berbew | 888ca5fbde4675a42becfbb0825f81744e07b0e426c70575b1ed94b7edc452b1

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
22/12/2024, 16:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

888ca5fbde4675a42becfbb0825f81744e07b0e426c70575b1ed94b7edc452b1.exe
Size

144KB
MD5

e23f54cece45c16a6b2fbf04d435e3b1
SHA1

1e3a9bf2724068b11204437381d2b5da7f06e1a0
SHA256

888ca5fbde4675a42becfbb0825f81744e07b0e426c70575b1ed94b7edc452b1
SHA512

ab464db6081c16fdbdbf6f4d81f99cf19024817c02a15b9eceac60aa134884f867609856ef9b5e527b1c7fcc4816ed1c0d0187d77ca572e88163cde266ca1156
SSDEEP

3072:gGw5hH4UhVMgAexynIEzGYJpD9r8XxrYnQg4sIq:kfhIuGI2GyZ6Yuq

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 14 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbmome32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Libjncnc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	888ca5fbde4675a42becfbb0825f81744e07b0e426c70575b1ed94b7edc452b1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	888ca5fbde4675a42becfbb0825f81744e07b0e426c70575b1ed94b7edc452b1.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kekkiq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Khldkllj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdbepm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kageia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Khldkllj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kdbepm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kbmome32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kekkiq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kageia32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Libjncnc.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 7 IoCs

pid	Process
2760	Kbmome32.exe
2896	Kekkiq32.exe
2768	Khldkllj.exe
852	Kdbepm32.exe
2704	Kageia32.exe
1436	Libjncnc.exe
2572	Lbjofi32.exe

Loads dropped DLL 18 IoCs

pid	Process
2164	888ca5fbde4675a42becfbb0825f81744e07b0e426c70575b1ed94b7edc452b1.exe
2164	888ca5fbde4675a42becfbb0825f81744e07b0e426c70575b1ed94b7edc452b1.exe
2760	Kbmome32.exe
2760	Kbmome32.exe
2896	Kekkiq32.exe
2896	Kekkiq32.exe
2768	Khldkllj.exe
2768	Khldkllj.exe
852	Kdbepm32.exe
852	Kdbepm32.exe
2704	Kageia32.exe
2704	Kageia32.exe
1436	Libjncnc.exe
1436	Libjncnc.exe
2268	WerFault.exe
2268	WerFault.exe
2268	WerFault.exe
2268	WerFault.exe

Drops file in System32 directory 21 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Mkehop32.dll	888ca5fbde4675a42becfbb0825f81744e07b0e426c70575b1ed94b7edc452b1.exe
File created	C:\Windows\SysWOW64\Agioom32.dll	Kbmome32.exe
File created	C:\Windows\SysWOW64\Khldkllj.exe	Kekkiq32.exe
File created	C:\Windows\SysWOW64\Libjncnc.exe	Kageia32.exe
File opened for modification	C:\Windows\SysWOW64\Libjncnc.exe	Kageia32.exe
File created	C:\Windows\SysWOW64\Kekkiq32.exe	Kbmome32.exe
File created	C:\Windows\SysWOW64\Alhpic32.dll	Khldkllj.exe
File opened for modification	C:\Windows\SysWOW64\Kageia32.exe	Kdbepm32.exe
File created	C:\Windows\SysWOW64\Lbjofi32.exe	Libjncnc.exe
File created	C:\Windows\SysWOW64\Ipafocdg.dll	Libjncnc.exe
File opened for modification	C:\Windows\SysWOW64\Kekkiq32.exe	Kbmome32.exe
File opened for modification	C:\Windows\SysWOW64\Khldkllj.exe	Kekkiq32.exe
File created	C:\Windows\SysWOW64\Kdbepm32.exe	Khldkllj.exe
File created	C:\Windows\SysWOW64\Jlflfm32.dll	Kdbepm32.exe
File created	C:\Windows\SysWOW64\Ipbkjl32.dll	Kageia32.exe
File opened for modification	C:\Windows\SysWOW64\Lbjofi32.exe	Libjncnc.exe
File created	C:\Windows\SysWOW64\Kbmome32.exe	888ca5fbde4675a42becfbb0825f81744e07b0e426c70575b1ed94b7edc452b1.exe
File opened for modification	C:\Windows\SysWOW64\Kbmome32.exe	888ca5fbde4675a42becfbb0825f81744e07b0e426c70575b1ed94b7edc452b1.exe
File created	C:\Windows\SysWOW64\Eghoka32.dll	Kekkiq32.exe
File opened for modification	C:\Windows\SysWOW64\Kdbepm32.exe	Khldkllj.exe
File created	C:\Windows\SysWOW64\Kageia32.exe	Kdbepm32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2268	2572	WerFault.exe	36

