berbew | b6a0a7d2e54c15acbfc30d59d3ad1402ed67418afc1d8669595973503842c3a4

Analysis

max time kernel
118s
max time network
118s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
23-12-2024 02:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b6a0a7d2e54c15acbfc30d59d3ad1402ed67418afc1d8669595973503842c3a4.exe
Size

128KB
MD5

8b0a3338054b4ebb8aa308a48039b521
SHA1

7f9e38664c2212ae6748185bf771d1c531529434
SHA256

b6a0a7d2e54c15acbfc30d59d3ad1402ed67418afc1d8669595973503842c3a4
SHA512

7bff8358664de4d8722aa01d5984e0c6dab96a0cb7a65a7d3185027cf0665c251204046fb14deb113e8433c96edb7348843f1a2647e498763d5f2356b4f4487f
SSDEEP

1536:j4PBYU+9/cjVYumDNZvyA2QjILQ9FKGXllUDtM60TD4ruhiZlrQIFiglF9xZ95Q:jMl+Z4VMvy0KG7UDd0pCrQIFdFtLQ

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://tat-neftbank.ru/kkq.php

http://tat-neftbank.ru/wcmd.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 16 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laahme32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lhlqjone.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lidgcclp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lidgcclp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lghgmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Liipnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	b6a0a7d2e54c15acbfc30d59d3ad1402ed67418afc1d8669595973503842c3a4.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcmklh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liipnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmpcca32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lhlqjone.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lghgmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laahme32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	b6a0a7d2e54c15acbfc30d59d3ad1402ed67418afc1d8669595973503842c3a4.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmpcca32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcmklh32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 8 IoCs

pid	Process
2728	Lidgcclp.exe
2688	Lmpcca32.exe
2820	Lcmklh32.exe
2692	Lghgmg32.exe
2700	Laahme32.exe
2800	Liipnb32.exe
1044	Lhlqjone.exe
2120	Lepaccmo.exe

Loads dropped DLL 20 IoCs

pid	Process
2412	b6a0a7d2e54c15acbfc30d59d3ad1402ed67418afc1d8669595973503842c3a4.exe
2412	b6a0a7d2e54c15acbfc30d59d3ad1402ed67418afc1d8669595973503842c3a4.exe
2728	Lidgcclp.exe
2728	Lidgcclp.exe
2688	Lmpcca32.exe
2688	Lmpcca32.exe
2820	Lcmklh32.exe
2820	Lcmklh32.exe
2692	Lghgmg32.exe
2692	Lghgmg32.exe
2700	Laahme32.exe
2700	Laahme32.exe
2800	Liipnb32.exe
2800	Liipnb32.exe
1044	Lhlqjone.exe
1044	Lhlqjone.exe
1576	WerFault.exe
1576	WerFault.exe
1576	WerFault.exe
1576	WerFault.exe

Drops file in System32 directory 24 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ogegmkqk.dll	Lcmklh32.exe
File opened for modification	C:\Windows\SysWOW64\Laahme32.exe	Lghgmg32.exe
File opened for modification	C:\Windows\SysWOW64\Liipnb32.exe	Laahme32.exe
File created	C:\Windows\SysWOW64\Lepaccmo.exe	Lhlqjone.exe
File created	C:\Windows\SysWOW64\Oldhgaef.dll	Lhlqjone.exe
File created	C:\Windows\SysWOW64\Lidgcclp.exe	b6a0a7d2e54c15acbfc30d59d3ad1402ed67418afc1d8669595973503842c3a4.exe
File created	C:\Windows\SysWOW64\Lmpcca32.exe	Lidgcclp.exe
File created	C:\Windows\SysWOW64\Lcmklh32.exe	Lmpcca32.exe
File created	C:\Windows\SysWOW64\Ppdbln32.dll	Lghgmg32.exe
File opened for modification	C:\Windows\SysWOW64\Lhlqjone.exe	Liipnb32.exe
File opened for modification	C:\Windows\SysWOW64\Lepaccmo.exe	Lhlqjone.exe
File opened for modification	C:\Windows\SysWOW64\Lidgcclp.exe	b6a0a7d2e54c15acbfc30d59d3ad1402ed67418afc1d8669595973503842c3a4.exe
File created	C:\Windows\SysWOW64\Hnanlhmd.dll	Lmpcca32.exe
File created	C:\Windows\SysWOW64\Lghgmg32.exe	Lcmklh32.exe
File opened for modification	C:\Windows\SysWOW64\Lghgmg32.exe	Lcmklh32.exe
File created	C:\Windows\SysWOW64\Laahme32.exe	Lghgmg32.exe
File created	C:\Windows\SysWOW64\Lhlqjone.exe	Liipnb32.exe
File opened for modification	C:\Windows\SysWOW64\Lcmklh32.exe	Lmpcca32.exe
File created	C:\Windows\SysWOW64\Liipnb32.exe	Laahme32.exe
File created	C:\Windows\SysWOW64\Iaimld32.dll	Laahme32.exe
File created	C:\Windows\SysWOW64\Onkckhkp.dll	Liipnb32.exe
File created	C:\Windows\SysWOW64\Dneoankp.dll	b6a0a7d2e54c15acbfc30d59d3ad1402ed67418afc1d8669595973503842c3a4.exe
File opened for modification	C:\Windows\SysWOW64\Lmpcca32.exe	Lidgcclp.exe
File created	C:\Windows\SysWOW64\Agpdah32.dll	Lidgcclp.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1576	2120	WerFault.exe	37

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b6a0a7d2e54c15acbfc30d59d3ad1402ed67418afc1d8669595973503842c3a4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lidgcclp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lhlqjone.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lepaccmo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmpcca32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lcmklh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lghgmg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Laahme32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Liipnb32.exe

Modifies registry class 27 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agpdah32.dll"	Lidgcclp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iaimld32.dll"	Laahme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Liipnb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	b6a0a7d2e54c15acbfc30d59d3ad1402ed67418afc1d8669595973503842c3a4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lidgcclp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogegmkqk.dll"	Lcmklh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcmklh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lghgmg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	b6a0a7d2e54c15acbfc30d59d3ad1402ed67418afc1d8669595973503842c3a4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dneoankp.dll"	b6a0a7d2e54c15acbfc30d59d3ad1402ed67418afc1d8669595973503842c3a4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Laahme32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	b6a0a7d2e54c15acbfc30d59d3ad1402ed67418afc1d8669595973503842c3a4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnanlhmd.dll"	Lmpcca32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lmpcca32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcmklh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Liipnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lhlqjone.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lidgcclp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lmpcca32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppdbln32.dll"	Lghgmg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	b6a0a7d2e54c15acbfc30d59d3ad1402ed67418afc1d8669595973503842c3a4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	b6a0a7d2e54c15acbfc30d59d3ad1402ed67418afc1d8669595973503842c3a4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oldhgaef.dll"	Lhlqjone.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lghgmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Laahme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onkckhkp.dll"	Liipnb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lhlqjone.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2412 wrote to memory of 2728	2412	b6a0a7d2e54c15acbfc30d59d3ad1402ed67418afc1d8669595973503842c3a4.exe	30
PID 2412 wrote to memory of 2728	2412	b6a0a7d2e54c15acbfc30d59d3ad1402ed67418afc1d8669595973503842c3a4.exe	30
PID 2412 wrote to memory of 2728	2412	b6a0a7d2e54c15acbfc30d59d3ad1402ed67418afc1d8669595973503842c3a4.exe	30
PID 2412 wrote to memory of 2728	2412	b6a0a7d2e54c15acbfc30d59d3ad1402ed67418afc1d8669595973503842c3a4.exe	30
PID 2728 wrote to memory of 2688	2728	Lidgcclp.exe	31
PID 2728 wrote to memory of 2688	2728	Lidgcclp.exe	31
PID 2728 wrote to memory of 2688	2728	Lidgcclp.exe	31
PID 2728 wrote to memory of 2688	2728	Lidgcclp.exe	31
PID 2688 wrote to memory of 2820	2688	Lmpcca32.exe	32
PID 2688 wrote to memory of 2820	2688	Lmpcca32.exe	32
PID 2688 wrote to memory of 2820	2688	Lmpcca32.exe	32
PID 2688 wrote to memory of 2820	2688	Lmpcca32.exe	32
PID 2820 wrote to memory of 2692	2820	Lcmklh32.exe	33
PID 2820 wrote to memory of 2692	2820	Lcmklh32.exe	33
PID 2820 wrote to memory of 2692	2820	Lcmklh32.exe	33
PID 2820 wrote to memory of 2692	2820	Lcmklh32.exe	33
PID 2692 wrote to memory of 2700	2692	Lghgmg32.exe	34
PID 2692 wrote to memory of 2700	2692	Lghgmg32.exe	34
PID 2692 wrote to memory of 2700	2692	Lghgmg32.exe	34
PID 2692 wrote to memory of 2700	2692	Lghgmg32.exe	34
PID 2700 wrote to memory of 2800	2700	Laahme32.exe	35
PID 2700 wrote to memory of 2800	2700	Laahme32.exe	35
PID 2700 wrote to memory of 2800	2700	Laahme32.exe	35
PID 2700 wrote to memory of 2800	2700	Laahme32.exe	35
PID 2800 wrote to memory of 1044	2800	Liipnb32.exe	36
PID 2800 wrote to memory of 1044	2800	Liipnb32.exe	36
PID 2800 wrote to memory of 1044	2800	Liipnb32.exe	36
PID 2800 wrote to memory of 1044	2800	Liipnb32.exe	36
PID 1044 wrote to memory of 2120	1044	Lhlqjone.exe	37
PID 1044 wrote to memory of 2120	1044	Lhlqjone.exe	37
PID 1044 wrote to memory of 2120	1044	Lhlqjone.exe	37
PID 1044 wrote to memory of 2120	1044	Lhlqjone.exe	37
PID 2120 wrote to memory of 1576	2120	Lepaccmo.exe	38
PID 2120 wrote to memory of 1576	2120	Lepaccmo.exe	38
PID 2120 wrote to memory of 1576	2120	Lepaccmo.exe	38
PID 2120 wrote to memory of 1576	2120	Lepaccmo.exe	38

C:\Users\Admin\AppData\Local\Temp\b6a0a7d2e54c15acbfc30d59d3ad1402ed67418afc1d8669595973503842c3a4.exe
"C:\Users\Admin\AppData\Local\Temp\b6a0a7d2e54c15acbfc30d59d3ad1402ed67418afc1d8669595973503842c3a4.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2412
- C:\Windows\SysWOW64\Lidgcclp.exe
  C:\Windows\system32\Lidgcclp.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2728
- - C:\Windows\SysWOW64\Lmpcca32.exe
    C:\Windows\system32\Lmpcca32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2688
  - - C:\Windows\SysWOW64\Lcmklh32.exe
      C:\Windows\system32\Lcmklh32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2820
    - - C:\Windows\SysWOW64\Lghgmg32.exe
        
        C:\Windows\system32\Lghgmg32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2692
      - C:\Windows\SysWOW64\Laahme32.exe
        
        C:\Windows\system32\Laahme32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2700
        
        C:\Windows\SysWOW64\Liipnb32.exe
        
        C:\Windows\system32\Liipnb32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2800
        
        C:\Windows\SysWOW64\Lhlqjone.exe
        
        C:\Windows\system32\Lhlqjone.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1044
        
        C:\Windows\SysWOW64\Lepaccmo.exe
        
        C:\Windows\system32\Lepaccmo.exe
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2120
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2120 -s 140
        10⤵
        Loads dropped DLL
        Program crash
        
        PID:1576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Lcmklh32.exe

Filesize
128KB

MD5
2dcfc9b268e9bd540dfd7c817f13cb4b

SHA1
addf774a5468646ec6cd2f8886b1d3aa74996ed9

SHA256
3e9528390188b079584c6b24402f1e7eac586f3ab298b9f4e2205d7968d5cd03

SHA512
266cbf968123b2649b8c804d3d4b31b4996adc0c6644f996bc83cde9223404fd615886800d3d3a92cc065edc4cfd87bc46eb535a31f4f5aa6a8644469942ef2f

Download Submit
C:\Windows\SysWOW64\Lhlqjone.exe

Filesize
128KB

MD5
e6d0d5cfde93e70a08f15927b6a92ff7

SHA1
696a85136e53533d3ac52a3c0995c74ed731d48a

SHA256
541e04ce20bf138fab3d8292a9af12616437edfed0ef27f571efc7e052021642

SHA512
aae09b13168567879752d857f3008ca45b3993ced1dd06f28b6f1264c1b499ef08da024c6a2c0492813909608863a1b18a99fe1e214d3fff740a661295cb6f9e

Download Submit
C:\Windows\SysWOW64\Lidgcclp.exe

Filesize
128KB

MD5
7899cfb4e1c5bc3bf36d43d9a2ec0092

SHA1
a35018587de53c9b9cd575995c7d693902e7f165

SHA256
33f4d81afabf81d4c8c38c78944ba38f84172de85179d6854380ccd07e292f43

SHA512
1a3cf0b98128b3156a92b15c7bdd4f77d23423c8e7965f96a227b8693dc5a50d9cccd6df3b5534921289f42b07d684385911403d171ff230eabbbcd5dc5b0b9d

Download Submit
C:\Windows\SysWOW64\Liipnb32.exe

Filesize
128KB

MD5
946e5ad5b2049fa5f33fdf19c15a291b

SHA1
75ea9da369891a97a2b2e6fc8caa04f2f60f2a26

SHA256
0d199c1e56a462a76308c23bea86d956e534e609e400c42798db8e6e78f476b7

SHA512
836e4542e388741d5b9ae3989206522b14d386a43d50521175540903124ee5ac40dd5eea2c1f78a29539cc3a889f0179a43657575dd852593e7c37f7e78d0e16

Download Submit
C:\Windows\SysWOW64\Lmpcca32.exe

Filesize
128KB

MD5
564984103c3ae3863030fed4fee9466f

SHA1
e8678d5f7d7714b505356c4d888e15ca14d4ceee

SHA256
9a8c823c1dcb1bd21312129939038907721e4f86ed22754372405e5205954de9

SHA512
09cf996e9018c8486691b265d03d85ea891a256554c310a4cc760e3d88f90bebd309d365b702018bb298114682e62a1261173704553bc4e47a9e7d6e6e79d4b2

Download Submit
\Windows\SysWOW64\Laahme32.exe

Filesize
128KB

MD5
08455e16923146146c7d95aa899c3f03

SHA1
f723946ce229f63493295215c82d1abcd7a9b901

SHA256
6d9f881733ac94a5eb57cb58649225f84590f6b631ec40a5d0d365062d88b879

SHA512
14aae9d11988ea0ae40b4507e91b63c5c9fe44d616ca29cb6ac1ef88f2d0450595dbc3648f03c91a4a50146e70ba57c07ce9927e0339eca2dc3a6dbbfaa876f9

Download Submit
\Windows\SysWOW64\Lepaccmo.exe

Filesize
128KB

MD5
d20ab2203ce4009f39cdece434c4e08e

SHA1
414e032d2cc85f06206ffefe9cca8e9e3ae2256a

SHA256
4c005384442839bf9bef84d2ca78a692cb8105ca25ec648d3bab4635bfdb5643

SHA512
07668bd220d482e6db4c5fabd1e5f1b174275e2fead2c4a85e65def5fa6c2b72b063c11c6cad4aa1ef0664b9924f9304211f086c60ab6056522b0ff9823916ed

Download Submit
\Windows\SysWOW64\Lghgmg32.exe

Filesize
128KB

MD5
37d4c7948ec38a30603b8820fefef637

SHA1
aa13761d1d9b7a3d68dd995436f8f2e5189fc8af

SHA256
d19b0b5984d8e477e36e37c72fd333857ea4c69ada20e8ea6c8b3396b7d3b93f

SHA512
3acdf9d45b0e2292b4728d7e4fb825ce0927a7486c007e8045cc3ce277d6c558607ebb2c30ceae09ce28b1e0ea3d26e5e19dedc32e573a1fdc76e379819665c2

Download Submit
memory/1044-113-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1044-95-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2120-116-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2120-108-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2412-117-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2412-0-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2412-17-0x0000000000250000-0x000000000028B000-memory.dmp

Filesize
236KB

Download
memory/2412-18-0x0000000000250000-0x000000000028B000-memory.dmp

Filesize
236KB

Download
memory/2688-118-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2692-59-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2692-114-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2692-68-0x0000000000250000-0x000000000028B000-memory.dmp

Filesize
236KB

Download
memory/2700-69-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2700-115-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2728-21-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2728-26-0x0000000000440000-0x000000000047B000-memory.dmp

Filesize
236KB

Download
memory/2728-27-0x0000000000440000-0x000000000047B000-memory.dmp

Filesize
236KB

Download
memory/2800-93-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2820-48-0x00000000002E0000-0x000000000031B000-memory.dmp

Filesize
236KB

Download
memory/2820-46-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads