berbew | 5b5fe1a4110670fd409c587cf4a7b2ab69bdf0cadab19a253d44bc5c22cc3590

Analysis

max time kernel
93s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-12-2024 14:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5b5fe1a4110670fd409c587cf4a7b2ab69bdf0cadab19a253d44bc5c22cc3590.exe
Size

226KB
MD5

08e5a516e3bacde98ebe0e6a8e178d09
SHA1

f365f0c5805001329ad53a6c3044880084417747
SHA256

5b5fe1a4110670fd409c587cf4a7b2ab69bdf0cadab19a253d44bc5c22cc3590
SHA512

54a9441b062a6b00dfad77ab1148d9286db7f99e93c207be89b23fffe960f05396393e1a8ccd126a68e662a215199cec15e3210b951968840d9c9e0370c1e45a
SSDEEP

3072:ksYvg3Vim1Qrs0gv4ums0DKcWmjRvDKcpDKcWmjRrzNtQtjDKcWmjRrzNtp:7YOjWEVxEtQtsEtp

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://tat-neftbank.ru/kkq.php

http://tat-neftbank.ru/wcmd.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 16 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	5b5fe1a4110670fd409c587cf4a7b2ab69bdf0cadab19a253d44bc5c22cc3590.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmefhako.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	5b5fe1a4110670fd409c587cf4a7b2ab69bdf0cadab19a253d44bc5c22cc3590.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 8 IoCs

pid	Process
4568	Dmefhako.exe
2484	Dhkjej32.exe
4576	Dfnjafap.exe
2116	Ddakjkqi.exe
2876	Dfpgffpm.exe
2932	Daekdooc.exe
4748	Dgbdlf32.exe
1288	Dmllipeg.exe

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Daekdooc.exe	Dfpgffpm.exe
File opened for modification	C:\Windows\SysWOW64\Dgbdlf32.exe	Daekdooc.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Dhkjej32.exe	Dmefhako.exe
File opened for modification	C:\Windows\SysWOW64\Dhkjej32.exe	Dmefhako.exe
File created	C:\Windows\SysWOW64\Poahbe32.dll	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Daekdooc.exe	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Gifhkeje.dll	Dfnjafap.exe
File opened for modification	C:\Windows\SysWOW64\Dfpgffpm.exe	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Gfghpl32.dll	Daekdooc.exe
File created	C:\Windows\SysWOW64\Dmefhako.exe	5b5fe1a4110670fd409c587cf4a7b2ab69bdf0cadab19a253d44bc5c22cc3590.exe
File created	C:\Windows\SysWOW64\Gidbim32.dll	5b5fe1a4110670fd409c587cf4a7b2ab69bdf0cadab19a253d44bc5c22cc3590.exe
File created	C:\Windows\SysWOW64\Jbpbca32.dll	Dmefhako.exe
File opened for modification	C:\Windows\SysWOW64\Dfnjafap.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Kmdjdl32.dll	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Dgbdlf32.exe	Daekdooc.exe
File opened for modification	C:\Windows\SysWOW64\Dmefhako.exe	5b5fe1a4110670fd409c587cf4a7b2ab69bdf0cadab19a253d44bc5c22cc3590.exe
File created	C:\Windows\SysWOW64\Dfnjafap.exe	Dhkjej32.exe
File opened for modification	C:\Windows\SysWOW64\Ddakjkqi.exe	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Dfpgffpm.exe	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Ddakjkqi.exe	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Ohmoom32.dll	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dgbdlf32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3252	1288	WerFault.exe	89

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5b5fe1a4110670fd409c587cf4a7b2ab69bdf0cadab19a253d44bc5c22cc3590.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe

Modifies registry class 27 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	5b5fe1a4110670fd409c587cf4a7b2ab69bdf0cadab19a253d44bc5c22cc3590.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbpbca32.dll"	Dmefhako.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdjdl32.dll"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Poahbe32.dll"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	5b5fe1a4110670fd409c587cf4a7b2ab69bdf0cadab19a253d44bc5c22cc3590.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfghpl32.dll"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gidbim32.dll"	5b5fe1a4110670fd409c587cf4a7b2ab69bdf0cadab19a253d44bc5c22cc3590.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	5b5fe1a4110670fd409c587cf4a7b2ab69bdf0cadab19a253d44bc5c22cc3590.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	5b5fe1a4110670fd409c587cf4a7b2ab69bdf0cadab19a253d44bc5c22cc3590.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	5b5fe1a4110670fd409c587cf4a7b2ab69bdf0cadab19a253d44bc5c22cc3590.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohmoom32.dll"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gifhkeje.dll"	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dgbdlf32.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 976 wrote to memory of 4568	976	5b5fe1a4110670fd409c587cf4a7b2ab69bdf0cadab19a253d44bc5c22cc3590.exe	82
PID 976 wrote to memory of 4568	976	5b5fe1a4110670fd409c587cf4a7b2ab69bdf0cadab19a253d44bc5c22cc3590.exe	82
PID 976 wrote to memory of 4568	976	5b5fe1a4110670fd409c587cf4a7b2ab69bdf0cadab19a253d44bc5c22cc3590.exe	82
PID 4568 wrote to memory of 2484	4568	Dmefhako.exe	83
PID 4568 wrote to memory of 2484	4568	Dmefhako.exe	83
PID 4568 wrote to memory of 2484	4568	Dmefhako.exe	83
PID 2484 wrote to memory of 4576	2484	Dhkjej32.exe	84
PID 2484 wrote to memory of 4576	2484	Dhkjej32.exe	84
PID 2484 wrote to memory of 4576	2484	Dhkjej32.exe	84
PID 4576 wrote to memory of 2116	4576	Dfnjafap.exe	85
PID 4576 wrote to memory of 2116	4576	Dfnjafap.exe	85
PID 4576 wrote to memory of 2116	4576	Dfnjafap.exe	85
PID 2116 wrote to memory of 2876	2116	Ddakjkqi.exe	86
PID 2116 wrote to memory of 2876	2116	Ddakjkqi.exe	86
PID 2116 wrote to memory of 2876	2116	Ddakjkqi.exe	86
PID 2876 wrote to memory of 2932	2876	Dfpgffpm.exe	87
PID 2876 wrote to memory of 2932	2876	Dfpgffpm.exe	87
PID 2876 wrote to memory of 2932	2876	Dfpgffpm.exe	87
PID 2932 wrote to memory of 4748	2932	Daekdooc.exe	88
PID 2932 wrote to memory of 4748	2932	Daekdooc.exe	88
PID 2932 wrote to memory of 4748	2932	Daekdooc.exe	88
PID 4748 wrote to memory of 1288	4748	Dgbdlf32.exe	89
PID 4748 wrote to memory of 1288	4748	Dgbdlf32.exe	89
PID 4748 wrote to memory of 1288	4748	Dgbdlf32.exe	89

C:\Users\Admin\AppData\Local\Temp\5b5fe1a4110670fd409c587cf4a7b2ab69bdf0cadab19a253d44bc5c22cc3590.exe
"C:\Users\Admin\AppData\Local\Temp\5b5fe1a4110670fd409c587cf4a7b2ab69bdf0cadab19a253d44bc5c22cc3590.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:976
- C:\Windows\SysWOW64\Dmefhako.exe
  C:\Windows\system32\Dmefhako.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4568
- - C:\Windows\SysWOW64\Dhkjej32.exe
    C:\Windows\system32\Dhkjej32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2484
  - - C:\Windows\SysWOW64\Dfnjafap.exe
      C:\Windows\system32\Dfnjafap.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4576
    - - C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2116
      - C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2876
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2932
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4748
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1288
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1288 -s 404
        10⤵
        Program crash
        
        PID:3252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1288 -ip 1288
1⤵
PID:1820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Daekdooc.exe

Filesize
64KB

MD5
9dfb7312edb5b6df7fd5ea2736f665c7

SHA1
535dc1a4648946b3a7cdffdc387f1efea46179a8

SHA256
bd96e1e9d89b468dcceb1b44358a71388517dc4b8d01d8d66a634994f2c078af

SHA512
8fbb54422976223a57241419f8d70f3f950a6102fc6648cba71520ab3e88be36b186839927ebc0b2b7ef9126b2e29c4678ab5f102e052869d7cdac524ba66d39

Download Submit
C:\Windows\SysWOW64\Daekdooc.exe

Filesize
226KB

MD5
28dd9f87ea4e9fc5c1b2bffff9a8cb30

SHA1
e416bd1428a5babb587d627f638c20284a070dad

SHA256
b105fd5ec636c7f37331567a69010c6b8ee9e78a6749472a856685d0f42060e9

SHA512
fb165a8ff3bae55a9bc6cf647b3fccaf9fab6149b78e011ba8abd55a688e34337b0bd5d11f60e37920d7d37b9c5c245c92a243fff765d468913cc5149dc5a225

Download Submit
C:\Windows\SysWOW64\Ddakjkqi.exe

Filesize
226KB

MD5
789c1aa5343b21cca5374567d30f14dd

SHA1
2b9afe76dad317504ce89bdaae9543a6d1b56404

SHA256
dd7740330ad362b2aff5724f82b818be8ccbb8d0e58c6e4afd7703d6a5dc3ba1

SHA512
64ed8e7a841033ff3da749a128fd7ec3e93e0d3a7584878a47b96209d8fc0598bb86bd674e7909eadc9f75b84b15ebfcd796c5ab0d0d0b7be2322d2bb05912b3

Download Submit
C:\Windows\SysWOW64\Dfnjafap.exe

Filesize
226KB

MD5
a3951b7807d8000b4bd6c1883d9592a5

SHA1
acb56635a5f162e4d02a299e9a34b17d74e085c0

SHA256
234f5471b6c0202572ed7d1f7b2d04ba906063f455032757b6fa47795d5f6dbc

SHA512
ebb6ccb55401e76634a4f8f19ed8d47be6723ff3b6b37259269577c56627d52f254d8ebc5f8307b9f7e048e3d38ba0d1907548e8177cfdf0c22f04b9925546c4

Download Submit
C:\Windows\SysWOW64\Dfpgffpm.exe

Filesize
226KB

MD5
41a46b65faa5032bb523079d180bc9fb

SHA1
e077d37175fe6a567aaf3b48a4adb6356c3293ab

SHA256
bd3853b870807fde60905e6983ca6f021806379b5e4e6c7c68051a5d059515a3

SHA512
49b864af33e5a78678884b6a71db45a0d2e3e8ec1f55fa83dfc086d3bbd27a176bbb180824e9a421e9b50a882998b988df6d0596abf05f8ac7015c73b0b74791

Download Submit
C:\Windows\SysWOW64\Dgbdlf32.exe

Filesize
226KB

MD5
34e29418fa2280f05819f610afdf5af2

SHA1
bc2316696065f75ad32f2f226076cd7ba9a9f2ba

SHA256
bc8b1134ab4c80d930503c1ca276e9aa774466dc922913f0a2abf5489af2bab6

SHA512
3b445d7a340ba3c67052c8cb0c4494d225f262354f21df8c618d33a5c1dc394a0a88d3d879b419552a6a492396bfa9e389277bb55b9fb59c355d54c274c455cd

Download Submit
C:\Windows\SysWOW64\Dhkjej32.exe

Filesize
226KB

MD5
7b1e659589174fcaadae8c2cbd00817c

SHA1
85022d470dfdad2828f84089e0e6f6882bc1a873

SHA256
5d00dde973e53675ff72f21fa09e6a3f8627d9557cad9c621644442108e31950

SHA512
f5906701ea62ecf9a4165c32b45b5b008c8421476afb2610ab03e1d81f393dc3a92a1b34af6ddb110b5f33878fd6ed7b255301ed05b75e03c9aff158bc416ce8

Download Submit
C:\Windows\SysWOW64\Dmefhako.exe

Filesize
226KB

MD5
7d907223409cfebd4559414cfabc9bc0

SHA1
e66a7499a9edb4f38668b1ef58ef15cf96aa360f

SHA256
7de8249e470356c2214087d9ae7d48f225db4669118f8a865019736ee9a2d89a

SHA512
8acb16a5f2068b7111aa5a1642542a97e080f9a279832bf3f210679746f4e7d8fa099f23d7e33781c8c03deae28e79f1efc3dae543df05139120d9014df6840b

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
226KB

MD5
5f29be92cfff05105d9fb6d92ff94c90

SHA1
7626bbe6377c7d62898575b39cd093756147e708

SHA256
76a98f0bb64797864783fe69d84508bcc4774c66ea0b74377dcfd3a5469e9214

SHA512
b41ae51d1afe574753c55313e9d112cffd1dc426bdee4295f7f4235ffdc1abfc0161d4464a0e150752df48927bf0ac380438e96d352d132faa85c75dc9699c5e

Download Submit
memory/976-0-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/976-80-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/976-81-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1288-63-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1288-68-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2116-31-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2116-73-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2484-82-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2484-20-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2876-39-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2876-74-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2932-47-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2932-70-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/4568-7-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/4568-79-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/4576-76-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/4576-24-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/4748-55-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/4748-67-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads