berbew | de33de104e63dc1a5d657a0c510dd3ace822e6c48488353cddbc70f50ce49239

Analysis

max time kernel
118s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 10:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

de33de104e63dc1a5d657a0c510dd3ace822e6c48488353cddbc70f50ce49239.exe
Size

465KB
MD5

a11fbcc3e3aeb70f8b77e26b7f8e1060
SHA1

b113c8f6383562706f4277a0d465f0373d31c3b0
SHA256

de33de104e63dc1a5d657a0c510dd3ace822e6c48488353cddbc70f50ce49239
SHA512

390d65d3bb4ba9c2d7b8c0749d12a8139eea2717d7043e14c30370abaedc7f26c74e939b82733d64466920987e8cc36e5d6fc99c24a7b569972f248f28550fa9
SSDEEP

12288:oT4wqx3FwnVAVjw7O8S/WNLKlUmpRe94u:oT4wqx3FwnVAVjLh/KKlUmpReeu

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://tat-neftbank.ru/kkq.php

http://tat-neftbank.ru/wcmd.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 16 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nplmop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nplmop32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngfflj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mbmjah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mooaljkh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	de33de104e63dc1a5d657a0c510dd3ace822e6c48488353cddbc70f50ce49239.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmlhnagm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mooaljkh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlcbenjb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	de33de104e63dc1a5d657a0c510dd3ace822e6c48488353cddbc70f50ce49239.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mlcbenjb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mbmjah32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mmldme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mmldme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngfflj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmlhnagm.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 8 IoCs

pid	Process
2840	Lmlhnagm.exe
2836	Mooaljkh.exe
2540	Mlcbenjb.exe
2212	Mbmjah32.exe
792	Mmldme32.exe
1740	Nplmop32.exe
2124	Ngfflj32.exe
1160	Nlhgoqhh.exe

Loads dropped DLL 20 IoCs

pid	Process
2764	de33de104e63dc1a5d657a0c510dd3ace822e6c48488353cddbc70f50ce49239.exe
2764	de33de104e63dc1a5d657a0c510dd3ace822e6c48488353cddbc70f50ce49239.exe
2840	Lmlhnagm.exe
2840	Lmlhnagm.exe
2836	Mooaljkh.exe
2836	Mooaljkh.exe
2540	Mlcbenjb.exe
2540	Mlcbenjb.exe
2212	Mbmjah32.exe
2212	Mbmjah32.exe
792	Mmldme32.exe
792	Mmldme32.exe
1740	Nplmop32.exe
1740	Nplmop32.exe
2124	Ngfflj32.exe
2124	Ngfflj32.exe
2600	WerFault.exe
2600	WerFault.exe
2600	WerFault.exe
2600	WerFault.exe

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Lmlhnagm.exe	de33de104e63dc1a5d657a0c510dd3ace822e6c48488353cddbc70f50ce49239.exe
File created	C:\Windows\SysWOW64\Mooaljkh.exe	Lmlhnagm.exe
File created	C:\Windows\SysWOW64\Mlcbenjb.exe	Mooaljkh.exe
File created	C:\Windows\SysWOW64\Ombhbhel.dll	Mooaljkh.exe
File created	C:\Windows\SysWOW64\Ngfflj32.exe	Nplmop32.exe
File opened for modification	C:\Windows\SysWOW64\Nlhgoqhh.exe	Ngfflj32.exe
File created	C:\Windows\SysWOW64\Nlhgoqhh.exe	Ngfflj32.exe
File created	C:\Windows\SysWOW64\Lamajm32.dll	Ngfflj32.exe
File created	C:\Windows\SysWOW64\Lmlhnagm.exe	de33de104e63dc1a5d657a0c510dd3ace822e6c48488353cddbc70f50ce49239.exe
File created	C:\Windows\SysWOW64\Njfppiho.dll	Mlcbenjb.exe
File created	C:\Windows\SysWOW64\Mmldme32.exe	Mbmjah32.exe
File opened for modification	C:\Windows\SysWOW64\Mmldme32.exe	Mbmjah32.exe
File created	C:\Windows\SysWOW64\Cgmgbeon.dll	Mbmjah32.exe
File created	C:\Windows\SysWOW64\Incbogkn.dll	Mmldme32.exe
File created	C:\Windows\SysWOW64\Hljdna32.dll	Nplmop32.exe
File opened for modification	C:\Windows\SysWOW64\Mooaljkh.exe	Lmlhnagm.exe
File created	C:\Windows\SysWOW64\Diaagb32.dll	Lmlhnagm.exe
File created	C:\Windows\SysWOW64\Mbmjah32.exe	Mlcbenjb.exe
File opened for modification	C:\Windows\SysWOW64\Mbmjah32.exe	Mlcbenjb.exe
File created	C:\Windows\SysWOW64\Nplmop32.exe	Mmldme32.exe
File opened for modification	C:\Windows\SysWOW64\Nplmop32.exe	Mmldme32.exe
File created	C:\Windows\SysWOW64\Ipjcbn32.dll	de33de104e63dc1a5d657a0c510dd3ace822e6c48488353cddbc70f50ce49239.exe
File opened for modification	C:\Windows\SysWOW64\Mlcbenjb.exe	Mooaljkh.exe
File opened for modification	C:\Windows\SysWOW64\Ngfflj32.exe	Nplmop32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2600	1160	WerFault.exe	37

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nplmop32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlhgoqhh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	de33de104e63dc1a5d657a0c510dd3ace822e6c48488353cddbc70f50ce49239.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mooaljkh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mmldme32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngfflj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmlhnagm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlcbenjb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mbmjah32.exe

Modifies registry class 27 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipjcbn32.dll"	de33de104e63dc1a5d657a0c510dd3ace822e6c48488353cddbc70f50ce49239.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lmlhnagm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngfflj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mooaljkh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Incbogkn.dll"	Mmldme32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nplmop32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mlcbenjb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mmldme32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lmlhnagm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njfppiho.dll"	Mlcbenjb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	de33de104e63dc1a5d657a0c510dd3ace822e6c48488353cddbc70f50ce49239.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	de33de104e63dc1a5d657a0c510dd3ace822e6c48488353cddbc70f50ce49239.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Diaagb32.dll"	Lmlhnagm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lamajm32.dll"	Ngfflj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	de33de104e63dc1a5d657a0c510dd3ace822e6c48488353cddbc70f50ce49239.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mlcbenjb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	de33de104e63dc1a5d657a0c510dd3ace822e6c48488353cddbc70f50ce49239.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgmgbeon.dll"	Mbmjah32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mmldme32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mbmjah32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	de33de104e63dc1a5d657a0c510dd3ace822e6c48488353cddbc70f50ce49239.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mooaljkh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ombhbhel.dll"	Mooaljkh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mbmjah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hljdna32.dll"	Nplmop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nplmop32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngfflj32.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2764 wrote to memory of 2840	2764	de33de104e63dc1a5d657a0c510dd3ace822e6c48488353cddbc70f50ce49239.exe	30
PID 2764 wrote to memory of 2840	2764	de33de104e63dc1a5d657a0c510dd3ace822e6c48488353cddbc70f50ce49239.exe	30
PID 2764 wrote to memory of 2840	2764	de33de104e63dc1a5d657a0c510dd3ace822e6c48488353cddbc70f50ce49239.exe	30
PID 2764 wrote to memory of 2840	2764	de33de104e63dc1a5d657a0c510dd3ace822e6c48488353cddbc70f50ce49239.exe	30
PID 2840 wrote to memory of 2836	2840	Lmlhnagm.exe	31
PID 2840 wrote to memory of 2836	2840	Lmlhnagm.exe	31
PID 2840 wrote to memory of 2836	2840	Lmlhnagm.exe	31
PID 2840 wrote to memory of 2836	2840	Lmlhnagm.exe	31
PID 2836 wrote to memory of 2540	2836	Mooaljkh.exe	32
PID 2836 wrote to memory of 2540	2836	Mooaljkh.exe	32
PID 2836 wrote to memory of 2540	2836	Mooaljkh.exe	32
PID 2836 wrote to memory of 2540	2836	Mooaljkh.exe	32
PID 2540 wrote to memory of 2212	2540	Mlcbenjb.exe	33
PID 2540 wrote to memory of 2212	2540	Mlcbenjb.exe	33
PID 2540 wrote to memory of 2212	2540	Mlcbenjb.exe	33
PID 2540 wrote to memory of 2212	2540	Mlcbenjb.exe	33
PID 2212 wrote to memory of 792	2212	Mbmjah32.exe	34
PID 2212 wrote to memory of 792	2212	Mbmjah32.exe	34
PID 2212 wrote to memory of 792	2212	Mbmjah32.exe	34
PID 2212 wrote to memory of 792	2212	Mbmjah32.exe	34
PID 792 wrote to memory of 1740	792	Mmldme32.exe	35
PID 792 wrote to memory of 1740	792	Mmldme32.exe	35
PID 792 wrote to memory of 1740	792	Mmldme32.exe	35
PID 792 wrote to memory of 1740	792	Mmldme32.exe	35
PID 1740 wrote to memory of 2124	1740	Nplmop32.exe	36
PID 1740 wrote to memory of 2124	1740	Nplmop32.exe	36
PID 1740 wrote to memory of 2124	1740	Nplmop32.exe	36
PID 1740 wrote to memory of 2124	1740	Nplmop32.exe	36
PID 2124 wrote to memory of 1160	2124	Ngfflj32.exe	37
PID 2124 wrote to memory of 1160	2124	Ngfflj32.exe	37
PID 2124 wrote to memory of 1160	2124	Ngfflj32.exe	37
PID 2124 wrote to memory of 1160	2124	Ngfflj32.exe	37
PID 1160 wrote to memory of 2600	1160	Nlhgoqhh.exe	38
PID 1160 wrote to memory of 2600	1160	Nlhgoqhh.exe	38
PID 1160 wrote to memory of 2600	1160	Nlhgoqhh.exe	38
PID 1160 wrote to memory of 2600	1160	Nlhgoqhh.exe	38

C:\Users\Admin\AppData\Local\Temp\de33de104e63dc1a5d657a0c510dd3ace822e6c48488353cddbc70f50ce49239.exe
"C:\Users\Admin\AppData\Local\Temp\de33de104e63dc1a5d657a0c510dd3ace822e6c48488353cddbc70f50ce49239.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2764
- C:\Windows\SysWOW64\Lmlhnagm.exe
  C:\Windows\system32\Lmlhnagm.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2840
- - C:\Windows\SysWOW64\Mooaljkh.exe
    C:\Windows\system32\Mooaljkh.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2836
  - - C:\Windows\SysWOW64\Mlcbenjb.exe
      C:\Windows\system32\Mlcbenjb.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2540
    - - C:\Windows\SysWOW64\Mbmjah32.exe
        
        C:\Windows\system32\Mbmjah32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2212
      - C:\Windows\SysWOW64\Mmldme32.exe
        
        C:\Windows\system32\Mmldme32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:792
        
        C:\Windows\SysWOW64\Nplmop32.exe
        
        C:\Windows\system32\Nplmop32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1740
        
        C:\Windows\SysWOW64\Ngfflj32.exe
        
        C:\Windows\system32\Ngfflj32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2124
        
        C:\Windows\SysWOW64\Nlhgoqhh.exe
        
        C:\Windows\system32\Nlhgoqhh.exe
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1160
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1160 -s 140
        10⤵
        Loads dropped DLL
        Program crash
        
        PID:2600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Mlcbenjb.exe

Filesize
465KB

MD5
d446135539a9bb3dcfd3cb320bb95d6b

SHA1
55b62a9efdcf5cfadc9a71d1d1a3bdc65d7c3190

SHA256
154b838669c9899f9ef8668fb6c7f49c3c9d740ffb374dce61b1ef1e04eb29d7

SHA512
6f372994e32ed050372ef70e6a82bd7c87ee4f2cab8c9580831c3501ec821f16bb600157a1ec2d70ccd7f1f1946029cae4916ff1c3f3ddaf0e97b0f9bf7e02b1

Download Submit
C:\Windows\SysWOW64\Mooaljkh.exe

Filesize
465KB

MD5
bbf42428474215ec3faf54992650ffd0

SHA1
531585c276aaeaf03d045ce92a5721ce27c00bee

SHA256
da3773f42eb5d133e6e78e5733f97d91d59ab9da91b33541ae649640b7d01912

SHA512
24045796d2e3ded59034de61bfca8a9f241d0736a5d9f92b578bb4ca0693b1e0069c3b043540e44b7da0bd950d17ae9dd163ec083858da944ed631fb5f4f0893

Download Submit
C:\Windows\SysWOW64\Ngfflj32.exe

Filesize
465KB

MD5
3792ac926194e21b5a0fff71d6c8a6b0

SHA1
3eb1542a2b3c1ce686453fd88ae5b44b8be0239d

SHA256
df46456b4581d7d6afdfa96685fdd27c85a91b206f2a00a62e0843757ee14084

SHA512
76dfb1dccca92844d71ef01065e032b72d0dd8a8120c274e23a7b806db3e5100cb1cca91b7848675dbe7816d680fbc553561b72ee86556adb76822eb300ad5ad

Download Submit
\Windows\SysWOW64\Lmlhnagm.exe

Filesize
465KB

MD5
9a738c86d00baa26596ed30ce442f2b0

SHA1
6d6952ccae949bab29b76faf9b0a95aa7aa18b5f

SHA256
cae585d29bb9c5a9131ffc53211a7ef2f4b93d4ca2562377dec5ee970f003f97

SHA512
507245f5e6acebcbfc73eb60d25b2369501a8e47a6b9854ca26b9cfd269507ecd27946196fbe4cf15eb414f5ce5f9e214ada6bdb30e0fcff88f80d19c45a7bed

Download Submit
\Windows\SysWOW64\Mbmjah32.exe

Filesize
465KB

MD5
53648f44e5c50d283860267f46020a1e

SHA1
aec18e19009110158bbfe30ffe72da4746baaf2f

SHA256
0cd48dfef33316fd0723d9e09c3b50a77fa3d43e333b4633d853c33f8a864ee7

SHA512
32f9ae6dfdd7489dc2ef85a59b8d8a180c810d72a3a1d62cc85f9976faa2a9d608fe15985ea012e77aba292ead8539d8a0307cf3870e9d0443348f8b2cb6b6bd

Download Submit
\Windows\SysWOW64\Mmldme32.exe

Filesize
465KB

MD5
d09e789134b7703950b2a2273cc321d4

SHA1
f21115dc983cc03fdd82cdf24c84aeedf95cd3a3

SHA256
379cf732aaea01aa05c90087fff554543e8bb7a43380c2ecf45081186c60559c

SHA512
e2cdedd601445b010a2939a3fcf5575c6ea667d0e5f4a4ce254eb8380a6be991803da0bb838731d0a7b34037f8d2a977ea0be359a5512f62069ef0343f738b72

Download Submit
\Windows\SysWOW64\Nlhgoqhh.exe

Filesize
465KB

MD5
2500fb9966c276588ee17c56a9a00c3e

SHA1
c4d88a21c4c49da20a2623e676caa547bd2be213

SHA256
a568d9dc7d24c72b3de9fa9f7bd0cefa84eec796b36415c2aafb4da1b049b14a

SHA512
62d3ddcedbac7bf0e6b51db5be7098bd3ee77a64eebe9be6af67c1678ad4e490d42f3d15d57cd007fa9d4713ad7791d0cdbe8839369f214f8411b10d381bfb9c

Download Submit
\Windows\SysWOW64\Nplmop32.exe

Filesize
465KB

MD5
d0a33fbe3405624ce637942cc028090c

SHA1
c95caea241d107a70c5a0238ab86c371cf1d651e

SHA256
2e2f81e2dcb17b5c7cd963b94817426d3d9b56dda306f673e47c000de50802f0

SHA512
d88d60746040575c1db7476e7c092923ab9fb6ebfdb2941eeec4ebc9bc67050a17555b1a2da9984ac1f82fbe71c0a64dc7eb6de9a7137fe1a481ab1d8f165ad0

Download Submit
memory/792-126-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/792-84-0x0000000001F20000-0x0000000001F4F000-memory.dmp

Filesize
188KB

Download
memory/792-85-0x0000000001F20000-0x0000000001F4F000-memory.dmp

Filesize
188KB

Download
memory/792-72-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1160-116-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1160-127-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1740-125-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1740-88-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1740-101-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/1740-100-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2124-121-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2124-114-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2124-102-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2212-70-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2212-71-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2212-129-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2540-57-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2540-50-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2540-48-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2764-134-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2764-4-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2764-13-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2764-12-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2836-47-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2836-135-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2836-29-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2840-136-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2840-28-0x00000000002D0000-0x00000000002FF000-memory.dmp

Filesize
188KB

Download
memory/2840-27-0x00000000002D0000-0x00000000002FF000-memory.dmp

Filesize
188KB

Download
memory/2840-14-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads