berbew | 85a5a630a173c3d6f007ce11c20a681b90cc1c13a697e2d21ef0076bcfccec12

Analysis

max time kernel
23s
max time network
16s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
08/12/2024, 03:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

85a5a630a173c3d6f007ce11c20a681b90cc1c13a697e2d21ef0076bcfccec12N.exe
Size

55KB
MD5

b186a5f554c87e64e6395ca84119d7b0
SHA1

fc85d47489ebf9778d6dc5d074eca02223197cb8
SHA256

85a5a630a173c3d6f007ce11c20a681b90cc1c13a697e2d21ef0076bcfccec12
SHA512

a738c9233c76f5df825d99bb18c2534466b5de2e09e969752a4a0c87e4692f7123a47c6df6d5f3a490d7a90f5f7142f8ab1137939782b23df3e5e258f6381f19
SSDEEP

1536:e4CaNpnc031u1dIuAmphjjs+NSoNSd0A3shxD6T:Tlu1dzprjjs+NXNW0A8hho

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://tat-neftbank.ru/kkq.php

http://tat-neftbank.ru/wcmd.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 18 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beejng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjdplm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfnmfn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbgnak32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhhpeafc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Baadng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	85a5a630a173c3d6f007ce11c20a681b90cc1c13a697e2d21ef0076bcfccec12N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beejng32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbikgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bbikgk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjdplm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Baohhgnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfnmfn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	85a5a630a173c3d6f007ce11c20a681b90cc1c13a697e2d21ef0076bcfccec12N.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Baohhgnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bhhpeafc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Baadng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bbgnak32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 9 IoCs

pid	Process
2972	Bbgnak32.exe
2828	Beejng32.exe
2840	Bbikgk32.exe
2740	Bjdplm32.exe
320	Baohhgnf.exe
1504	Bhhpeafc.exe
2908	Baadng32.exe
2764	Cfnmfn32.exe
2412	Cacacg32.exe

Loads dropped DLL 22 IoCs

pid	Process
2816	85a5a630a173c3d6f007ce11c20a681b90cc1c13a697e2d21ef0076bcfccec12N.exe
2816	85a5a630a173c3d6f007ce11c20a681b90cc1c13a697e2d21ef0076bcfccec12N.exe
2972	Bbgnak32.exe
2972	Bbgnak32.exe
2828	Beejng32.exe
2828	Beejng32.exe
2840	Bbikgk32.exe
2840	Bbikgk32.exe
2740	Bjdplm32.exe
2740	Bjdplm32.exe
320	Baohhgnf.exe
320	Baohhgnf.exe
1504	Bhhpeafc.exe
1504	Bhhpeafc.exe
2908	Baadng32.exe
2908	Baadng32.exe
2764	Cfnmfn32.exe
2764	Cfnmfn32.exe
2432	WerFault.exe
2432	WerFault.exe
2432	WerFault.exe
2432	WerFault.exe

Drops file in System32 directory 27 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Beejng32.exe	Bbgnak32.exe
File opened for modification	C:\Windows\SysWOW64\Bjdplm32.exe	Bbikgk32.exe
File created	C:\Windows\SysWOW64\Baadng32.exe	Bhhpeafc.exe
File created	C:\Windows\SysWOW64\Bbgnak32.exe	85a5a630a173c3d6f007ce11c20a681b90cc1c13a697e2d21ef0076bcfccec12N.exe
File created	C:\Windows\SysWOW64\Bbikgk32.exe	Beejng32.exe
File opened for modification	C:\Windows\SysWOW64\Baadng32.exe	Bhhpeafc.exe
File created	C:\Windows\SysWOW64\Cfnmfn32.exe	Baadng32.exe
File opened for modification	C:\Windows\SysWOW64\Beejng32.exe	Bbgnak32.exe
File created	C:\Windows\SysWOW64\Bjdplm32.exe	Bbikgk32.exe
File created	C:\Windows\SysWOW64\Ljacemio.dll	Bhhpeafc.exe
File created	C:\Windows\SysWOW64\Mabanhgg.dll	Baadng32.exe
File created	C:\Windows\SysWOW64\Cacacg32.exe	Cfnmfn32.exe
File created	C:\Windows\SysWOW64\Nfolbbmp.dll	Bjdplm32.exe
File created	C:\Windows\SysWOW64\Jodjlm32.dll	Baohhgnf.exe
File created	C:\Windows\SysWOW64\Ehieciqq.dll	85a5a630a173c3d6f007ce11c20a681b90cc1c13a697e2d21ef0076bcfccec12N.exe
File created	C:\Windows\SysWOW64\Eoqbnm32.dll	Bbgnak32.exe
File opened for modification	C:\Windows\SysWOW64\Bbikgk32.exe	Beejng32.exe
File created	C:\Windows\SysWOW64\Fpcopobi.dll	Bbikgk32.exe
File opened for modification	C:\Windows\SysWOW64\Baohhgnf.exe	Bjdplm32.exe
File opened for modification	C:\Windows\SysWOW64\Bbgnak32.exe	85a5a630a173c3d6f007ce11c20a681b90cc1c13a697e2d21ef0076bcfccec12N.exe
File created	C:\Windows\SysWOW64\Abacpl32.dll	Beejng32.exe
File created	C:\Windows\SysWOW64\Bhhpeafc.exe	Baohhgnf.exe
File created	C:\Windows\SysWOW64\Fdlpjk32.dll	Cfnmfn32.exe
File created	C:\Windows\SysWOW64\Baohhgnf.exe	Bjdplm32.exe
File opened for modification	C:\Windows\SysWOW64\Cfnmfn32.exe	Baadng32.exe
File opened for modification	C:\Windows\SysWOW64\Bhhpeafc.exe	Baohhgnf.exe
File opened for modification	C:\Windows\SysWOW64\Cacacg32.exe	Cfnmfn32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2432	2412	WerFault.exe	38

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baohhgnf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cacacg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beejng32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbgnak32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbikgk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjdplm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhpeafc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baadng32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfnmfn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	85a5a630a173c3d6f007ce11c20a681b90cc1c13a697e2d21ef0076bcfccec12N.exe

Modifies registry class 30 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bhhpeafc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Baadng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Baadng32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	85a5a630a173c3d6f007ce11c20a681b90cc1c13a697e2d21ef0076bcfccec12N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bbgnak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abacpl32.dll"	Beejng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Beejng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bbikgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nfolbbmp.dll"	Bjdplm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfnmfn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	85a5a630a173c3d6f007ce11c20a681b90cc1c13a697e2d21ef0076bcfccec12N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jodjlm32.dll"	Baohhgnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehieciqq.dll"	85a5a630a173c3d6f007ce11c20a681b90cc1c13a697e2d21ef0076bcfccec12N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjdplm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Baohhgnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljacemio.dll"	Bhhpeafc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eoqbnm32.dll"	Bbgnak32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bbikgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mabanhgg.dll"	Baadng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfnmfn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Beejng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjdplm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bbgnak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpcopobi.dll"	Bbikgk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bhhpeafc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdlpjk32.dll"	Cfnmfn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	85a5a630a173c3d6f007ce11c20a681b90cc1c13a697e2d21ef0076bcfccec12N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	85a5a630a173c3d6f007ce11c20a681b90cc1c13a697e2d21ef0076bcfccec12N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Baohhgnf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	85a5a630a173c3d6f007ce11c20a681b90cc1c13a697e2d21ef0076bcfccec12N.exe

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 2816 wrote to memory of 2972	2816	85a5a630a173c3d6f007ce11c20a681b90cc1c13a697e2d21ef0076bcfccec12N.exe	30
PID 2816 wrote to memory of 2972	2816	85a5a630a173c3d6f007ce11c20a681b90cc1c13a697e2d21ef0076bcfccec12N.exe	30
PID 2816 wrote to memory of 2972	2816	85a5a630a173c3d6f007ce11c20a681b90cc1c13a697e2d21ef0076bcfccec12N.exe	30
PID 2816 wrote to memory of 2972	2816	85a5a630a173c3d6f007ce11c20a681b90cc1c13a697e2d21ef0076bcfccec12N.exe	30
PID 2972 wrote to memory of 2828	2972	Bbgnak32.exe	31
PID 2972 wrote to memory of 2828	2972	Bbgnak32.exe	31
PID 2972 wrote to memory of 2828	2972	Bbgnak32.exe	31
PID 2972 wrote to memory of 2828	2972	Bbgnak32.exe	31
PID 2828 wrote to memory of 2840	2828	Beejng32.exe	32
PID 2828 wrote to memory of 2840	2828	Beejng32.exe	32
PID 2828 wrote to memory of 2840	2828	Beejng32.exe	32
PID 2828 wrote to memory of 2840	2828	Beejng32.exe	32
PID 2840 wrote to memory of 2740	2840	Bbikgk32.exe	33
PID 2840 wrote to memory of 2740	2840	Bbikgk32.exe	33
PID 2840 wrote to memory of 2740	2840	Bbikgk32.exe	33
PID 2840 wrote to memory of 2740	2840	Bbikgk32.exe	33
PID 2740 wrote to memory of 320	2740	Bjdplm32.exe	34
PID 2740 wrote to memory of 320	2740	Bjdplm32.exe	34
PID 2740 wrote to memory of 320	2740	Bjdplm32.exe	34
PID 2740 wrote to memory of 320	2740	Bjdplm32.exe	34
PID 320 wrote to memory of 1504	320	Baohhgnf.exe	35
PID 320 wrote to memory of 1504	320	Baohhgnf.exe	35
PID 320 wrote to memory of 1504	320	Baohhgnf.exe	35
PID 320 wrote to memory of 1504	320	Baohhgnf.exe	35
PID 1504 wrote to memory of 2908	1504	Bhhpeafc.exe	36
PID 1504 wrote to memory of 2908	1504	Bhhpeafc.exe	36
PID 1504 wrote to memory of 2908	1504	Bhhpeafc.exe	36
PID 1504 wrote to memory of 2908	1504	Bhhpeafc.exe	36
PID 2908 wrote to memory of 2764	2908	Baadng32.exe	37
PID 2908 wrote to memory of 2764	2908	Baadng32.exe	37
PID 2908 wrote to memory of 2764	2908	Baadng32.exe	37
PID 2908 wrote to memory of 2764	2908	Baadng32.exe	37
PID 2764 wrote to memory of 2412	2764	Cfnmfn32.exe	38
PID 2764 wrote to memory of 2412	2764	Cfnmfn32.exe	38
PID 2764 wrote to memory of 2412	2764	Cfnmfn32.exe	38
PID 2764 wrote to memory of 2412	2764	Cfnmfn32.exe	38
PID 2412 wrote to memory of 2432	2412	Cacacg32.exe	39
PID 2412 wrote to memory of 2432	2412	Cacacg32.exe	39
PID 2412 wrote to memory of 2432	2412	Cacacg32.exe	39
PID 2412 wrote to memory of 2432	2412	Cacacg32.exe	39

C:\Users\Admin\AppData\Local\Temp\85a5a630a173c3d6f007ce11c20a681b90cc1c13a697e2d21ef0076bcfccec12N.exe
"C:\Users\Admin\AppData\Local\Temp\85a5a630a173c3d6f007ce11c20a681b90cc1c13a697e2d21ef0076bcfccec12N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2816
- C:\Windows\SysWOW64\Bbgnak32.exe
  C:\Windows\system32\Bbgnak32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2972
- - C:\Windows\SysWOW64\Beejng32.exe
    C:\Windows\system32\Beejng32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2828
  - - C:\Windows\SysWOW64\Bbikgk32.exe
      C:\Windows\system32\Bbikgk32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2840
    - - C:\Windows\SysWOW64\Bjdplm32.exe
        
        C:\Windows\system32\Bjdplm32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2740
      - C:\Windows\SysWOW64\Baohhgnf.exe
        
        C:\Windows\system32\Baohhgnf.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:320
        
        C:\Windows\SysWOW64\Bhhpeafc.exe
        
        C:\Windows\system32\Bhhpeafc.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1504
        
        C:\Windows\SysWOW64\Baadng32.exe
        
        C:\Windows\system32\Baadng32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2908
        
        C:\Windows\SysWOW64\Cfnmfn32.exe
        
        C:\Windows\system32\Cfnmfn32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2764
        
        C:\Windows\SysWOW64\Cacacg32.exe
        
        C:\Windows\system32\Cacacg32.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2412
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2412 -s 140
        11⤵
        Loads dropped DLL
        Program crash
        
        PID:2432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bbgnak32.exe

Filesize
55KB

MD5
b85956872979d63ca25fa87e6fbfd874

SHA1
f4328483fc1272a92fc77b84296756ddf44723bd

SHA256
0f12f48c0c8a15f5df68225fbe80bd130257469ced032f51ce9071de01bc49d0

SHA512
edf8e1b2e796a4b594d810f5fb016b78f156a8e82b08d820c633131517799c348057ac9dee16dab2714ad8fc365e749875b6e1bce2dab3cf53b766aa591b6057

Download Submit
C:\Windows\SysWOW64\Bjdplm32.exe

Filesize
55KB

MD5
6e1d250ff486f821fb3f3fc6abf4dd63

SHA1
51d3f0407dad73701b8aa50d4e72d241436f0d24

SHA256
9f60e876b52e506478a40ce11333a1a74ad18c6ac55b9ce472560f88acd73cb3

SHA512
2306fa740eccac38bd1943c648ac6a3aba3300eb8535fe7deaf0b209c6dd7695fce5fbd2dbedb013ae495b9e68b72ed11090451dcd27d6308b9f3c3879e32ef5

Download Submit
\Windows\SysWOW64\Baadng32.exe

Filesize
55KB

MD5
55cae9a21cb96cd45118d498c5c688ba

SHA1
9aa43f8ad861a5bc0ddb58405cccdd5b87c93464

SHA256
add82e7fb4bbb080a6f5fdb7fa70fe2fa59527f54d839ad25d2fcc4647090772

SHA512
28bd40da80f1d7b0736cc0d7ac342c231b365cfdcc63fd14d192bbc6417e47b43339fbd0ada6cb64ae6884d1995c8f819b71bb1911d3b312f9f025bd6bfb9ca1

Download Submit
\Windows\SysWOW64\Baohhgnf.exe

Filesize
55KB

MD5
7e06e7cec97735d6c9bc0765b8a0f574

SHA1
bed3c53a2db6e7e17b3a168b175d65da9d64242d

SHA256
0524bf9d9ea37b85dbc38243619f76aa14f9072078c6901e41bff63a99f4c69a

SHA512
376b4800e75d79b37f3a1316c6afce14baaedefccd16a1fcfe6f11911a4c887fe6edd426f8ccfa4d8bf5ef22b0b961dfad0e734f831160bf8d7b98ec989fb70c

Download Submit
\Windows\SysWOW64\Bbikgk32.exe

Filesize
55KB

MD5
47430f59c4905bc651246050ebbc8bd8

SHA1
5d104280b5a04d37af80b791725a15fe5aebfefe

SHA256
892cbbbf917679582cdde97994ec140d04a11d8250acd9b4285b0e28513937f2

SHA512
97e66b48c9822ce12e1f8dedf10acb643336c7ff9e5afb24666e4c589b1e3a357890d10ea17bf0f8cf232251dbd770ef8a503eafc935b6836b68bf924e75c4b7

Download Submit
\Windows\SysWOW64\Beejng32.exe

Filesize
55KB

MD5
a28dad3fd91adc5fbd5cb984f5877010

SHA1
d5f481ccd6e3a36a15bb97b5dab222be42833a90

SHA256
439313591abc1fcfd2da5d7207a31e4de9509b3ea5621343be6515864a614499

SHA512
2f9eb157fd3788c0c01fda9170c26c25020a6dfefd81eb7263e2dbd143e0c23b9f0bb7ce9d03a6e8ba6daadd228d264e0b1dd44bc3cd0542c9c285a6522957ea

Download Submit
\Windows\SysWOW64\Bhhpeafc.exe

Filesize
55KB

MD5
d44ef635d233ce6a61992e5f611f5ae1

SHA1
cebc256bf3f64f4113f889469ce1952784ddf2dc

SHA256
8a9ac01654c2ed6737374b21c4fa81251da134aa153967fd75210c6bc4dff06e

SHA512
9b15baf3c0412d8cab34803353ce29b5e0a86cb249e0757421ed270c1d70245077e474855ef36b50dd1429957ecc176fe24c16209cdfa5cddab4d9b8ef63dfea

Download Submit
\Windows\SysWOW64\Cacacg32.exe

Filesize
55KB

MD5
2c437d1afd931cddf45975ca73e35ef8

SHA1
0fc0663910e54493c7de80e38e85f68709b52abb

SHA256
cfb1d4670885542ec07b1831782c33814a4a6bd45de34b2e5692b70ef4650b4a

SHA512
b91cdad6f084c9d96a3bd68d0f1b9b41861ad9d5948c5ec06f058c984867e2361681097ebda517c351a0268cce84e0d5bf82b5d19964b5065730804ed8f3a83d

Download Submit
\Windows\SysWOW64\Cfnmfn32.exe

Filesize
55KB

MD5
5f1b8e9678bdfe09b4e009a123e570dc

SHA1
63a8b6a9a148c127f144603b85c37e9c4999dd94

SHA256
e1cf4d789be04b3c36be880b2afa085f631c7263a51dde67126fadabb413449f

SHA512
f66fa19890353f3afe9c3de1808bff512eb2ea90b49b28de526c7a9d5fb68372f623046dc6d144a988c1c379b5e6fdef0b59737bc7f94a86614b2508df33c30e

Download Submit
memory/320-133-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/320-69-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1504-90-0x00000000002E0000-0x000000000030F000-memory.dmp

Filesize
188KB

Download
memory/1504-130-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1504-82-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2412-144-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2740-55-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2740-63-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2740-134-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2764-117-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2764-145-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2764-109-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2816-18-0x0000000000260000-0x000000000028F000-memory.dmp

Filesize
188KB

Download
memory/2816-17-0x0000000000260000-0x000000000028F000-memory.dmp

Filesize
188KB

Download
memory/2816-141-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2816-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2828-27-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2828-138-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2828-39-0x00000000005C0000-0x00000000005EF000-memory.dmp

Filesize
188KB

Download
memory/2840-53-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2840-41-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2840-140-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2908-96-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2908-131-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2972-21-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads