berbew | c69f795bf651d5c5b550f9d3df6684f0eda06c55825b9d7e7157c53da91662e8

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
08-12-2024 02:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c69f795bf651d5c5b550f9d3df6684f0eda06c55825b9d7e7157c53da91662e8.exe
Size

80KB
MD5

7f696659be2339f9acfe93891560d877
SHA1

d124c4c43cf7d5a8af691762091987421bcf9dda
SHA256

c69f795bf651d5c5b550f9d3df6684f0eda06c55825b9d7e7157c53da91662e8
SHA512

6a46d5f788be2790c9f77d84cfbfe0afa71f8a2b666cbc354126b2d6baa623b826f419589ab7d77c8c09df71a0b205f87190acde78fb27a1728fb5c229bfee07
SSDEEP

1536:9F1346nj8yskuT+uZlhbPJ7XW/MAYI4r0SzDfWqdMVrlEFtyb7IYOOqw4Tt:v1I6nwyduTtDr7XWCIJSzTWqAhELy1M9

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 18 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpqlemaj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lhlqjone.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Llbconkd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lhiddoph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lhiddoph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcadghnk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmmfnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpqlemaj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcadghnk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgfjggll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgfjggll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lhlqjone.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	c69f795bf651d5c5b550f9d3df6684f0eda06c55825b9d7e7157c53da91662e8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	c69f795bf651d5c5b550f9d3df6684f0eda06c55825b9d7e7157c53da91662e8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgcnahoo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgcnahoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmmfnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Llbconkd.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 9 IoCs

pid	Process
2688	Kgcnahoo.exe
2652	Lmmfnb32.exe
2808	Lgfjggll.exe
2600	Llbconkd.exe
2624	Lhiddoph.exe
3064	Lpqlemaj.exe
2528	Lhlqjone.exe
1848	Lcadghnk.exe
2616	Lepaccmo.exe

Loads dropped DLL 22 IoCs

pid	Process
2640	c69f795bf651d5c5b550f9d3df6684f0eda06c55825b9d7e7157c53da91662e8.exe
2640	c69f795bf651d5c5b550f9d3df6684f0eda06c55825b9d7e7157c53da91662e8.exe
2688	Kgcnahoo.exe
2688	Kgcnahoo.exe
2652	Lmmfnb32.exe
2652	Lmmfnb32.exe
2808	Lgfjggll.exe
2808	Lgfjggll.exe
2600	Llbconkd.exe
2600	Llbconkd.exe
2624	Lhiddoph.exe
2624	Lhiddoph.exe
3064	Lpqlemaj.exe
3064	Lpqlemaj.exe
2528	Lhlqjone.exe
2528	Lhlqjone.exe
1848	Lcadghnk.exe
1848	Lcadghnk.exe
2780	WerFault.exe
2780	WerFault.exe
2780	WerFault.exe
2780	WerFault.exe

Drops file in System32 directory 27 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Hfopbgif.dll	Lmmfnb32.exe
File created	C:\Windows\SysWOW64\Lhiddoph.exe	Llbconkd.exe
File opened for modification	C:\Windows\SysWOW64\Lpqlemaj.exe	Lhiddoph.exe
File created	C:\Windows\SysWOW64\Pgodelnq.dll	c69f795bf651d5c5b550f9d3df6684f0eda06c55825b9d7e7157c53da91662e8.exe
File created	C:\Windows\SysWOW64\Nmdeem32.dll	Llbconkd.exe
File opened for modification	C:\Windows\SysWOW64\Lcadghnk.exe	Lhlqjone.exe
File created	C:\Windows\SysWOW64\Pigckoki.dll	Kgcnahoo.exe
File created	C:\Windows\SysWOW64\Gcakqmpi.dll	Lgfjggll.exe
File opened for modification	C:\Windows\SysWOW64\Lhiddoph.exe	Llbconkd.exe
File created	C:\Windows\SysWOW64\Lcadghnk.exe	Lhlqjone.exe
File created	C:\Windows\SysWOW64\Lgfjggll.exe	Lmmfnb32.exe
File opened for modification	C:\Windows\SysWOW64\Lgfjggll.exe	Lmmfnb32.exe
File opened for modification	C:\Windows\SysWOW64\Llbconkd.exe	Lgfjggll.exe
File created	C:\Windows\SysWOW64\Ljphmekn.dll	Lhiddoph.exe
File created	C:\Windows\SysWOW64\Kgcnahoo.exe	c69f795bf651d5c5b550f9d3df6684f0eda06c55825b9d7e7157c53da91662e8.exe
File created	C:\Windows\SysWOW64\Lepaccmo.exe	Lcadghnk.exe
File opened for modification	C:\Windows\SysWOW64\Lmmfnb32.exe	Kgcnahoo.exe
File created	C:\Windows\SysWOW64\Onkckhkp.dll	Lpqlemaj.exe
File created	C:\Windows\SysWOW64\Fhdikdfj.dll	Lhlqjone.exe
File opened for modification	C:\Windows\SysWOW64\Kgcnahoo.exe	c69f795bf651d5c5b550f9d3df6684f0eda06c55825b9d7e7157c53da91662e8.exe
File opened for modification	C:\Windows\SysWOW64\Lepaccmo.exe	Lcadghnk.exe
File created	C:\Windows\SysWOW64\Llbconkd.exe	Lgfjggll.exe
File opened for modification	C:\Windows\SysWOW64\Lhlqjone.exe	Lpqlemaj.exe
File created	C:\Windows\SysWOW64\Oldhgaef.dll	Lcadghnk.exe
File created	C:\Windows\SysWOW64\Lpqlemaj.exe	Lhiddoph.exe
File created	C:\Windows\SysWOW64\Lhlqjone.exe	Lpqlemaj.exe
File created	C:\Windows\SysWOW64\Lmmfnb32.exe	Kgcnahoo.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2780	2616	WerFault.exe	38

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lpqlemaj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lcadghnk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lepaccmo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c69f795bf651d5c5b550f9d3df6684f0eda06c55825b9d7e7157c53da91662e8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmmfnb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llbconkd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lhiddoph.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kgcnahoo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lgfjggll.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lhlqjone.exe

Modifies registry class 30 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	c69f795bf651d5c5b550f9d3df6684f0eda06c55825b9d7e7157c53da91662e8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Llbconkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcadghnk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lmmfnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmdeem32.dll"	Llbconkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lhlqjone.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	c69f795bf651d5c5b550f9d3df6684f0eda06c55825b9d7e7157c53da91662e8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	c69f795bf651d5c5b550f9d3df6684f0eda06c55825b9d7e7157c53da91662e8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pgodelnq.dll"	c69f795bf651d5c5b550f9d3df6684f0eda06c55825b9d7e7157c53da91662e8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcakqmpi.dll"	Lgfjggll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pigckoki.dll"	Kgcnahoo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lhiddoph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lhiddoph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhdikdfj.dll"	Lhlqjone.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcadghnk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	c69f795bf651d5c5b550f9d3df6684f0eda06c55825b9d7e7157c53da91662e8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	c69f795bf651d5c5b550f9d3df6684f0eda06c55825b9d7e7157c53da91662e8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kgcnahoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kgcnahoo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgfjggll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljphmekn.dll"	Lhiddoph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfopbgif.dll"	Lmmfnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgfjggll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oldhgaef.dll"	Lcadghnk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Llbconkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onkckhkp.dll"	Lpqlemaj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lhlqjone.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lmmfnb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lpqlemaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpqlemaj.exe

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 2640 wrote to memory of 2688	2640	c69f795bf651d5c5b550f9d3df6684f0eda06c55825b9d7e7157c53da91662e8.exe	30
PID 2640 wrote to memory of 2688	2640	c69f795bf651d5c5b550f9d3df6684f0eda06c55825b9d7e7157c53da91662e8.exe	30
PID 2640 wrote to memory of 2688	2640	c69f795bf651d5c5b550f9d3df6684f0eda06c55825b9d7e7157c53da91662e8.exe	30
PID 2640 wrote to memory of 2688	2640	c69f795bf651d5c5b550f9d3df6684f0eda06c55825b9d7e7157c53da91662e8.exe	30
PID 2688 wrote to memory of 2652	2688	Kgcnahoo.exe	31
PID 2688 wrote to memory of 2652	2688	Kgcnahoo.exe	31
PID 2688 wrote to memory of 2652	2688	Kgcnahoo.exe	31
PID 2688 wrote to memory of 2652	2688	Kgcnahoo.exe	31
PID 2652 wrote to memory of 2808	2652	Lmmfnb32.exe	32
PID 2652 wrote to memory of 2808	2652	Lmmfnb32.exe	32
PID 2652 wrote to memory of 2808	2652	Lmmfnb32.exe	32
PID 2652 wrote to memory of 2808	2652	Lmmfnb32.exe	32
PID 2808 wrote to memory of 2600	2808	Lgfjggll.exe	33
PID 2808 wrote to memory of 2600	2808	Lgfjggll.exe	33
PID 2808 wrote to memory of 2600	2808	Lgfjggll.exe	33
PID 2808 wrote to memory of 2600	2808	Lgfjggll.exe	33
PID 2600 wrote to memory of 2624	2600	Llbconkd.exe	34
PID 2600 wrote to memory of 2624	2600	Llbconkd.exe	34
PID 2600 wrote to memory of 2624	2600	Llbconkd.exe	34
PID 2600 wrote to memory of 2624	2600	Llbconkd.exe	34
PID 2624 wrote to memory of 3064	2624	Lhiddoph.exe	35
PID 2624 wrote to memory of 3064	2624	Lhiddoph.exe	35
PID 2624 wrote to memory of 3064	2624	Lhiddoph.exe	35
PID 2624 wrote to memory of 3064	2624	Lhiddoph.exe	35
PID 3064 wrote to memory of 2528	3064	Lpqlemaj.exe	36
PID 3064 wrote to memory of 2528	3064	Lpqlemaj.exe	36
PID 3064 wrote to memory of 2528	3064	Lpqlemaj.exe	36
PID 3064 wrote to memory of 2528	3064	Lpqlemaj.exe	36
PID 2528 wrote to memory of 1848	2528	Lhlqjone.exe	37
PID 2528 wrote to memory of 1848	2528	Lhlqjone.exe	37
PID 2528 wrote to memory of 1848	2528	Lhlqjone.exe	37
PID 2528 wrote to memory of 1848	2528	Lhlqjone.exe	37
PID 1848 wrote to memory of 2616	1848	Lcadghnk.exe	38
PID 1848 wrote to memory of 2616	1848	Lcadghnk.exe	38
PID 1848 wrote to memory of 2616	1848	Lcadghnk.exe	38
PID 1848 wrote to memory of 2616	1848	Lcadghnk.exe	38
PID 2616 wrote to memory of 2780	2616	Lepaccmo.exe	39
PID 2616 wrote to memory of 2780	2616	Lepaccmo.exe	39
PID 2616 wrote to memory of 2780	2616	Lepaccmo.exe	39
PID 2616 wrote to memory of 2780	2616	Lepaccmo.exe	39

C:\Users\Admin\AppData\Local\Temp\c69f795bf651d5c5b550f9d3df6684f0eda06c55825b9d7e7157c53da91662e8.exe
"C:\Users\Admin\AppData\Local\Temp\c69f795bf651d5c5b550f9d3df6684f0eda06c55825b9d7e7157c53da91662e8.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2640
- C:\Windows\SysWOW64\Kgcnahoo.exe
  C:\Windows\system32\Kgcnahoo.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2688
- - C:\Windows\SysWOW64\Lmmfnb32.exe
    C:\Windows\system32\Lmmfnb32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2652
  - - C:\Windows\SysWOW64\Lgfjggll.exe
      C:\Windows\system32\Lgfjggll.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2808
    - - C:\Windows\SysWOW64\Llbconkd.exe
        
        C:\Windows\system32\Llbconkd.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2600
      - C:\Windows\SysWOW64\Lhiddoph.exe
        
        C:\Windows\system32\Lhiddoph.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2624
        
        C:\Windows\SysWOW64\Lpqlemaj.exe
        
        C:\Windows\system32\Lpqlemaj.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3064
        
        C:\Windows\SysWOW64\Lhlqjone.exe
        
        C:\Windows\system32\Lhlqjone.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2528
        
        C:\Windows\SysWOW64\Lcadghnk.exe
        
        C:\Windows\system32\Lcadghnk.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1848
        
        C:\Windows\SysWOW64\Lepaccmo.exe
        
        C:\Windows\system32\Lepaccmo.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2616
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2616 -s 140
        11⤵
        Loads dropped DLL
        Program crash
        
        PID:2780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Kgcnahoo.exe

Filesize
80KB

MD5
3f41fead2732ab7683b22e936e3b4a1c

SHA1
d2049364b23035cf2fc7b28d2e0cb953244061aa

SHA256
1a6372da8ee1eeb7ae2fae072a07763c5a922adf89b8dcf2d5b92a3f97e7e358

SHA512
caf6a128dfda7593ff8efb56b3f602dc02ed5730bc6ff5cff2cc459d1c0c1d57f48c7c8c56f9a88388153a899d6309094ddb21f406b28ac93f4cc8c3809bf035

Download Submit
C:\Windows\SysWOW64\Lgfjggll.exe

Filesize
80KB

MD5
e833f8db51990565a88d04f89a3b893b

SHA1
5501d31eb108dafe8872bae0d701827a8628f354

SHA256
252e6121c0b0bc5974d7674ac405ecc494fffe1c125a4b836cfc7d773502cbc9

SHA512
0bce9e79c2b1e07f89eded0e8ce0106ca9962769d92988d88a39eb4a19660c56a90d2c92fd666b1ee94f22d9c9e474315442e0708226623e4e6695e654865794

Download Submit
\Windows\SysWOW64\Lcadghnk.exe

Filesize
80KB

MD5
cd616abfbf2653bd509490b1073f50e5

SHA1
61b53476c029dbbccca294f218162e594abd7f35

SHA256
8ea44fda253151ca51edcfa50125fe34ebe9598a5d4eda994b7617cf73fb4093

SHA512
e9e0442b6bfe9b308ea0ebbe8da6dccd3d08a78ed05845fb6480fc69fb43f7af59ee06cede45f4c1156d88972ee4fc1f8c7beed8c1e7452c7c04ba7aee1654ed

Download Submit
\Windows\SysWOW64\Lepaccmo.exe

Filesize
80KB

MD5
dcc50647de90d00ca38982edc88d9971

SHA1
9fe0c556fa67ee2a6a06e12344f1b64e9caaf30a

SHA256
66127e18f6738e97e9e2c85fbf2da292fdc465b95acdbee347da2b5b2157a604

SHA512
2898b10ee7852c56b3f2f0073c8e1f573ce48415a5b61d3340d1417b58b343a7fd6541b5b21e2972a6bf92df4ab7bd7a9ab1042a265bc37484fbbaa437eef473

Download Submit
\Windows\SysWOW64\Lhiddoph.exe

Filesize
80KB

MD5
66cf8578f997c0bd65000b9c5d016801

SHA1
4471cbc94cc87132489ba00c17f7c0b88eac2a0f

SHA256
b4303b0f24389acfc6136f539ffc615477f6b93ed4562dd72faf159250c55173

SHA512
73058121356968d34ab018dc7d8bc60f5b17a39da3657d3f7ca1b17d84e068da603e7278a5651074ab7b15e5e59aa57a7ee39b8028272786b9784fed85ebd497

Download Submit
\Windows\SysWOW64\Lhlqjone.exe

Filesize
80KB

MD5
ec0ce787d2bad76154eaeefa7419233c

SHA1
dcdee282f2e940bb1dd481bc618da4318a46abdf

SHA256
8309761e8276e55a7c055be46cbb8f3bde25fd58552fc366491a6889ee705eec

SHA512
6a9ce336faa4ed21170a9fc9033767fd14129a6c5bbebad65b0b1631bdbc86518b86c514d416890dcc8a4b4555ff975060d71f3e5ce59193e89d777d32ea5ea3

Download Submit
\Windows\SysWOW64\Llbconkd.exe

Filesize
80KB

MD5
13f2504c2c4fd2f601aadbab30c48cc5

SHA1
a3c7d9313e1e49b7c7bdb6846f42a6db7cc5e83b

SHA256
282299ca0c378812ea8c726216e2436e618568c37defdde34e05890c7d74b5d4

SHA512
1812d887e81124aa4f9e8074e2c3151b6f2c85610f8a4f554533e34b6d4c773fc822b6053608896d783986bbd831b13d34192693e94e02e563b35d6df841670c

Download Submit
\Windows\SysWOW64\Lmmfnb32.exe

Filesize
80KB

MD5
e89094d33e736caf98f06196d90862ec

SHA1
ac2c618e0fa0bf30ff8b5bedab1fc37112e957ee

SHA256
62e26ca645c18da6cd51416681ce140b8d64f545a1c15495b6171284b022c26a

SHA512
21b0f7b4ced18b576f8356aa4af6779409224291440499a31f6909fdbaecc7926e2d2c10cdd49124727d3fd20cc40d2e2c2014300223dbee0fc944acf2bb0f04

Download Submit
\Windows\SysWOW64\Lpqlemaj.exe

Filesize
80KB

MD5
abc3bc4d8cf4ac73948433e78b6678ab

SHA1
3e90b531895cfafff00817adf53c061cd1bd1777

SHA256
048ecca12106d77e13d031730b4ed2b63bc59c8ea164f259a68732b57bef0af5

SHA512
a11881ece78d2d576b446782703b41f67dcff26450ce4752f6ca95cfeca0a37f6a59c6c8bae31194d6dc43fdb05cac981a6d85e0c7c419f64084c3af363cbb8b

Download Submit
memory/1848-125-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2528-94-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2528-126-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2528-106-0x0000000000270000-0x00000000002A5000-memory.dmp

Filesize
212KB

Download
memory/2600-67-0x00000000002E0000-0x0000000000315000-memory.dmp

Filesize
212KB

Download
memory/2600-130-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2616-127-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2616-120-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2624-75-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2624-69-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2624-129-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2640-133-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2640-11-0x0000000000280000-0x00000000002B5000-memory.dmp

Filesize
212KB

Download
memory/2640-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2640-12-0x0000000000280000-0x00000000002B5000-memory.dmp

Filesize
212KB

Download
memory/2652-134-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2652-35-0x0000000000300000-0x0000000000335000-memory.dmp

Filesize
212KB

Download
memory/2652-27-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2688-132-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2688-14-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2808-48-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2808-131-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2808-41-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3064-128-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads