berbew | 11a894eda03c9f0f6f988a19072ae05f2b64566e72df57ac8513eef6363ea0db

Analysis

max time kernel
119s
max time network
123s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
22/12/2024, 14:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

11a894eda03c9f0f6f988a19072ae05f2b64566e72df57ac8513eef6363ea0db.exe
Size

64KB
MD5

fdb20da21d876991baeff89b0980c20a
SHA1

46044030dd50775e70dd18a5032a9f50b21fb1ff
SHA256

11a894eda03c9f0f6f988a19072ae05f2b64566e72df57ac8513eef6363ea0db
SHA512

a6d79655a88029dd1b0ceb82bf4dd3759ddc8717dec198963dee3e4647584fd438a0895edfefa2b0f2445fa5ea3b2dbf6c389849cf43c7edbcdd588502e405a1
SSDEEP

768:yutwmI0IPaQ/dCBbc0qyrDPMnIKhw1wmPZ40gUXDCscG5AD/1H55XdnhgOPuM1Dg:8mIQbc+rDSIFwmB40ZzCscjFZuYDPY

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bccmmf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Boljgg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ciihklpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ciihklpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cepipm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	11a894eda03c9f0f6f988a19072ae05f2b64566e72df57ac8513eef6363ea0db.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cagienkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cchbgi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adnpkjde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Adnpkjde.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbbpenco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bccmmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Boljgg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjonncab.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	11a894eda03c9f0f6f988a19072ae05f2b64566e72df57ac8513eef6363ea0db.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bbbpenco.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcjcme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcjcme32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cepipm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cagienkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjonncab.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cchbgi32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 11 IoCs

pid	Process
2052	Adnpkjde.exe
1976	Bbbpenco.exe
2772	Bccmmf32.exe
2784	Boljgg32.exe
2748	Bcjcme32.exe
2264	Ciihklpj.exe
2644	Cepipm32.exe
2472	Cagienkb.exe
2956	Cjonncab.exe
2968	Cchbgi32.exe
1884	Dpapaj32.exe

Loads dropped DLL 25 IoCs

pid	Process
2064	11a894eda03c9f0f6f988a19072ae05f2b64566e72df57ac8513eef6363ea0db.exe
2064	11a894eda03c9f0f6f988a19072ae05f2b64566e72df57ac8513eef6363ea0db.exe
2052	Adnpkjde.exe
2052	Adnpkjde.exe
1976	Bbbpenco.exe
1976	Bbbpenco.exe
2772	Bccmmf32.exe
2772	Bccmmf32.exe
2784	Boljgg32.exe
2784	Boljgg32.exe
2748	Bcjcme32.exe
2748	Bcjcme32.exe
2264	Ciihklpj.exe
2264	Ciihklpj.exe
2644	Cepipm32.exe
2644	Cepipm32.exe
2472	Cagienkb.exe
2472	Cagienkb.exe
2956	Cjonncab.exe
2956	Cjonncab.exe
2968	Cchbgi32.exe
2968	Cchbgi32.exe
1900	WerFault.exe
1900	WerFault.exe
1900	WerFault.exe

Drops file in System32 directory 35 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Bcjcme32.exe	Boljgg32.exe
File opened for modification	C:\Windows\SysWOW64\Cchbgi32.exe	Cjonncab.exe
File opened for modification	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe
File created	C:\Windows\SysWOW64\Gdgqdaoh.dll	Ciihklpj.exe
File opened for modification	C:\Windows\SysWOW64\Cjonncab.exe	Cagienkb.exe
File created	C:\Windows\SysWOW64\Acnenl32.dll	Cjonncab.exe
File created	C:\Windows\SysWOW64\Dpapaj32.exe	Cchbgi32.exe
File opened for modification	C:\Windows\SysWOW64\Adnpkjde.exe	11a894eda03c9f0f6f988a19072ae05f2b64566e72df57ac8513eef6363ea0db.exe
File opened for modification	C:\Windows\SysWOW64\Bccmmf32.exe	Bbbpenco.exe
File created	C:\Windows\SysWOW64\Boljgg32.exe	Bccmmf32.exe
File created	C:\Windows\SysWOW64\Ciihklpj.exe	Bcjcme32.exe
File opened for modification	C:\Windows\SysWOW64\Ciihklpj.exe	Bcjcme32.exe
File created	C:\Windows\SysWOW64\Adnpkjde.exe	11a894eda03c9f0f6f988a19072ae05f2b64566e72df57ac8513eef6363ea0db.exe
File created	C:\Windows\SysWOW64\Jcojqm32.dll	Adnpkjde.exe
File created	C:\Windows\SysWOW64\Bifbbocj.dll	Bbbpenco.exe
File created	C:\Windows\SysWOW64\Aglfmjon.dll	11a894eda03c9f0f6f988a19072ae05f2b64566e72df57ac8513eef6363ea0db.exe
File created	C:\Windows\SysWOW64\Jdpkmjnb.dll	Bccmmf32.exe
File opened for modification	C:\Windows\SysWOW64\Cepipm32.exe	Ciihklpj.exe
File created	C:\Windows\SysWOW64\Bcjcme32.exe	Boljgg32.exe
File created	C:\Windows\SysWOW64\Pdkefp32.dll	Cchbgi32.exe
File created	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe
File created	C:\Windows\SysWOW64\Cagienkb.exe	Cepipm32.exe
File created	C:\Windows\SysWOW64\Cjonncab.exe	Cagienkb.exe
File created	C:\Windows\SysWOW64\Cchbgi32.exe	Cjonncab.exe
File created	C:\Windows\SysWOW64\Bbbpenco.exe	Adnpkjde.exe
File created	C:\Windows\SysWOW64\Gjhmge32.dll	Bcjcme32.exe
File created	C:\Windows\SysWOW64\Cepipm32.exe	Ciihklpj.exe
File opened for modification	C:\Windows\SysWOW64\Dpapaj32.exe	Cchbgi32.exe
File opened for modification	C:\Windows\SysWOW64\Bbbpenco.exe	Adnpkjde.exe
File created	C:\Windows\SysWOW64\Bccmmf32.exe	Bbbpenco.exe
File opened for modification	C:\Windows\SysWOW64\Cagienkb.exe	Cepipm32.exe
File created	C:\Windows\SysWOW64\Oeopijom.dll	Cagienkb.exe
File opened for modification	C:\Windows\SysWOW64\Boljgg32.exe	Bccmmf32.exe
File created	C:\Windows\SysWOW64\Hiablm32.dll	Boljgg32.exe
File created	C:\Windows\SysWOW64\Hbcfdk32.dll	Cepipm32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1900	1884	WerFault.exe	41

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bccmmf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cepipm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	11a894eda03c9f0f6f988a19072ae05f2b64566e72df57ac8513eef6363ea0db.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbbpenco.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Boljgg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcjcme32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ciihklpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagienkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjonncab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cchbgi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adnpkjde.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpapaj32.exe

Modifies registry class 36 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbcfdk32.dll"	Cepipm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	11a894eda03c9f0f6f988a19072ae05f2b64566e72df57ac8513eef6363ea0db.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Boljgg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ciihklpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdgqdaoh.dll"	Ciihklpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ciihklpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdkefp32.dll"	Cchbgi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bbbpenco.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bccmmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bccmmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hiablm32.dll"	Boljgg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cagienkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdpkmjnb.dll"	Bccmmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjhmge32.dll"	Bcjcme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acnenl32.dll"	Cjonncab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjonncab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	11a894eda03c9f0f6f988a19072ae05f2b64566e72df57ac8513eef6363ea0db.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cepipm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cepipm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oeopijom.dll"	Cagienkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cchbgi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cchbgi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	11a894eda03c9f0f6f988a19072ae05f2b64566e72df57ac8513eef6363ea0db.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Adnpkjde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Adnpkjde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bcjcme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cagienkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcojqm32.dll"	Adnpkjde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bifbbocj.dll"	Bbbpenco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bbbpenco.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	11a894eda03c9f0f6f988a19072ae05f2b64566e72df57ac8513eef6363ea0db.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bcjcme32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjonncab.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	11a894eda03c9f0f6f988a19072ae05f2b64566e72df57ac8513eef6363ea0db.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aglfmjon.dll"	11a894eda03c9f0f6f988a19072ae05f2b64566e72df57ac8513eef6363ea0db.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Boljgg32.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 2064 wrote to memory of 2052	2064	11a894eda03c9f0f6f988a19072ae05f2b64566e72df57ac8513eef6363ea0db.exe	30
PID 2064 wrote to memory of 2052	2064	11a894eda03c9f0f6f988a19072ae05f2b64566e72df57ac8513eef6363ea0db.exe	30
PID 2064 wrote to memory of 2052	2064	11a894eda03c9f0f6f988a19072ae05f2b64566e72df57ac8513eef6363ea0db.exe	30
PID 2064 wrote to memory of 2052	2064	11a894eda03c9f0f6f988a19072ae05f2b64566e72df57ac8513eef6363ea0db.exe	30
PID 2052 wrote to memory of 1976	2052	Adnpkjde.exe	32
PID 2052 wrote to memory of 1976	2052	Adnpkjde.exe	32
PID 2052 wrote to memory of 1976	2052	Adnpkjde.exe	32
PID 2052 wrote to memory of 1976	2052	Adnpkjde.exe	32
PID 1976 wrote to memory of 2772	1976	Bbbpenco.exe	33
PID 1976 wrote to memory of 2772	1976	Bbbpenco.exe	33
PID 1976 wrote to memory of 2772	1976	Bbbpenco.exe	33
PID 1976 wrote to memory of 2772	1976	Bbbpenco.exe	33
PID 2772 wrote to memory of 2784	2772	Bccmmf32.exe	34
PID 2772 wrote to memory of 2784	2772	Bccmmf32.exe	34
PID 2772 wrote to memory of 2784	2772	Bccmmf32.exe	34
PID 2772 wrote to memory of 2784	2772	Bccmmf32.exe	34
PID 2784 wrote to memory of 2748	2784	Boljgg32.exe	35
PID 2784 wrote to memory of 2748	2784	Boljgg32.exe	35
PID 2784 wrote to memory of 2748	2784	Boljgg32.exe	35
PID 2784 wrote to memory of 2748	2784	Boljgg32.exe	35
PID 2748 wrote to memory of 2264	2748	Bcjcme32.exe	36
PID 2748 wrote to memory of 2264	2748	Bcjcme32.exe	36
PID 2748 wrote to memory of 2264	2748	Bcjcme32.exe	36
PID 2748 wrote to memory of 2264	2748	Bcjcme32.exe	36
PID 2264 wrote to memory of 2644	2264	Ciihklpj.exe	37
PID 2264 wrote to memory of 2644	2264	Ciihklpj.exe	37
PID 2264 wrote to memory of 2644	2264	Ciihklpj.exe	37
PID 2264 wrote to memory of 2644	2264	Ciihklpj.exe	37
PID 2644 wrote to memory of 2472	2644	Cepipm32.exe	38
PID 2644 wrote to memory of 2472	2644	Cepipm32.exe	38
PID 2644 wrote to memory of 2472	2644	Cepipm32.exe	38
PID 2644 wrote to memory of 2472	2644	Cepipm32.exe	38
PID 2472 wrote to memory of 2956	2472	Cagienkb.exe	39
PID 2472 wrote to memory of 2956	2472	Cagienkb.exe	39
PID 2472 wrote to memory of 2956	2472	Cagienkb.exe	39
PID 2472 wrote to memory of 2956	2472	Cagienkb.exe	39
PID 2956 wrote to memory of 2968	2956	Cjonncab.exe	40
PID 2956 wrote to memory of 2968	2956	Cjonncab.exe	40
PID 2956 wrote to memory of 2968	2956	Cjonncab.exe	40
PID 2956 wrote to memory of 2968	2956	Cjonncab.exe	40
PID 2968 wrote to memory of 1884	2968	Cchbgi32.exe	41
PID 2968 wrote to memory of 1884	2968	Cchbgi32.exe	41
PID 2968 wrote to memory of 1884	2968	Cchbgi32.exe	41
PID 2968 wrote to memory of 1884	2968	Cchbgi32.exe	41
PID 1884 wrote to memory of 1900	1884	Dpapaj32.exe	42
PID 1884 wrote to memory of 1900	1884	Dpapaj32.exe	42
PID 1884 wrote to memory of 1900	1884	Dpapaj32.exe	42
PID 1884 wrote to memory of 1900	1884	Dpapaj32.exe	42

C:\Users\Admin\AppData\Local\Temp\11a894eda03c9f0f6f988a19072ae05f2b64566e72df57ac8513eef6363ea0db.exe
"C:\Users\Admin\AppData\Local\Temp\11a894eda03c9f0f6f988a19072ae05f2b64566e72df57ac8513eef6363ea0db.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2064
- C:\Windows\SysWOW64\Adnpkjde.exe
  C:\Windows\system32\Adnpkjde.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2052
- - C:\Windows\SysWOW64\Bbbpenco.exe
    C:\Windows\system32\Bbbpenco.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1976
  - - C:\Windows\SysWOW64\Bccmmf32.exe
      C:\Windows\system32\Bccmmf32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2772
    - - C:\Windows\SysWOW64\Boljgg32.exe
        
        C:\Windows\system32\Boljgg32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2784
      - C:\Windows\SysWOW64\Bcjcme32.exe
        
        C:\Windows\system32\Bcjcme32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2748
        
        C:\Windows\SysWOW64\Ciihklpj.exe
        
        C:\Windows\system32\Ciihklpj.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2264
        
        C:\Windows\SysWOW64\Cepipm32.exe
        
        C:\Windows\system32\Cepipm32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2644
        
        C:\Windows\SysWOW64\Cagienkb.exe
        
        C:\Windows\system32\Cagienkb.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2472
        
        C:\Windows\SysWOW64\Cjonncab.exe
        
        C:\Windows\system32\Cjonncab.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2956
        
        C:\Windows\SysWOW64\Cchbgi32.exe
        
        C:\Windows\system32\Cchbgi32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2968
        
        C:\Windows\SysWOW64\Dpapaj32.exe
        
        C:\Windows\system32\Dpapaj32.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1884
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1884 -s 144
        13⤵
        Loads dropped DLL
        Program crash
        
        PID:1900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bbbpenco.exe

Filesize
64KB

MD5
31b607e9002a4fa9dcbcb253d1b77dba

SHA1
ada020a669641d02220e234d4056c1c1fbdb91f6

SHA256
d829d9f574755d648e6f520659eb46b4758bb929fb8a04f8a61dddcb650ac018

SHA512
b2dd0b7ba6ce815dcc41b0301c3cf9efc7de06e2f19856b81e412393c5b8795dbc7c6d8517dd35ac540e15cb5be88f526a208336fb922ce1c9f0268a3dcff943

Download Submit
C:\Windows\SysWOW64\Bccmmf32.exe

Filesize
64KB

MD5
eaa0c53645c122c557053da7cd1244f4

SHA1
ce374d171b76dbf13f78f7d482a716e204af7904

SHA256
14eafcc8a76f5d81b81f0394a08787af655413b2142be7b99f0a291338bfd1b7

SHA512
90d7b24df696f809c3885d5d3c7f2a9ed697a599ecb56007e2034b4ebaeab7396babf9e37e9d34fa2b58a58f0a2522ffbea1340aa03758f08d1a22fa721a77ce

Download Submit
C:\Windows\SysWOW64\Dpapaj32.exe

Filesize
64KB

MD5
82da17a783e112b2f0f6ed4d976ac74a

SHA1
d20e5660b26dd9afc2d87e9c0f23fa1038102541

SHA256
c2e81e19cf39ac371086d301e5c9f8c9e25bb1d07407e740c9a719d2af37728b

SHA512
598cd40be65660e17267c446eaa07c2e30876b71c38930fa6a69c6395aabecae4ee65df7097623800f7ea3fb7202678127ea7a1e56126013f12397cac66101ea

Download Submit
\Windows\SysWOW64\Adnpkjde.exe

Filesize
64KB

MD5
13e7795f7bb4a28cb43e4709956d6fc0

SHA1
8fd480d9ef6c9bee9008378f492747e515629733

SHA256
28bdb69eb0203346eb0f405bfdfc60bd7d75a79f7fd407fd297109f17162d84c

SHA512
7500dde05cda2a2053528a783728f49cb344bed03c43c449cebd77e04ebc60fbfd00491aa2920045df5ac3a0446a4c084bfa4df37254048bfd8f5b5de35bf0ba

Download Submit
\Windows\SysWOW64\Bcjcme32.exe

Filesize
64KB

MD5
b81d1095cfc23fa1bba3c6c6047e1915

SHA1
2d110ffc0b8f6e964969d05354cb233c284bebc2

SHA256
61789590039335e01b3f4f0ce5f255bcb4c38d32e3f44ffc2d92ff2bb3923450

SHA512
add49c0fca81de0fadc6f860d7fd1d24830f3c041faa3070a4edfabb314d8968d8a8312c6370a6e81afe813fd0f8eb46037b0a013652eb56a895340729f36f88

Download Submit
\Windows\SysWOW64\Boljgg32.exe

Filesize
64KB

MD5
d965e688441d4f1b388f0a231b347229

SHA1
49a072892a09d3721fcf6833ea7c23a397f888c6

SHA256
9741ea7e9ded315920fec75467ce58138393e48e82321270c0b478d9f145aa68

SHA512
f795b4460963c26bc5f4d11823c6cb56695104e6e95432531f03b46a1e70c9af3a07bb25b033d25d467590bd5c4949dd7c180838668bf9b9db5f6c3c399030f8

Download Submit
\Windows\SysWOW64\Cagienkb.exe

Filesize
64KB

MD5
7fc97bf0d22bb51b73d8512f0bee79a0

SHA1
60562bcdaa46b3971e672a5b7c702f7009cf95a6

SHA256
c51586ac5029c160f4584931446a098f043cbac43cc2d040ca76300010b23fec

SHA512
962a808d4b2d706ab7603519b254cb74ac8da52d6af0bd8d0f16acbef2e5595c74360f586ee74d9cd37d4660660b12781441aec8ce3c83942ee09c1566b1e7b3

Download Submit
\Windows\SysWOW64\Cchbgi32.exe

Filesize
64KB

MD5
fdf9f414ce21838669f302905f511690

SHA1
a024e17e32fcb5c6e3aed163acab1e49b3e4e583

SHA256
5632d2218624670e93b36d0f2a357490af717cf147710d59e8017d2052f125c0

SHA512
50fe25e1317072631b0a1e92048d15793db5487f6fed626a2a964796e30cee48f245c1b5fc4bebc3347aeb204bad278c512c5fa7d9a875ffebd6c9b938dbb338

Download Submit
\Windows\SysWOW64\Cepipm32.exe

Filesize
64KB

MD5
547ad5e66c48b4aab420380300bbabba

SHA1
251a086c1859718defcfaba2d889c1e369ed096b

SHA256
fd681fe6ba81a533e7858eeff052b5bb25849505cef5f750bfc60a236ca7ce96

SHA512
df141610eb4eda930ed406d1650f44a1f5a4e947bb3ccd73b5219aa57506ca5977800e1d659c710e8d2030558e6f9bd53cc9fd015f9aba8c8110e99c7d033533

Download Submit
\Windows\SysWOW64\Ciihklpj.exe

Filesize
64KB

MD5
fe74728c0e0590209ad672c90df3ec2b

SHA1
0e040941ff00b75edafd7fbdeae02b4a60342d4c

SHA256
d5efedd1217a0f007d38f8f33d91db5c98873e64777a985622dca28b5bb5129b

SHA512
8395157c0a040a1f0c74d706233a0f781aca20757715972778434707d907215a9390befde28d5dc38048ffb9fafe17a4c9a840d9758e423550de40d7b92ca4db

Download Submit
\Windows\SysWOW64\Cjonncab.exe

Filesize
64KB

MD5
fb4f84d74164085321c55d91b810c13d

SHA1
2b03a6428c0c4f43c956b81b32224c04157005b8

SHA256
e76a822b360a6122c7a7351c07b761a2fe91fce8c2b76ca3bf97d551fd0aac8a

SHA512
fc9a4c0b1bdf49e38b2673542336a0132da68db69138abc62834f3163002dba43e479baa5befbe7e3c239726eb1a1562791f3933572218089127699df77ae67d

Download Submit
memory/1884-159-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1976-34-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2052-32-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2052-33-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2052-19-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2064-12-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2064-158-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2064-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2064-7-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2264-162-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2472-120-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/2472-108-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2472-164-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2644-95-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2644-165-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2748-77-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2748-69-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2748-163-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2772-42-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2772-161-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2772-50-0x00000000001B0000-0x00000000001E3000-memory.dmp

Filesize
204KB

Download
memory/2784-167-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2784-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2956-166-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2956-128-0x00000000002C0000-0x00000000002F3000-memory.dmp

Filesize
204KB

Download
memory/2968-141-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2968-143-0x00000000002C0000-0x00000000002F3000-memory.dmp

Filesize
204KB

Download
memory/2968-155-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads