berbew | 27c1a09e84c7b2f76c716f7b1818d0f7c10e9d2ae98ce78cc417087d83d3c4a3

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-12-2024 20:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

27c1a09e84c7b2f76c716f7b1818d0f7c10e9d2ae98ce78cc417087d83d3c4a3.exe
Size

74KB
MD5

ec7ad68f8a09122c7366b28cd72034c6
SHA1

97bdf2532905279ee34e03a8f0d29df9a5f6c859
SHA256

27c1a09e84c7b2f76c716f7b1818d0f7c10e9d2ae98ce78cc417087d83d3c4a3
SHA512

f30a677344ace98b4010b2ed72cbae015d64c8732573b8dc4b902fdb02abccd51f9a7b3b4bd38a6716f9743e6264bfe3a52398fa22c808278fafd765166aae52
SSDEEP

1536:FEbdtV3Zh7tO6m/9y+v2KdmFazdsulDNNE6h/dal4fvfjmAnO:FEl30h92K4kdsulDNNE6rTfvfyAnO

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 20 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	27c1a09e84c7b2f76c716f7b1818d0f7c10e9d2ae98ce78cc417087d83d3c4a3.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	27c1a09e84c7b2f76c716f7b1818d0f7c10e9d2ae98ce78cc417087d83d3c4a3.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhocqigp.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 10 IoCs

pid	Process
4568	Dhkjej32.exe
2340	Dodbbdbb.exe
2756	Dmgbnq32.exe
1300	Ddakjkqi.exe
2844	Dfpgffpm.exe
2160	Dogogcpo.exe
3616	Daekdooc.exe
3712	Dhocqigp.exe
2664	Dknpmdfc.exe
4836	Dmllipeg.exe

Drops file in System32 directory 30 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Dknpmdfc.exe	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Ddakjkqi.exe	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Dfpgffpm.exe	Ddakjkqi.exe
File opened for modification	C:\Windows\SysWOW64\Dogogcpo.exe	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Daekdooc.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Ohmoom32.dll	Dogogcpo.exe
File opened for modification	C:\Windows\SysWOW64\Dhocqigp.exe	Daekdooc.exe
File opened for modification	C:\Windows\SysWOW64\Dmgbnq32.exe	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Ihidnp32.dll	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Nokpao32.dll	Dhocqigp.exe
File opened for modification	C:\Windows\SysWOW64\Dknpmdfc.exe	Dhocqigp.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File opened for modification	C:\Windows\SysWOW64\Dodbbdbb.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Dogogcpo.exe	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Dhocqigp.exe	Daekdooc.exe
File created	C:\Windows\SysWOW64\Jbpbca32.dll	27c1a09e84c7b2f76c716f7b1818d0f7c10e9d2ae98ce78cc417087d83d3c4a3.exe
File opened for modification	C:\Windows\SysWOW64\Dfpgffpm.exe	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dknpmdfc.exe
File opened for modification	C:\Windows\SysWOW64\Ddakjkqi.exe	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Gifhkeje.dll	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Dodbbdbb.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Dmgbnq32.exe	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Kmdjdl32.dll	Ddakjkqi.exe
File opened for modification	C:\Windows\SysWOW64\Daekdooc.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Dhkjej32.exe	27c1a09e84c7b2f76c716f7b1818d0f7c10e9d2ae98ce78cc417087d83d3c4a3.exe
File opened for modification	C:\Windows\SysWOW64\Dhkjej32.exe	27c1a09e84c7b2f76c716f7b1818d0f7c10e9d2ae98ce78cc417087d83d3c4a3.exe
File created	C:\Windows\SysWOW64\Elkadb32.dll	Daekdooc.exe
File created	C:\Windows\SysWOW64\Fnmnbf32.dll	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Lbabpnmn.dll	Dfpgffpm.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2044	4836	WerFault.exe	91

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	27c1a09e84c7b2f76c716f7b1818d0f7c10e9d2ae98ce78cc417087d83d3c4a3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe

Modifies registry class 33 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	27c1a09e84c7b2f76c716f7b1818d0f7c10e9d2ae98ce78cc417087d83d3c4a3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohmoom32.dll"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokpao32.dll"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	27c1a09e84c7b2f76c716f7b1818d0f7c10e9d2ae98ce78cc417087d83d3c4a3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	27c1a09e84c7b2f76c716f7b1818d0f7c10e9d2ae98ce78cc417087d83d3c4a3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	27c1a09e84c7b2f76c716f7b1818d0f7c10e9d2ae98ce78cc417087d83d3c4a3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnmnbf32.dll"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdjdl32.dll"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbabpnmn.dll"	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elkadb32.dll"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	27c1a09e84c7b2f76c716f7b1818d0f7c10e9d2ae98ce78cc417087d83d3c4a3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbpbca32.dll"	27c1a09e84c7b2f76c716f7b1818d0f7c10e9d2ae98ce78cc417087d83d3c4a3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihidnp32.dll"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gifhkeje.dll"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dhocqigp.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 5072 wrote to memory of 4568	5072	27c1a09e84c7b2f76c716f7b1818d0f7c10e9d2ae98ce78cc417087d83d3c4a3.exe	82
PID 5072 wrote to memory of 4568	5072	27c1a09e84c7b2f76c716f7b1818d0f7c10e9d2ae98ce78cc417087d83d3c4a3.exe	82
PID 5072 wrote to memory of 4568	5072	27c1a09e84c7b2f76c716f7b1818d0f7c10e9d2ae98ce78cc417087d83d3c4a3.exe	82
PID 4568 wrote to memory of 2340	4568	Dhkjej32.exe	83
PID 4568 wrote to memory of 2340	4568	Dhkjej32.exe	83
PID 4568 wrote to memory of 2340	4568	Dhkjej32.exe	83
PID 2340 wrote to memory of 2756	2340	Dodbbdbb.exe	84
PID 2340 wrote to memory of 2756	2340	Dodbbdbb.exe	84
PID 2340 wrote to memory of 2756	2340	Dodbbdbb.exe	84
PID 2756 wrote to memory of 1300	2756	Dmgbnq32.exe	85
PID 2756 wrote to memory of 1300	2756	Dmgbnq32.exe	85
PID 2756 wrote to memory of 1300	2756	Dmgbnq32.exe	85
PID 1300 wrote to memory of 2844	1300	Ddakjkqi.exe	86
PID 1300 wrote to memory of 2844	1300	Ddakjkqi.exe	86
PID 1300 wrote to memory of 2844	1300	Ddakjkqi.exe	86
PID 2844 wrote to memory of 2160	2844	Dfpgffpm.exe	87
PID 2844 wrote to memory of 2160	2844	Dfpgffpm.exe	87
PID 2844 wrote to memory of 2160	2844	Dfpgffpm.exe	87
PID 2160 wrote to memory of 3616	2160	Dogogcpo.exe	88
PID 2160 wrote to memory of 3616	2160	Dogogcpo.exe	88
PID 2160 wrote to memory of 3616	2160	Dogogcpo.exe	88
PID 3616 wrote to memory of 3712	3616	Daekdooc.exe	89
PID 3616 wrote to memory of 3712	3616	Daekdooc.exe	89
PID 3616 wrote to memory of 3712	3616	Daekdooc.exe	89
PID 3712 wrote to memory of 2664	3712	Dhocqigp.exe	90
PID 3712 wrote to memory of 2664	3712	Dhocqigp.exe	90
PID 3712 wrote to memory of 2664	3712	Dhocqigp.exe	90
PID 2664 wrote to memory of 4836	2664	Dknpmdfc.exe	91
PID 2664 wrote to memory of 4836	2664	Dknpmdfc.exe	91
PID 2664 wrote to memory of 4836	2664	Dknpmdfc.exe	91

C:\Users\Admin\AppData\Local\Temp\27c1a09e84c7b2f76c716f7b1818d0f7c10e9d2ae98ce78cc417087d83d3c4a3.exe
"C:\Users\Admin\AppData\Local\Temp\27c1a09e84c7b2f76c716f7b1818d0f7c10e9d2ae98ce78cc417087d83d3c4a3.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5072
- C:\Windows\SysWOW64\Dhkjej32.exe
  C:\Windows\system32\Dhkjej32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4568
- - C:\Windows\SysWOW64\Dodbbdbb.exe
    C:\Windows\system32\Dodbbdbb.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2340
  - - C:\Windows\SysWOW64\Dmgbnq32.exe
      C:\Windows\system32\Dmgbnq32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2756
    - - C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1300
      - C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2844
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2160
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3616
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3712
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2664
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4836
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4836 -s 408
        12⤵
        Program crash
        
        PID:2044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4836 -ip 4836
1⤵
PID:3124

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Daekdooc.exe

Filesize
74KB

MD5
3a83e432a382210be59d842655236f85

SHA1
4c05bc617d12f9498af15ca1cc0f370c4b638c20

SHA256
4bbd0e880d4c7fc5540839071efc89f88a49db9db17f20684aa06d15d6a1c3da

SHA512
8860c03c1573f9f2e60aeec35e5b85afb5b719a13f97ce8e4f703d770fb50cd8afe310ab9718d0402c1dca367702ace2163261be761438876ab721ba23906185

Download Submit
C:\Windows\SysWOW64\Ddakjkqi.exe

Filesize
74KB

MD5
dd9c315222ea956e2ab79209f309015e

SHA1
5b168446bc5439007a2838d0a1f3e6d772f53a85

SHA256
d2c7400fc41dd3a0a346adf1d22485e59586b5781afb87dc928a969347959916

SHA512
1e27e262b04e350947e8764ecc67df333817362594108aa197dd5c31e326c9733e06bc5a57c0cede49cbc5936e313af46b44a5a919938326096acf95fe480f20

Download Submit
C:\Windows\SysWOW64\Dfpgffpm.exe

Filesize
74KB

MD5
c42f8b8bc863f5f84f0d2565c6640b22

SHA1
45ebb7241cf3b632cb116e24617174353bafaec2

SHA256
cf30ffbc3bbbc901f01b246972405ae2e8e1aee0010722d76cb9a6bc90a19857

SHA512
d7b76f9f94e7fc99f967ef07e6d2fbc0232173363d5ad0fd68b0bed2865720006b8a3be3822ee90528f85308086912b008bcd8e3a0382cc279da1768be9fc7f0

Download Submit
C:\Windows\SysWOW64\Dhkjej32.exe

Filesize
74KB

MD5
461480fdf11d119b2871d127752c357e

SHA1
9315b3ee7d69c332f4b4740b4eea3dca6a5f0dbc

SHA256
43287cb979ba055c2984a1b9a21c3ab8fbdd7132ee76e877057bec4e4e495aa6

SHA512
17d0894ed1cd82de64ec649e324801cad632800a8374a6e6706144454d9b8a7b99ed05ec09f00c634dbff95e5ca0b082f0a9c26ee94bcf57532ad5e19e195bb3

Download Submit
C:\Windows\SysWOW64\Dhocqigp.exe

Filesize
74KB

MD5
722490762152570dd54edb03056f1063

SHA1
d591da5819052db3054c98898d7ab45c74c6e023

SHA256
d7eef97a9b6cd798c9a1ffb31da29c872b84df0fc96910f712e1b9a1db1010c1

SHA512
85f9119dd5af956d08049037e80f51ada8476b0baa0323d1edde697f586e0da27c54a38279be8f9fec3cd38eb49fabe3105959aeb81a080fb4f43ebcf4cac221

Download Submit
C:\Windows\SysWOW64\Dknpmdfc.exe

Filesize
74KB

MD5
ed548c7355d5c1fb0f48dcd34c464a50

SHA1
477e9c3f3ef68834c63f075d9b5e1098a5bdb4bd

SHA256
84ca9eb8ad0f2bda817e46d63c449b073640b99f10af66b9271854b5bfe8c395

SHA512
ccfe6ce9ae17a177540d560f2a360609d02131c8c0f704be3b8081c4a80f13d833df9a094c5dc8ffad4998ead2994e68bd23ee187b2f6cc861b6829e91e537c2

Download Submit
C:\Windows\SysWOW64\Dmgbnq32.exe

Filesize
74KB

MD5
780369ff3e8881ab0863071930e5e51e

SHA1
3a7c88fd5b35cd118e016611fad6d98d7e62404c

SHA256
ca19a1966b6faf8c25b38de8280448c448b03ad4ea8f24064d155e9a0dbc3a20

SHA512
8a1a02798e739c5724c065637b8813ba350f48fcbfb5e365dbe22ab444922ceb332355a78276a40a4c86b69d129beb8a38efbc4e5f2469dca5efdfd793083149

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
74KB

MD5
9481b7324142bc0010b04959c6b93ce5

SHA1
33e72193a3bff6b5e72478ae533bfc40e986d1a4

SHA256
578179c1e6f2b5b13d2b95f5ca34f85eda1c64a68a3315eaab45dc658fc77b05

SHA512
2615bf6cae4c2106a3a5891011064977b5f3b53154a7e8b3aeb42ca371916d0f9d0aa4fed4adeb519c47da318e231b209fe4310d506f03c89c8d622e0b22dd5f

Download Submit
C:\Windows\SysWOW64\Dodbbdbb.exe

Filesize
74KB

MD5
aa969b56d2c330106bfa73ac44b3f597

SHA1
7680983aee5ea0f2442886a93c3a15048554a165

SHA256
bdecc823916bab04ce142b823462f3fb5cc2cc43c1f646a04cf28fccecf68b75

SHA512
cb0cf57b72ea2e320f10efc49024d78aad90a36e089af40bf6a7f0a984f90f2087c2effcc3c67ee9fdc833d4dada7452a4ed3de378c409f3ed088211d2ec1dd4

Download Submit
C:\Windows\SysWOW64\Dogogcpo.exe

Filesize
74KB

MD5
4b849d346dd71fd220b0c4335751b460

SHA1
9ebaef360b4634d6f6c1bf8686bfdccf246a601b

SHA256
a2605d6c2dd656ec0acd034ccd67bf8c330d24c5dca2bf7e5ce01caebbfcc499

SHA512
9735a248de17923bbd92d52d99e04c746f0657d58072e015e3e9c0b2f0af5225986050af70107d4bd93339ee11e3c5d73236a0e9665abada49a4d9383d78127a

Download Submit
C:\Windows\SysWOW64\Kmdjdl32.dll

Filesize
7KB

MD5
9086996791bcddb61840bfeb31eab8dc

SHA1
d200bed0ab81fba0ca797e6e8e5c422398bba613

SHA256
98d37c9e99514c7b8736099ecbe27a4973c0dbd2857b9bbe67483d53bd20b44b

SHA512
4792adebf047ce7b92a698009b110686a50ceaeb9b986fa26639444475d8d0b9409d240c9747dfe252be465410a684eb1e7e1b4fe616d803922ddd4df439a26b

Download Submit
memory/1300-32-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1300-89-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2160-85-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2160-47-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2340-15-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2340-88-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2664-71-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2664-82-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2756-23-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2756-87-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2844-39-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2844-86-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3616-83-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3616-55-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3712-64-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3712-84-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4568-90-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4568-7-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4836-81-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4836-79-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/5072-91-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/5072-0-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads