berbew | e32fb2b7b8d9257aee3ea49f21dafead6465e4881c74e0d21e4aa212a883b497

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
10-12-2024 10:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e32fb2b7b8d9257aee3ea49f21dafead6465e4881c74e0d21e4aa212a883b497.exe
Size

96KB
MD5

50a43d4e1076660eb9df363fcbc6b239
SHA1

789f798a367564ca4c66f3a8eb1f4448c38fa8f5
SHA256

e32fb2b7b8d9257aee3ea49f21dafead6465e4881c74e0d21e4aa212a883b497
SHA512

2a771c651db01764c8ad633dbf066d70f1405021fd92a421062793985908ee9de024382e74eef00f8929493f8054a31412c1a4d7fad68097f09b37d8f0a9bfe0
SSDEEP

1536:0OImOjul5u/kqJx9hjQfCnQ2LN7RZObZUUWaegPYAG:0OFOu5jc1jPBNClUUWae9

Score

10^/10

berbew bruteratel backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 20 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpieengb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmmfnb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	e32fb2b7b8d9257aee3ea49f21dafead6465e4881c74e0d21e4aa212a883b497.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	e32fb2b7b8d9257aee3ea49f21dafead6465e4881c74e0d21e4aa212a883b497.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Klecfkff.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kenhopmf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kenhopmf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kipmhc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkjpggkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kipmhc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmmfnb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klecfkff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkjpggkn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kadica32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpieengb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Khjgel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Khjgel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kadica32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgcnahoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgcnahoo.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew
Brute Ratel C4
A customized command and control framework for red teaming and adversary simulation.
backdoor bruteratel
Bruteratel family
bruteratel

Detect BruteRatel badger 1 IoCs

resource	yara_rule
behavioral1/files/0x000700000001949d-27.dat	family_bruteratel

Executes dropped EXE 10 IoCs

pid	Process
2212	Khjgel32.exe
2808	Klecfkff.exe
2768	Kenhopmf.exe
2500	Kkjpggkn.exe
2672	Kadica32.exe
1440	Kipmhc32.exe
1788	Kpieengb.exe
2064	Kgcnahoo.exe
2860	Lmmfnb32.exe
2832	Lbjofi32.exe

Loads dropped DLL 24 IoCs

pid	Process
2524	e32fb2b7b8d9257aee3ea49f21dafead6465e4881c74e0d21e4aa212a883b497.exe
2524	e32fb2b7b8d9257aee3ea49f21dafead6465e4881c74e0d21e4aa212a883b497.exe
2212	Khjgel32.exe
2212	Khjgel32.exe
2808	Klecfkff.exe
2808	Klecfkff.exe
2768	Kenhopmf.exe
2768	Kenhopmf.exe
2500	Kkjpggkn.exe
2500	Kkjpggkn.exe
2672	Kadica32.exe
2672	Kadica32.exe
1440	Kipmhc32.exe
1440	Kipmhc32.exe
1788	Kpieengb.exe
1788	Kpieengb.exe
2064	Kgcnahoo.exe
2064	Kgcnahoo.exe
2860	Lmmfnb32.exe
2860	Lmmfnb32.exe
2072	WerFault.exe
2072	WerFault.exe
2072	WerFault.exe
2072	WerFault.exe

Drops file in System32 directory 30 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ipafocdg.dll	Lmmfnb32.exe
File created	C:\Windows\SysWOW64\Khjgel32.exe	e32fb2b7b8d9257aee3ea49f21dafead6465e4881c74e0d21e4aa212a883b497.exe
File created	C:\Windows\SysWOW64\Pihbeaea.dll	Kipmhc32.exe
File created	C:\Windows\SysWOW64\Lbjofi32.exe	Lmmfnb32.exe
File created	C:\Windows\SysWOW64\Dkpnde32.dll	Kadica32.exe
File created	C:\Windows\SysWOW64\Pigckoki.dll	Kgcnahoo.exe
File created	C:\Windows\SysWOW64\Ijjnkj32.dll	e32fb2b7b8d9257aee3ea49f21dafead6465e4881c74e0d21e4aa212a883b497.exe
File opened for modification	C:\Windows\SysWOW64\Kenhopmf.exe	Klecfkff.exe
File created	C:\Windows\SysWOW64\Hlekjpbi.dll	Kenhopmf.exe
File created	C:\Windows\SysWOW64\Kkjpggkn.exe	Kenhopmf.exe
File opened for modification	C:\Windows\SysWOW64\Kgcnahoo.exe	Kpieengb.exe
File opened for modification	C:\Windows\SysWOW64\Lbjofi32.exe	Lmmfnb32.exe
File created	C:\Windows\SysWOW64\Kenhopmf.exe	Klecfkff.exe
File opened for modification	C:\Windows\SysWOW64\Lmmfnb32.exe	Kgcnahoo.exe
File opened for modification	C:\Windows\SysWOW64\Kkjpggkn.exe	Kenhopmf.exe
File opened for modification	C:\Windows\SysWOW64\Kadica32.exe	Kkjpggkn.exe
File created	C:\Windows\SysWOW64\Kipmhc32.exe	Kadica32.exe
File created	C:\Windows\SysWOW64\Kpieengb.exe	Kipmhc32.exe
File created	C:\Windows\SysWOW64\Pgodelnq.dll	Kpieengb.exe
File opened for modification	C:\Windows\SysWOW64\Khjgel32.exe	e32fb2b7b8d9257aee3ea49f21dafead6465e4881c74e0d21e4aa212a883b497.exe
File created	C:\Windows\SysWOW64\Pdnfmn32.dll	Khjgel32.exe
File opened for modification	C:\Windows\SysWOW64\Kipmhc32.exe	Kadica32.exe
File created	C:\Windows\SysWOW64\Lmmfnb32.exe	Kgcnahoo.exe
File opened for modification	C:\Windows\SysWOW64\Klecfkff.exe	Khjgel32.exe
File created	C:\Windows\SysWOW64\Hhhamf32.dll	Kkjpggkn.exe
File opened for modification	C:\Windows\SysWOW64\Kpieengb.exe	Kipmhc32.exe
File created	C:\Windows\SysWOW64\Kgcnahoo.exe	Kpieengb.exe
File created	C:\Windows\SysWOW64\Klecfkff.exe	Khjgel32.exe
File created	C:\Windows\SysWOW64\Jpnghhmn.dll	Klecfkff.exe
File created	C:\Windows\SysWOW64\Kadica32.exe	Kkjpggkn.exe

Program crash 1 IoCs

pid	pid_target	Process
2072	2832	WerFault.exe

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kgcnahoo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmmfnb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbjofi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e32fb2b7b8d9257aee3ea49f21dafead6465e4881c74e0d21e4aa212a883b497.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kadica32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kipmhc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kpieengb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Khjgel32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klecfkff.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kenhopmf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kkjpggkn.exe

Modifies registry class 33 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kgcnahoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lmmfnb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	e32fb2b7b8d9257aee3ea49f21dafead6465e4881c74e0d21e4aa212a883b497.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Khjgel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpnghhmn.dll"	Klecfkff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhhamf32.dll"	Kkjpggkn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lmmfnb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	e32fb2b7b8d9257aee3ea49f21dafead6465e4881c74e0d21e4aa212a883b497.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Khjgel32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kkjpggkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kkjpggkn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kgcnahoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pigckoki.dll"	Kgcnahoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ijjnkj32.dll"	e32fb2b7b8d9257aee3ea49f21dafead6465e4881c74e0d21e4aa212a883b497.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Klecfkff.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kenhopmf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlekjpbi.dll"	Kenhopmf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kenhopmf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kpieengb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	e32fb2b7b8d9257aee3ea49f21dafead6465e4881c74e0d21e4aa212a883b497.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kpieengb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pgodelnq.dll"	Kpieengb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	e32fb2b7b8d9257aee3ea49f21dafead6465e4881c74e0d21e4aa212a883b497.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkpnde32.dll"	Kadica32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kadica32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pihbeaea.dll"	Kipmhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Klecfkff.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kadica32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	e32fb2b7b8d9257aee3ea49f21dafead6465e4881c74e0d21e4aa212a883b497.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kipmhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kipmhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipafocdg.dll"	Lmmfnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdnfmn32.dll"	Khjgel32.exe

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 2524 wrote to memory of 2212	2524	e32fb2b7b8d9257aee3ea49f21dafead6465e4881c74e0d21e4aa212a883b497.exe	31
PID 2524 wrote to memory of 2212	2524	e32fb2b7b8d9257aee3ea49f21dafead6465e4881c74e0d21e4aa212a883b497.exe	31
PID 2524 wrote to memory of 2212	2524	e32fb2b7b8d9257aee3ea49f21dafead6465e4881c74e0d21e4aa212a883b497.exe	31
PID 2524 wrote to memory of 2212	2524	e32fb2b7b8d9257aee3ea49f21dafead6465e4881c74e0d21e4aa212a883b497.exe	31
PID 2212 wrote to memory of 2808	2212	Khjgel32.exe	32
PID 2212 wrote to memory of 2808	2212	Khjgel32.exe	32
PID 2212 wrote to memory of 2808	2212	Khjgel32.exe	32
PID 2212 wrote to memory of 2808	2212	Khjgel32.exe	32
PID 2808 wrote to memory of 2768	2808	Klecfkff.exe	33
PID 2808 wrote to memory of 2768	2808	Klecfkff.exe	33
PID 2808 wrote to memory of 2768	2808	Klecfkff.exe	33
PID 2808 wrote to memory of 2768	2808	Klecfkff.exe	33
PID 2768 wrote to memory of 2500	2768	Kenhopmf.exe	34
PID 2768 wrote to memory of 2500	2768	Kenhopmf.exe	34
PID 2768 wrote to memory of 2500	2768	Kenhopmf.exe	34
PID 2768 wrote to memory of 2500	2768	Kenhopmf.exe	34
PID 2500 wrote to memory of 2672	2500	Kkjpggkn.exe	35
PID 2500 wrote to memory of 2672	2500	Kkjpggkn.exe	35
PID 2500 wrote to memory of 2672	2500	Kkjpggkn.exe	35
PID 2500 wrote to memory of 2672	2500	Kkjpggkn.exe	35
PID 2672 wrote to memory of 1440	2672	Kadica32.exe	36
PID 2672 wrote to memory of 1440	2672	Kadica32.exe	36
PID 2672 wrote to memory of 1440	2672	Kadica32.exe	36
PID 2672 wrote to memory of 1440	2672	Kadica32.exe	36
PID 1440 wrote to memory of 1788	1440	Kipmhc32.exe	37
PID 1440 wrote to memory of 1788	1440	Kipmhc32.exe	37
PID 1440 wrote to memory of 1788	1440	Kipmhc32.exe	37
PID 1440 wrote to memory of 1788	1440	Kipmhc32.exe	37
PID 1788 wrote to memory of 2064	1788	Kpieengb.exe	38
PID 1788 wrote to memory of 2064	1788	Kpieengb.exe	38
PID 1788 wrote to memory of 2064	1788	Kpieengb.exe	38
PID 1788 wrote to memory of 2064	1788	Kpieengb.exe	38
PID 2064 wrote to memory of 2860	2064	Kgcnahoo.exe	39
PID 2064 wrote to memory of 2860	2064	Kgcnahoo.exe	39
PID 2064 wrote to memory of 2860	2064	Kgcnahoo.exe	39
PID 2064 wrote to memory of 2860	2064	Kgcnahoo.exe	39
PID 2860 wrote to memory of 2832	2860	Lmmfnb32.exe	40
PID 2860 wrote to memory of 2832	2860	Lmmfnb32.exe	40
PID 2860 wrote to memory of 2832	2860	Lmmfnb32.exe	40
PID 2860 wrote to memory of 2832	2860	Lmmfnb32.exe	40
PID 2832 wrote to memory of 2072	2832	Lbjofi32.exe	41
PID 2832 wrote to memory of 2072	2832	Lbjofi32.exe	41
PID 2832 wrote to memory of 2072	2832	Lbjofi32.exe	41
PID 2832 wrote to memory of 2072	2832	Lbjofi32.exe	41

C:\Users\Admin\AppData\Local\Temp\e32fb2b7b8d9257aee3ea49f21dafead6465e4881c74e0d21e4aa212a883b497.exe
"C:\Users\Admin\AppData\Local\Temp\e32fb2b7b8d9257aee3ea49f21dafead6465e4881c74e0d21e4aa212a883b497.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2524
- C:\Windows\SysWOW64\Khjgel32.exe
  C:\Windows\system32\Khjgel32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2212
- - C:\Windows\SysWOW64\Klecfkff.exe
    C:\Windows\system32\Klecfkff.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2808
  - - C:\Windows\SysWOW64\Kenhopmf.exe
      C:\Windows\system32\Kenhopmf.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2768
    - - C:\Windows\SysWOW64\Kkjpggkn.exe
        
        C:\Windows\system32\Kkjpggkn.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2500
      - C:\Windows\SysWOW64\Kadica32.exe
        
        C:\Windows\system32\Kadica32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2672
        
        C:\Windows\SysWOW64\Kipmhc32.exe
        
        C:\Windows\system32\Kipmhc32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1440
        
        C:\Windows\SysWOW64\Kpieengb.exe
        
        C:\Windows\system32\Kpieengb.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1788
        
        C:\Windows\SysWOW64\Kgcnahoo.exe
        
        C:\Windows\system32\Kgcnahoo.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2064
        
        C:\Windows\SysWOW64\Lmmfnb32.exe
        
        C:\Windows\system32\Lmmfnb32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2860
        
        C:\Windows\SysWOW64\Lbjofi32.exe
        
        C:\Windows\system32\Lbjofi32.exe
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2832
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2832 -s 140
        12⤵
        Loads dropped DLL
        Program crash
        
        PID:2072

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Kadica32.exe

Filesize
96KB

MD5
3ce2ed92444bb0efc618077670d08d08

SHA1
173e7abe4cf672ba76e38a09d624e929c2a65f1a

SHA256
7daad3bc6ddc6064c0525fe14ec849fa097bc396fcd293592f38783f4663ad27

SHA512
594a4bff2312cf0631b86cf4cf194a6179e7b1767394da979c79d019809cde3c4cca27d3044495c6a9e9d5d18c94ac388a39c08f264cf06f1a779df645e1925f

Download Submit
C:\Windows\SysWOW64\Kenhopmf.exe

Filesize
96KB

MD5
e6382ccd57402b8bd062a3f377a302d0

SHA1
1ccb5a6a92ebd09e10d5297a273d2be04d7f2a71

SHA256
ea638f2869f81b17ed8cc497ce36f112121b750f127157438081a294d3a36cc6

SHA512
ef43718632c6a64199e5545e74213e1d631c3f8fe5c003e6bdc8d33ee26e82177e90e70eeae2626b6ab400483f4e608661e76266c6bc09c5c1e73596e134ca26

Download Submit
C:\Windows\SysWOW64\Kgcnahoo.exe

Filesize
96KB

MD5
43b020bacb95bbb31f5c6c5ef6a3c8ea

SHA1
8fa5ec46b4f96601194484223b46371223831a2f

SHA256
d9e8b0fc7e314c0114a8cc7b58571c23ea980d53afece06119234b2c3cd22ea7

SHA512
e046299324f9ffec9b87937390202cc4ba59fa5e50b4a9faeceb37e7ecf476875428b4add07d75e496da7e214c0c3a8ca52274da6085a0e0334629d422a9abc0

Download Submit
C:\Windows\SysWOW64\Khjgel32.exe

Filesize
96KB

MD5
bcbc7603f68e94ccebca8390e40a55ea

SHA1
e854cf6740ca98c112fa880796d22c29abc4281b

SHA256
02f9a09d5bc480f59fcd0dde32e952dc0b813d7cd0061c85ab351366b5d7aef3

SHA512
9ee3e0cb931490141c0999cf57a0156cb7cea8664edfbd8b20e50556690de1d17cca1e3486a8f74a986b7e25183533f1520697aad89cd0b105f8d709ec70b767

Download Submit
C:\Windows\SysWOW64\Kipmhc32.exe

Filesize
96KB

MD5
45c3a48fef26059eadc31af17e605e15

SHA1
fe9d938303086b12dc272775e5a19a7514cdeb85

SHA256
12c8c18eada0f58f4db65586f1d41e728260fdebf79cf623e35d043f97994e68

SHA512
185cd9dcbee981070bd6e1ae4ab7f1d63e15312ce1693dddee4d22946d7ba4e947b93115f882856ad443709e5b8420a5cd27441370146c0a80d598d8b0495663

Download Submit
C:\Windows\SysWOW64\Kkjpggkn.exe

Filesize
96KB

MD5
0e0a408d3269659adeee8e1769970f0b

SHA1
67de47c3d32881cf4b81d009fae35280da81636f

SHA256
10d6702472ed84666c56a49cba8ca23fc6e1eaa617d0252571039530b2cda491

SHA512
bbd52fc488c4676592bfb740bedd80b6b36a6ecad67b4929a6a3d3e34caa1311d204b8e7641caf0c405dd0cde2cc3a6edb52b6e67ef0deacc3dae9c434d0b963

Download Submit
C:\Windows\SysWOW64\Klecfkff.exe

Filesize
96KB

MD5
89e3273c8e6c3544ffad0dd697cb3d64

SHA1
d238d5c66578e6f0bfe5e537de63ced76cea9fa5

SHA256
f4c60cf89d53dbdff0459b37ba2b926b69280225414c5d080129cb65d39b3dc9

SHA512
13940a7df53faa8308c8f131ae80351d8740b52dcf21e24e48820dd712541bd4e1dc69be3fd44366725c8fc42d39952735d2fa862becdefe5122f41ea7008f69

Download Submit
C:\Windows\SysWOW64\Kpieengb.exe

Filesize
96KB

MD5
22f4818b636ef976eee47361cd1f270b

SHA1
0a2508c75a6deb682042e022674490111678dfa4

SHA256
fa01cb9a8ec17dfc081b514c0485d9037e7f8e8eafe78bcf5f84e6bca801eba4

SHA512
9b3e2d973ce72b5e60584e1bac4c980a050efe4b1bfe0537497e51560f6edc351434f8190c3830868d5e899f8cb38ed9ad2fb0c20113609b0a88ca38b08848fb

Download Submit
C:\Windows\SysWOW64\Lmmfnb32.exe

Filesize
96KB

MD5
7d7c61d4aab763a19789cf0690312416

SHA1
3d45ecf5fa3a511cc451efc2f3c88c87df3f0b89

SHA256
9ae1d732c909417e560c4dfa4a2370030ff927f77ff7326e98ad5be061773b8f

SHA512
773da5ba729a8eb0052d57a01c4f81fab545194592430a99746d6f45740271808b0dd5b19700f252409fc24f51caf7edb7cc895775f52d375ca92cb36ab9db33

Download Submit
\Windows\SysWOW64\Lbjofi32.exe

Filesize
96KB

MD5
5f4665af20de1e1eade1f90ad291eaab

SHA1
6979e904b03ad7f8d9ca5f5e852b3d40eabfc3ce

SHA256
6f2b2d472c42d8aa62e08c2ef5cb5a62dcc2596a7f70d456ff79dfca86b96f6f

SHA512
c13caefaf00d0748c037266b9e06a3063eee17401ee0384880983abf433121bc0bbb8f013a4379e8dc1c11aec4b770b24a31e788a8aa97c22e6bd48a38a9f70e

Download Submit
memory/1440-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1440-147-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1788-101-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1788-93-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1788-145-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2064-107-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2064-150-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2212-156-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2212-14-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2500-53-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2500-153-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2524-11-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2524-157-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2524-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2524-12-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2672-149-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2672-73-0x0000000001F30000-0x0000000001F63000-memory.dmp

Filesize
204KB

Download
memory/2672-66-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2768-47-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2808-44-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2832-135-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2860-133-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/2860-127-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/2860-120-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2860-142-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads