berbew | 7a63d49d2f24988139914fd42971236fb82d7520578778e7453d757d7b2bbd87

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-12-2024 23:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7a63d49d2f24988139914fd42971236fb82d7520578778e7453d757d7b2bbd87.exe
Size

512KB
MD5

a675d53c8e17e9c30ae216ba6852e2d2
SHA1

8e4dd80adefbb0a0301c0ddd28944b081a263d12
SHA256

7a63d49d2f24988139914fd42971236fb82d7520578778e7453d757d7b2bbd87
SHA512

f07ea38880f84e0ad743f26ae8a80b1d555552064fc5926ba4c6b79f1d4cca76638417890b0cfc1301bb7649af54756398ab4abd6c4e93135f6a364511aa9f05
SSDEEP

6144:vBndfdrMJO853XBpnTfwNPbAvjDAcXxxXfY09cnEWPDZ:5dfdKOQBpnchWcZ

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://tat-neftbank.ru/kkq.php

http://tat-neftbank.ru/wcmd.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 28 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	7a63d49d2f24988139914fd42971236fb82d7520578778e7453d757d7b2bbd87.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Belebq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmefhako.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beihma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cabfga32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmefhako.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkifae32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Belebq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	7a63d49d2f24988139914fd42971236fb82d7520578778e7453d757d7b2bbd87.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdabcm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdfkolkf.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 14 IoCs

pid	Process
1596	Beihma32.exe
2476	Belebq32.exe
2168	Cabfga32.exe
2584	Cdabcm32.exe
1948	Caebma32.exe
4468	Cdfkolkf.exe
1704	Cajlhqjp.exe
1556	Cegdnopg.exe
4208	Dmcibama.exe
4676	Dfknkg32.exe
1564	Dmefhako.exe
3808	Dkifae32.exe
5060	Daekdooc.exe
2324	Dmllipeg.exe

Drops file in System32 directory 42 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Dmefhako.exe	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Daekdooc.exe	Dkifae32.exe
File created	C:\Windows\SysWOW64\Ohmoom32.dll	Dkifae32.exe
File opened for modification	C:\Windows\SysWOW64\Dkifae32.exe	Dmefhako.exe
File created	C:\Windows\SysWOW64\Gblnkg32.dll	7a63d49d2f24988139914fd42971236fb82d7520578778e7453d757d7b2bbd87.exe
File created	C:\Windows\SysWOW64\Gallfmbn.dll	Beihma32.exe
File created	C:\Windows\SysWOW64\Ndkqipob.dll	Belebq32.exe
File opened for modification	C:\Windows\SysWOW64\Cdabcm32.exe	Cabfga32.exe
File created	C:\Windows\SysWOW64\Cdfkolkf.exe	Caebma32.exe
File created	C:\Windows\SysWOW64\Kmfjodai.dll	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Belebq32.exe	Beihma32.exe
File created	C:\Windows\SysWOW64\Cajlhqjp.exe	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Clghpklj.dll	Cdfkolkf.exe
File opened for modification	C:\Windows\SysWOW64\Dfknkg32.exe	Dmcibama.exe
File created	C:\Windows\SysWOW64\Cogflbdn.dll	Dmcibama.exe
File opened for modification	C:\Windows\SysWOW64\Daekdooc.exe	Dkifae32.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Daekdooc.exe
File created	C:\Windows\SysWOW64\Cdabcm32.exe	Cabfga32.exe
File created	C:\Windows\SysWOW64\Bhicommo.dll	Cabfga32.exe
File opened for modification	C:\Windows\SysWOW64\Cdfkolkf.exe	Caebma32.exe
File created	C:\Windows\SysWOW64\Jffggf32.dll	Caebma32.exe
File created	C:\Windows\SysWOW64\Dkifae32.exe	Dmefhako.exe
File created	C:\Windows\SysWOW64\Pdheac32.dll	Dmefhako.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Daekdooc.exe
File created	C:\Windows\SysWOW64\Beihma32.exe	7a63d49d2f24988139914fd42971236fb82d7520578778e7453d757d7b2bbd87.exe
File opened for modification	C:\Windows\SysWOW64\Belebq32.exe	Beihma32.exe
File opened for modification	C:\Windows\SysWOW64\Cajlhqjp.exe	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Dmcibama.exe	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Dmefhako.exe	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Gidbim32.dll	Dfknkg32.exe
File opened for modification	C:\Windows\SysWOW64\Cabfga32.exe	Belebq32.exe
File created	C:\Windows\SysWOW64\Olfdahne.dll	Cdabcm32.exe
File created	C:\Windows\SysWOW64\Mgcail32.dll	Cajlhqjp.exe
File opened for modification	C:\Windows\SysWOW64\Dmcibama.exe	Cegdnopg.exe
File opened for modification	C:\Windows\SysWOW64\Beihma32.exe	7a63d49d2f24988139914fd42971236fb82d7520578778e7453d757d7b2bbd87.exe
File opened for modification	C:\Windows\SysWOW64\Caebma32.exe	Cdabcm32.exe
File opened for modification	C:\Windows\SysWOW64\Cegdnopg.exe	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Dfknkg32.exe	Dmcibama.exe
File created	C:\Windows\SysWOW64\Cabfga32.exe	Belebq32.exe
File created	C:\Windows\SysWOW64\Caebma32.exe	Cdabcm32.exe
File created	C:\Windows\SysWOW64\Cegdnopg.exe	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Daekdooc.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1732	2324	WerFault.exe	96

System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7a63d49d2f24988139914fd42971236fb82d7520578778e7453d757d7b2bbd87.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Belebq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdabcm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cabfga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beihma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caebma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe

Modifies registry class 45 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cogflbdn.dll"	Dmcibama.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	7a63d49d2f24988139914fd42971236fb82d7520578778e7453d757d7b2bbd87.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olfdahne.dll"	Cdabcm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Caebma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clghpklj.dll"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	7a63d49d2f24988139914fd42971236fb82d7520578778e7453d757d7b2bbd87.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgcail32.dll"	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmfjodai.dll"	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	7a63d49d2f24988139914fd42971236fb82d7520578778e7453d757d7b2bbd87.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndkqipob.dll"	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhicommo.dll"	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gidbim32.dll"	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	7a63d49d2f24988139914fd42971236fb82d7520578778e7453d757d7b2bbd87.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	7a63d49d2f24988139914fd42971236fb82d7520578778e7453d757d7b2bbd87.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jffggf32.dll"	Caebma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdheac32.dll"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmefhako.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gblnkg32.dll"	7a63d49d2f24988139914fd42971236fb82d7520578778e7453d757d7b2bbd87.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gallfmbn.dll"	Beihma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cabfga32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohmoom32.dll"	Dkifae32.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 3396 wrote to memory of 1596	3396	7a63d49d2f24988139914fd42971236fb82d7520578778e7453d757d7b2bbd87.exe	83
PID 3396 wrote to memory of 1596	3396	7a63d49d2f24988139914fd42971236fb82d7520578778e7453d757d7b2bbd87.exe	83
PID 3396 wrote to memory of 1596	3396	7a63d49d2f24988139914fd42971236fb82d7520578778e7453d757d7b2bbd87.exe	83
PID 1596 wrote to memory of 2476	1596	Beihma32.exe	84
PID 1596 wrote to memory of 2476	1596	Beihma32.exe	84
PID 1596 wrote to memory of 2476	1596	Beihma32.exe	84
PID 2476 wrote to memory of 2168	2476	Belebq32.exe	85
PID 2476 wrote to memory of 2168	2476	Belebq32.exe	85
PID 2476 wrote to memory of 2168	2476	Belebq32.exe	85
PID 2168 wrote to memory of 2584	2168	Cabfga32.exe	86
PID 2168 wrote to memory of 2584	2168	Cabfga32.exe	86
PID 2168 wrote to memory of 2584	2168	Cabfga32.exe	86
PID 2584 wrote to memory of 1948	2584	Cdabcm32.exe	87
PID 2584 wrote to memory of 1948	2584	Cdabcm32.exe	87
PID 2584 wrote to memory of 1948	2584	Cdabcm32.exe	87
PID 1948 wrote to memory of 4468	1948	Caebma32.exe	88
PID 1948 wrote to memory of 4468	1948	Caebma32.exe	88
PID 1948 wrote to memory of 4468	1948	Caebma32.exe	88
PID 4468 wrote to memory of 1704	4468	Cdfkolkf.exe	89
PID 4468 wrote to memory of 1704	4468	Cdfkolkf.exe	89
PID 4468 wrote to memory of 1704	4468	Cdfkolkf.exe	89
PID 1704 wrote to memory of 1556	1704	Cajlhqjp.exe	90
PID 1704 wrote to memory of 1556	1704	Cajlhqjp.exe	90
PID 1704 wrote to memory of 1556	1704	Cajlhqjp.exe	90
PID 1556 wrote to memory of 4208	1556	Cegdnopg.exe	91
PID 1556 wrote to memory of 4208	1556	Cegdnopg.exe	91
PID 1556 wrote to memory of 4208	1556	Cegdnopg.exe	91
PID 4208 wrote to memory of 4676	4208	Dmcibama.exe	92
PID 4208 wrote to memory of 4676	4208	Dmcibama.exe	92
PID 4208 wrote to memory of 4676	4208	Dmcibama.exe	92
PID 4676 wrote to memory of 1564	4676	Dfknkg32.exe	93
PID 4676 wrote to memory of 1564	4676	Dfknkg32.exe	93
PID 4676 wrote to memory of 1564	4676	Dfknkg32.exe	93
PID 1564 wrote to memory of 3808	1564	Dmefhako.exe	94
PID 1564 wrote to memory of 3808	1564	Dmefhako.exe	94
PID 1564 wrote to memory of 3808	1564	Dmefhako.exe	94
PID 3808 wrote to memory of 5060	3808	Dkifae32.exe	95
PID 3808 wrote to memory of 5060	3808	Dkifae32.exe	95
PID 3808 wrote to memory of 5060	3808	Dkifae32.exe	95
PID 5060 wrote to memory of 2324	5060	Daekdooc.exe	96
PID 5060 wrote to memory of 2324	5060	Daekdooc.exe	96
PID 5060 wrote to memory of 2324	5060	Daekdooc.exe	96

C:\Users\Admin\AppData\Local\Temp\7a63d49d2f24988139914fd42971236fb82d7520578778e7453d757d7b2bbd87.exe
"C:\Users\Admin\AppData\Local\Temp\7a63d49d2f24988139914fd42971236fb82d7520578778e7453d757d7b2bbd87.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3396
- C:\Windows\SysWOW64\Beihma32.exe
  C:\Windows\system32\Beihma32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1596
- - C:\Windows\SysWOW64\Belebq32.exe
    C:\Windows\system32\Belebq32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2476
  - - C:\Windows\SysWOW64\Cabfga32.exe
      C:\Windows\system32\Cabfga32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2168
    - - C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2584
      - C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1948
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4468
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1704
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1556
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4208
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4676
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1564
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3808
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5060
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2324
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2324 -s 396
        16⤵
        Program crash
        
        PID:1732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2324 -ip 2324
1⤵
PID:4176

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Beihma32.exe

Filesize
512KB

MD5
138ec5692df4374e8a55a04bcebdec05

SHA1
e76644d0692af855e9894c8a29b70517eceb36ce

SHA256
3cb1de01ae9c6185239aa5fcaaeecc9ecb097c204123a5fdfd6b39a92ad94529

SHA512
9bfd6eb7a76949b8a8530be9a415a2eec0bab83ea8e3b98c5036bcb7cdf4f3ec1462ee729be4f8b5fe753cac27741186caf3446a81766e119e39e98248b47df5

Download Submit
C:\Windows\SysWOW64\Belebq32.exe

Filesize
512KB

MD5
0d855762ffc75dc548d6ccdf6306ca9e

SHA1
06996ac65df125a73543cb48dc0bec634f106d40

SHA256
2d2dafa161d8a1b107e26bcb48109d6a77be246e0fd99c973f4773b1af731408

SHA512
d9ed196ed2d06d139dc7c1c7432122c6a7c67dbcf210f08fc570231d1a5cf7accd78cd75fb08baf428735168178e46aca44ce0b2d40091376f66092e2b479ae4

Download Submit
C:\Windows\SysWOW64\Cabfga32.exe

Filesize
512KB

MD5
9e5464e23d140478317fedbbbf1eab2a

SHA1
8a3fe89bfe112c8e3f24c8f923bb1a653ac5ba0c

SHA256
dbaf1d30f1880d7ab78984b499a29cbdebce978a1fbde5ca96ac8d0e968349ae

SHA512
28ebaa659da409203417303019f45e3be0f25f4ef00f2efc685c00dc9d98ba258b4c5d36b80f347123fe1f408e7745f1a6417eb57ac9e70774d7b08f42af9672

Download Submit
C:\Windows\SysWOW64\Caebma32.exe

Filesize
512KB

MD5
f965654cf6ccdad19e929ce5d7f9ca8a

SHA1
2c05090d67c9d1e1bf9bdc172113997a83a8fec8

SHA256
a565b53269611fcf14718e0a811154e6a8d8b85b3aed7e1f38dd12f6d75b12a7

SHA512
293a68bd17d49a877f1ef79b128d4012c12e71bd11f83b09d8ed90e122281572b0dcc93c6ed6608b5909fb369e4d05e809fe3da2e00d20fb4a09941dfba02014

Download Submit
C:\Windows\SysWOW64\Cajlhqjp.exe

Filesize
512KB

MD5
199d1ddf3fd2a9aa775511638ab1ad9d

SHA1
1c9bf4f15088516452abe0f45bea89bd68ec7f00

SHA256
c0e27679e51e90336e423b243d1f6ee177ae858bd61548c58b08507d0c71912a

SHA512
af828ec49a2a8a5bb9f3b403c479c66bd29af2a8e4f180b8464967f6d0df3c137cac6c156aaa411329ec864a02e803d26c5398e32337eade4d8a9dbeeccae8f2

Download Submit
C:\Windows\SysWOW64\Cdabcm32.exe

Filesize
512KB

MD5
6deae1431a2664078b741ce49c367074

SHA1
09b6087fb62165b975a6e8212f1a39f1713043ef

SHA256
3f9e7924fadc658b4be59aeeff836f8fab20943d2563b132bbd03b28e92ad0db

SHA512
31405a2ff575f97f83319543eea694a693fd1ceaf1e3676b52cf1c3d6ff989e099ffc5fc9d1f15b68230470c94917cc7477c72545db3f88452c13989e929a6da

Download Submit
C:\Windows\SysWOW64\Cdfkolkf.exe

Filesize
512KB

MD5
3c8e78764ea6575f07b530873e4fcb84

SHA1
e4759d46d600b9c8dabb1cc0ec271246dbe65552

SHA256
fbc792d5500e16dcb629bcdee5392d2ac976a67954aed60f80957bb50d07f275

SHA512
2b684900cab15605b01adcb6e89ff6b4ba4c1a16e56031a1a4fcb7216dd29cdd5eae45efb94a2dd52046f48ff936d717998a1f312d885a96332140e5f118de45

Download Submit
C:\Windows\SysWOW64\Cegdnopg.exe

Filesize
512KB

MD5
0dfcac16fa6b0b00c678840df99a16fc

SHA1
94056e78c3548cd594517389f979cc134960a824

SHA256
3d3ad0fb6ebde9afc6e4cb1dbfa0b6db2ca7d780fc266378e52761ede7314479

SHA512
ec0a36aab5177b81f6dacb0def10168b4e80c428972348d669ceb6d5a1b3f464a695ff98a0cb65038f829b2ddd4dbc92222bde5023d116adc5acd52a8c1bb720

Download Submit
C:\Windows\SysWOW64\Daekdooc.exe

Filesize
512KB

MD5
1c0a9f686ec48cf6327b968f4d78fdaa

SHA1
941dc13ceb04bb6bb0eecca60fb068be1d0e2267

SHA256
baea98e11cfd88660a44d8cb6e2f3cbc1f600a7e6fefa7f59b8df80d2a27decd

SHA512
8ffb4e188aaaa4f581099e42ede6d7f011a1eed041a191397f169a47347ce701d1b230839915236e14d9e2459752f7f27bdb15e83d4869517e3724e93519e519

Download Submit
C:\Windows\SysWOW64\Dfknkg32.exe

Filesize
512KB

MD5
0cf293462226a20ce1c45b4292ce75d6

SHA1
db914d3fc0aa4ad3a04b55fa2d6527071495371f

SHA256
60b76866bd2ce2b6e2c7d0decb96c99127dac1d564f7483e648771f2ecaf951e

SHA512
1ed1c99387321d26aebe9167b913d0cc9bc64e7bce03e882d104fe477870ab5139b3ed5cff536ec424007d0e7b9ffefe9d874edf465fc516e7be1022952aeb15

Download Submit
C:\Windows\SysWOW64\Dkifae32.exe

Filesize
512KB

MD5
2baa832796f48772e82996ff05320d56

SHA1
cfdfcedd0de5308ffa91adc1a63750dbfd902ad6

SHA256
a4271099d4cb73c12bcdb44b2a6bfbfae27293fc24ad5b423a1c968a0c8e74a7

SHA512
6bbd910eff8d5f71bf09b9ae41f23c756cf4ba6b69185949c4791ea181011b4c61545fee2674266247ec2441719ca6797811060f13cd9585fb25b3330464dc28

Download Submit
C:\Windows\SysWOW64\Dmcibama.exe

Filesize
512KB

MD5
9121fd49df0315db09b02dff504eba9a

SHA1
a5643ecd56545f952a2eca431bbc221d68fef473

SHA256
73c56fc0ab0e76e698db15de33e11521be4eec3d87d55a1eef3517313a36d136

SHA512
b43024f9db97ee658968c8691aea3594ec1f0e90bb4816cb261a52fcbeac008065cb758e52e8de0a43857645404be25b8545c6286f751d22b5730e2427992c57

Download Submit
C:\Windows\SysWOW64\Dmefhako.exe

Filesize
512KB

MD5
dc154467202a61d6f7f8ec2ed33753bd

SHA1
2b3d27f60e8d6f96559debb5159ebf44d810cfa5

SHA256
4977bec1152fe518729d2adc56eed8f5e60112d6fd409ec5fc0cac110410af2e

SHA512
508b2967d351979d02680536fe4ffc3b65aed52d04ac584b217a3a8c724ad9ecb077abc8f0b87c2f0c43d6cf92b3ecf04ea297f2fbb7d84f7c2f577d306de884

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
512KB

MD5
8fe8ba2c99233c388c44fa81d972c6d0

SHA1
1e67570012c2874c5442d7d855471869f38f5701

SHA256
e7b40c6b769c6d50576af8406f574ae2cd8f1e3a37b0652eea92bcb6416b4341

SHA512
ba9761a183a02e7434e3a624152d9973db2f96bd665f754e1b93b07f2fafb8a07a54c10726730cec90295164d279c2af1e3fca81dfb096b34a2d7fa3cdb3e2f7

Download Submit
memory/1556-63-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1556-132-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1564-126-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1564-89-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1596-88-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1596-7-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1704-134-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1704-56-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1948-40-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1948-118-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2168-24-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2168-106-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2324-116-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2324-122-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2476-98-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2476-15-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2584-31-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2584-115-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3396-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3396-79-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3808-99-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3808-124-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4208-130-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4208-71-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4468-136-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4468-47-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4676-128-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4676-81-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5060-107-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5060-121-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads