Analysis
max time kernel: 119s
max time network: 120s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 23-12-2024 02:05

The signatures, process tree and dropped files below are from behavioral1 (the Windows 7 x64 run). The Wow6432Node registry paths and the C:\Windows\SysWOW64 file paths throughout the report show the sample is a 32-bit executable running under WOW64 on the 64-bit image.

Behavioral task: behavioral1
Sample: ae4e69a727be703ed8d3e33543fd5d2ccbf02263c03630b7f8faf872fbd10b4a.exe
Resource: win7-20240708-en

Behavioral task: behavioral2
Sample: ae4e69a727be703ed8d3e33543fd5d2ccbf02263c03630b7f8faf872fbd10b4a.exe
Resource: win10v2004-20241007-en
General
Target: ae4e69a727be703ed8d3e33543fd5d2ccbf02263c03630b7f8faf872fbd10b4a.exe
Size: 378KB
MD5: af449da1fd859367d533751e43697f79
SHA1: bfed3280a91d02e7bbf8ad92d354524a55f87db1
SHA256: ae4e69a727be703ed8d3e33543fd5d2ccbf02263c03630b7f8faf872fbd10b4a
SHA512: 1d035161875f08f260b439b192738d421e61e85b54adfbf0e026ab91a58aa82aca7f1b7001cb4688ef1f687c94690be98bdb6595a2309f69c5f394560815f72a
SSDEEP: 6144:Lee/3QDPTCcEfeYr75lHzpaF2e6UK+42GTQMJSZO5f7M0rx7/hP66qve6UK+42Gp:6b+feYr75lTefkY660fIaDZkY660f2lO
Malware Config
Extracted family: berbew
C2 URL templates (as extracted; the host component is recorded as "f" in the extracted config, so only the paths are usable as indicators):
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
The third URL is a printf-style template that the sample fills in at runtime, so a literal string match on it will not hit real traffic.
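Because the piplog.php URL is a format template rather than a fixed string, a detection has to match the shape of the filled-in query. The following is an added example, not part of the report or of the sample's own code: it converts each extracted template into an anchored regular expression and runs it over constructed proxy-log lines. The host component is ignored (the config only records "f"); the log line format, the client addresses and the field values in the sample traffic are assumptions made for the example.

```python
import re

# URL templates from the extracted config above; only the path part is used,
# because the host component is recorded as "f" in the report.
BERBEW_TEMPLATES = [
    "/wcmd.htm",
    "/ppslog.php",
    "/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d",
]

# printf-style conversion: optional zero flag, optional width, conversion letter
_SPEC = re.compile(r"%(0?)(\d*)([sdiu])")


def template_to_regex(template: str) -> str:
    """Turn a printf-style URL template into an anchored regular expression.

    %s    -> one or more non-separator characters (fields are ':'-separated here)
    %d/%i -> an optionally signed integer, %u -> an unsigned integer;
    a zero-padded width such as %09u means "at least that many digits".
    """
    parts, pos = [], 0
    for m in _SPEC.finditer(template):
        parts.append(re.escape(template[pos:m.start()]))
        zero, width, conv = m.groups()
        if conv == "s":
            parts.append(r"[^:&\s]+")
        else:
            min_digits = width if (zero and width) else "1"
            sign = "" if conv == "u" else "-?"
            parts.append(rf"{sign}\d{{{min_digits},}}")
        pos = m.end()
    parts.append(re.escape(template[pos:]))
    return "^" + "".join(parts) + "$"


BERBEW_PATTERNS = [re.compile(template_to_regex(t)) for t in BERBEW_TEMPLATES]


def matches_berbew_beacon(path: str) -> bool:
    """True if an HTTP request path matches one of the extracted templates."""
    return any(p.match(path) for p in BERBEW_PATTERNS)


def scan_proxy_log(lines):
    """Return (client, path) for every log line whose path hits a template.

    Assumed log format (not the report's): "<client-ip> <method> <path>".
    """
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 3:
            continue
        client, method, path = fields[0], fields[1], fields[2]
        if method == "GET" and matches_berbew_beacon(path):
            hits.append((client, path))
    return hits


# Constructed sample traffic (not from the report). The second line fills the
# template with made-up values of the right shape: a host name, two integers,
# a string, a 9-digit zero-padded counter, an integer and hh:mm:ss.
SAMPLE_LOG = [
    "10.0.0.5 GET /wcmd.htm",
    "10.0.0.5 GET /piplog.php?WIN7-PC:1:0:Admin:000001234:5:12:34:56",
    "10.0.0.7 GET /index.html",
    "10.0.0.8 GET /piplog.php?broken:x:0",
]

if __name__ == "__main__":
    for client, path in scan_proxy_log(SAMPLE_LOG):
        print(client, path)
```

The width handling matters: `%09u` pads to at least nine digits, so the regex requires nine or more, and a request such as the last sample line, which has the right path but the wrong field shape, is not reported. In production the path patterns should be combined with the host or destination seen in the actual traffic, since short paths like /wcmd.htm alone will produce false positives.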
Signatures

Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 24 IoCs)
When Explorer.exe starts on this Windows 7 target it instantiates every CLSID listed as a value under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad, loading the in-process server DLL registered for that CLSID (the InProcServer32 registrations are listed under "Modifies registry class" below). Every one of the 12 stages creates the key and writes the same value, "Web Event Logger" = {79FAA099-1BAE-816E-D711-115290CEE717}. Caveat: the sample is 32-bit, so its HKLM\SOFTWARE writes were redirected into the Wow6432Node view; the 64-bit Explorer on this x64 image reads the native view, so the writes are a reliable indicator of the persistence attempt but do not by themselves show that the DLL is loaded on a 64-bit host. Check the native key, or a 32-bit host, before treating the mechanism as inert or active.

description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | ae4e69a727be703ed8d3e33543fd5d2ccbf02263c03630b7f8faf872fbd10b4a.exe, Kgcnahoo.exe, Lmmfnb32.exe, Ldgnklmi.exe, Lgfjggll.exe, Lmpcca32.exe, Loaokjjg.exe, Lekghdad.exe, Llepen32.exe, Laahme32.exe, Lhlqjone.exe, Lofifi32.exe (12 IoCs)
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | the same 12 processes (12 IoCs)

Berbew family
Executes dropped EXE (12 IoCs)
pid | Process
2692 | Kgcnahoo.exe
2968 | Lmmfnb32.exe
2752 | Ldgnklmi.exe
2660 | Lgfjggll.exe
2620 | Lmpcca32.exe
1304 | Loaokjjg.exe
2984 | Lekghdad.exe
1932 | Llepen32.exe
2816 | Laahme32.exe
2892 | Lhlqjone.exe
1964 | Lofifi32.exe
560 | Lepaccmo.exe

Loads dropped DLL (28 IoCs)
pid | Process | times reported
1620 | ae4e69a727be703ed8d3e33543fd5d2ccbf02263c03630b7f8faf872fbd10b4a.exe | 2
2692 | Kgcnahoo.exe | 2
2968 | Lmmfnb32.exe | 2
2752 | Ldgnklmi.exe | 2
2660 | Lgfjggll.exe | 2
2620 | Lmpcca32.exe | 2
1304 | Loaokjjg.exe | 2
2984 | Lekghdad.exe | 2
1932 | Llepen32.exe | 2
2816 | Laahme32.exe | 2
2892 | Lhlqjone.exe | 2
1964 | Lofifi32.exe | 2
532 | WerFault.exe | 4
Drops file in System32 directory (36 IoCs)
Each stage writes the next stage's executable into C:\Windows\SysWOW64 (reported as "File created" and then "File opened for modification") and one DLL (reported as "File created"):

Process | next-stage EXE (File created, File opened for modification) | DLL (File created)
ae4e69a727be703ed8d3e33543fd5d2ccbf02263c03630b7f8faf872fbd10b4a.exe | C:\Windows\SysWOW64\Kgcnahoo.exe | C:\Windows\SysWOW64\Pgodelnq.dll
Kgcnahoo.exe | C:\Windows\SysWOW64\Lmmfnb32.exe | C:\Windows\SysWOW64\Pigckoki.dll
Lmmfnb32.exe | C:\Windows\SysWOW64\Ldgnklmi.exe | C:\Windows\SysWOW64\Cbamip32.dll
Ldgnklmi.exe | C:\Windows\SysWOW64\Lgfjggll.exe | C:\Windows\SysWOW64\Hfopbgif.dll
Lgfjggll.exe | C:\Windows\SysWOW64\Lmpcca32.exe | C:\Windows\SysWOW64\Agpdah32.dll
Lmpcca32.exe | C:\Windows\SysWOW64\Loaokjjg.exe | C:\Windows\SysWOW64\Jingpl32.dll
Loaokjjg.exe | C:\Windows\SysWOW64\Lekghdad.exe | C:\Windows\SysWOW64\Qaamhelq.dll
Lekghdad.exe | C:\Windows\SysWOW64\Llepen32.exe | C:\Windows\SysWOW64\Mcbniafn.dll
Llepen32.exe | C:\Windows\SysWOW64\Laahme32.exe | C:\Windows\SysWOW64\Ppdbln32.dll
Laahme32.exe | C:\Windows\SysWOW64\Lhlqjone.exe | C:\Windows\SysWOW64\Onkckhkp.dll
Lhlqjone.exe | C:\Windows\SysWOW64\Lofifi32.exe | C:\Windows\SysWOW64\Oopqjabc.dll
Lofifi32.exe | C:\Windows\SysWOW64\Lepaccmo.exe | C:\Windows\SysWOW64\Oldhgaef.dll
Program crash (1 IoC)
pid | pid_target | Process | procid_target
532 | 560 | WerFault.exe | 41
Lepaccmo.exe (PID 560, the 13th stage) crashed and was handled by WerFault.exe. It is the only dropped stage that neither registers the CLSID nor drops a successor, so the chain ends there in this run.
System Location Discovery: System Language Discovery (1 TTP, 13 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ae4e69a727be703ed8d3e33543fd5d2ccbf02263c03630b7f8faf872fbd10b4a.exe, Kgcnahoo.exe, Lmmfnb32.exe, Ldgnklmi.exe, Lgfjggll.exe, Lmpcca32.exe, Loaokjjg.exe, Lekghdad.exe, Llepen32.exe, Laahme32.exe, Lhlqjone.exe, Lofifi32.exe, Lepaccmo.exe (13 IoCs)
Modifies registry class (39 IoCs)
This is the other half of the ShellServiceObjectDelayLoad persistence: the sample registers a COM in-process server, under the Wow6432Node view of HKLM\SOFTWARE\Classes, for the CLSID that the "Web Event Logger" value names. Every stage writes the same CLSID's InProcServer32 default value and points it at the DLL that stage itself dropped, so whichever write lands last decides which DLL the shell service object resolves to. By chain order that is Lofifi32.exe's Oldhgaef.dll (Lepaccmo.exe crashed before registering anything), but read the key rather than assume it.

description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node | ae4e69a727be703ed8d3e33543fd5d2ccbf02263c03630b7f8faf872fbd10b4a.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID | ae4e69a727be703ed8d3e33543fd5d2ccbf02263c03630b7f8faf872fbd10b4a.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717} | ae4e69a727be703ed8d3e33543fd5d2ccbf02263c03630b7f8faf872fbd10b4a.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | ae4e69a727be703ed8d3e33543fd5d2ccbf02263c03630b7f8faf872fbd10b4a.exe, Kgcnahoo.exe, Lmmfnb32.exe, Ldgnklmi.exe, Lgfjggll.exe, Lmpcca32.exe, Loaokjjg.exe, Lekghdad.exe, Llepen32.exe, Laahme32.exe, Lhlqjone.exe, Lofifi32.exe (12 IoCs)
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | the same 12 processes (12 IoCs)
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ (default value) | one write per process, listed below (12 IoCs)

InProcServer32 default value per writer (the raw report escapes each backslash in the string value as \\):
Process | InProcServer32 default value
ae4e69a727be703ed8d3e33543fd5d2ccbf02263c03630b7f8faf872fbd10b4a.exe | C:\Windows\SysWow64\Pgodelnq.dll
Kgcnahoo.exe | C:\Windows\SysWow64\Pigckoki.dll
Lmmfnb32.exe | C:\Windows\SysWow64\Cbamip32.dll
Ldgnklmi.exe | C:\Windows\SysWow64\Hfopbgif.dll
Lgfjggll.exe | C:\Windows\SysWow64\Agpdah32.dll
Lmpcca32.exe | C:\Windows\SysWow64\Jingpl32.dll
Loaokjjg.exe | C:\Windows\SysWow64\Qaamhelq.dll
Lekghdad.exe | C:\Windows\SysWow64\Mcbniafn.dll
Llepen32.exe | C:\Windows\SysWow64\Ppdbln32.dll
Laahme32.exe | C:\Windows\SysWow64\Onkckhkp.dll
Lhlqjone.exe | C:\Windows\SysWow64\Oopqjabc.dll
Lofifi32.exe | C:\Windows\SysWow64\Oldhgaef.dll
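The "Adds autorun key", "Drops file in System32 directory" and "Modifies registry class" signatures above describe one mechanism split across three tables. The following is an added example, not part of the report: it parses report-style event lines, joins the ShellServiceObjectDelayLoad entry to the CLSID's InProcServer32 registrations, keeps every writer in order, reports which DLL the entry currently resolves to, and checks that each registered DLL was actually dropped by the process that registered it. The event lines are a constructed subset of the tables above (four of the 12 stages, ordered by the process chain); the line format, the assumption that event order reflects write order, and the case-insensitive path comparison are choices made for the example.

```python
import re

# Report-style event lines, constructed from the signature tables above: a subset
# of the 12 stages, ordered by the process chain (oldest writer first). The report
# escapes each backslash inside a quoted string value as "\\"; key paths are not
# escaped. Process names are the ones the report uses.
SAMPLE_EVENTS = [
    r'Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad ae4e69a727be703ed8d3e33543fd5d2ccbf02263c03630b7f8faf872fbd10b4a.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" ae4e69a727be703ed8d3e33543fd5d2ccbf02263c03630b7f8faf872fbd10b4a.exe',
    r'File created C:\Windows\SysWOW64\Pgodelnq.dll ae4e69a727be703ed8d3e33543fd5d2ccbf02263c03630b7f8faf872fbd10b4a.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pgodelnq.dll" ae4e69a727be703ed8d3e33543fd5d2ccbf02263c03630b7f8faf872fbd10b4a.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" ae4e69a727be703ed8d3e33543fd5d2ccbf02263c03630b7f8faf872fbd10b4a.exe',
    r'File created C:\Windows\SysWOW64\Pigckoki.dll Kgcnahoo.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pigckoki.dll" Kgcnahoo.exe',
    r'File created C:\Windows\SysWOW64\Cbamip32.dll Lmmfnb32.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbamip32.dll" Lmmfnb32.exe',
    r'File created C:\Windows\SysWOW64\Oldhgaef.dll Lofifi32.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oldhgaef.dll" Lofifi32.exe',
]

# "<op> <key path>[ = "<value>"] <process>"; key paths may contain spaces, so the
# path is matched lazily and the process name (no spaces, ends in .exe) anchors the end.
REG_RE = re.compile(r'^(Key created|Set value \(str\)) (.+?)(?: = "(.*)")? (\S+\.exe)$')
FILE_RE = re.compile(r'^(File created|File opened for modification) (.+?) (\S+\.exe)$')
# A write to the CLSID's InProcServer32 default value (key path ends in a backslash).
INPROC_RE = re.compile(r'\\CLSID\\(\{[0-9A-Fa-f-]+\})\\InProcServer32\\$')
SSODL_TAIL = "\\ShellServiceObjectDelayLoad"


def correlate(lines):
    """Join SSODL entries to the CLSID in-process server each stage registered."""
    ssodl = {}       # SSODL value name -> CLSID it names
    servers = {}     # CLSID -> [(writer process, DLL path)] in event order
    dropped = set()  # (process, lower-cased path) for every file it created
    for line in lines:
        f = FILE_RE.match(line)
        if f:
            op, path, proc = f.groups()
            if op == "File created":
                dropped.add((proc, path.lower()))
            continue
        r = REG_RE.match(line)
        if not r:
            continue
        op, key, value, proc = r.groups()
        if op != "Set value (str)" or value is None:
            continue
        value = value.replace("\\\\", "\\")  # undo the report's escaping
        parent, _, name = key.rpartition("\\")
        if parent.endswith(SSODL_TAIL):
            ssodl[name] = value.upper()
        c = INPROC_RE.search(key)
        if c:
            servers.setdefault(c.group(1).upper(), []).append((proc, value))
    result = {}
    for name, clsid in ssodl.items():
        history = servers.get(clsid, [])
        result[name] = {
            "clsid": clsid,
            # (writer, DLL, True if that writer also dropped the DLL it registered);
            # the registry value says SysWow64, the file event says SysWOW64, hence lower()
            "writers": [(p, d, (p, d.lower()) in dropped) for p, d in history],
            "effective_dll": history[-1][1] if history else None,
        }
    return result


def explorer_will_load(result):
    """DLL paths the shell would map for the SSODL entries found; last writer wins."""
    return [v["effective_dll"] for v in result.values() if v["effective_dll"]]


if __name__ == "__main__":
    for name, info in correlate(SAMPLE_EVENTS).items():
        print(name, info["clsid"], "->", info["effective_dll"])
        for proc, dll, dropped_by_writer in info["writers"]:
            print("  ", proc, dll, "dropped by writer" if dropped_by_writer else "NOT dropped by writer")
```

On a live host the same join is two registry reads: the SSODL value gives the CLSID, and HKCR\CLSID\{...}\InProcServer32 (in the native and the Wow6432Node views) gives the DLL, which should then be hashed against the Downloads list at the end of this report.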
Suspicious use of WriteProcessMemory (52 IoCs)
Each parent-to-child write is reported four times; the 13 distinct edges are:
pid | Process | wrote to memory of (pid) | procid_target
1620 | ae4e69a727be703ed8d3e33543fd5d2ccbf02263c03630b7f8faf872fbd10b4a.exe | 2692 | 30
2692 | Kgcnahoo.exe | 2968 | 31
2968 | Lmmfnb32.exe | 2752 | 32
2752 | Ldgnklmi.exe | 2660 | 33
2660 | Lgfjggll.exe | 2620 | 34
2620 | Lmpcca32.exe | 1304 | 35
1304 | Loaokjjg.exe | 2984 | 36
2984 | Lekghdad.exe | 1932 | 37
1932 | Llepen32.exe | 2816 | 38
2816 | Laahme32.exe | 2892 | 39
2892 | Lhlqjone.exe | 1964 | 40
1964 | Lofifi32.exe | 560 | 41
560 | Lepaccmo.exe | 532 | 42
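The WriteProcessMemory table is the only place in the report that records who spawned whom, and it does so with each edge repeated four times and with the writer's image name only. The following is an added example, not part of the report: it parses lines in the report's own format, de-duplicates them, and rebuilds the process tree in pre-order with depths that can be checked against the Processes section. The 13 edge lines are taken from the table above and the four-fold repetition is reproduced so de-duplication is exercised; the image name of the final target (WerFault.exe, PID 532) is supplied from the "Program crash" signature because it never appears as a writer.

```python
import re
from collections import defaultdict

# One line per reported IoC, in the report's own format:
#   "PID <writer> wrote to memory of <target> <writer> <writer image> <procid_target>"
# The 13 edges come from the table above; the report lists each four times, which
# the comprehension reproduces so that de-duplication is exercised.
_EDGES = [
    "PID 1620 wrote to memory of 2692 1620 ae4e69a727be703ed8d3e33543fd5d2ccbf02263c03630b7f8faf872fbd10b4a.exe 30",
    "PID 2692 wrote to memory of 2968 2692 Kgcnahoo.exe 31",
    "PID 2968 wrote to memory of 2752 2968 Lmmfnb32.exe 32",
    "PID 2752 wrote to memory of 2660 2752 Ldgnklmi.exe 33",
    "PID 2660 wrote to memory of 2620 2660 Lgfjggll.exe 34",
    "PID 2620 wrote to memory of 1304 2620 Lmpcca32.exe 35",
    "PID 1304 wrote to memory of 2984 1304 Loaokjjg.exe 36",
    "PID 2984 wrote to memory of 1932 2984 Lekghdad.exe 37",
    "PID 1932 wrote to memory of 2816 1932 Llepen32.exe 38",
    "PID 2816 wrote to memory of 2892 2816 Laahme32.exe 39",
    "PID 2892 wrote to memory of 1964 2892 Lhlqjone.exe 40",
    "PID 1964 wrote to memory of 560 1964 Lofifi32.exe 41",
    "PID 560 wrote to memory of 532 560 Lepaccmo.exe 42",
]
SAMPLE_WPM = [line for line in _EDGES for _ in range(4)]

WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\d+)$")


def parse_wpm(lines):
    """Map (writer_pid, target_pid) -> (writer_image, procid_target), de-duplicated."""
    edges = {}
    for line in lines:
        m = WPM_RE.match(line.strip())
        if m:
            writer, target, image, procid = m.groups()
            edges[(int(writer), int(target))] = (image, int(procid))
    return edges


def build_tree(edges, extra_images=None):
    """Pre-order list of (pid, image, depth), rooted at every pid that is never a target.

    A process's image is only known from lines in which it is the writer, so a leaf
    such as WerFault.exe (PID 532) has to be supplied through extra_images, here
    taken from the "Program crash" signature.
    """
    images = dict(extra_images or {})
    children = defaultdict(list)
    for (writer, target), (image, _) in edges.items():
        images[writer] = image
        children[writer].append(target)
    targets = {t for _, t in edges}
    roots = sorted(w for w in children if w not in targets)
    tree = []

    def walk(pid, depth):
        tree.append((pid, images.get(pid, "<unknown>"), depth))
        # siblings in creation order, using the sandbox's procid_target as the clock
        for child in sorted(children[pid], key=lambda c: edges[(pid, c)][1]):
            walk(child, depth + 1)

    for root in roots:
        walk(root, 0)
    return tree


def render(tree):
    """Indented text view, one line per process."""
    return "\n".join(f"{'  ' * depth}{pid} {image}" for pid, image, depth in tree)


if __name__ == "__main__":
    print(render(build_tree(parse_wpm(SAMPLE_WPM), {532: "WerFault.exe"})))
```

The rebuilt tree is a single chain 14 deep, which matches the depth numbers in the Processes section below; a branch in the output would mean a stage spawned more than one child, something this linear table cannot show at a glance.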
Processes
The tree is a single chain: each process spawns exactly one child. The command lines for depths 2 to 13 say C:\Windows\system32\ while the image path is C:\Windows\SysWOW64\ because file-system redirection maps system32 to SysWOW64 for this 32-bit process.

depth 1: C:\Users\Admin\AppData\Local\Temp\ae4e69a727be703ed8d3e33543fd5d2ccbf02263c03630b7f8faf872fbd10b4a.exe, command line "C:\Users\Admin\AppData\Local\Temp\ae4e69a727be703ed8d3e33543fd5d2ccbf02263c03630b7f8faf872fbd10b4a.exe", PID 1620
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory

depth 2: C:\Windows\SysWOW64\Kgcnahoo.exe, command line C:\Windows\system32\Kgcnahoo.exe, PID 2692
depth 3: C:\Windows\SysWOW64\Lmmfnb32.exe, command line C:\Windows\system32\Lmmfnb32.exe, PID 2968
depth 4: C:\Windows\SysWOW64\Ldgnklmi.exe, command line C:\Windows\system32\Ldgnklmi.exe, PID 2752
depth 5: C:\Windows\SysWOW64\Lgfjggll.exe, command line C:\Windows\system32\Lgfjggll.exe, PID 2660
depth 6: C:\Windows\SysWOW64\Lmpcca32.exe, command line C:\Windows\system32\Lmpcca32.exe, PID 2620
depth 7: C:\Windows\SysWOW64\Loaokjjg.exe, command line C:\Windows\system32\Loaokjjg.exe, PID 1304
depth 8: C:\Windows\SysWOW64\Lekghdad.exe, command line C:\Windows\system32\Lekghdad.exe, PID 2984
depth 9: C:\Windows\SysWOW64\Llepen32.exe, command line C:\Windows\system32\Llepen32.exe, PID 1932
depth 10: C:\Windows\SysWOW64\Laahme32.exe, command line C:\Windows\system32\Laahme32.exe, PID 2816
depth 11: C:\Windows\SysWOW64\Lhlqjone.exe, command line C:\Windows\system32\Lhlqjone.exe, PID 2892
depth 12: C:\Windows\SysWOW64\Lofifi32.exe, command line C:\Windows\system32\Lofifi32.exe, PID 1964
Each of depths 2 to 12 triggers the same signatures:
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory

depth 13: C:\Windows\SysWOW64\Lepaccmo.exe, command line C:\Windows\system32\Lepaccmo.exe, PID 560
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory

depth 14: C:\Windows\SysWOW64\WerFault.exe, command line C:\Windows\SysWOW64\WerFault.exe -u -p 560 -s 1400, PID 532
- Loads dropped DLL
- Program crash
Network
MITRE ATT&CK Enterprise v15
Downloads
Thirteen dropped files are listed: one 7KB file and twelve 378KB files. The twelve are the same size as the submitted sample but each has a distinct hash and none matches the sample's, consistent with the twelve re-written stage executables in the System32 drop table above; this section does not record file names.

Filesize: 7KB
MD5: dde79d8d5b2d53ca9f99aff225d05891
SHA1: bc7880ed97b49c18c737af8aa1cc6e6d6a2f5c61
SHA256: f6ffa8e8d1d4b6147e7e2f5a987565e30eb3be7083457a36614ebddb2af2c183
SHA512: 8182bfcf639f63d705fe8ddc2cf0c0cb61b73201bd730f34ff2f6458ac94fcc48cbc891c4d83daed9aa608e9a86af278d39aaeed6c8fa07927c92389b96498e5

Filesize: 378KB
MD5: a6ea4a5bc17b1d50981b4c26349fea48
SHA1: d40894306660b65b4441f763617c8553f9e3b32a
SHA256: 3e2275d12b47ae776bbe628af450ce1847ca0784cae72f5c5b90a354dc6c53e4
SHA512: 1acfdeaf8abb3ea8a7aca0cb5f03a50b25f6a6213574765ef422eab3bb7ffba4243a9ac4b1ef20bbcf1b5377bc698458e6baf6405bf74ab409c205e7556f2159

Filesize: 378KB
MD5: 0f14430b0c2cb5e958c698dc5920f6bf
SHA1: 9053ccdd4586d160e090b08db6f2ff7e9e5e8a1d
SHA256: 1374ebe9062628242e5d9e121ffc1fdb9ece1d2ff6a0d30622c3a3043f9345c6
SHA512: b8b49228e5164db6ec40a5389275a28303ea88b88d53257dae086bc1f4dc1c17ef9a268c007ea49d9178b6481e804339ec877ad1061733a5f46d1128250c56d4

Filesize: 378KB
MD5: 2e2370a9263f4f23011a488d6d48bdf3
SHA1: ff6a83a6642533de253cef2912dd90e48d02fe8f
SHA256: 78e1151ee9fd578b88439b805bef4e5affbe5ad43d45065403ab57c8a906aafa
SHA512: 1c14cb10847e260834ca5998a79a1dda27af4fc2f42c74984f67763a40377e02bae00cabf3cca913c404c469ebb69ebf394a1cbe42fa25e80648f3a8cc62844b

Filesize: 378KB
MD5: 4b9ac8190bfdec6ff2868af11f3c3312
SHA1: e0d71b1bc6a1404a29b6bb5c49350eb8a99d9c75
SHA256: f4beed2d71919f187c9742001802a921c46f149240364f2a9be31d31b9830a4f
SHA512: 54b7944d40edcba1f46b63cd7419dcf66759107d299dcdc6639f8736b61581903f9f862aefa45f3a942b4e9b935772e244a53fb6e1bcf021e792662bd6355b02

Filesize: 378KB
MD5: 781eb8297372a35a33b27540a9dd6bfb
SHA1: c813cd06d5c4b2a243b2f2e5e2ccb026a6cb4572
SHA256: 53c5923368e213aabeb421d7188621232f6b54cc9647f938c230dd3ea4bab8cf
SHA512: 18b338ddd6100ae27e4f79feaf96dd4a399297303ace46f75366ec06871b0886d0e76124d73157e445e45516b0f5bf55330d08ff7df92fa41d19de5bcf21ace2

Filesize: 378KB
MD5: 91cdae9859a091b8dd37c4880735a1a8
SHA1: a52a0c84f4880cea6fc2bac2a820f9e1e22f436c
SHA256: 91b9e2c565001d1c1133a801ddbe83266b74fe9def9eaa4227f8963464d03b62
SHA512: 6fb7295c60f5b1810c90ce6dc6dfb3c2e1f0bf1bf8bbee5876d2a5141e8cac382aa1dc97abe18c4d36a4c4d8bb829b073209459b3c972ea3aa83291602a2738b

Filesize: 378KB
MD5: 6a03ed289e9f499de6733fa1ff3abc14
SHA1: 838a28c228d6db91b43510cbc691d3c69e2dfe09
SHA256: ecc0222ab41e375ac65c567874aeb503d7ee1f20607a1e7aeb45efb86d81da61
SHA512: a9fa624e97fa1eabf39bcd3957cf84e9478a481654f3a7fedd1faa094f901848f87808713188a6b6e90975d758739b775a9e652d98193701956bc6e2ef7f6b97

Filesize: 378KB
MD5: a347effda40f8f1d04b9098efea8ba60
SHA1: 7fa123acc0ab5ae0ba19b054bf048f1a5f746b74
SHA256: e923a2ea19b1451ea6bd523fdc41d23d631e7b011c9fb164b434e6653cbb5d6b
SHA512: f8cbaeca262fa883e0d29f71ea3ff1df0131c9cb9d5c7b8506ce4bb397a831b9d51db5d0b444df0429d247571d4ba33590066dd533321223bc8435d2e5c5a740

Filesize: 378KB
MD5: 94723bcd6abf00233054ec1e4cae2ce0
SHA1: 92f8edb6acb1874d3e8e5141f518c697f2a5e97e
SHA256: 80ae4ab5ee20fc4ec7b06102ee05cf64746aa93e66b96dd3000f6b5fa6ca7b82
SHA512: f1d9b112bd99589e763e3cc9ce5e5977e2633f2b8994fa553bfaf1d134599533a4324a81aba60b3c1b4e441c00d49d247eba72d8a09037d52d88c9260904840b

Filesize: 378KB
MD5: c136200986e91f5dc270614d93e30dc8
SHA1: e0eb2f86a469284c7afd4253bbd57c06c3565f3c
SHA256: 03c3d8852f563c03d6fe2db1fab9697a163b08b1c01e8b1c5712a6599fcee0f4
SHA512: 6827dc1a9256e3f0a2565350c504631de19fbaa1a0d09dd18aba5fb461cf10d2280a6d88e149dd409fb39a43f0963d3090be8c29a7d5a3f2767ce854fdcc4a23

Filesize: 378KB
MD5: 75fa6e601e3ebd923aac3e286577f201
SHA1: 695e5e42d0c2a2931408cf8e2aed2f06814e524c
SHA256: d50968e753624e3dec4a47566f62c0df322079689790df7360ce3150eda80396
SHA512: 09a72f2af0284d1d48285b90cbeb5c4980147af52d109272114412c4fb11827e44eaab1c98ffb5a0c224aba47c8839be76c785177e688b3db3c6bdf09efad1f4

Filesize: 378KB
MD5: bd1becde2faf8908ac11fd4478f77a57
SHA1: 788af82a74cd210acbe3931a66b5fc9e49638057
SHA256: 90ee912ccb2de205a31961678dd7531a99b0d7f37ef4139f4d1c4f60f83f2cc6
SHA512: fcfe9293fb255418a1b88f26e4c27e5b5b2fc89bb0fe5b2dce8638d26e57dc8d2087d242a3f420d5f39711bce7a05183e5879da31c8e100b87d2562b532349e7