berbew | 1d63c4dba7a29419e9f197f8a0ff626a6a29b67d8effbab2bb167059da2b4eae

Analysis

max time kernel
118s
max time network
118s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
08-12-2024 20:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1d63c4dba7a29419e9f197f8a0ff626a6a29b67d8effbab2bb167059da2b4eae.exe
Size

67KB
MD5

842360872a44ded8ca1de00f0ae7ba5d
SHA1

df62f181000af67d33ef3c253eb36a884089db18
SHA256

1d63c4dba7a29419e9f197f8a0ff626a6a29b67d8effbab2bb167059da2b4eae
SHA512

63394d50f812c30dceb661ce32b2bafe27ffe1746dac6cc6a8ca7ddb44c95e987c6305fd0675f6250c088e4b3129cf558115c7774f06543464ee39a761427aef
SSDEEP

1536:dPZ7OoUDp0tdgnOxpJsxS11pMwdKwEcsJifTduD4oTxwB:7t6rdajdKw3sJibdMTxwB

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://tat-neftbank.ru/kkq.php

http://tat-neftbank.ru/wcmd.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 18 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Naimccpo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Niebhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Niebhf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngibaj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkklljmg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngdifkpi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Meppiblm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mholen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Naimccpo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncpcfkbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkklljmg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Meppiblm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mholen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngdifkpi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngibaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncpcfkbg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	1d63c4dba7a29419e9f197f8a0ff626a6a29b67d8effbab2bb167059da2b4eae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	1d63c4dba7a29419e9f197f8a0ff626a6a29b67d8effbab2bb167059da2b4eae.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 9 IoCs

pid	Process
2832	Mkklljmg.exe
2840	Meppiblm.exe
2852	Mholen32.exe
2720	Ngdifkpi.exe
1980	Naimccpo.exe
1476	Niebhf32.exe
2012	Ngibaj32.exe
2008	Ncpcfkbg.exe
2776	Nlhgoqhh.exe

Loads dropped DLL 22 IoCs

pid	Process
2884	1d63c4dba7a29419e9f197f8a0ff626a6a29b67d8effbab2bb167059da2b4eae.exe
2884	1d63c4dba7a29419e9f197f8a0ff626a6a29b67d8effbab2bb167059da2b4eae.exe
2832	Mkklljmg.exe
2832	Mkklljmg.exe
2840	Meppiblm.exe
2840	Meppiblm.exe
2852	Mholen32.exe
2852	Mholen32.exe
2720	Ngdifkpi.exe
2720	Ngdifkpi.exe
1980	Naimccpo.exe
1980	Naimccpo.exe
1476	Niebhf32.exe
1476	Niebhf32.exe
2012	Ngibaj32.exe
2012	Ngibaj32.exe
2008	Ncpcfkbg.exe
2008	Ncpcfkbg.exe
3032	WerFault.exe
3032	WerFault.exe
3032	WerFault.exe
3032	WerFault.exe

Drops file in System32 directory 27 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Fbpljhnf.dll	Mholen32.exe
File created	C:\Windows\SysWOW64\Eppddhlj.dll	Ngdifkpi.exe
File created	C:\Windows\SysWOW64\Naimccpo.exe	Ngdifkpi.exe
File opened for modification	C:\Windows\SysWOW64\Niebhf32.exe	Naimccpo.exe
File created	C:\Windows\SysWOW64\Ngdifkpi.exe	Mholen32.exe
File created	C:\Windows\SysWOW64\Mkklljmg.exe	1d63c4dba7a29419e9f197f8a0ff626a6a29b67d8effbab2bb167059da2b4eae.exe
File opened for modification	C:\Windows\SysWOW64\Mkklljmg.exe	1d63c4dba7a29419e9f197f8a0ff626a6a29b67d8effbab2bb167059da2b4eae.exe
File opened for modification	C:\Windows\SysWOW64\Meppiblm.exe	Mkklljmg.exe
File created	C:\Windows\SysWOW64\Lhajpc32.dll	Mkklljmg.exe
File created	C:\Windows\SysWOW64\Ncpcfkbg.exe	Ngibaj32.exe
File created	C:\Windows\SysWOW64\Pfdmil32.dll	Ngibaj32.exe
File created	C:\Windows\SysWOW64\Nlhgoqhh.exe	Ncpcfkbg.exe
File opened for modification	C:\Windows\SysWOW64\Naimccpo.exe	Ngdifkpi.exe
File created	C:\Windows\SysWOW64\Niebhf32.exe	Naimccpo.exe
File created	C:\Windows\SysWOW64\Oaajloig.dll	1d63c4dba7a29419e9f197f8a0ff626a6a29b67d8effbab2bb167059da2b4eae.exe
File created	C:\Windows\SysWOW64\Mholen32.exe	Meppiblm.exe
File created	C:\Windows\SysWOW64\Fcihoc32.dll	Naimccpo.exe
File created	C:\Windows\SysWOW64\Ngibaj32.exe	Niebhf32.exe
File created	C:\Windows\SysWOW64\Lamajm32.dll	Ncpcfkbg.exe
File opened for modification	C:\Windows\SysWOW64\Ngdifkpi.exe	Mholen32.exe
File created	C:\Windows\SysWOW64\Jmbckb32.dll	Niebhf32.exe
File created	C:\Windows\SysWOW64\Nldodg32.dll	Meppiblm.exe
File opened for modification	C:\Windows\SysWOW64\Ncpcfkbg.exe	Ngibaj32.exe
File opened for modification	C:\Windows\SysWOW64\Nlhgoqhh.exe	Ncpcfkbg.exe
File created	C:\Windows\SysWOW64\Meppiblm.exe	Mkklljmg.exe
File opened for modification	C:\Windows\SysWOW64\Mholen32.exe	Meppiblm.exe
File opened for modification	C:\Windows\SysWOW64\Ngibaj32.exe	Niebhf32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3032	2776	WerFault.exe	38

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Naimccpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngibaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncpcfkbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlhgoqhh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1d63c4dba7a29419e9f197f8a0ff626a6a29b67d8effbab2bb167059da2b4eae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mkklljmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mholen32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngdifkpi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Meppiblm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Niebhf32.exe

Modifies registry class 30 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	1d63c4dba7a29419e9f197f8a0ff626a6a29b67d8effbab2bb167059da2b4eae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncpcfkbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eppddhlj.dll"	Ngdifkpi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Niebhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngibaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lamajm32.dll"	Ncpcfkbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nldodg32.dll"	Meppiblm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Naimccpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcihoc32.dll"	Naimccpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Niebhf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	1d63c4dba7a29419e9f197f8a0ff626a6a29b67d8effbab2bb167059da2b4eae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	1d63c4dba7a29419e9f197f8a0ff626a6a29b67d8effbab2bb167059da2b4eae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Meppiblm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Meppiblm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngdifkpi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	1d63c4dba7a29419e9f197f8a0ff626a6a29b67d8effbab2bb167059da2b4eae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkklljmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mholen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfdmil32.dll"	Ngibaj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	1d63c4dba7a29419e9f197f8a0ff626a6a29b67d8effbab2bb167059da2b4eae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhajpc32.dll"	Mkklljmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbpljhnf.dll"	Mholen32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngdifkpi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncpcfkbg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngibaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oaajloig.dll"	1d63c4dba7a29419e9f197f8a0ff626a6a29b67d8effbab2bb167059da2b4eae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkklljmg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mholen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Naimccpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmbckb32.dll"	Niebhf32.exe

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 2884 wrote to memory of 2832	2884	1d63c4dba7a29419e9f197f8a0ff626a6a29b67d8effbab2bb167059da2b4eae.exe	30
PID 2884 wrote to memory of 2832	2884	1d63c4dba7a29419e9f197f8a0ff626a6a29b67d8effbab2bb167059da2b4eae.exe	30
PID 2884 wrote to memory of 2832	2884	1d63c4dba7a29419e9f197f8a0ff626a6a29b67d8effbab2bb167059da2b4eae.exe	30
PID 2884 wrote to memory of 2832	2884	1d63c4dba7a29419e9f197f8a0ff626a6a29b67d8effbab2bb167059da2b4eae.exe	30
PID 2832 wrote to memory of 2840	2832	Mkklljmg.exe	31
PID 2832 wrote to memory of 2840	2832	Mkklljmg.exe	31
PID 2832 wrote to memory of 2840	2832	Mkklljmg.exe	31
PID 2832 wrote to memory of 2840	2832	Mkklljmg.exe	31
PID 2840 wrote to memory of 2852	2840	Meppiblm.exe	32
PID 2840 wrote to memory of 2852	2840	Meppiblm.exe	32
PID 2840 wrote to memory of 2852	2840	Meppiblm.exe	32
PID 2840 wrote to memory of 2852	2840	Meppiblm.exe	32
PID 2852 wrote to memory of 2720	2852	Mholen32.exe	33
PID 2852 wrote to memory of 2720	2852	Mholen32.exe	33
PID 2852 wrote to memory of 2720	2852	Mholen32.exe	33
PID 2852 wrote to memory of 2720	2852	Mholen32.exe	33
PID 2720 wrote to memory of 1980	2720	Ngdifkpi.exe	34
PID 2720 wrote to memory of 1980	2720	Ngdifkpi.exe	34
PID 2720 wrote to memory of 1980	2720	Ngdifkpi.exe	34
PID 2720 wrote to memory of 1980	2720	Ngdifkpi.exe	34
PID 1980 wrote to memory of 1476	1980	Naimccpo.exe	35
PID 1980 wrote to memory of 1476	1980	Naimccpo.exe	35
PID 1980 wrote to memory of 1476	1980	Naimccpo.exe	35
PID 1980 wrote to memory of 1476	1980	Naimccpo.exe	35
PID 1476 wrote to memory of 2012	1476	Niebhf32.exe	36
PID 1476 wrote to memory of 2012	1476	Niebhf32.exe	36
PID 1476 wrote to memory of 2012	1476	Niebhf32.exe	36
PID 1476 wrote to memory of 2012	1476	Niebhf32.exe	36
PID 2012 wrote to memory of 2008	2012	Ngibaj32.exe	37
PID 2012 wrote to memory of 2008	2012	Ngibaj32.exe	37
PID 2012 wrote to memory of 2008	2012	Ngibaj32.exe	37
PID 2012 wrote to memory of 2008	2012	Ngibaj32.exe	37
PID 2008 wrote to memory of 2776	2008	Ncpcfkbg.exe	38
PID 2008 wrote to memory of 2776	2008	Ncpcfkbg.exe	38
PID 2008 wrote to memory of 2776	2008	Ncpcfkbg.exe	38
PID 2008 wrote to memory of 2776	2008	Ncpcfkbg.exe	38
PID 2776 wrote to memory of 3032	2776	Nlhgoqhh.exe	39
PID 2776 wrote to memory of 3032	2776	Nlhgoqhh.exe	39
PID 2776 wrote to memory of 3032	2776	Nlhgoqhh.exe	39
PID 2776 wrote to memory of 3032	2776	Nlhgoqhh.exe	39

C:\Users\Admin\AppData\Local\Temp\1d63c4dba7a29419e9f197f8a0ff626a6a29b67d8effbab2bb167059da2b4eae.exe
"C:\Users\Admin\AppData\Local\Temp\1d63c4dba7a29419e9f197f8a0ff626a6a29b67d8effbab2bb167059da2b4eae.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2884
- C:\Windows\SysWOW64\Mkklljmg.exe
  C:\Windows\system32\Mkklljmg.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2832
- - C:\Windows\SysWOW64\Meppiblm.exe
    C:\Windows\system32\Meppiblm.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2840
  - - C:\Windows\SysWOW64\Mholen32.exe
      C:\Windows\system32\Mholen32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2852
    - - C:\Windows\SysWOW64\Ngdifkpi.exe
        
        C:\Windows\system32\Ngdifkpi.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2720
      - C:\Windows\SysWOW64\Naimccpo.exe
        
        C:\Windows\system32\Naimccpo.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1980
        
        C:\Windows\SysWOW64\Niebhf32.exe
        
        C:\Windows\system32\Niebhf32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1476
        
        C:\Windows\SysWOW64\Ngibaj32.exe
        
        C:\Windows\system32\Ngibaj32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2012
        
        C:\Windows\SysWOW64\Ncpcfkbg.exe
        
        C:\Windows\system32\Ncpcfkbg.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2008
        
        C:\Windows\SysWOW64\Nlhgoqhh.exe
        
        C:\Windows\system32\Nlhgoqhh.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2776
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2776 -s 140
        11⤵
        Loads dropped DLL
        Program crash
        
        PID:3032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Meppiblm.exe

Filesize
67KB

MD5
1b7bcb81ced98a03f87210fe139989e0

SHA1
899087fa902650f0e022340a575a2e716abb745c

SHA256
6d3764679390ccb0f7d68abccfffdf2fe48c6d53ee1a47bee16a2572edae6606

SHA512
ae0334abe4908f223cecbe505fb7c97a1d3da13d9720e06f762a6cf1fe444dc4fa7939e7c4b0db5b200ff5d09f0f79cfba5c0095ce2d3cbcbca0f06548b573e0

Download Submit
C:\Windows\SysWOW64\Mholen32.exe

Filesize
67KB

MD5
71a3cc60f3cfc38c64ad1ede19dea190

SHA1
9364e9cae13aa7ea000e9d7d733de4d2e87d21dd

SHA256
534a3b3b9c503ad20182ba842cc44d1fbf41738657574510af9cd75d3d2ee53b

SHA512
a582335208b9c757e177d3d74736de86036a7a09c8af012c42eb6bb447f3936003707e170b325f5cae2799b0cb6a6dc2bd9308adcb4d1f3bfc55035d0e3a9e67

Download Submit
C:\Windows\SysWOW64\Ngdifkpi.exe

Filesize
67KB

MD5
d6c5cc23b1914b1d4d2f4ef50196f88f

SHA1
6b65978eef21e21327ced73d2f7bda558c54f50d

SHA256
783adce36334001d4fc7d173de9bdeb40ff802beba2636665c3c198850c879ee

SHA512
3668fafb9b8304a5981b42f2928a174501af81fc8894fec20e7cf160927e8527ed6cc737bf10d8d69f90ee3a88109479af1daf8c336f4554d732daa80826f9d0

Download Submit
\Windows\SysWOW64\Mkklljmg.exe

Filesize
67KB

MD5
5d02f1a3a16a6e8b2ff8fe5e426f0223

SHA1
a4a31f4d1e7da67fb03a6582adb90b5d966af1fa

SHA256
501bc873b60dc643d834b3c933e168fcf59b8c7d6bce40d4703b32c40cc9f807

SHA512
334349af842beee0266f217b2fd946adbc3944ec33cf2f61fd84818da42ca2b1405380bcebc69277daefb1ff4d8b2787f14171b055d8b7b42e868f01b85e4cd5

Download Submit
\Windows\SysWOW64\Naimccpo.exe

Filesize
67KB

MD5
0bccc42e6f9563708195530a789c916c

SHA1
ea6dd975dcc7b2e3d22be53ede285bd1c861e40d

SHA256
15a27dfb7fd6f096d9814e8d2af79383a27a5945e75ba92fd980565bf8906fd8

SHA512
0ecfe5ddad0788211b011cb6fe6e9631db6ebd458ad7403e1a38374758d05fb8218abd55291b2b242a77059137bad7e6217a5cbde2095db82916bc7f329b56d8

Download Submit
\Windows\SysWOW64\Ncpcfkbg.exe

Filesize
67KB

MD5
42e3739e51dd34ba7d2f65effd9a5234

SHA1
9046f2adaa056755dec9d8dedc622bf81a1cdf9f

SHA256
91621bfe39ce3ba4952517a414dc50af7ff3b8aa4f6df3ebfde9e6b7f0644b00

SHA512
e0f51a723d0b9e8f63c09e69d442cce341d3b9fa9213d8b558a77803bcabb72f679f61136721b5db57c5671bfc20ab46dbd852d8322e46fb2cb8c6f6dbdcc51e

Download Submit
\Windows\SysWOW64\Ngibaj32.exe

Filesize
67KB

MD5
074c2c3159865600fbc6db6a32bb9c57

SHA1
b0d9ca6d61a54632e125abfb9ad6293ecb97212c

SHA256
fa6610f6fbf2018e8fbbe99e1418883600de255435390e7ff05c92a851ac889a

SHA512
876f3ac8e4fc4badac48c73b1aa1f92dfc76b24cf975ea10ee833fc555982bba861c3262a99edbbd2858b0749cb86b8ac309d04906304d465817cafb4acc8caf

Download Submit
\Windows\SysWOW64\Niebhf32.exe

Filesize
67KB

MD5
da5396d8f7f1e6b0c62cf0e12d64043d

SHA1
a7ae8bf2f8c4a92e933ce6a6220201dd2959c16f

SHA256
685cd05aa7dfe2dd243a94e94769abda3e317a9855e34736905ece8f25923e1e

SHA512
f42b57bd31d7f362e3415bf5df3a20d9d3a483ef8bd190c7cbe453adba1d8786388b97f8f4f26f6b9659644eac87ffda685484a93e5746445ddf25ddaed01fdc

Download Submit
\Windows\SysWOW64\Nlhgoqhh.exe

Filesize
67KB

MD5
cb7c2beb5a33cdb7e8cdee8862f8f5e2

SHA1
d5ca869c942292cb54e7a9574b95c61b5fa8d9ce

SHA256
2c57ec3c8bc07badbe4a964f4f0c4fc1c01f1e7ecb28cc28f46fafd60e39aa3e

SHA512
ee9913fe1d50afa57dc866e19ee8b398c9c5dac9b9c3f8b2d024da59f441a276821a3774358607b7576191831033013cb8c020a136d27a4d4fb7ff8830dcf00b

Download Submit
memory/1476-131-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1476-89-0x0000000001F50000-0x0000000001F8B000-memory.dmp

Filesize
236KB

Download
memory/1476-96-0x0000000001F50000-0x0000000001F8B000-memory.dmp

Filesize
236KB

Download
memory/1476-81-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1980-118-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1980-67-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2008-111-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2008-126-0x0000000000250000-0x000000000028B000-memory.dmp

Filesize
236KB

Download
memory/2008-133-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2008-120-0x0000000000250000-0x000000000028B000-memory.dmp

Filesize
236KB

Download
memory/2012-132-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2720-61-0x0000000000250000-0x000000000028B000-memory.dmp

Filesize
236KB

Download
memory/2720-52-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2720-105-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2776-134-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2832-24-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2840-79-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2840-34-0x0000000000300000-0x000000000033B000-memory.dmp

Filesize
236KB

Download
memory/2840-26-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2852-95-0x00000000005D0000-0x000000000060B000-memory.dmp

Filesize
236KB

Download
memory/2852-88-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2884-17-0x0000000000250000-0x000000000028B000-memory.dmp

Filesize
236KB

Download
memory/2884-0-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2884-59-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads