berbew | ce0970733f03dac573e2b39fcc70fa805a4a479fdd0b8fd8058661660f0aa3bb

Analysis

max time kernel
93s
max time network
135s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
08/12/2024, 03:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ce0970733f03dac573e2b39fcc70fa805a4a479fdd0b8fd8058661660f0aa3bb.exe
Size

63KB
MD5

9395ff9e3a239e20ae688400fd27d93e
SHA1

a9de2d678a1fd9dc333bcac7893a2491322eced7
SHA256

ce0970733f03dac573e2b39fcc70fa805a4a479fdd0b8fd8058661660f0aa3bb
SHA512

a5d915830e28f365c0692aa6f8ac73e83e632ca467e283c9cb6d3c935c61012c1988e5172861ea582820c7fd3aed02101ab940a639990b97a727bfe038e88760
SSDEEP

768:CIKjPVvIe0KFuZbmWFrmPvYD4CR74vDl/1H5tmXdnhg20a0kXdnhAPAPDXdnhe:CIK9IeHFuQ2moDU/DkH1juIZo

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 20 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	ce0970733f03dac573e2b39fcc70fa805a4a479fdd0b8fd8058661660f0aa3bb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	ce0970733f03dac573e2b39fcc70fa805a4a479fdd0b8fd8058661660f0aa3bb.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 10 IoCs

pid	Process
4000	Dmefhako.exe
3088	Ddonekbl.exe
4444	Dfnjafap.exe
4804	Dmgbnq32.exe
5072	Ddakjkqi.exe
2084	Dfpgffpm.exe
2692	Dmjocp32.exe
4800	Dddhpjof.exe
3480	Dgbdlf32.exe
3872	Dmllipeg.exe

Drops file in System32 directory 30 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Bobiobnp.dll	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dgbdlf32.exe
File opened for modification	C:\Windows\SysWOW64\Dfnjafap.exe	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Poahbe32.dll	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Dddhpjof.exe	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Dfpgffpm.exe	Ddakjkqi.exe
File opened for modification	C:\Windows\SysWOW64\Dmjocp32.exe	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Gifhkeje.dll	Dmgbnq32.exe
File opened for modification	C:\Windows\SysWOW64\Dfpgffpm.exe	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Kmdjdl32.dll	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Dmjocp32.exe	Dfpgffpm.exe
File opened for modification	C:\Windows\SysWOW64\Dddhpjof.exe	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Amjknl32.dll	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Dmefhako.exe	ce0970733f03dac573e2b39fcc70fa805a4a479fdd0b8fd8058661660f0aa3bb.exe
File created	C:\Windows\SysWOW64\Mjelcfha.dll	Dmefhako.exe
File opened for modification	C:\Windows\SysWOW64\Dgbdlf32.exe	Dddhpjof.exe
File opened for modification	C:\Windows\SysWOW64\Ddakjkqi.exe	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Dgbdlf32.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Gfghpl32.dll	Dddhpjof.exe
File opened for modification	C:\Windows\SysWOW64\Dmefhako.exe	ce0970733f03dac573e2b39fcc70fa805a4a479fdd0b8fd8058661660f0aa3bb.exe
File created	C:\Windows\SysWOW64\Ddakjkqi.exe	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dgbdlf32.exe
File opened for modification	C:\Windows\SysWOW64\Ddonekbl.exe	Dmefhako.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Dmgbnq32.exe	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Ihidnp32.dll	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Ddonekbl.exe	Dmefhako.exe
File created	C:\Windows\SysWOW64\Dfnjafap.exe	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Gidbim32.dll	ce0970733f03dac573e2b39fcc70fa805a4a479fdd0b8fd8058661660f0aa3bb.exe
File opened for modification	C:\Windows\SysWOW64\Dmgbnq32.exe	Dfnjafap.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3628	3872	WerFault.exe	92

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ce0970733f03dac573e2b39fcc70fa805a4a479fdd0b8fd8058661660f0aa3bb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe

Modifies registry class 33 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	ce0970733f03dac573e2b39fcc70fa805a4a479fdd0b8fd8058661660f0aa3bb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Poahbe32.dll"	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdjdl32.dll"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfghpl32.dll"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	ce0970733f03dac573e2b39fcc70fa805a4a479fdd0b8fd8058661660f0aa3bb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	ce0970733f03dac573e2b39fcc70fa805a4a479fdd0b8fd8058661660f0aa3bb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihidnp32.dll"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gidbim32.dll"	ce0970733f03dac573e2b39fcc70fa805a4a479fdd0b8fd8058661660f0aa3bb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjelcfha.dll"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bobiobnp.dll"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amjknl32.dll"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gifhkeje.dll"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	ce0970733f03dac573e2b39fcc70fa805a4a479fdd0b8fd8058661660f0aa3bb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	ce0970733f03dac573e2b39fcc70fa805a4a479fdd0b8fd8058661660f0aa3bb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dddhpjof.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 2584 wrote to memory of 4000	2584	ce0970733f03dac573e2b39fcc70fa805a4a479fdd0b8fd8058661660f0aa3bb.exe	83
PID 2584 wrote to memory of 4000	2584	ce0970733f03dac573e2b39fcc70fa805a4a479fdd0b8fd8058661660f0aa3bb.exe	83
PID 2584 wrote to memory of 4000	2584	ce0970733f03dac573e2b39fcc70fa805a4a479fdd0b8fd8058661660f0aa3bb.exe	83
PID 4000 wrote to memory of 3088	4000	Dmefhako.exe	84
PID 4000 wrote to memory of 3088	4000	Dmefhako.exe	84
PID 4000 wrote to memory of 3088	4000	Dmefhako.exe	84
PID 3088 wrote to memory of 4444	3088	Ddonekbl.exe	85
PID 3088 wrote to memory of 4444	3088	Ddonekbl.exe	85
PID 3088 wrote to memory of 4444	3088	Ddonekbl.exe	85
PID 4444 wrote to memory of 4804	4444	Dfnjafap.exe	86
PID 4444 wrote to memory of 4804	4444	Dfnjafap.exe	86
PID 4444 wrote to memory of 4804	4444	Dfnjafap.exe	86
PID 4804 wrote to memory of 5072	4804	Dmgbnq32.exe	87
PID 4804 wrote to memory of 5072	4804	Dmgbnq32.exe	87
PID 4804 wrote to memory of 5072	4804	Dmgbnq32.exe	87
PID 5072 wrote to memory of 2084	5072	Ddakjkqi.exe	88
PID 5072 wrote to memory of 2084	5072	Ddakjkqi.exe	88
PID 5072 wrote to memory of 2084	5072	Ddakjkqi.exe	88
PID 2084 wrote to memory of 2692	2084	Dfpgffpm.exe	89
PID 2084 wrote to memory of 2692	2084	Dfpgffpm.exe	89
PID 2084 wrote to memory of 2692	2084	Dfpgffpm.exe	89
PID 2692 wrote to memory of 4800	2692	Dmjocp32.exe	90
PID 2692 wrote to memory of 4800	2692	Dmjocp32.exe	90
PID 2692 wrote to memory of 4800	2692	Dmjocp32.exe	90
PID 4800 wrote to memory of 3480	4800	Dddhpjof.exe	91
PID 4800 wrote to memory of 3480	4800	Dddhpjof.exe	91
PID 4800 wrote to memory of 3480	4800	Dddhpjof.exe	91
PID 3480 wrote to memory of 3872	3480	Dgbdlf32.exe	92
PID 3480 wrote to memory of 3872	3480	Dgbdlf32.exe	92
PID 3480 wrote to memory of 3872	3480	Dgbdlf32.exe	92

C:\Users\Admin\AppData\Local\Temp\ce0970733f03dac573e2b39fcc70fa805a4a479fdd0b8fd8058661660f0aa3bb.exe
"C:\Users\Admin\AppData\Local\Temp\ce0970733f03dac573e2b39fcc70fa805a4a479fdd0b8fd8058661660f0aa3bb.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2584
- C:\Windows\SysWOW64\Dmefhako.exe
  C:\Windows\system32\Dmefhako.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4000
- - C:\Windows\SysWOW64\Ddonekbl.exe
    C:\Windows\system32\Ddonekbl.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3088
  - - C:\Windows\SysWOW64\Dfnjafap.exe
      C:\Windows\system32\Dfnjafap.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4444
    - - C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4804
      - C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5072
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2084
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2692
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4800
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3480
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3872
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3872 -s 428
        12⤵
        Program crash
        
        PID:3628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3872 -ip 3872
1⤵
PID:2460

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ddakjkqi.exe

Filesize
63KB

MD5
8c8d46f3f61b2b7a104a63c55c295b20

SHA1
8f0b3d40152d6e3202bf0ea9eff1c82c428e1aa9

SHA256
9e972238e5803a886f1792576dffeafc5909fd30e8baf28aac3f6b76c1ae9f44

SHA512
3f16cbf8a67d2d8c71d7ea1652f17052ff2e773ebc2293d7c0f97f2092b15ddb8c33fb6f3a480a8889c51d296a10737239b97da6f06fdc0218a8a92730d3668b

Download Submit
C:\Windows\SysWOW64\Dddhpjof.exe

Filesize
63KB

MD5
21a2f416c994631d7f67917a5c98b43b

SHA1
551849d59e49d5d9d12d51cbfff0bd6c232b857a

SHA256
a5edc86e26e783b1b50003dc5660c866d8259d520c58d89c35817e04b7add85a

SHA512
33346c81a0892f7476c825f9a93efd29ef2a4400da8523b3befc59814c27f4604a5ccf78b780a60db14f048a9ba1b285927916125377b8bfd990331ca95f825b

Download Submit
C:\Windows\SysWOW64\Ddonekbl.exe

Filesize
63KB

MD5
14c021c7740160f76bd8fb94f925572b

SHA1
bf005bb767c936a9f0ae9db9b565fb7d4c86fab7

SHA256
1aa99784f131066f608337f0cf4162169207f85d63869f31925924f081e2b804

SHA512
9069e51d25a941d17102c338cfe978c6f7a9067a1a05d319dd2240db6a124438547ba6f1373e7a9e9192310907576454726b8e64f67039d082e5ed17d7665d44

Download Submit
C:\Windows\SysWOW64\Dfnjafap.exe

Filesize
63KB

MD5
5512045a89a96ee97c87b8ca4d7961d5

SHA1
668fe4874eed13e994f07e8a3b2d3dc1ca2994cd

SHA256
c62b1d5dcf5e200a9a76785bfb24c2ead5d4ed408f47cae5bb7a44fa5de5e1c7

SHA512
e5239ec089c59f0dfe7df58484723278fe56cda8424237334b6a8c831e8242bb4a23876c61ab2caae9923c1f57723610a9ae11545ccffc8d65dc79a53e0cdca3

Download Submit
C:\Windows\SysWOW64\Dfpgffpm.exe

Filesize
63KB

MD5
052b438978f1bd9e5b555943c1113f36

SHA1
dfe2361fa39f7dfde40b53f85856a3c27876bf37

SHA256
e2844d36a72cce705f2b65a03a73e2639a23c4528eea9a9d587d0910238721f2

SHA512
4c55984209e4c926951bf7b38be8d017e9cc046b68ea1d7b8db210335b40d33ce5a14de12809bf7424c09ff2eb3fd8a07cb5ec42552e7035b6a3b3f814b195aa

Download Submit
C:\Windows\SysWOW64\Dgbdlf32.exe

Filesize
63KB

MD5
9ce751d922fd708be7c82282b63ef7b7

SHA1
9305ef305806ed609fe3ff89b6f9b3e877eb94db

SHA256
2a1af735f3b724c3223396b386dfd2f88703b017066d1d2856b8432bebc92fb5

SHA512
8728c34ea4ec72a342831582895b67272f2b1b69699ec1eed8a7ec9e4a9a7a856e51e8922b4c9244c29c75f0d081f31ba4e685b6e439228e4b838e37acd86a06

Download Submit
C:\Windows\SysWOW64\Dmefhako.exe

Filesize
63KB

MD5
d9fda89f816a3f0ed5fea6d264deba12

SHA1
2a10527f3dac5ba31ef5f8e6b239e9834f814115

SHA256
a628bf79e240ef0baa978711862f91618154179e6d02a755e32515f6e10b0e4e

SHA512
8b6d5704c5341b51cdb3d6a1d8c1c5c995862350b7a8b86407e43af7fe9da427cd3f06f1d6b625486e888bc7f0cf35b0556f8d5f3550f4cffc5cec6d4ba56777

Download Submit
C:\Windows\SysWOW64\Dmgbnq32.exe

Filesize
63KB

MD5
1a85b2affa4cf870af396576b9ab80e4

SHA1
f9dd37f708997955eab87b4fbd6043c28288afce

SHA256
fb42b52e2d3a6080b27a4a04dd6ef798e0362f2c8079220af3c346ce64f3a2d4

SHA512
04893852b687dadb84c55b0293e839e4bebb160b0c513127fb86ed7b4d482c89b13dc4a444ebebccfc5a79a84d67fe3692572887833fd52fb9228b3e5ec7abfe

Download Submit
C:\Windows\SysWOW64\Dmjocp32.exe

Filesize
63KB

MD5
7bc7ab9708c1b9ff50b23f4f028f2227

SHA1
0e4cde39a635953a955fb542b75d11a4d3cb054a

SHA256
2da29488deb14cff4160c379c9f83db3dd6343b50d88ca127a68bbc9be2c770a

SHA512
abaff9342092103b1d4760a545b509d9d44ca6215e4890898b5b5d4ad13f43b60fd14ab799de2f282732d608724550c2a9ee31d1eb397faae19318d0865e98d9

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
63KB

MD5
c072048b54bb4653ec9ce038ab75f828

SHA1
5f6fe42ae597a01c826e92b7bf685276a6de8603

SHA256
f13e505a44c16f68ae201a54c1ff67f60a46127cbf5f87b9e162f8006c67c7ed

SHA512
e75c3597824940cbbc09892d4cd39aeccdcdd10ea0f626133537caa5067e29944624de0e31dd1677416fbd3cd9fc0a45cab6ab1ec53784da08e365f68c0b1e18

Download Submit
memory/2084-97-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2084-48-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2584-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2584-94-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2584-1-0x0000000000434000-0x0000000000435000-memory.dmp

Filesize
4KB

Download
memory/2692-56-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2692-89-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3088-16-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3088-102-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3480-85-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3480-72-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3872-80-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3872-84-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4000-9-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4000-92-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4444-99-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4444-24-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4800-87-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4800-64-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4804-32-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4804-101-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5072-40-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5072-95-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads