Analysis

max time kernel: 121s
max time network: 121s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 08-12-2024 03:04

Static task: static1
Behavioral task: behavioral1
  Sample: c99e13a7452cab6d62d45a9e386468e329536c841765dddf22e87da5762a0c5d.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: c99e13a7452cab6d62d45a9e386468e329536c841765dddf22e87da5762a0c5d.exe
  Resource: win10v2004-20241007-en

General

Target: c99e13a7452cab6d62d45a9e386468e329536c841765dddf22e87da5762a0c5d.exe
Size: 84KB
MD5: d050b81b655f5c565b67cbe74fdd9c02
SHA1: 40e5513be3a5f6dc902b9b9ab2cca1a62ad2fc3a
SHA256: c99e13a7452cab6d62d45a9e386468e329536c841765dddf22e87da5762a0c5d
SHA512: c51e5f0dea07fc10a4263226d9cbb9725e6eba12b20f8bd181f134a285ffa4be4fb74867305ea49efea280fa505ed73296f192cce2d7b257770f2d2c70359fba
SSDEEP: 1536:3+r3dFPzQl/OcyQUP6VmdnX5sGovuXSREXHfVPfMVwNKT1iqWUPGc4T7VL3:3+r3LPUl/OcyQQEmFph2uCREXdXNKT1m
Malware Config
Extracted
berbew
http://tat-neftbank.ru/kkq.php
http://tat-neftbank.ru/wcmd.htm
Signatures

Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 22 IoCs)

description: Set value (str)
ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"
Process: Ckmnbg32.exe, Danpemej.exe, Cnimiblo.exe, c99e13a7452cab6d62d45a9e386468e329536c841765dddf22e87da5762a0c5d.exe, Cgcnghpl.exe, Cmpgpond.exe, Cgfkmgnj.exe, Cagienkb.exe, Cnmfdb32.exe, Djdgic32.exe, Caifjn32.exe (11 records)

description: Key created
ioc: \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
Process: Cgcnghpl.exe, Cmpgpond.exe, c99e13a7452cab6d62d45a9e386468e329536c841765dddf22e87da5762a0c5d.exe, Ckmnbg32.exe, Caifjn32.exe, Cnmfdb32.exe, Cgfkmgnj.exe, Cnimiblo.exe, Djdgic32.exe, Danpemej.exe, Cagienkb.exe (11 records)

Every stage writes the same value name ("Web Event Logger") and the same CLSID; what changes from stage to stage is the DLL that CLSID resolves to (see "Modifies registry class" below).
Berbew family

Executes dropped EXE (11 IoCs)

pid | Process
2440 | Cnimiblo.exe
3056 | Cagienkb.exe
2776 | Ckmnbg32.exe
2852 | Caifjn32.exe
2564 | Cgcnghpl.exe
2540 | Cnmfdb32.exe
2928 | Cmpgpond.exe
2008 | Cgfkmgnj.exe
1156 | Djdgic32.exe
2016 | Danpemej.exe
2528 | Dpapaj32.exe

Loads dropped DLL (25 IoCs)

pid | Process | records
2072 | c99e13a7452cab6d62d45a9e386468e329536c841765dddf22e87da5762a0c5d.exe | 2
2440 | Cnimiblo.exe | 2
3056 | Cagienkb.exe | 2
2776 | Ckmnbg32.exe | 2
2852 | Caifjn32.exe | 2
2564 | Cgcnghpl.exe | 2
2540 | Cnmfdb32.exe | 2
2928 | Cmpgpond.exe | 2
2008 | Cgfkmgnj.exe | 2
1156 | Djdgic32.exe | 2
2016 | Danpemej.exe | 2
2000 | WerFault.exe | 3
Drops file in System32 directory (33 IoCs)

All paths are under C:\Windows\SysWOW64\. Each process creates the next stage's EXE, opens it for modification, and creates one DLL:

Process | File created (EXE) | File opened for modification | File created (DLL)
c99e13a7452cab6d62d45a9e386468e329536c841765dddf22e87da5762a0c5d.exe | Cnimiblo.exe | Cnimiblo.exe | Pobghn32.dll
Cnimiblo.exe | Cagienkb.exe | Cagienkb.exe | Hbcfdk32.dll
Cagienkb.exe | Ckmnbg32.exe | Ckmnbg32.exe | Jhogdg32.dll
Ckmnbg32.exe | Caifjn32.exe | Caifjn32.exe | Onaiomjo.dll
Caifjn32.exe | Cgcnghpl.exe | Cgcnghpl.exe | Omakjj32.dll
Cgcnghpl.exe | Cnmfdb32.exe | Cnmfdb32.exe | Niebgj32.dll
Cnmfdb32.exe | Cmpgpond.exe | Cmpgpond.exe | Pcaibd32.dll
Cmpgpond.exe | Cgfkmgnj.exe | Cgfkmgnj.exe | Cpmahlfd.dll
Cgfkmgnj.exe | Djdgic32.exe | Djdgic32.exe | Ccofjipn.dll
Djdgic32.exe | Danpemej.exe | Danpemej.exe | Cbehjc32.dll
Danpemej.exe | Dpapaj32.exe | Dpapaj32.exe | Pdkefp32.dll

Drops file in Windows directory (2 IoCs)

description | ioc | Process
File created | C:\Windows\system32†Djfdob32.¿xe | Dpapaj32.exe
File opened for modification | C:\Windows\system32†Djfdob32.¿xe | Dpapaj32.exe

Program crash (1 IoCs)

pid | pid_target | Process | procid_target
2000 | 2528 | WerFault.exe | 41
System Location Discovery: System Language Discovery (1 TTPs, 12 IoCs)

Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

description: Key opened
ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process: Cnimiblo.exe, Cagienkb.exe, Cnmfdb32.exe, Cmpgpond.exe, Djdgic32.exe, Dpapaj32.exe, c99e13a7452cab6d62d45a9e386468e329536c841765dddf22e87da5762a0c5d.exe, Ckmnbg32.exe, Caifjn32.exe, Cgcnghpl.exe, Cgfkmgnj.exe, Danpemej.exe (12 records)
Modifies registry class (36 IoCs)

All 36 records concern one CLSID key: \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}

Key created by c99e13a7452cab6d62d45a9e386468e329536c841765dddf22e87da5762a0c5d.exe (3 records): \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node, \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID, and the CLSID key itself.

Each of the 11 processes below additionally creates the InProcServer32 subkey (Key created, 11 records) and sets two string values under it (Set value (str), 22 records):

Process | InProcServer32\ (default) | InProcServer32\ThreadingModel
c99e13a7452cab6d62d45a9e386468e329536c841765dddf22e87da5762a0c5d.exe | "C:\\Windows\\SysWow64\\Pobghn32.dll" | "Apartment"
Cnimiblo.exe | "C:\\Windows\\SysWow64\\Hbcfdk32.dll" | "Apartment"
Cagienkb.exe | "C:\\Windows\\SysWow64\\Jhogdg32.dll" | "Apartment"
Ckmnbg32.exe | "C:\\Windows\\SysWow64\\Onaiomjo.dll" | "Apartment"
Caifjn32.exe | "C:\\Windows\\SysWow64\\Omakjj32.dll" | "Apartment"
Cgcnghpl.exe | "C:\\Windows\\SysWow64\\Niebgj32.dll" | "Apartment"
Cnmfdb32.exe | "C:\\Windows\\SysWow64\\Pcaibd32.dll" | "Apartment"
Cmpgpond.exe | "C:\\Windows\\SysWow64\\Cpmahlfd.dll" | "Apartment"
Cgfkmgnj.exe | "C:\\Windows\\SysWow64\\Ccofjipn.dll" | "Apartment"
Djdgic32.exe | "C:\\Windows\\SysWow64\\Cbehjc32.dll" | "Apartment"
Danpemej.exe | "C:\\Windows\\SysWow64\\Pdkefp32.dll" | "Apartment"
Suspicious use of WriteProcessMemory (48 IoCs)

Each parent-to-child edge is recorded four times; the 12 distinct records are:

description | pid | Process | procid_target
PID 2072 wrote to memory of 2440 | 2072 | c99e13a7452cab6d62d45a9e386468e329536c841765dddf22e87da5762a0c5d.exe | 31
PID 2440 wrote to memory of 3056 | 2440 | Cnimiblo.exe | 32
PID 3056 wrote to memory of 2776 | 3056 | Cagienkb.exe | 33
PID 2776 wrote to memory of 2852 | 2776 | Ckmnbg32.exe | 34
PID 2852 wrote to memory of 2564 | 2852 | Caifjn32.exe | 35
PID 2564 wrote to memory of 2540 | 2564 | Cgcnghpl.exe | 36
PID 2540 wrote to memory of 2928 | 2540 | Cnmfdb32.exe | 37
PID 2928 wrote to memory of 2008 | 2928 | Cmpgpond.exe | 38
PID 2008 wrote to memory of 1156 | 2008 | Cgfkmgnj.exe | 39
PID 1156 wrote to memory of 2016 | 1156 | Djdgic32.exe | 40
PID 2016 wrote to memory of 2528 | 2016 | Danpemej.exe | 41
PID 2528 wrote to memory of 2000 | 2528 | Dpapaj32.exe | 42
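Added example (not part of this report or of the sandbox's own tooling): a host-side hunt for the persistence mechanism the "Adds autorun key" and "Modifies registry class" signatures above record together. The ShellServiceObjectDelayLoad (SSODL) value maps a display name to a CLSID, and Explorer resolves that CLSID through SOFTWARE\Classes\...\CLSID\{...}\InProcServer32 to the DLL it loads in-process, so a hunt has to follow the same two hops. The registry text below is constructed for the example: the Wow6432Node entries mirror the values recorded for this sample, the WebCheck entry stands in for a stock Windows shell service object, and the known-good CLSID set is an assumption to be replaced with a baseline taken from your own images. One caveat when reading the Wow6432Node paths in this report: the sample is a 32-bit process, so on this x64 image WOW64 registry redirection sent its writes to the Wow6432Node view, which the 64-bit explorer.exe does not consult; on 32-bit Windows the same code lands in the native key. The entries are a high-confidence indicator in either view, which is why the hunt checks both.

```python
import re

# Constructed .reg-style export (not taken from the report). The Wow6432Node
# entries mirror the values the sandbox recorded for this sample; the native
# WebCheck entry stands in for a legitimate Windows shell service object.
SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"Web Event Logger"="{79FEACFF-FFCE-815E-A900-316290B5B738}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32]
@="C:\\Windows\\System32\\webcheck.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32]
@="C:\\Windows\\SysWow64\\Pdkefp32.dll"
"ThreadingModel"="Apartment"
'''

# Assumption for this example: the CLSIDs expected under SSODL on a clean
# image. Build the real set from your own golden images, not from this list.
KNOWN_GOOD_CLSIDS = {"{e6fb5e20-de35-11cf-9c87-00aa005127ed}"}

SSODL_SUFFIX = r"\microsoft\windows\currentversion\shellserviceobjectdelayload"
KEY_RE = re.compile(r"^\[(.+)\]$")
VAL_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def _unescape(s):
    """Undo .reg escaping of quotes and backslashes."""
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg(text):
    """Parse a .reg export into {key_path_lower: {value_name: string}}.
    Only string (REG_SZ) values are kept; dword/binary values are skipped."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1).lower()
            keys.setdefault(current, {})
            continue
        m = VAL_RE.match(line)
        if m and current is not None and m.group(2).startswith('"'):
            name = "" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
            keys[current][name] = _unescape(m.group(2)[1:-1])
    return keys


def hunt_ssodl(keys):
    """Resolve every SSODL value, in both registry views, to the DLL Explorer
    would load for it, and report the entries that are not in the baseline."""
    findings = []
    for path, values in keys.items():
        if not path.endswith(SSODL_SUFFIX):
            continue
        wow64 = "\\wow6432node\\" in path          # 32-bit view on an x64 host
        classes = r"hkey_local_machine\software\classes" + (
            r"\wow6432node" if wow64 else "") + r"\clsid"
        expected_dir = "syswow64" if wow64 else "system32"
        for name, clsid in values.items():
            c = clsid.lower()
            dll = keys.get(classes + "\\" + c + r"\inprocserver32", {}).get("")
            reasons = []
            if c not in KNOWN_GOOD_CLSIDS:
                reasons.append("CLSID not in known-good baseline")
            if dll is None:
                reasons.append("no InProcServer32 registered in this view")
            elif f"\\{expected_dir}\\" not in dll.lower():
                reasons.append(f"DLL outside \\{expected_dir}\\")
            if reasons:
                findings.append({"view": "wow64" if wow64 else "native",
                                 "name": name, "clsid": clsid,
                                 "dll": dll, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in hunt_ssodl(parse_reg(SAMPLE_REG)):
        print(f"[{f['view']}] {f['name']!r} -> {f['clsid']} -> {f['dll']}: "
              + "; ".join(f["reasons"]))
```

Run against the constructed export this reports one finding, the Wow6432Node "Web Event Logger" entry resolving to C:\Windows\SysWow64\Pdkefp32.dll, and only the baseline check fires: the sample parks its DLL in the directory a 32-bit in-process server is expected to live in, so a path-only heuristic would miss it. The baseline comparison is the check that matters; the path and dangling-InProcServer32 checks are there for the other ways this key gets abused.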
Processes

Depth in the tree is given in brackets; each process is the child of the one above it. The image path is the file actually executed (C:\Windows\SysWOW64\...) while the command line names C:\Windows\system32\..., the usual WOW64 file-system redirection for a 32-bit process.

[1] C:\Users\Admin\AppData\Local\Temp\c99e13a7452cab6d62d45a9e386468e329536c841765dddf22e87da5762a0c5d.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\c99e13a7452cab6d62d45a9e386468e329536c841765dddf22e87da5762a0c5d.exe"
    PID: 2072
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory

[2] C:\Windows\SysWOW64\Cnimiblo.exe
    Command line: C:\Windows\system32\Cnimiblo.exe
    PID: 2440
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory

[3] C:\Windows\SysWOW64\Cagienkb.exe
    Command line: C:\Windows\system32\Cagienkb.exe
    PID: 3056
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory

[4] C:\Windows\SysWOW64\Ckmnbg32.exe
    Command line: C:\Windows\system32\Ckmnbg32.exe
    PID: 2776
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory

[5] C:\Windows\SysWOW64\Caifjn32.exe
    Command line: C:\Windows\system32\Caifjn32.exe
    PID: 2852
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory

[6] C:\Windows\SysWOW64\Cgcnghpl.exe
    Command line: C:\Windows\system32\Cgcnghpl.exe
    PID: 2564
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory

[7] C:\Windows\SysWOW64\Cnmfdb32.exe
    Command line: C:\Windows\system32\Cnmfdb32.exe
    PID: 2540
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory

[8] C:\Windows\SysWOW64\Cmpgpond.exe
    Command line: C:\Windows\system32\Cmpgpond.exe
    PID: 2928
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory

[9] C:\Windows\SysWOW64\Cgfkmgnj.exe
    Command line: C:\Windows\system32\Cgfkmgnj.exe
    PID: 2008
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory

[10] C:\Windows\SysWOW64\Djdgic32.exe
    Command line: C:\Windows\system32\Djdgic32.exe
    PID: 1156
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory

[11] C:\Windows\SysWOW64\Danpemej.exe
    Command line: C:\Windows\system32\Danpemej.exe
    PID: 2016
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory

[12] C:\Windows\SysWOW64\Dpapaj32.exe
    Command line: C:\Windows\system32\Dpapaj32.exe
    PID: 2528
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

[13] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2528 -s 1441
    PID: 2000
    - Loads dropped DLL
    - Program crash
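Added example (not part of the report): a small parser for the flattened record shapes the signature tables use (one record per line, as the page presents them), which collapses the repeated WriteProcessMemory records into one parent-child edge each, walks those edges into the stage chain shown in the process tree above, and joins each stage to the EXE it drops and the DLL it points the shared CLSID at. The record lines embedded below are copied from this report; the only change is that the submitted sample's 64-hex-character file name is shortened to sample.exe.

```python
import re

# Records copied from this report's signature tables, one per line, in the
# flattened form the page presents them (WriteProcessMemory, File created,
# and InProcServer32 Set value records). The sample's hash file name is
# shortened to sample.exe; nothing else is changed.
RECORDS = r"""
PID 2072 wrote to memory of 2440 2072 sample.exe 31
PID 2072 wrote to memory of 2440 2072 sample.exe 31
PID 2440 wrote to memory of 3056 2440 Cnimiblo.exe 32
PID 3056 wrote to memory of 2776 3056 Cagienkb.exe 33
PID 2776 wrote to memory of 2852 2776 Ckmnbg32.exe 34
PID 2852 wrote to memory of 2564 2852 Caifjn32.exe 35
PID 2564 wrote to memory of 2540 2564 Cgcnghpl.exe 36
PID 2540 wrote to memory of 2928 2540 Cnmfdb32.exe 37
PID 2928 wrote to memory of 2008 2928 Cmpgpond.exe 38
PID 2008 wrote to memory of 1156 2008 Cgfkmgnj.exe 39
PID 1156 wrote to memory of 2016 1156 Djdgic32.exe 40
PID 2016 wrote to memory of 2528 2016 Danpemej.exe 41
PID 2528 wrote to memory of 2000 2528 Dpapaj32.exe 42
File created C:\Windows\SysWOW64\Cnimiblo.exe sample.exe
File created C:\Windows\SysWOW64\Cagienkb.exe Cnimiblo.exe
File created C:\Windows\SysWOW64\Ckmnbg32.exe Cagienkb.exe
File created C:\Windows\SysWOW64\Caifjn32.exe Ckmnbg32.exe
File created C:\Windows\SysWOW64\Cgcnghpl.exe Caifjn32.exe
File created C:\Windows\SysWOW64\Cnmfdb32.exe Cgcnghpl.exe
File created C:\Windows\SysWOW64\Cmpgpond.exe Cnmfdb32.exe
File created C:\Windows\SysWOW64\Cgfkmgnj.exe Cmpgpond.exe
File created C:\Windows\SysWOW64\Djdgic32.exe Cgfkmgnj.exe
File created C:\Windows\SysWOW64\Danpemej.exe Djdgic32.exe
File created C:\Windows\SysWOW64\Dpapaj32.exe Danpemej.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pobghn32.dll" sample.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbcfdk32.dll" Cnimiblo.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhogdg32.dll" Cagienkb.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onaiomjo.dll" Ckmnbg32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omakjj32.dll" Caifjn32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Niebgj32.dll" Cgcnghpl.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pcaibd32.dll" Cnmfdb32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpmahlfd.dll" Cmpgpond.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccofjipn.dll" Cgfkmgnj.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbehjc32.dll" Djdgic32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdkefp32.dll" Danpemej.exe
"""

# "PID <src> wrote to memory of <dst> <src> <process> <procid_target>"
WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \1 (\S+) \d+$")
# "File created <path>.exe <process>"
DROP_RE = re.compile(r"^File created (\S+\.exe) (\S+)$", re.IGNORECASE)
# "Set value (str) \REGISTRY\...\CLSID\{...}\InProcServer32\ = "<dll>" <process>"
INPROC_RE = re.compile(
    r"^Set value \(str\) \\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\(?:Wow6432Node\\)?"
    r'CLSID\\(\{[0-9A-Fa-f-]+\})\\InProcServer32\\ = "(.+)" (\S+)$')


def basename(path):
    """Last component of a Windows path, tolerating the doubled backslashes
    the report uses inside quoted registry strings."""
    return re.split(r"\\+", path)[-1]


def build_chain(records):
    """Return (chain, clsids): the ordered list of stages from the root
    process down, each with the EXEs it created and the DLL it registered,
    plus the set of CLSIDs whose InProcServer32 was written."""
    spawns, names, drops, dlls, clsids = {}, {}, {}, {}, set()
    for line in records.strip().splitlines():
        if m := WPM_RE.match(line):
            src, dst, proc = int(m[1]), int(m[2]), m[3]
            spawns[src] = dst           # repeated records collapse to one edge
            names[src] = proc
        elif m := DROP_RE.match(line):
            drops.setdefault(m[2], []).append(basename(m[1]))
        elif m := INPROC_RE.match(line):
            clsids.add(m[1].upper())
            dlls[m[3]] = basename(m[2])
    roots = [p for p in spawns if p not in spawns.values()]
    chain, pid, seen = [], roots[0], set()
    while pid is not None and pid not in seen:   # seen-set guards against cycles
        seen.add(pid)
        name = names.get(pid, f"pid {pid}")      # leaf has no record of its own
        chain.append({"pid": pid, "process": name,
                      "drops_exe": drops.get(name, []),
                      "registers_dll": dlls.get(name)})
        pid = spawns.get(pid)
    return chain, clsids


if __name__ == "__main__":
    stages, clsids = build_chain(RECORDS)
    print("CLSIDs touched:", ", ".join(sorted(clsids)))
    for i, s in enumerate(stages, 1):
        print(f"[{i}] {s['pid']} {s['process']} drops={s['drops_exe']} "
              f"dll={s['registers_dll']}")
```

What the walk makes visible is the shape of the chain: the CLSID never changes, only its InProcServer32 target does, so the DLL in effect at the end of the run is the last one registered (Pdkefp32.dll, by Danpemej.exe); the chain stops at Dpapaj32.exe, which registers nothing before WerFault.exe is invoked for it.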
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 84KB
MD5: 37a8e80284dff58062a1a7ed53280b9e
SHA1: 662598309756707baddb23695b50cfaa9787229c
SHA256: f46e0ece6e2f934d41043e46954a18b964f349a58601f60ab57607b9792f97cd
SHA512: 0c896415be605999c19731131e7565c1a8267bfbc43ec0d84a190c19f10a85d349159814c86a7128f78a843174e752340c35c8bc17691a6a1a870291b53dd89c

Filesize: 84KB
MD5: 2951d56e43c070e371a0fdaf59e1f889
SHA1: c578c07b25d49b556051e629e0045010fee4d816
SHA256: c5d1f4a7e00bfb0e5259f6989df9fe18742333862d822a0debb3b6093cd81c3f
SHA512: df5128c1ee06103c039448c81496d49e850921a166c4169c8360331a3de0e296b2e73cb8a13e228640977eec7533f1c5be7528c332adabe7478f5c86cfb4b772

Filesize: 84KB
MD5: 128cf1151e7fc060984d025fd7fad457
SHA1: 1e61ec22b7878019ee63cd3fb2eaff47b651a5bd
SHA256: ed9bf88ac6cf1e8ce44173d36fb2f69eff1c907c58a5df33b39e2d7a802ad483
SHA512: b264998d2d16f6f40090268fe018dc7df351e4c08a36a0780f9a32d12a52d10771885b040a31f1da950c719733823406db37a7cc00440fbeb03f8835c5ccd588

Filesize: 84KB
MD5: 73ccc8c5b634178994b1be8cb4cf5e80
SHA1: 56da2a420ada3cb7640b9d0cdb296ed0e61a6246
SHA256: 580a3ea093ba8249b0f2df81bd150299caefe36ff1c6b91e63f1f4ceb09f729e
SHA512: 89d05ae4331e99ee2b262d7abdec89a0cbdf5e8b32812ced24ace8143240ac38415f3f167debf5a37080843ebee94e3939ef741837607a045aaec621a9ecbe5e

Filesize: 84KB
MD5: 3053ef90d93099d6956cf4ce11756983
SHA1: 86b8172774d3b54514e727386c0a79a097f23167
SHA256: 99fd667f6d2b33908e1c92057d162caf0d74fd9c10c3c5ffd011e883629636a8
SHA512: 47f7dc6f0a5f33b53b394e8247570a1b6ac83375406cf391481b11980c68f4a31e22e622144fd68bb5a3586cd9916bfc8a1181457a44b4e72e09a03073f7e5e1

Filesize: 84KB
MD5: 7ecfefc53087bae6a57ea4835f064fa4
SHA1: d03701166a0342efe2bdb5f61f905c6b268be8b1
SHA256: a92ca3276eec8978e7985c38c53e75e53887c54adeb8734901ae114880475c69
SHA512: ff1b8d977c654a6ae204ddb03807729f36da878d50aca768e177e68f2f9bf0f188f209073e257cb6081b1f96f6d59adf36f4d5712b4c39cf2ff45fa9f5f19f6d

Filesize: 84KB
MD5: a01e2a381f7a6d8d81ae686a6a70cb61
SHA1: 606ae05b3d4d280b7710c70cdd129b61b26175ea
SHA256: 7efac4589b82b33caee532730b1ec2540ea5a2393c63480518867408278eb717
SHA512: afc76b71a9160f12958784bdf3ed14a806765708a93c5bd2290ca59126539b47ecbc00ae6f16ae4ba0f1b3734764fca801a2ea915ce0a4e0fae48babc84e963e

Filesize: 84KB
MD5: cba6ccc33676abd6b3b5799ef7fe0e63
SHA1: ad4e4015d6fd3bccf7267f9913ea51944364e13e
SHA256: c426ffcd83612df5493b72cec2e5673c8cc520ac1e229e6c7e4e20cf4c14c681
SHA512: bda151f5951295d2c56ad36688f0337d7a63bc75f9edb09546ded4eb0eac7b0e98b39ca7efff4b399ac7d4fed03466e5ec74cf077aaa333a94ec878910efb0cf

Filesize: 84KB
MD5: e42da69fa9f8a80f6c8b73f7b5069067
SHA1: 10a182d3c1c9606784ba46742332268913fdf725
SHA256: 0a389a8a0101dfb5493f059775d56854dba7531ea4c11ed87af0ce2c4b4ab09f
SHA512: 139369d4e1ac2ac551ec0f0913946406a9365f78fb3bce16b32dac9676f6ffc5f1c5f77dd257fec6ffa66adc4c68b798d9e714ba7032fc2b1290123fbcbb2a33

Filesize: 84KB
MD5: 8a154bd35d7f3aeda5a60dbc96120923
SHA1: 65b202b42dfcac0d5806c810eca2efbd1e072c05
SHA256: a6e85810140a0074de4ca195a5ac277ea423437261f30fabb2af9f9fa3a9791d
SHA512: 9706f08209bf943f2e1d918f9d15c74e9990150aa84b70c818948c11bea1396afdd3d284316ab0639a3b1e7362bef030c2ea62a76bef8fd2955d80b4c97d8cee

Filesize: 84KB
MD5: 69b820f8f168b9fb70910adcbd43f614
SHA1: 707d02efda8413f7796b2d207476af6337342ffb
SHA256: d368bb4f781fd3602f3dde6b62b9513f05663db5dbb5410baa08182e1254a8d8
SHA512: 69ddbe2b43a5ec8d5aa41c539c59092089a103ac0a17931176985340a9e57020ab847c998ab2ab3d6dd32909cbdd794ab4b5cd2d2b8df47853c0903a0d2cb022