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Khldkllj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdbepm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kageia32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Libjncnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbjofi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	888ca5fbde4675a42becfbb0825f81744e07b0e426c70575b1ed94b7edc452b1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbmome32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kekkiq32.exe

Modifies registry class 24 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Libjncnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kekkiq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kageia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipbkjl32.dll"	Kageia32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Libjncnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	888ca5fbde4675a42becfbb0825f81744e07b0e426c70575b1ed94b7edc452b1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alhpic32.dll"	Khldkllj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kageia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eghoka32.dll"	Kekkiq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Khldkllj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kdbepm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlflfm32.dll"	Kdbepm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipafocdg.dll"	Libjncnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	888ca5fbde4675a42becfbb0825f81744e07b0e426c70575b1ed94b7edc452b1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	888ca5fbde4675a42becfbb0825f81744e07b0e426c70575b1ed94b7edc452b1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kbmome32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agioom32.dll"	Kbmome32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kbmome32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kekkiq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Khldkllj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kdbepm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	888ca5fbde4675a42becfbb0825f81744e07b0e426c70575b1ed94b7edc452b1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	888ca5fbde4675a42becfbb0825f81744e07b0e426c70575b1ed94b7edc452b1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkehop32.dll"	888ca5fbde4675a42becfbb0825f81744e07b0e426c70575b1ed94b7edc452b1.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 2164 wrote to memory of 2760	2164	888ca5fbde4675a42becfbb0825f81744e07b0e426c70575b1ed94b7edc452b1.exe	30
PID 2164 wrote to memory of 2760	2164	888ca5fbde4675a42becfbb0825f81744e07b0e426c70575b1ed94b7edc452b1.exe	30
PID 2164 wrote to memory of 2760	2164	888ca5fbde4675a42becfbb0825f81744e07b0e426c70575b1ed94b7edc452b1.exe	30
PID 2164 wrote to memory of 2760	2164	888ca5fbde4675a42becfbb0825f81744e07b0e426c70575b1ed94b7edc452b1.exe	30
PID 2760 wrote to memory of 2896	2760	Kbmome32.exe	31
PID 2760 wrote to memory of 2896	2760	Kbmome32.exe	31
PID 2760 wrote to memory of 2896	2760	Kbmome32.exe	31
PID 2760 wrote to memory of 2896	2760	Kbmome32.exe	31
PID 2896 wrote to memory of 2768	2896	Kekkiq32.exe	32
PID 2896 wrote to memory of 2768	2896	Kekkiq32.exe	32
PID 2896 wrote to memory of 2768	2896	Kekkiq32.exe	32
PID 2896 wrote to memory of 2768	2896	Kekkiq32.exe	32
PID 2768 wrote to memory of 852	2768	Khldkllj.exe	33
PID 2768 wrote to memory of 852	2768	Khldkllj.exe	33
PID 2768 wrote to memory of 852	2768	Khldkllj.exe	33
PID 2768 wrote to memory of 852	2768	Khldkllj.exe	33
PID 852 wrote to memory of 2704	852	Kdbepm32.exe	34
PID 852 wrote to memory of 2704	852	Kdbepm32.exe	34
PID 852 wrote to memory of 2704	852	Kdbepm32.exe	34
PID 852 wrote to memory of 2704	852	Kdbepm32.exe	34
PID 2704 wrote to memory of 1436	2704	Kageia32.exe	35
PID 2704 wrote to memory of 1436	2704	Kageia32.exe	35
PID 2704 wrote to memory of 1436	2704	Kageia32.exe	35
PID 2704 wrote to memory of 1436	2704	Kageia32.exe	35
PID 1436 wrote to memory of 2572	1436	Libjncnc.exe	36
PID 1436 wrote to memory of 2572	1436	Libjncnc.exe	36
PID 1436 wrote to memory of 2572	1436	Libjncnc.exe	36
PID 1436 wrote to memory of 2572	1436	Libjncnc.exe	36
PID 2572 wrote to memory of 2268	2572	Lbjofi32.exe	37
PID 2572 wrote to memory of 2268	2572	Lbjofi32.exe	37
PID 2572 wrote to memory of 2268	2572	Lbjofi32.exe	37
PID 2572 wrote to memory of 2268	2572	Lbjofi32.exe	37

C:\Users\Admin\AppData\Local\Temp\888ca5fbde4675a42becfbb0825f81744e07b0e426c70575b1ed94b7edc452b1.exe
"C:\Users\Admin\AppData\Local\Temp\888ca5fbde4675a42becfbb0825f81744e07b0e426c70575b1ed94b7edc452b1.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2164
- C:\Windows\SysWOW64\Kbmome32.exe
  C:\Windows\system32\Kbmome32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2760
- - C:\Windows\SysWOW64\Kekkiq32.exe
    C:\Windows\system32\Kekkiq32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2896
  - - C:\Windows\SysWOW64\Khldkllj.exe
      C:\Windows\system32\Khldkllj.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2768
    - - C:\Windows\SysWOW64\Kdbepm32.exe
        
        C:\Windows\system32\Kdbepm32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:852
      - C:\Windows\SysWOW64\Kageia32.exe
        
        C:\Windows\system32\Kageia32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2704
        
        C:\Windows\SysWOW64\Libjncnc.exe
        
        C:\Windows\system32\Libjncnc.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1436
        
        C:\Windows\SysWOW64\Lbjofi32.exe
        
        C:\Windows\system32\Lbjofi32.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2572
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2572 -s 140
        9⤵
        Loads dropped DLL
        Program crash
        
        PID:2268

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Jlflfm32.dll

Filesize
7KB

MD5
04459c4e85f7cd23c0044067b82040fe

SHA1
441482ef44a07602a8d9081a5590a8a60ed1fb4f

SHA256
5865b392647d16ac4f205f22459061aa216119f8a959d73ab8cd432e89c08a69

SHA512
0c318d608f7292ec80c27d2d02d68628f8146fb4a4cbd20a5c2a60f485007176ed9679d4b46699498a8ad344a9d2a2d04c8a40f3d76069c566fbfe8b0859a6c0

Download Submit
C:\Windows\SysWOW64\Kageia32.exe

Filesize
144KB

MD5
1bcd6ea2a3c058aa2c205262cb4737db

SHA1
788b45d3a9e14f3c0d3564d2eb486b12b32063d4

SHA256
576acbad79ffd75de8a7b9aaf732cc4fdff4468fdb6315c67b0bb6d740d41c00

SHA512
a3fb7f01be0367fac9bf4d0e6095130bdd90dbe62cb3f047f36fccc574c4fecdebeac5fecc317ba4954e2d18f32e99a7882b131f663af79accf0fbc0b8e80bff

Download Submit
\Windows\SysWOW64\Kbmome32.exe

Filesize
144KB

MD5
96e65e941fbdff75bc402ae514028baa

SHA1
b4b5a071a542e1a877d9b7ef33a1a4a203543ebe

SHA256
e25ae49f900f86f6ced509d95451fb6127f132e2ce9cb450842630e9e13dcaff

SHA512
b3852ec3054ceeb01fae290a3d9aee1234c62aaabf620330dbef6ca92736ea68488413f5a91d2b5ae99104f32491a60fa8a1e6868bde5aeac37d45898e5ef46d

Download Submit
\Windows\SysWOW64\Kdbepm32.exe

Filesize
144KB

MD5
00d7b6617b7148e94891773999ebdca8

SHA1
2cb5394c8f3773cfa3cd15cc58ebffa4c684e0c6

SHA256
deec32063efd5f9cfb3c334c046621db6ecd6ea648de659d9d7927fc003ddcb8

SHA512
1391472205637f41199a13213d843a6c6d026227fc31df499c4eaffc817a13599c25b7831ad2278da2f4c820b1a5c741e428447c2170b89a19ccfb6fc6f5659b

Download Submit
\Windows\SysWOW64\Kekkiq32.exe

Filesize
144KB

MD5
6cb07fc3a769e931f6a2de0cf7f2acf6

SHA1
eaf7f71fc1054423ccb69873f537cfd3d53ce0f3

SHA256
7329ebc7f520f0819204cc5c278e15ee58c077df3ed950f9546efaafefb187cf

SHA512
a4c12820e46f0dd7085038a783c5e47b7daf25d57544866ee3d2d5d527ee44fe1ec1d67fb2837d1a1d3f3e15b5b129cbe1eabe6bb501756219bc5b06166e5212

Download Submit
\Windows\SysWOW64\Khldkllj.exe

Filesize
144KB

MD5
8f43f6287ecebf224830fefae1eeaa56

SHA1
8244bf98683df40c0a3abdf5adc7a72358716e5b

SHA256
3feb9af39b980b96861947d791b47aab7e0eadbdd85b26f72e1e6da23de73450

SHA512
d8221899c3847406efd103119c761cb31a61ee9296124028a8d643e1e26f35d587feef630278fea5e6ee69ee67b001db8f6c6c6f41e7c899a8a2555e8c69cc5f

Download Submit
\Windows\SysWOW64\Lbjofi32.exe

Filesize
144KB

MD5
ef0d57ed486e86ad5426ea2e3899a97d

SHA1
bb7147f7ab4f950a518f5fb2395de1898ed993a6

SHA256
0fed82d2457be84a5517e7e06cebc38c71903f9f523248ef68b213d54da6bab6

SHA512
da4d08f379ba9bcda59ffe33db970c1e24889102a43ea52ffcbae7d825466aa0eccdb4f98fd69108a06db86993aeb4cdb5ba13ea97f7983f333015d3db31aaaf

Download Submit
\Windows\SysWOW64\Libjncnc.exe

Filesize
144KB

MD5
bd81e371cf0b955cf7a02331a0d84bfa

SHA1
6a993610ac0ee614e9f8c5f779d93b167b54f1f4

SHA256
6203945474b1bf6e84df22292fb81dd5f98be57272b0c77e7b008bb05e7911b0

SHA512
009977fafd5d00064de3ae42178fbacb914d5b449b386c26878b87d9ee8053e303280fdbf651f7ebf9b97b5d4fe6e4f2956545b4b84f9a240e86f0e5772d1e0b

Download Submit
memory/852-71-0x0000000000300000-0x0000000000334000-memory.dmp

Filesize
208KB

Download
memory/852-107-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/852-57-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/852-70-0x0000000000300000-0x0000000000334000-memory.dmp

Filesize
208KB

Download
memory/1436-103-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2164-12-0x0000000000270000-0x00000000002A4000-memory.dmp

Filesize
208KB

Download
memory/2164-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2164-113-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2164-13-0x0000000000270000-0x00000000002A4000-memory.dmp

Filesize
208KB

Download
memory/2572-117-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2572-98-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2704-106-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2704-72-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2704-79-0x0000000000280000-0x00000000002B4000-memory.dmp

Filesize
208KB

Download
memory/2760-14-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2760-22-0x00000000005D0000-0x0000000000604000-memory.dmp

Filesize
208KB

Download
memory/2760-114-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2768-55-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/2768-112-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2768-43-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2896-116-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2896-41-0x00000000002D0000-0x0000000000304000-memory.dmp

Filesize
208KB

Download
memory/2896-42-0x00000000002D0000-0x0000000000304000-memory.dmp

Filesize
208KB

Download
memory/2896-28-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads