to memory of 4848	1928	0cfbe74729f81622000675d26bf02479a41b931f727465bba3ec6b136b65e398N.exe	83
PID 1928 wrote to memory of 4848	1928	0cfbe74729f81622000675d26bf02479a41b931f727465bba3ec6b136b65e398N.exe	83
PID 4848 wrote to memory of 2996	4848	Dmefhako.exe	84
PID 4848 wrote to memory of 2996	4848	Dmefhako.exe	84
PID 4848 wrote to memory of 2996	4848	Dmefhako.exe	84
PID 2996 wrote to memory of 3692	2996	Ddonekbl.exe	85
PID 2996 wrote to memory of 3692	2996	Ddonekbl.exe	85
PID 2996 wrote to memory of 3692	2996	Ddonekbl.exe	85
PID 3692 wrote to memory of 3012	3692	Dhkjej32.exe	86
PID 3692 wrote to memory of 3012	3692	Dhkjej32.exe	86
PID 3692 wrote to memory of 3012	3692	Dhkjej32.exe	86
PID 3012 wrote to memory of 4620	3012	Dkifae32.exe	87
PID 3012 wrote to memory of 4620	3012	Dkifae32.exe	87
PID 3012 wrote to memory of 4620	3012	Dkifae32.exe	87
PID 4620 wrote to memory of 456	4620	Dodbbdbb.exe	88
PID 4620 wrote to memory of 456	4620	Dodbbdbb.exe	88
PID 4620 wrote to memory of 456	4620	Dodbbdbb.exe	88
PID 456 wrote to memory of 1044	456	Deokon32.exe	89
PID 456 wrote to memory of 1044	456	Deokon32.exe	89
PID 456 wrote to memory of 1044	456	Deokon32.exe	89
PID 1044 wrote to memory of 792	1044	Dkkcge32.exe	90
PID 1044 wrote to memory of 792	1044	Dkkcge32.exe	90
PID 1044 wrote to memory of 792	1044	Dkkcge32.exe	90
PID 792 wrote to memory of 1984	792	Dmjocp32.exe	91
PID 792 wrote to memory of 1984	792	Dmjocp32.exe	91
PID 792 wrote to memory of 1984	792	Dmjocp32.exe	91
PID 1984 wrote to memory of 964	1984	Deagdn32.exe	92
PID 1984 wrote to memory of 964	1984	Deagdn32.exe	92
PID 1984 wrote to memory of 964	1984	Deagdn32.exe	92
PID 964 wrote to memory of 3236	964	Dgbdlf32.exe	93
PID 964 wrote to memory of 3236	964	Dgbdlf32.exe	93
PID 964 wrote to memory of 3236	964	Dgbdlf32.exe	93

C:\Users\Admin\AppData\Local\Temp\0cfbe74729f81622000675d26bf02479a41b931f727465bba3ec6b136b65e398N.exe
"C:\Users\Admin\AppData\Local\Temp\0cfbe74729f81622000675d26bf02479a41b931f727465bba3ec6b136b65e398N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1928
- C:\Windows\SysWOW64\Dmefhako.exe
  C:\Windows\system32\Dmefhako.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4848
- - C:\Windows\SysWOW64\Ddonekbl.exe
    C:\Windows\system32\Ddonekbl.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2996
  - - C:\Windows\SysWOW64\Dhkjej32.exe
      C:\Windows\system32\Dhkjej32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3692
    - - C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3012
      - C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4620
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:456
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1044
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:792
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1984
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:964
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3236
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3236 -s 396
        13⤵
        Program crash
        
        PID:2928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3236 -ip 3236
1⤵
PID:3740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ddonekbl.exe

Filesize
101KB

MD5
097b07f5adf01e160d30862502f63709

SHA1
d89d87dfd37b229f8ba8a1c23947a97b258f02c4

SHA256
1d5fd17a8cd5ee947982714b1c3c00ff97fade26da4be8bc2619e4c31ce1d782

SHA512
bfdbffc8a8f810f60149597e455e59a3eb90aecc1ab815e03f675ebe8911d17e162687ee39f9a26a464d98a037a311023cf346304d6539bfabfd7d28ed03c90c

Download Submit
C:\Windows\SysWOW64\Deagdn32.exe

Filesize
101KB

MD5
5f549c180131eb419ade8433a7b68e0b

SHA1
9947f02f22e67bc5c1e25e1466dade8165adaae3

SHA256
84da38f489c234255425818535a2851959ec784f6c4bd9f5f94ec20f008da0a9

SHA512
5f2eff8454fa3adfd2f7e1d499d0f4027e567881b9fffbe45f6974034b2bf059c661c567495a59867f42158091b8f5b0710e5fa835fbc9cf8fbd6e2927240c9f

Download Submit
C:\Windows\SysWOW64\Deokon32.exe

Filesize
101KB

MD5
0e64b6d6f6718957d18f0e515180b462

SHA1
038f413b6049813903c8c5837ff16637e62e83a1

SHA256
957e158a51002f95a25ec5672d13606fd8691cc1a552a85da818a346acc16660

SHA512
b2a2b830e263ede5981338831e1331b379372ae8af72277df17e672b8e1ef736f5ea6ac1e291877d4d9cd423a91141bbf50b27a2bd941b05558a5e7be4785cd8

Download Submit
C:\Windows\SysWOW64\Dgbdlf32.exe

Filesize
101KB

MD5
6e8a89b63c59a18f11e03581b9e330dc

SHA1
cc7dc7d365d4e5c3b5047508d14d2716fd28807c

SHA256
f9ae31f35b7dd83305af48e5f5b3d0e264d62c1d4b9e39ea4efb07480b69e4d3

SHA512
e1172b84234bcebfa60f768dd63af54471acb2776ddcae0d991e0962405cb5053a5552b286ce1aea2250fdd06aa513dec5effc71db29334aca1902100125b2af

Download Submit
C:\Windows\SysWOW64\Dhkjej32.exe

Filesize
101KB

MD5
1ce76ecb9a91c29e287eaa08153fe78f

SHA1
1a03b70d2ca784537ef954485bc4d76d435f35cd

SHA256
dfc19846c746c165b80610172212d7012372c2946af364d89d8a9f39654d97fa

SHA512
8e6e75ed756465cabd9a591c36b12e92e7f59acfc0271f9cb135de7bf8eac81b89b6be352532bda143740bfb5508d33479f796828372813762d0b3dfb3311cae

Download Submit
C:\Windows\SysWOW64\Dkifae32.exe

Filesize
101KB

MD5
2c7684e87451110206c97cc4016d0989

SHA1
3d09b9cefcb74fdb73106ea6e960a136cf26c5ba

SHA256
64c49ee1d1d5158aa6dce651c9386a192bc5e2c633c5e74157c3cab9c75a782b

SHA512
e1f2dfef122a47a21c8ea95af46ccf8056f30c294699c90d92fb44ea3d1ccdb7809861d26227e727b8fde5cecd2cd0c1f6ae6477b5e051cd9365ab95cda501aa

Download Submit
C:\Windows\SysWOW64\Dkkcge32.exe

Filesize
101KB

MD5
018332d6f3ab656feeb62ff9b39aee25

SHA1
3b45f1fab00f1bda276495a2b692d1c4e71d0c4a

SHA256
ba1d32e6070b8921a61cf2e93d21c56195a131ae37620e19b378b01a6a2b5cef

SHA512
0823a74cbe8d0cc0c4d4150f18185185b690d9c6170061d570212a62bc273a69cbb6b4c9afadd53d903799787e81299f1f3db5a905680119adf58968de8a45c6

Download Submit
C:\Windows\SysWOW64\Dmefhako.exe

Filesize
101KB

MD5
56cf888477c3c3b1b1e4921eadfab5da

SHA1
a8855cd82b32e8c204b3b6513e18d81479d22627

SHA256
13ab51a4fde7cf7d7a3ce438d0127eccbef5283910f4c62b630055188d4c9524

SHA512
d847063f8e6b18ee643a0a9420fff5caffe3305f6c4b6f28f3b9c901dd5254a9916a7fb8d19937faf44ce92f13896453d75ebe74d6804e3846e28c59cf1ad584

Download Submit
C:\Windows\SysWOW64\Dmjocp32.exe

Filesize
101KB

MD5
4fbe7cc0fd3d87e5df72d7fcc0cdf3f1

SHA1
55ae9df9911d8af1c7a5fc1d6c1086fdc603ec71

SHA256
0889b102e47ea87837ef1aff567905b20ae1c5a5a70543bd3bbc1f98318f675a

SHA512
e42973fa022198452dd8e139a3a566fcc5ff10925559a4d054e589954cc301afbdf534b0e510d0d6687a4f841153544b2ffaaae4492d87f9a819748a40262e37

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
101KB

MD5
52f7feb484bf7808b0b12aea6b4eda9f

SHA1
9455aad1e5991bcb7c3b5ddf36c10bdeaf949155

SHA256
c122d18ded8386c8cc66eb6c6a5ea3f4a56d5fcf78a0de50618a23d312aeac67

SHA512
ee2109f9d1df179a2724d8ec4f4867b961686b51b6277fc21f2a1fc476119be76caaf63ae36ee0a30d25c9facdcdae8ec3bcd0f09cc06f5f44c00498dcc8e195

Download Submit
C:\Windows\SysWOW64\Dodbbdbb.exe

Filesize
101KB

MD5
9a94f2d31558cfb79f9eb6e558bcc595

SHA1
3109d9376c990d81a27b90d905bce0f3c779774b

SHA256
215fbefaa45641ea9f7ee2a62607c4d7c85656c47cf0a9183dd7682dd91b2ec9

SHA512
5377bee51b16a85588bde318ead318b59e553d5c6d6f4e58f283513c54f8afec71352f49e4bd4cd8e7fa331e6aff1b0131d2f13f621632f6ea79105d76106056

Download Submit
memory/456-99-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/456-48-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/792-95-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/792-63-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/964-92-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/964-79-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1044-97-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1044-55-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1928-110-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1928-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1984-94-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1984-71-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2996-15-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2996-107-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3012-31-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3012-103-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3236-87-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3236-91-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3692-23-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3692-105-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4620-101-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4620-40-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4848-108-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4848-7-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads