berbew | fba1dc71ad2354f2945b204b9bf86a411c508198e55534b02e40e6236250e6a8

Analysis

max time kernel
94s
max time network
98s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
08-12-2024 02:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fba1dc71ad2354f2945b204b9bf86a411c508198e55534b02e40e6236250e6a8N.exe
Size

92KB
MD5

b8e3734eb3ea588720ff3cad4bb43fc0
SHA1

40ef3727c36bea4eb56d00f7548330c037a76fd2
SHA256

fba1dc71ad2354f2945b204b9bf86a411c508198e55534b02e40e6236250e6a8
SHA512

c0b6990aa8bae80032a65444973a5a5bf39e311e61f75a07f4158aaa85ecf8adcf3975540c32eadd3b63ff4875cb455577682a152af6a004cb4e0342f1aaa0b8
SSDEEP

1536:L3KSB2Uz0uZjxXMD/2BabBQ2dG+eo1xC0GZFXUmSC2e3lO:zKSgUz02yaBabBQ24ho1mtye3lO

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://tat-neftbank.ru/kkq.php

http://tat-neftbank.ru/wcmd.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	fba1dc71ad2354f2945b204b9bf86a411c508198e55534b02e40e6236250e6a8N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	fba1dc71ad2354f2945b204b9bf86a411c508198e55534b02e40e6236250e6a8N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dobfld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Danecp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dobfld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmgbnq32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 11 IoCs

pid	Process
3456	Danecp32.exe
2044	Dfknkg32.exe
1556	Dobfld32.exe
4028	Ddonekbl.exe
1316	Dhkjej32.exe
4996	Dmgbnq32.exe
5108	Ddakjkqi.exe
456	Dkkcge32.exe
3036	Deagdn32.exe
3924	Dgbdlf32.exe
1416	Dmllipeg.exe

Drops file in System32 directory 33 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Cogflbdn.dll	Danecp32.exe
File created	C:\Windows\SysWOW64\Mjelcfha.dll	Dobfld32.exe
File created	C:\Windows\SysWOW64\Ddakjkqi.exe	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Kahdohfm.dll	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Agjbpg32.dll	fba1dc71ad2354f2945b204b9bf86a411c508198e55534b02e40e6236250e6a8N.exe
File created	C:\Windows\SysWOW64\Alcidkmm.dll	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Jbpbca32.dll	Ddonekbl.exe
File opened for modification	C:\Windows\SysWOW64\Dgbdlf32.exe	Deagdn32.exe
File opened for modification	C:\Windows\SysWOW64\Dobfld32.exe	Dfknkg32.exe
File opened for modification	C:\Windows\SysWOW64\Dmgbnq32.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Gifhkeje.dll	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Deagdn32.exe	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dgbdlf32.exe
File opened for modification	C:\Windows\SysWOW64\Danecp32.exe	fba1dc71ad2354f2945b204b9bf86a411c508198e55534b02e40e6236250e6a8N.exe
File created	C:\Windows\SysWOW64\Dfknkg32.exe	Danecp32.exe
File opened for modification	C:\Windows\SysWOW64\Ddakjkqi.exe	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Dgbdlf32.exe	Deagdn32.exe
File created	C:\Windows\SysWOW64\Gfghpl32.dll	Deagdn32.exe
File opened for modification	C:\Windows\SysWOW64\Dfknkg32.exe	Danecp32.exe
File created	C:\Windows\SysWOW64\Ddonekbl.exe	Dobfld32.exe
File opened for modification	C:\Windows\SysWOW64\Ddonekbl.exe	Dobfld32.exe
File created	C:\Windows\SysWOW64\Dmgbnq32.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Dkkcge32.exe	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Danecp32.exe	fba1dc71ad2354f2945b204b9bf86a411c508198e55534b02e40e6236250e6a8N.exe
File created	C:\Windows\SysWOW64\Ihidnp32.dll	Dhkjej32.exe
File opened for modification	C:\Windows\SysWOW64\Dkkcge32.exe	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Dobfld32.exe	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Dhkjej32.exe	Ddonekbl.exe
File opened for modification	C:\Windows\SysWOW64\Dhkjej32.exe	Ddonekbl.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Jcbdhp32.dll	Ddakjkqi.exe
File opened for modification	C:\Windows\SysWOW64\Deagdn32.exe	Dkkcge32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4044	1416	WerFault.exe	93

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fba1dc71ad2354f2945b204b9bf86a411c508198e55534b02e40e6236250e6a8N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe

Modifies registry class 36 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Danecp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	fba1dc71ad2354f2945b204b9bf86a411c508198e55534b02e40e6236250e6a8N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agjbpg32.dll"	fba1dc71ad2354f2945b204b9bf86a411c508198e55534b02e40e6236250e6a8N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbpbca32.dll"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	fba1dc71ad2354f2945b204b9bf86a411c508198e55534b02e40e6236250e6a8N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfghpl32.dll"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	fba1dc71ad2354f2945b204b9bf86a411c508198e55534b02e40e6236250e6a8N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dobfld32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihidnp32.dll"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cogflbdn.dll"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	fba1dc71ad2354f2945b204b9bf86a411c508198e55534b02e40e6236250e6a8N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alcidkmm.dll"	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjelcfha.dll"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gifhkeje.dll"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kahdohfm.dll"	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	fba1dc71ad2354f2945b204b9bf86a411c508198e55534b02e40e6236250e6a8N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcbdhp32.dll"	Ddakjkqi.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 3492 wrote to memory of 3456	3492	fba1dc71ad2354f2945b204b9bf86a411c508198e55534b02e40e6236250e6a8N.exe	83
PID 3492 wrote to memory of 3456	3492	fba1dc71ad2354f2945b204b9bf86a411c508198e55534b02e40e6236250e6a8N.exe	83
PID 3492 wrote to memory of 3456	3492	fba1dc71ad2354f2945b204b9bf86a411c508198e55534b02e40e6236250e6a8N.exe	83
PID 3456 wrote to memory of 2044	3456	Danecp32.exe	84
PID 3456 wrote to memory of 2044	3456	Danecp32.exe	84
PID 3456 wrote to memory of 2044	3456	Danecp32.exe	84
PID 2044 wrote to memory of 1556	2044	Dfknkg32.exe	85
PID 2044 wrote to memory of 1556	2044	Dfknkg32.exe	85
PID 2044 wrote to memory of 1556	2044	Dfknkg32.exe	85
PID 1556 wrote to memory of 4028	1556	Dobfld32.exe	86
PID 1556 wrote to memory of 4028	1556	Dobfld32.exe	86
PID 1556 wrote to memory of 4028	1556	Dobfld32.exe	86
PID 4028 wrote to memory of 1316	4028	Ddonekbl.exe	87
PID 4028 wrote to memory of 1316	4028	Ddonekbl.exe	87
PID 4028 wrote to memory of 1316	4028	Ddonekbl.exe	87
PID 1316 wrote to memory of 4996	1316	Dhkjej32.exe	88
PID 1316 wrote to memory of 4996	1316	Dhkjej32.exe	88
PID 1316 wrote to memory of 4996	1316	Dhkjej32.exe	88
PID 4996 wrote to memory of 5108	4996	Dmgbnq32.exe	89
PID 4996 wrote to memory of 5108	4996	Dmgbnq32.exe	89
PID 4996 wrote to memory of 5108	4996	Dmgbnq32.exe	89
PID 5108 wrote to memory of 456	5108	Ddakjkqi.exe	90
PID 5108 wrote to memory of 456	5108	Ddakjkqi.exe	90
PID 5108 wrote to memory of 456	5108	Ddakjkqi.exe	90
PID 456 wrote to memory of 3036	456	Dkkcge32.exe	91
PID 456 wrote to memory of 3036	456	Dkkcge32.exe	91
PID 456 wrote to memory of 3036	456	Dkkcge32.exe	91
PID 3036 wrote to memory of 3924	3036	Deagdn32.exe	92
PID 3036 wrote to memory of 3924	3036	Deagdn32.exe	92
PID 3036 wrote to memory of 3924	3036	Deagdn32.exe	92
PID 3924 wrote to memory of 1416	3924	Dgbdlf32.exe	93
PID 3924 wrote to memory of 1416	3924	Dgbdlf32.exe	93
PID 3924 wrote to memory of 1416	3924	Dgbdlf32.exe	93

C:\Users\Admin\AppData\Local\Temp\fba1dc71ad2354f2945b204b9bf86a411c508198e55534b02e40e6236250e6a8N.exe
"C:\Users\Admin\AppData\Local\Temp\fba1dc71ad2354f2945b204b9bf86a411c508198e55534b02e40e6236250e6a8N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3492
- C:\Windows\SysWOW64\Danecp32.exe
  C:\Windows\system32\Danecp32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3456
- - C:\Windows\SysWOW64\Dfknkg32.exe
    C:\Windows\system32\Dfknkg32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2044
  - - C:\Windows\SysWOW64\Dobfld32.exe
      C:\Windows\system32\Dobfld32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1556
    - - C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4028
      - C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1316
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4996
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5108
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:456
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3036
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3924
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1416
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1416 -s 392
        13⤵
        Program crash
        
        PID:4044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1416 -ip 1416
1⤵
PID:3720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Danecp32.exe

Filesize
92KB

MD5
9de197dd408cfbc026493a52d934a49b

SHA1
9e3f9c6c9482e8c8e4c49d440d3f5e61e8740f4c

SHA256
64322491802df71000e0116efec8461d80142d8788ca88db3bfd830edf0ebfff

SHA512
86d2fb45e4845ee5c8c148d8b311531ad1e46ad11cc61d8c34e56fa82c51cff9c5c66bedd2a566ea18477693fb735ae033d64722762359a5fed9625229e6673a

Download Submit
C:\Windows\SysWOW64\Ddakjkqi.exe

Filesize
92KB

MD5
84b55c42389e257c39bb063713a3e439

SHA1
4e4d714f85ebdbdc70f08cd2a22b3b56addbccdf

SHA256
b6af9889e2aab4930a489f368bd506e04e7bf45744a8ae2be505f3b1c318ba90

SHA512
824380bbbcdcb532d3529026ded3da12a275f309110f206dd19a9b9c5036c134265f840db1638075c3ffc99b14717be0af0d6783cb41250ed00a0a0a4a071eb7

Download Submit
C:\Windows\SysWOW64\Ddonekbl.exe

Filesize
92KB

MD5
3804ea3dabf9bd6fe56723778a655fed

SHA1
5733ec198e68531db900dfd5989f5cd829254d54

SHA256
08fc6721068483291899aa30b5cf0fb6229fe52eecc67d2af4d0a547a50b7151

SHA512
b8b9eb26708c851f05caf00f9b5beec7ee9f88d9da08ec45b90cb28ddd002977dd3b364962d7d1a3c35412d9abe8bf7f8977e26fe5d6ec04588cce5d4873f48d

Download Submit
C:\Windows\SysWOW64\Deagdn32.exe

Filesize
92KB

MD5
d4d8f1bfb6a700d1337a48f0f2eefd2e

SHA1
43c58221dd61e2f011b89940c741ddd218903372

SHA256
e6acf4687d7ad99154b1cc283bd1454186834840412fd0f4d681568126c8776d

SHA512
e659a16cd2267bd633aa0b05de418436792ffd0b0835f181610a2ba32fc75ea65ef283d3890c36f7e6e22463bec9721a6c109b019f9e0ef85bc4e558a5df4821

Download Submit
C:\Windows\SysWOW64\Dfknkg32.exe

Filesize
92KB

MD5
f1ff04347b1b83fe57c93538616fb0a8

SHA1
52b8abd184b8785ca77cfae2fff08c3f23cdbcd2

SHA256
59e252952df505005a19aabfc5e5c3e84340adeb50ee6c815f0f9169121b6072

SHA512
4ac718a3738a7d003a92bf4877b8f443fda1f0e4868af9c03cf3b860aec1a224a82b38f97f596a1d169140faa0232e786f144f81e9c1952e6accb89fc3b58d96

Download Submit
C:\Windows\SysWOW64\Dgbdlf32.exe

Filesize
92KB

MD5
bd3f1883d17daff5c8bff46faaba74af

SHA1
2e40e0fd5e6a96cf442923c9540661c12201738a

SHA256
043cdc53a77f594276d1f96ebcceede4353d828827bff6ca519b53b0aca25f6a

SHA512
27343c8a785f969dd958f770897ecf4bbe4c18329736db7afd4745838b224e618d2973c657047b7bd82c1207775dfbc31db0a6d577dfa7e1b0f5beddac5a5dd1

Download Submit
C:\Windows\SysWOW64\Dhkjej32.exe

Filesize
92KB

MD5
2d6a3317d5bcc320b0f2d4e532df4e31

SHA1
b27ca0bb5babd136390b0441f1bbe2dd27051e86

SHA256
e71eb50125aa2a742628cde1fcb7972cfa0589ff5b76db8a4bc9e72e3e3338c6

SHA512
c815e3175411172a0298e1dc20c590ccfc5146fb7b7d62f91ce5aec95827d50377cec37f8ae19215fafdfe296232f6627106d3e8fa9483ab3d8a0966b0d62a12

Download Submit
C:\Windows\SysWOW64\Dkkcge32.exe

Filesize
92KB

MD5
a6150c601ca72d68a8cfe538e91493b6

SHA1
53262bbfec97b884c8a0cb2b36e6543736128558

SHA256
1c90220dc9dc761afc6d53743b0fe0c701f7dd60738f4d9a5f0c57ff27496c19

SHA512
d9d7844970f3ae89c64f92580e4452fd9c2bc0004b8257933525b57f91208d917c867b7a7a14d6786e3313ffcd20485f817c368318961942f5a22439ea6845e9

Download Submit
C:\Windows\SysWOW64\Dmgbnq32.exe

Filesize
92KB

MD5
5c4c335881e39395736c7af6c8417a97

SHA1
aaa2fc58070da402cea37e36f579e6f142367e72

SHA256
72b1e63ea72ef524fcab1d0a7eb02a6574bb30b7d2cc60eb9989df0315d2d527

SHA512
c48fcdadab3d774330f2fe26d3d19e559c5d00b92233ab603ca0010b8659ca945ec70dbb7950070d4ca8a6446422f0db1669619e33ef1d4c93dba931c5014f47

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
92KB

MD5
ef253bb79e5662fd571478283e6c623a

SHA1
b893b72f5a0b4a2332ecc59422864f724cee3f9d

SHA256
b359f96d56954fc7c1f06b45f25f74359ab5238697cfe55a3fd16fd33b71cca9

SHA512
9d8a2679bcf8d03b51a0e584890471d55e9114950ba0a7f410011dd878ba48415967162afce356149666306a8b05031e680185f2bf09ad785690fc98b589d496

Download Submit
C:\Windows\SysWOW64\Dobfld32.exe

Filesize
92KB

MD5
f25d71139a0006df4a8cb74de3b18c6f

SHA1
dda30c11f16eae8127a825acb3655c2b59bd5d1b

SHA256
4ed52cefe82ad15843f031985a04c3b6e1fde83c726ef546258f7253125e9c46

SHA512
65b3684ccb1319649918c4b0bd05c3f789503148d72c0c481177b3ade6df78e2e50cce43cfc36d7ec221d533c0f7446dcd3394e6843851431c8f7c163d24133e

Download Submit
memory/456-63-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/456-99-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1316-40-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1316-101-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1416-92-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1416-88-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1556-104-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1556-23-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2044-106-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2044-15-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3036-94-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3036-71-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3456-7-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3456-108-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3492-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3492-110-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3924-79-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3924-91-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4028-31-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4028-103-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4996-48-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4996-98-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5108-56-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5108-96-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads