Analysis

max time kernel: 94s
max time network: 16s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 17-12-2024 13:32

Behavioral task: behavioral1
Sample: 3a407ba8c5bb9504ec43c2cbf3ab36bcb146bb26f61d1a668fb05721999a5ff4N.exe
Resource: win7-20240903-en

General

Target: 3a407ba8c5bb9504ec43c2cbf3ab36bcb146bb26f61d1a668fb05721999a5ff4N.exe
Size: 93KB
MD5: 3ba3bcaa66fa6540aac0f3f6b6dd3700
SHA1: cb5ed9ab88614c7679b4f1237242bf46add15473
SHA256: 3a407ba8c5bb9504ec43c2cbf3ab36bcb146bb26f61d1a668fb05721999a5ff4
SHA512: b2f23358e73123f08155630ddda053eeee8a24779fbeb7e1856cd5b214f9e50bc86338e86185eebe0bbf7d0a783329f3cde417dcf5ff724e5fe4cf295bd87c54
SSDEEP: 1536:U3c9UO1i+V9EgYT2V6wwmbmPoFDCFvu01DaYfMZRWuLsV+1B:ldDEgqxwwmbOoFGtTgYfc0DV+1B
Malware Config

Extracted: berbew
Signatures

Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 24 IoCs)

| description | ioc | Process |
| --- | --- | --- |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bmbgfkje.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cbppnbhm.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cgcnghpl.exe |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cmpgpond.exe |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Boogmgkl.exe |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cileqlmg.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Djdgic32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cileqlmg.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | 3a407ba8c5bb9504ec43c2cbf3ab36bcb146bb26f61d1a668fb05721999a5ff4N.exe |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bjbndpmd.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bjbndpmd.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Boogmgkl.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bmbgfkje.exe |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cbppnbhm.exe |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cocphf32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cebeem32.exe |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cjonncab.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cjonncab.exe |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cgcnghpl.exe |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Djdgic32.exe |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | 3a407ba8c5bb9504ec43c2cbf3ab36bcb146bb26f61d1a668fb05721999a5ff4N.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cocphf32.exe |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cebeem32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cmpgpond.exe |
Berbew family

Njrat family
Executes dropped EXE (12 IoCs)

| pid | Process |
| --- | --- |
| 2320 | Bjbndpmd.exe |
| 1816 | Boogmgkl.exe |
| 2708 | Bmbgfkje.exe |
| 2720 | Cbppnbhm.exe |
| 2588 | Cocphf32.exe |
| 2728 | Cileqlmg.exe |
| 2632 | Cebeem32.exe |
| 3044 | Cjonncab.exe |
| 1324 | Cgcnghpl.exe |
| 1988 | Cmpgpond.exe |
| 560 | Djdgic32.exe |
| 1152 | Dpapaj32.exe |
Loads dropped DLL (27 IoCs)

| pid | Process |
| --- | --- |
| 2448 | 3a407ba8c5bb9504ec43c2cbf3ab36bcb146bb26f61d1a668fb05721999a5ff4N.exe |
| 2448 | 3a407ba8c5bb9504ec43c2cbf3ab36bcb146bb26f61d1a668fb05721999a5ff4N.exe |
| 2320 | Bjbndpmd.exe |
| 2320 | Bjbndpmd.exe |
| 1816 | Boogmgkl.exe |
| 1816 | Boogmgkl.exe |
| 2708 | Bmbgfkje.exe |
| 2708 | Bmbgfkje.exe |
| 2720 | Cbppnbhm.exe |
| 2720 | Cbppnbhm.exe |
| 2588 | Cocphf32.exe |
| 2588 | Cocphf32.exe |
| 2728 | Cileqlmg.exe |
| 2728 | Cileqlmg.exe |
| 2632 | Cebeem32.exe |
| 2632 | Cebeem32.exe |
| 3044 | Cjonncab.exe |
| 3044 | Cjonncab.exe |
| 1324 | Cgcnghpl.exe |
| 1324 | Cgcnghpl.exe |
| 1988 | Cmpgpond.exe |
| 1988 | Cmpgpond.exe |
| 560 | Djdgic32.exe |
| 560 | Djdgic32.exe |
| 1116 | WerFault.exe |
| 1116 | WerFault.exe |
| 1116 | WerFault.exe |
Drops file in System32 directory (38 IoCs)

| description | ioc | Process |
| --- | --- | --- |
| File opened for modification | C:\Windows\SysWOW64\Cmpgpond.exe | Cgcnghpl.exe |
| File created | C:\Windows\SysWOW64\Djdgic32.exe | Cmpgpond.exe |
| File opened for modification | C:\Windows\SysWOW64\Dpapaj32.exe | Djdgic32.exe |
| File created | C:\Windows\SysWOW64\Ibcihh32.dll | Bjbndpmd.exe |
| File opened for modification | C:\Windows\SysWOW64\Bmbgfkje.exe | Boogmgkl.exe |
| File opened for modification | C:\Windows\SysWOW64\Cbppnbhm.exe | Bmbgfkje.exe |
| File created | C:\Windows\SysWOW64\Omakjj32.dll | Cjonncab.exe |
| File created | C:\Windows\SysWOW64\Cbppnbhm.exe | Bmbgfkje.exe |
| File created | C:\Windows\SysWOW64\Cileqlmg.exe | Cocphf32.exe |
| File created | C:\Windows\SysWOW64\Fnbkfl32.dll | Cileqlmg.exe |
| File created | C:\Windows\SysWOW64\Cmpgpond.exe | Cgcnghpl.exe |
| File created | C:\Windows\SysWOW64\Cgcnghpl.exe | Cjonncab.exe |
| File created | C:\Windows\SysWOW64\Ccofjipn.dll | Cmpgpond.exe |
| File created | C:\Windows\SysWOW64\Dpapaj32.exe | Djdgic32.exe |
| File created | C:\Windows\SysWOW64\Bjbndpmd.exe | 3a407ba8c5bb9504ec43c2cbf3ab36bcb146bb26f61d1a668fb05721999a5ff4N.exe |
| File created | C:\Windows\SysWOW64\Aqpmpahd.dll | Cbppnbhm.exe |
| File created | C:\Windows\SysWOW64\Cmbfdl32.dll | Cocphf32.exe |
| File opened for modification | C:\Windows\SysWOW64\Cebeem32.exe | Cileqlmg.exe |
| File created | C:\Windows\SysWOW64\Lbhnia32.dll | Boogmgkl.exe |
| File created | C:\Windows\SysWOW64\Pcaibd32.dll | Cgcnghpl.exe |
| File opened for modification | C:\Windows\SysWOW64\ÿs.e¢e | Dpapaj32.exe |
| File opened for modification | C:\Windows\SysWOW64\Bjbndpmd.exe | 3a407ba8c5bb9504ec43c2cbf3ab36bcb146bb26f61d1a668fb05721999a5ff4N.exe |
| File opened for modification | C:\Windows\SysWOW64\Cileqlmg.exe | Cocphf32.exe |
| File created | C:\Windows\SysWOW64\Cjonncab.exe | Cebeem32.exe |
| File created | C:\Windows\SysWOW64\Oeopijom.dll | Cebeem32.exe |
| File opened for modification | C:\Windows\SysWOW64\Cgcnghpl.exe | Cjonncab.exe |
| File opened for modification | C:\Windows\SysWOW64\Djdgic32.exe | Cmpgpond.exe |
| File created | C:\Windows\SysWOW64\Boogmgkl.exe | Bjbndpmd.exe |
| File opened for modification | C:\Windows\SysWOW64\Boogmgkl.exe | Bjbndpmd.exe |
| File created | C:\Windows\SysWOW64\Hmdeje32.dll | Bmbgfkje.exe |
| File opened for modification | C:\Windows\SysWOW64\Cocphf32.exe | Cbppnbhm.exe |
| File created | C:\Windows\SysWOW64\Gfikmo32.dll | 3a407ba8c5bb9504ec43c2cbf3ab36bcb146bb26f61d1a668fb05721999a5ff4N.exe |
| File created | C:\Windows\SysWOW64\Cebeem32.exe | Cileqlmg.exe |
| File opened for modification | C:\Windows\SysWOW64\Cjonncab.exe | Cebeem32.exe |
| File created | C:\Windows\SysWOW64\Bmbgfkje.exe | Boogmgkl.exe |
| File created | C:\Windows\SysWOW64\Cocphf32.exe | Cbppnbhm.exe |
| File created | C:\Windows\SysWOW64\Pdkefp32.dll | Djdgic32.exe |
| File created | C:\Windows\SysWOW64\ÿs.e¢e | Dpapaj32.exe |
Program crash (1 IoC)

| pid | pid_target | Process | procid_target |
| --- | --- | --- | --- |
| 1116 | 1152 | WerFault.exe | 42 |
System Location Discovery: System Language Discovery (1 TTP, 13 IoCs)

Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

| description | ioc | Process |
| --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cjonncab.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cgcnghpl.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Djdgic32.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dpapaj32.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bjbndpmd.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bmbgfkje.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cbppnbhm.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cileqlmg.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cmpgpond.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 3a407ba8c5bb9504ec43c2cbf3ab36bcb146bb26f61d1a668fb05721999a5ff4N.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Boogmgkl.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cocphf32.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cebeem32.exe |
Modifies registry class (39 IoCs)

| description | ioc | Process |
| --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Cbppnbhm.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Cileqlmg.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omakjj32.dll" | Cjonncab.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Djdgic32.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Cebeem32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oeopijom.dll" | Cebeem32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Cjonncab.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Bjbndpmd.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Boogmgkl.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Bmbgfkje.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Cbppnbhm.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Cocphf32.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node | 3a407ba8c5bb9504ec43c2cbf3ab36bcb146bb26f61d1a668fb05721999a5ff4N.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | 3a407ba8c5bb9504ec43c2cbf3ab36bcb146bb26f61d1a668fb05721999a5ff4N.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aqpmpahd.dll" | Cbppnbhm.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Cileqlmg.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Cgcnghpl.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibcihh32.dll" | Bjbndpmd.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Bjbndpmd.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Boogmgkl.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Cebeem32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Cmpgpond.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdkefp32.dll" | Djdgic32.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738} | 3a407ba8c5bb9504ec43c2cbf3ab36bcb146bb26f61d1a668fb05721999a5ff4N.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Bmbgfkje.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmbfdl32.dll" | Cocphf32.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Cjonncab.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccofjipn.dll" | Cmpgpond.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID | 3a407ba8c5bb9504ec43c2cbf3ab36bcb146bb26f61d1a668fb05721999a5ff4N.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfikmo32.dll" | 3a407ba8c5bb9504ec43c2cbf3ab36bcb146bb26f61d1a668fb05721999a5ff4N.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmdeje32.dll" | Bmbgfkje.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Cgcnghpl.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Cmpgpond.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Cocphf32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnbkfl32.dll" | Cileqlmg.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pcaibd32.dll" | Cgcnghpl.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | 3a407ba8c5bb9504ec43c2cbf3ab36bcb146bb26f61d1a668fb05721999a5ff4N.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbhnia32.dll" | Boogmgkl.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Djdgic32.exe |
Suspicious use of WriteProcessMemory (52 IoCs)

| description | pid | Process | procid_target |
| --- | --- | --- | --- |
| PID 2448 wrote to memory of 2320 | 2448 | 3a407ba8c5bb9504ec43c2cbf3ab36bcb146bb26f61d1a668fb05721999a5ff4N.exe | 31 |
| PID 2448 wrote to memory of 2320 | 2448 | 3a407ba8c5bb9504ec43c2cbf3ab36bcb146bb26f61d1a668fb05721999a5ff4N.exe | 31 |
| PID 2448 wrote to memory of 2320 | 2448 | 3a407ba8c5bb9504ec43c2cbf3ab36bcb146bb26f61d1a668fb05721999a5ff4N.exe | 31 |
| PID 2448 wrote to memory of 2320 | 2448 | 3a407ba8c5bb9504ec43c2cbf3ab36bcb146bb26f61d1a668fb05721999a5ff4N.exe | 31 |
| PID 2320 wrote to memory of 1816 | 2320 | Bjbndpmd.exe | 32 |
| PID 2320 wrote to memory of 1816 | 2320 | Bjbndpmd.exe | 32 |
| PID 2320 wrote to memory of 1816 | 2320 | Bjbndpmd.exe | 32 |
| PID 2320 wrote to memory of 1816 | 2320 | Bjbndpmd.exe | 32 |
| PID 1816 wrote to memory of 2708 | 1816 | Boogmgkl.exe | 33 |
| PID 1816 wrote to memory of 2708 | 1816 | Boogmgkl.exe | 33 |
| PID 1816 wrote to memory of 2708 | 1816 | Boogmgkl.exe | 33 |
| PID 1816 wrote to memory of 2708 | 1816 | Boogmgkl.exe | 33 |
| PID 2708 wrote to memory of 2720 | 2708 | Bmbgfkje.exe | 34 |
| PID 2708 wrote to memory of 2720 | 2708 | Bmbgfkje.exe | 34 |
| PID 2708 wrote to memory of 2720 | 2708 | Bmbgfkje.exe | 34 |
| PID 2708 wrote to memory of 2720 | 2708 | Bmbgfkje.exe | 34 |
| PID 2720 wrote to memory of 2588 | 2720 | Cbppnbhm.exe | 35 |
| PID 2720 wrote to memory of 2588 | 2720 | Cbppnbhm.exe | 35 |
| PID 2720 wrote to memory of 2588 | 2720 | Cbppnbhm.exe | 35 |
| PID 2720 wrote to memory of 2588 | 2720 | Cbppnbhm.exe | 35 |
| PID 2588 wrote to memory of 2728 | 2588 | Cocphf32.exe | 36 |
| PID 2588 wrote to memory of 2728 | 2588 | Cocphf32.exe | 36 |
| PID 2588 wrote to memory of 2728 | 2588 | Cocphf32.exe | 36 |
| PID 2588 wrote to memory of 2728 | 2588 | Cocphf32.exe | 36 |
| PID 2728 wrote to memory of 2632 | 2728 | Cileqlmg.exe | 37 |
| PID 2728 wrote to memory of 2632 | 2728 | Cileqlmg.exe | 37 |
| PID 2728 wrote to memory of 2632 | 2728 | Cileqlmg.exe | 37 |
| PID 2728 wrote to memory of 2632 | 2728 | Cileqlmg.exe | 37 |
| PID 2632 wrote to memory of 3044 | 2632 | Cebeem32.exe | 38 |
| PID 2632 wrote to memory of 3044 | 2632 | Cebeem32.exe | 38 |
| PID 2632 wrote to memory of 3044 | 2632 | Cebeem32.exe | 38 |
| PID 2632 wrote to memory of 3044 | 2632 | Cebeem32.exe | 38 |
| PID 3044 wrote to memory of 1324 | 3044 | Cjonncab.exe | 39 |
| PID 3044 wrote to memory of 1324 | 3044 | Cjonncab.exe | 39 |
| PID 3044 wrote to memory of 1324 | 3044 | Cjonncab.exe | 39 |
| PID 3044 wrote to memory of 1324 | 3044 | Cjonncab.exe | 39 |
| PID 1324 wrote to memory of 1988 | 1324 | Cgcnghpl.exe | 40 |
| PID 1324 wrote to memory of 1988 | 1324 | Cgcnghpl.exe | 40 |
| PID 1324 wrote to memory of 1988 | 1324 | Cgcnghpl.exe | 40 |
| PID 1324 wrote to memory of 1988 | 1324 | Cgcnghpl.exe | 40 |
| PID 1988 wrote to memory of 560 | 1988 | Cmpgpond.exe | 41 |
| PID 1988 wrote to memory of 560 | 1988 | Cmpgpond.exe | 41 |
| PID 1988 wrote to memory of 560 | 1988 | Cmpgpond.exe | 41 |
| PID 1988 wrote to memory of 560 | 1988 | Cmpgpond.exe | 41 |
| PID 560 wrote to memory of 1152 | 560 | Djdgic32.exe | 42 |
| PID 560 wrote to memory of 1152 | 560 | Djdgic32.exe | 42 |
| PID 560 wrote to memory of 1152 | 560 | Djdgic32.exe | 42 |
| PID 560 wrote to memory of 1152 | 560 | Djdgic32.exe | 42 |
| PID 1152 wrote to memory of 1116 | 1152 | Dpapaj32.exe | 43 |
| PID 1152 wrote to memory of 1116 | 1152 | Dpapaj32.exe | 43 |
| PID 1152 wrote to memory of 1116 | 1152 | Dpapaj32.exe | 43 |
| PID 1152 wrote to memory of 1116 | 1152 | Dpapaj32.exe | 43 |
Processes

1. C:\Users\Admin\AppData\Local\Temp\3a407ba8c5bb9504ec43c2cbf3ab36bcb146bb26f61d1a668fb05721999a5ff4N.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\3a407ba8c5bb9504ec43c2cbf3ab36bcb146bb26f61d1a668fb05721999a5ff4N.exe"
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Loads dropped DLL
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
   PID: 2448

2. C:\Windows\SysWOW64\Bjbndpmd.exe
   Command line: C:\Windows\system32\Bjbndpmd.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
   PID: 2320

3. C:\Windows\SysWOW64\Boogmgkl.exe
   Command line: C:\Windows\system32\Boogmgkl.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
   PID: 1816

4. C:\Windows\SysWOW64\Bmbgfkje.exe
   Command line: C:\Windows\system32\Bmbgfkje.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
   PID: 2708

5. C:\Windows\SysWOW64\Cbppnbhm.exe
   Command line: C:\Windows\system32\Cbppnbhm.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
   PID: 2720

6. C:\Windows\SysWOW64\Cocphf32.exe
   Command line: C:\Windows\system32\Cocphf32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
   PID: 2588

7. C:\Windows\SysWOW64\Cileqlmg.exe
   Command line: C:\Windows\system32\Cileqlmg.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
   PID: 2728

8. C:\Windows\SysWOW64\Cebeem32.exe
   Command line: C:\Windows\system32\Cebeem32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
   PID: 2632

9. C:\Windows\SysWOW64\Cjonncab.exe
   Command line: C:\Windows\system32\Cjonncab.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
   PID: 3044

10. C:\Windows\SysWOW64\Cgcnghpl.exe
    Command line: C:\Windows\system32\Cgcnghpl.exe
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID: 1324

11. C:\Windows\SysWOW64\Cmpgpond.exe
    Command line: C:\Windows\system32\Cmpgpond.exe
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID: 1988

12. C:\Windows\SysWOW64\Djdgic32.exe
    Command line: C:\Windows\system32\Djdgic32.exe
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID: 560

13. C:\Windows\SysWOW64\Dpapaj32.exe
    Command line: C:\Windows\system32\Dpapaj32.exe
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 1152

14. C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1152 -s 144
    - Loads dropped DLL
    - Program crash
    PID: 1116