berbew | 9f47ca05400ba4a7182513e56addbc5921f6ece0e9f7fef779a1bebfd3dbf91c

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
23-12-2024 23:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9f47ca05400ba4a7182513e56addbc5921f6ece0e9f7fef779a1bebfd3dbf91c.exe
Size

63KB
MD5

e3a33c3df09d09d6f68fd57768a6871b
SHA1

d4ee729feed9b5297cb8aa5175e3877dd3c4b822
SHA256

9f47ca05400ba4a7182513e56addbc5921f6ece0e9f7fef779a1bebfd3dbf91c
SHA512

bee0ac873bc2174eed31b9b45e7ffaea704696d153d1ec83f5fe3d0f88b732239a4c55cb1fec6f8fb49d96f214d0679bd5104e7c8c9b885030933421a5ea7dcc
SSDEEP

768:9uTv/VquzENJwZ5RV9/X+FTAVcxaw74diBKjn/f75kncg4/1H5/oCXdnhg20a0kn:ITQq6gUAl4KjnX7infy3H1juIZo8

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 16 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	9f47ca05400ba4a7182513e56addbc5921f6ece0e9f7fef779a1bebfd3dbf91c.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cagienkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjonncab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cbffoabe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ccjoli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	9f47ca05400ba4a7182513e56addbc5921f6ece0e9f7fef779a1bebfd3dbf91c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cagienkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cinafkkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djdgic32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cinafkkd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbffoabe.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgcnghpl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djdgic32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjonncab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgcnghpl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ccjoli32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 8 IoCs

pid	Process
2772	Cagienkb.exe
2900	Cinafkkd.exe
3008	Cjonncab.exe
2580	Cbffoabe.exe
2620	Cgcnghpl.exe
2920	Ccjoli32.exe
2168	Djdgic32.exe
2840	Dpapaj32.exe

Loads dropped DLL 19 IoCs

pid	Process
2396	9f47ca05400ba4a7182513e56addbc5921f6ece0e9f7fef779a1bebfd3dbf91c.exe
2396	9f47ca05400ba4a7182513e56addbc5921f6ece0e9f7fef779a1bebfd3dbf91c.exe
2772	Cagienkb.exe
2772	Cagienkb.exe
2900	Cinafkkd.exe
2900	Cinafkkd.exe
3008	Cjonncab.exe
3008	Cjonncab.exe
2580	Cbffoabe.exe
2580	Cbffoabe.exe
2620	Cgcnghpl.exe
2620	Cgcnghpl.exe
2920	Ccjoli32.exe
2920	Ccjoli32.exe
2168	Djdgic32.exe
2168	Djdgic32.exe
2960	WerFault.exe
2960	WerFault.exe
2960	WerFault.exe

Drops file in System32 directory 26 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Djdgic32.exe	Ccjoli32.exe
File created	C:\Windows\SysWOW64\Ccofjipn.dll	Ccjoli32.exe
File opened for modification	C:\Windows\SysWOW64\Dpapaj32.exe	Djdgic32.exe
File created	C:\Windows\SysWOW64\Pdkefp32.dll	Djdgic32.exe
File created	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe
File opened for modification	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe
File created	C:\Windows\SysWOW64\Hbocphim.dll	Cjonncab.exe
File created	C:\Windows\SysWOW64\Omakjj32.dll	Cbffoabe.exe
File created	C:\Windows\SysWOW64\Cinafkkd.exe	Cagienkb.exe
File created	C:\Windows\SysWOW64\Cjonncab.exe	Cinafkkd.exe
File created	C:\Windows\SysWOW64\Oeopijom.dll	Cinafkkd.exe
File opened for modification	C:\Windows\SysWOW64\Cbffoabe.exe	Cjonncab.exe
File created	C:\Windows\SysWOW64\Cagienkb.exe	9f47ca05400ba4a7182513e56addbc5921f6ece0e9f7fef779a1bebfd3dbf91c.exe
File created	C:\Windows\SysWOW64\Hbcfdk32.dll	9f47ca05400ba4a7182513e56addbc5921f6ece0e9f7fef779a1bebfd3dbf91c.exe
File created	C:\Windows\SysWOW64\Ccjoli32.exe	Cgcnghpl.exe
File created	C:\Windows\SysWOW64\Ciohdhad.dll	Cgcnghpl.exe
File created	C:\Windows\SysWOW64\Djdgic32.exe	Ccjoli32.exe
File opened for modification	C:\Windows\SysWOW64\Cagienkb.exe	9f47ca05400ba4a7182513e56addbc5921f6ece0e9f7fef779a1bebfd3dbf91c.exe
File created	C:\Windows\SysWOW64\Cbffoabe.exe	Cjonncab.exe
File opened for modification	C:\Windows\SysWOW64\Cjonncab.exe	Cinafkkd.exe
File created	C:\Windows\SysWOW64\Cgcnghpl.exe	Cbffoabe.exe
File opened for modification	C:\Windows\SysWOW64\Cgcnghpl.exe	Cbffoabe.exe
File opened for modification	C:\Windows\SysWOW64\Ccjoli32.exe	Cgcnghpl.exe
File created	C:\Windows\SysWOW64\Dpapaj32.exe	Djdgic32.exe
File opened for modification	C:\Windows\SysWOW64\Cinafkkd.exe	Cagienkb.exe
File created	C:\Windows\SysWOW64\Eepejpil.dll	Cagienkb.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2960	2840	WerFault.exe	38

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagienkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cinafkkd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjonncab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccjoli32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdgic32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpapaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9f47ca05400ba4a7182513e56addbc5921f6ece0e9f7fef779a1bebfd3dbf91c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbffoabe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgcnghpl.exe

Modifies registry class 27 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	9f47ca05400ba4a7182513e56addbc5921f6ece0e9f7fef779a1bebfd3dbf91c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cagienkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omakjj32.dll"	Cbffoabe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cgcnghpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciohdhad.dll"	Cgcnghpl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	9f47ca05400ba4a7182513e56addbc5921f6ece0e9f7fef779a1bebfd3dbf91c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cinafkkd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjonncab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccofjipn.dll"	Ccjoli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cagienkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ccjoli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djdgic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cgcnghpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbocphim.dll"	Cjonncab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cbffoabe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ccjoli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdkefp32.dll"	Djdgic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oeopijom.dll"	Cinafkkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eepejpil.dll"	Cagienkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cbffoabe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cinafkkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjonncab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbcfdk32.dll"	9f47ca05400ba4a7182513e56addbc5921f6ece0e9f7fef779a1bebfd3dbf91c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djdgic32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	9f47ca05400ba4a7182513e56addbc5921f6ece0e9f7fef779a1bebfd3dbf91c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	9f47ca05400ba4a7182513e56addbc5921f6ece0e9f7fef779a1bebfd3dbf91c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	9f47ca05400ba4a7182513e56addbc5921f6ece0e9f7fef779a1bebfd3dbf91c.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2396 wrote to memory of 2772	2396	9f47ca05400ba4a7182513e56addbc5921f6ece0e9f7fef779a1bebfd3dbf91c.exe	31
PID 2396 wrote to memory of 2772	2396	9f47ca05400ba4a7182513e56addbc5921f6ece0e9f7fef779a1bebfd3dbf91c.exe	31
PID 2396 wrote to memory of 2772	2396	9f47ca05400ba4a7182513e56addbc5921f6ece0e9f7fef779a1bebfd3dbf91c.exe	31
PID 2396 wrote to memory of 2772	2396	9f47ca05400ba4a7182513e56addbc5921f6ece0e9f7fef779a1bebfd3dbf91c.exe	31
PID 2772 wrote to memory of 2900	2772	Cagienkb.exe	32
PID 2772 wrote to memory of 2900	2772	Cagienkb.exe	32
PID 2772 wrote to memory of 2900	2772	Cagienkb.exe	32
PID 2772 wrote to memory of 2900	2772	Cagienkb.exe	32
PID 2900 wrote to memory of 3008	2900	Cinafkkd.exe	33
PID 2900 wrote to memory of 3008	2900	Cinafkkd.exe	33
PID 2900 wrote to memory of 3008	2900	Cinafkkd.exe	33
PID 2900 wrote to memory of 3008	2900	Cinafkkd.exe	33
PID 3008 wrote to memory of 2580	3008	Cjonncab.exe	34
PID 3008 wrote to memory of 2580	3008	Cjonncab.exe	34
PID 3008 wrote to memory of 2580	3008	Cjonncab.exe	34
PID 3008 wrote to memory of 2580	3008	Cjonncab.exe	34
PID 2580 wrote to memory of 2620	2580	Cbffoabe.exe	35
PID 2580 wrote to memory of 2620	2580	Cbffoabe.exe	35
PID 2580 wrote to memory of 2620	2580	Cbffoabe.exe	35
PID 2580 wrote to memory of 2620	2580	Cbffoabe.exe	35
PID 2620 wrote to memory of 2920	2620	Cgcnghpl.exe	36
PID 2620 wrote to memory of 2920	2620	Cgcnghpl.exe	36
PID 2620 wrote to memory of 2920	2620	Cgcnghpl.exe	36
PID 2620 wrote to memory of 2920	2620	Cgcnghpl.exe	36
PID 2920 wrote to memory of 2168	2920	Ccjoli32.exe	37
PID 2920 wrote to memory of 2168	2920	Ccjoli32.exe	37
PID 2920 wrote to memory of 2168	2920	Ccjoli32.exe	37
PID 2920 wrote to memory of 2168	2920	Ccjoli32.exe	37
PID 2168 wrote to memory of 2840	2168	Djdgic32.exe	38
PID 2168 wrote to memory of 2840	2168	Djdgic32.exe	38
PID 2168 wrote to memory of 2840	2168	Djdgic32.exe	38
PID 2168 wrote to memory of 2840	2168	Djdgic32.exe	38
PID 2840 wrote to memory of 2960	2840	Dpapaj32.exe	39
PID 2840 wrote to memory of 2960	2840	Dpapaj32.exe	39
PID 2840 wrote to memory of 2960	2840	Dpapaj32.exe	39
PID 2840 wrote to memory of 2960	2840	Dpapaj32.exe	39

C:\Users\Admin\AppData\Local\Temp\9f47ca05400ba4a7182513e56addbc5921f6ece0e9f7fef779a1bebfd3dbf91c.exe
"C:\Users\Admin\AppData\Local\Temp\9f47ca05400ba4a7182513e56addbc5921f6ece0e9f7fef779a1bebfd3dbf91c.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2396
- C:\Windows\SysWOW64\Cagienkb.exe
  C:\Windows\system32\Cagienkb.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2772
- - C:\Windows\SysWOW64\Cinafkkd.exe
    C:\Windows\system32\Cinafkkd.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2900
  - - C:\Windows\SysWOW64\Cjonncab.exe
      C:\Windows\system32\Cjonncab.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3008
    - - C:\Windows\SysWOW64\Cbffoabe.exe
        
        C:\Windows\system32\Cbffoabe.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2580
      - C:\Windows\SysWOW64\Cgcnghpl.exe
        
        C:\Windows\system32\Cgcnghpl.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2620
        
        C:\Windows\SysWOW64\Ccjoli32.exe
        
        C:\Windows\system32\Ccjoli32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2920
        
        C:\Windows\SysWOW64\Djdgic32.exe
        
        C:\Windows\system32\Djdgic32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2168
        
        C:\Windows\SysWOW64\Dpapaj32.exe
        
        C:\Windows\system32\Dpapaj32.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2840
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2840 -s 140
        10⤵
        Loads dropped DLL
        Program crash
        
        PID:2960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Cagienkb.exe

Filesize
63KB

MD5
420000a347f31f3d2fb37c1ede746f1b

SHA1
f2eddd9144ed1dcd25654f8482b6eff2fcc5a040

SHA256
24ee48fcde4f6f8b90e944e5499aa77b1e41a8f6c920ddfa446ceeb3eaa618ea

SHA512
5c53f144c4488746aca4538f08d9c4663cbfe24f2a75e2cb85b51e87065c3cf8ad3cb8a3ae50fd1e1c1ca6846b67a230230fcfd4f294cef4df7ad951b8eef86d

Download Submit
C:\Windows\SysWOW64\Cgcnghpl.exe

Filesize
63KB

MD5
aaa694f4b7210d639d33e654852715f0

SHA1
f6da092f0b852986b408c05ccaa4e6b6d5f0603d

SHA256
cf4af6dd3d7d9f14209f3a2aca9bbbc1e9ac219b5cdd4d5d7e61747abb36dd41

SHA512
9182b268bc5e48849d614cac7a5af8dff6c19a2f7d8498d1b6dc2fb78d47da731a22985286092a121c25a37af56914b7301d8fd9d116ab0c3fa114d19a060b89

Download Submit
C:\Windows\SysWOW64\Cinafkkd.exe

Filesize
63KB

MD5
6ff5d2044ef787f27b7847e772090330

SHA1
5d6547e04edd0abc914cb64cce1ec2ef25ab91aa

SHA256
e24ad73552ed729226faf11164eb01d973ec48322430f92fdd287b71ef6b51ef

SHA512
f4eb48c4bcc70fdac5e8d809aaa0f3ba92e94aafefb529eaf25a12c7e67914b25bdb9b05b0d4684bc162ed63482f82a400f071b5999833449ad040f98279f101

Download Submit
C:\Windows\SysWOW64\Cjonncab.exe

Filesize
63KB

MD5
fa2b536c91ab71cfba54340420f4e4cf

SHA1
308644c6d58181327991447e1ecb3cb657f2cc56

SHA256
2e4623fba43e713d5ccc8fc343014bdc4c18089c0ab25e7a4869ab48712ead47

SHA512
c48ccf26defa06b4c8f4b718c96fabf6cb08a357b97cdcaef29804d073df01f03de82341ec5a41541bc589557106231dbc9475785a4524cfe2afc774881b7955

Download Submit
\Windows\SysWOW64\Cbffoabe.exe

Filesize
63KB

MD5
7c0f65d1af73a7924d006b0125ba928a

SHA1
3702c030197964394136246e3650f89e1b566484

SHA256
a034227f7758fa6e20437dd3e5426e40dc630ed3856d897ba4c60475789e6023

SHA512
f24d816fb2bd9a823a0dd98deb3941b8fd4dcf335bbf0216a505297a46bb65f859abeaba3518c7b50c8486ae46c54309167b9f53e73d1b14fb01373f1da951ac

Download Submit
\Windows\SysWOW64\Ccjoli32.exe

Filesize
63KB

MD5
44a965567ac7e04bccd0ccdef8d28000

SHA1
3dec6bb43191e0d712d560dcf3d7415b07a79259

SHA256
ddd71274436c63b92589e51557563c72998b4c15c76ce7bb6ed8b6a40744e241

SHA512
2494593225b8f8cb96de8743c2996e0efe64039171eae7b84b8a2d7f7261a8e43884a29be040af456f1e935b0ebd3cb0a46fb44c23ed4c1e30a043c393223f50

Download Submit
\Windows\SysWOW64\Djdgic32.exe

Filesize
63KB

MD5
da9dc63d8098ac6b645a5b80da533acc

SHA1
a2a6294924091afa823cf16d0232bb92bc196a65

SHA256
bc2f5f6307043d0f5a174ce152d259364826372d787edc8ea4644543858fd4d8

SHA512
effe34e1d0139f56d2804f822b35ecaed4f1f85af408305af21cded8396afde3ad6aac26641bb0abb2d57f7493a27bc72e7a320ae93efdb4cf8421fa4d83e3c6

Download Submit
\Windows\SysWOW64\Dpapaj32.exe

Filesize
63KB

MD5
1bf7f270c31a0a116e9b5be6d4dce42a

SHA1
6e4cfab9f08bcbf7dd6768ef2f984f4bcaf6a83a

SHA256
885196b44ae2294082226e25d0e317798c9ee4fe73eed9373db9c6f548009516

SHA512
4a317e177974bb68ed2d491adeebd8a8af6d38ce19cc7723bdbdaac274498c8b1da67c615530c75ac060f415c1fe17d7223414109761bc871e2a356e1c6048b1

Download Submit
memory/2168-122-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2168-107-0x0000000001F60000-0x0000000001F95000-memory.dmp

Filesize
212KB

Download
memory/2168-95-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2396-12-0x0000000001F30000-0x0000000001F65000-memory.dmp

Filesize
212KB

Download
memory/2396-129-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2396-13-0x0000000001F30000-0x0000000001F65000-memory.dmp

Filesize
212KB

Download
memory/2396-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2580-65-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2620-79-0x0000000000260000-0x0000000000295000-memory.dmp

Filesize
212KB

Download
memory/2620-120-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2620-67-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2772-14-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2772-126-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2840-132-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2840-112-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2900-27-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2900-36-0x0000000000270000-0x00000000002A5000-memory.dmp

Filesize
212KB

Download
memory/2900-125-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2920-81-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2920-94-0x00000000002F0000-0x0000000000325000-memory.dmp

Filesize
212KB

Download
memory/2920-119-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3008-130-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3008-58-0x0000000000270000-0x00000000002A5000-memory.dmp

Filesize
212KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads