berbew | 2e0a86d78eadd3ed57374f4d0cba6736f78491f27ce0b963ee18245454b9318e

Analysis

max time kernel
94s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-12-2024 09:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2e0a86d78eadd3ed57374f4d0cba6736f78491f27ce0b963ee18245454b9318eN.exe
Size

2.3MB
MD5

acc5f10587a09964ae3afdbd94ee25f0
SHA1

eb986f3a001665cefd323b3d96240398688ab8e8
SHA256

2e0a86d78eadd3ed57374f4d0cba6736f78491f27ce0b963ee18245454b9318e
SHA512

03eff191d40cb7e293e4b08c1a673402329db7b9c7b87074cd6217112a3c6e6df9798f24b5679a554bafce53e6cedd120ba273eac702c0fbc024d03c0046f5f7
SSDEEP

3072:vzaCcJhvPxb6KBUz4vlcZ0I/I0Q5OPIN+/cuTQ2TgRX7Jg3A9z:vzWPxvlcZVgp54tRo7KA9z

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	2e0a86d78eadd3ed57374f4d0cba6736f78491f27ce0b963ee18245454b9318eN.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Banllbdn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkifae32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	2e0a86d78eadd3ed57374f4d0cba6736f78491f27ce0b963ee18245454b9318eN.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkifae32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Banllbdn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgbdlf32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 12 IoCs

pid	Process
3900	Bjddphlq.exe
1376	Banllbdn.exe
2572	Chjaol32.exe
3256	Cmiflbel.exe
2416	Cdcoim32.exe
3624	Cjmgfgdf.exe
1340	Cmlcbbcj.exe
3792	Dfiafg32.exe
4244	Dkifae32.exe
440	Dmjocp32.exe
404	Dgbdlf32.exe
212	Dmllipeg.exe

Drops file in System32 directory 36 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Bjddphlq.exe	2e0a86d78eadd3ed57374f4d0cba6736f78491f27ce0b963ee18245454b9318eN.exe
File created	C:\Windows\SysWOW64\Cmiflbel.exe	Chjaol32.exe
File opened for modification	C:\Windows\SysWOW64\Cdcoim32.exe	Cmiflbel.exe
File opened for modification	C:\Windows\SysWOW64\Dfiafg32.exe	Cmlcbbcj.exe
File created	C:\Windows\SysWOW64\Qihfjd32.dll	Bjddphlq.exe
File created	C:\Windows\SysWOW64\Cdcoim32.exe	Cmiflbel.exe
File created	C:\Windows\SysWOW64\Cmlcbbcj.exe	Cjmgfgdf.exe
File created	C:\Windows\SysWOW64\Fmjkjk32.dll	Cjmgfgdf.exe
File created	C:\Windows\SysWOW64\Bobiobnp.dll	Dkifae32.exe
File opened for modification	C:\Windows\SysWOW64\Banllbdn.exe	Bjddphlq.exe
File opened for modification	C:\Windows\SysWOW64\Chjaol32.exe	Banllbdn.exe
File created	C:\Windows\SysWOW64\Nedmmlba.dll	Cmiflbel.exe
File created	C:\Windows\SysWOW64\Kkmjgool.dll	Cmlcbbcj.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Hhqeiena.dll	2e0a86d78eadd3ed57374f4d0cba6736f78491f27ce0b963ee18245454b9318eN.exe
File created	C:\Windows\SysWOW64\Dgbdlf32.exe	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Bjddphlq.exe	2e0a86d78eadd3ed57374f4d0cba6736f78491f27ce0b963ee18245454b9318eN.exe
File created	C:\Windows\SysWOW64\Chjaol32.exe	Banllbdn.exe
File opened for modification	C:\Windows\SysWOW64\Cmiflbel.exe	Chjaol32.exe
File created	C:\Windows\SysWOW64\Cjmgfgdf.exe	Cdcoim32.exe
File created	C:\Windows\SysWOW64\Dfiafg32.exe	Cmlcbbcj.exe
File created	C:\Windows\SysWOW64\Pdheac32.dll	Dfiafg32.exe
File opened for modification	C:\Windows\SysWOW64\Dmjocp32.exe	Dkifae32.exe
File created	C:\Windows\SysWOW64\Jfihel32.dll	Banllbdn.exe
File opened for modification	C:\Windows\SysWOW64\Cmlcbbcj.exe	Cjmgfgdf.exe
File created	C:\Windows\SysWOW64\Dmjocp32.exe	Dkifae32.exe
File opened for modification	C:\Windows\SysWOW64\Dgbdlf32.exe	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Gfghpl32.dll	Dmjocp32.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Maickled.dll	Cdcoim32.exe
File created	C:\Windows\SysWOW64\Dkifae32.exe	Dfiafg32.exe
File opened for modification	C:\Windows\SysWOW64\Dkifae32.exe	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Banllbdn.exe	Bjddphlq.exe
File created	C:\Windows\SysWOW64\Bbloam32.dll	Chjaol32.exe
File opened for modification	C:\Windows\SysWOW64\Cjmgfgdf.exe	Cdcoim32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1092	212	WerFault.exe	94

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiafg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Banllbdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjddphlq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chjaol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmiflbel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdcoim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjmgfgdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2e0a86d78eadd3ed57374f4d0cba6736f78491f27ce0b963ee18245454b9318eN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe

Modifies registry class 39 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkmjgool.dll"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maickled.dll"	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	2e0a86d78eadd3ed57374f4d0cba6736f78491f27ce0b963ee18245454b9318eN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhqeiena.dll"	2e0a86d78eadd3ed57374f4d0cba6736f78491f27ce0b963ee18245454b9318eN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Banllbdn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfghpl32.dll"	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	2e0a86d78eadd3ed57374f4d0cba6736f78491f27ce0b963ee18245454b9318eN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bobiobnp.dll"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	2e0a86d78eadd3ed57374f4d0cba6736f78491f27ce0b963ee18245454b9318eN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfihel32.dll"	Banllbdn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdheac32.dll"	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjddphlq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	2e0a86d78eadd3ed57374f4d0cba6736f78491f27ce0b963ee18245454b9318eN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkifae32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	2e0a86d78eadd3ed57374f4d0cba6736f78491f27ce0b963ee18245454b9318eN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbloam32.dll"	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmjkjk32.dll"	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Banllbdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nedmmlba.dll"	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qihfjd32.dll"	Bjddphlq.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 1544 wrote to memory of 3900	1544	2e0a86d78eadd3ed57374f4d0cba6736f78491f27ce0b963ee18245454b9318eN.exe	83
PID 1544 wrote to memory of 3900	1544	2e0a86d78eadd3ed57374f4d0cba6736f78491f27ce0b963ee18245454b9318eN.exe	83
PID 1544 wrote to memory of 3900	1544	2e0a86d78eadd3ed57374f4d0cba6736f78491f27ce0b963ee18245454b9318eN.exe	83
PID 3900 wrote to memory of 1376	3900	Bjddphlq.exe	84
PID 3900 wrote to memory of 1376	3900	Bjddphlq.exe	84
PID 3900 wrote to memory of 1376	3900	Bjddphlq.exe	84
PID 1376 wrote to memory of 2572	1376	Banllbdn.exe	85
PID 1376 wrote to memory of 2572	1376	Banllbdn.exe	85
PID 1376 wrote to memory of 2572	1376	Banllbdn.exe	85
PID 2572 wrote to memory of 3256	2572	Chjaol32.exe	86
PID 2572 wrote to memory of 3256	2572	Chjaol32.exe	86
PID 2572 wrote to memory of 3256	2572	Chjaol32.exe	86
PID 3256 wrote to memory of 2416	3256	Cmiflbel.exe	87
PID 3256 wrote to memory of 2416	3256	Cmiflbel.exe	87
PID 3256 wrote to memory of 2416	3256	Cmiflbel.exe	87
PID 2416 wrote to memory of 3624	2416	Cdcoim32.exe	88
PID 2416 wrote to memory of 3624	2416	Cdcoim32.exe	88
PID 2416 wrote to memory of 3624	2416	Cdcoim32.exe	88
PID 3624 wrote to memory of 1340	3624	Cjmgfgdf.exe	89
PID 3624 wrote to memory of 1340	3624	Cjmgfgdf.exe	89
PID 3624 wrote to memory of 1340	3624	Cjmgfgdf.exe	89
PID 1340 wrote to memory of 3792	1340	Cmlcbbcj.exe	90
PID 1340 wrote to memory of 3792	1340	Cmlcbbcj.exe	90
PID 1340 wrote to memory of 3792	1340	Cmlcbbcj.exe	90
PID 3792 wrote to memory of 4244	3792	Dfiafg32.exe	91
PID 3792 wrote to memory of 4244	3792	Dfiafg32.exe	91
PID 3792 wrote to memory of 4244	3792	Dfiafg32.exe	91
PID 4244 wrote to memory of 440	4244	Dkifae32.exe	92
PID 4244 wrote to memory of 440	4244	Dkifae32.exe	92
PID 4244 wrote to memory of 440	4244	Dkifae32.exe	92
PID 440 wrote to memory of 404	440	Dmjocp32.exe	93
PID 440 wrote to memory of 404	440	Dmjocp32.exe	93
PID 440 wrote to memory of 404	440	Dmjocp32.exe	93
PID 404 wrote to memory of 212	404	Dgbdlf32.exe	94
PID 404 wrote to memory of 212	404	Dgbdlf32.exe	94
PID 404 wrote to memory of 212	404	Dgbdlf32.exe	94

C:\Users\Admin\AppData\Local\Temp\2e0a86d78eadd3ed57374f4d0cba6736f78491f27ce0b963ee18245454b9318eN.exe
"C:\Users\Admin\AppData\Local\Temp\2e0a86d78eadd3ed57374f4d0cba6736f78491f27ce0b963ee18245454b9318eN.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1544
- C:\Windows\SysWOW64\Bjddphlq.exe
  C:\Windows\system32\Bjddphlq.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3900
- - C:\Windows\SysWOW64\Banllbdn.exe
    C:\Windows\system32\Banllbdn.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1376
  - - C:\Windows\SysWOW64\Chjaol32.exe
      C:\Windows\system32\Chjaol32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2572
    - - C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3256
      - C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2416
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3624
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1340
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3792
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4244
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:440
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:404
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:212
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 212 -s 396
        14⤵
        Program crash
        
        PID:1092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 212 -ip 212
1⤵
PID:3092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Banllbdn.exe

Filesize
2.3MB

MD5
94e7326f5f614211c36bc4d7ca1f8d1a

SHA1
33d4c79ee38f8727d29953d3659ff76a6f048cc9

SHA256
703e9fa7ff7d21f5fb6d346c2debc372396d11431e496a1155ef8d8f86119140

SHA512
6779c277b8da26a661558b6870379f919b3cf494e2a082cfe520ecdb3da20c7bcee05750a10c0f9113fa459bdf052cd8d546e700a01eb6d9a488e027618d0ee0

Download Submit
C:\Windows\SysWOW64\Bjddphlq.exe

Filesize
2.3MB

MD5
198ac2d71b9f4bd2cdaf3789ddd9e61c

SHA1
674f5d01d6a26ad3e195eb624bea38aaf19c4df1

SHA256
5efc516b1f1eba5905af06d16cc56940ec6c97f8fb15f1e708f4a522c6040761

SHA512
94d4fde2bb4eef2fba1337c6403da7894da3e01f2d479bd3c87487e87a09d2cc7e0c52e5e29abe97de99c6b049762e6fa13d72c5df62b1d377a626966fc406d6

Download Submit
C:\Windows\SysWOW64\Cdcoim32.exe

Filesize
2.3MB

MD5
7540870e44965985761bbd7953c8f171

SHA1
0640451e439d570bc5c98391b0948899b9afc248

SHA256
520af04bcdb0e7e2aef609c79a90eebca69664fa58cc8096a690ee3873402880

SHA512
e4b9f52937906cf71401a3b9430e4084be84e38c49ca1224d2af585763862223b0eff12cdfded6b3228b4e317ce4b4d4b8f9237009e643168564d7cec64c67d7

Download Submit
C:\Windows\SysWOW64\Chjaol32.exe

Filesize
2.3MB

MD5
0c8d667445f8d5c5d6fca1bff1b363ff

SHA1
760c5d6e2dc61e8a42ea393175b35756fc0f1784

SHA256
4710683eaaa6773043f634064d9652ca2a663ce75886618e6deed995408b02cb

SHA512
fb7bc0541c483c1701c1bbd04c217c2752c7e60578357f97e3df15162bca90d2c8178a695ad0531689e0b0ca99b88c7fd69859b9c6c0db60fb5ea20daaf6f8e3

Download Submit
C:\Windows\SysWOW64\Cjmgfgdf.exe

Filesize
2.3MB

MD5
d3be9b4f981a105e12543bc5e6e48587

SHA1
105158716aafff2d319e377b90528879822e8b34

SHA256
bc6f65cabbfe82ee243ff856226414baa891f1b5e9ef5617a4fdb7f58144418b

SHA512
ed3dd6ec3b09da72ae31502332f0191db5daadc87cfe668252f746ba72e2d46f8d11cfcd9bd3eed364293d149d3f4ead5b1cf2e939a5c2d1564ed0f7a1e39eaf

Download Submit
C:\Windows\SysWOW64\Cmiflbel.exe

Filesize
2.3MB

MD5
2692a501535f4a25562353517968b47b

SHA1
db188cb50e2a7c76d6201fc5863e3af093a5f83f

SHA256
c476dd1196a23b0b2d5ebb118325d7d3b96a3fc9df4f36cd806faf641cf8e1ed

SHA512
ef7bcd7376ce51bf78682809c5e8846e89d1249d0368390ec701ecbf07d85053ed1be9822b497642ac7f289475427dd7123d66a83bb5f1e0acc8ee1f78cb8bbd

Download Submit
C:\Windows\SysWOW64\Cmlcbbcj.exe

Filesize
2.3MB

MD5
b187627f6ad79d4cc2b93ac2a5030d69

SHA1
6db1b9f18f8ef36554120d5671a344d3485039d9

SHA256
83250c4e07f490bc263113639642953c67b81ad5b1cbe17a65d93d17d822be6f

SHA512
c1a36ba66d5454384f9a4bbfa4808233547a7a60e932286aef0446c24c96aabb5e17ff46637164fa84ec1958bf3cb47793746549d891a9a40efd707d0a4fe51a

Download Submit
C:\Windows\SysWOW64\Dfiafg32.exe

Filesize
2.3MB

MD5
21ff674ab4fbb3e06d489a48c7d4effd

SHA1
b1608d1bf23a4d5815b9e1be050ad6aa27d02e16

SHA256
448007c1c87f203656f043e2277f9154fdda68f1e6109da2dca3dd46b644b09d

SHA512
874c2e498155f069624af92b3532d8538ae30c64f690f40cbc181c297231d6c3d391ec01e0b52eb99509321162ec1621c82f3da04452b48cb44ca01dc4e82f43

Download Submit
C:\Windows\SysWOW64\Dgbdlf32.exe

Filesize
2.3MB

MD5
5d446bcf565f61c2f61340237215c5da

SHA1
2f5ad5508e4325d2d40c03430eb8dbcc3e6c5076

SHA256
3ea57c5955d1b271b7950d8c9cc46033ca561d88962b008d4b6e8d006abbf7e5

SHA512
14d21d4f30470c824ac42e7c1a4479f24cff2835552dcec024885a5131915b84e0e5c8343a5e26ee20183ce190f38cfea3d0593802ae0ab7fa537712fd83060e

Download Submit
C:\Windows\SysWOW64\Dkifae32.exe

Filesize
2.3MB

MD5
df2ab316c39c708b524ffaf7c7b47036

SHA1
7100fd087b2c07f8f1256d3c43e18becb7a3e004

SHA256
28283243350b3666d62c3abf7f1432d89c95bab73701733400cf035519ce2376

SHA512
3d9b5a954034ffb91a6bb2831766aa21cfcaaab2896bcff03397d8ed5ec0c22ff8e4475593dddb90bdffa1505e050850279c40292c3cfc3e917959a1489ba565

Download Submit
C:\Windows\SysWOW64\Dmjocp32.exe

Filesize
2.3MB

MD5
932bbcff6e9f2ce8e6556b8496834113

SHA1
785e1432652e6db9962643da58411e8f00432793

SHA256
d64e16c6ce2512c1ad66ca83bc0429f17a6a9e2d892fd2a8320ff0aac6ee7daa

SHA512
0c93efd6518b24c4c7f5753fa20a8e1b5a5c3c1a5537384165a6a3213ae55f727801ff7e4f13e46102bf55e7d4782ec06c4481a39bc4dcf94a16779fc875c1c2

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
2.3MB

MD5
26031321ef5aecd2b53a9791b7635180

SHA1
d695a0c03f8f238aecdc4c6643921a5a85d1b436

SHA256
6375c41766b5cb22a5bd3e283d5eeb676139bce8b1985423cf69e1e6c6497f0e

SHA512
e77e93be9534ddd12e2931395d6eea2b0d02acc5ba77ea715a331d508807748d2d3a413ec09a6e20e22214ca3690493b21d2230301889c5f1059295740ad1819

Download Submit
memory/212-97-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/404-89-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/404-100-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/440-85-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/440-101-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1340-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1340-106-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1376-116-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1376-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1544-120-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1544-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1544-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/2416-41-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2416-110-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2572-114-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2572-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3256-33-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3256-112-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3624-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3624-108-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3792-104-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3792-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3900-118-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3900-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4244-103-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4244-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads