berbew | 424a7224f54dd0e425776fa53dabaccb96d135291095041f42e5561104930087

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
24/12/2024, 21:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

424a7224f54dd0e425776fa53dabaccb96d135291095041f42e5561104930087.exe
Size

305KB
MD5

ef39f114e76f086fd5293b0b2fc89ad1
SHA1

c77a5fc80a4382964ef3f6784081eff1951f1277
SHA256

424a7224f54dd0e425776fa53dabaccb96d135291095041f42e5561104930087
SHA512

22bedfe2d7de26368f1694f0b100f60f6b2b592b8545198a5ca11ee22ae158dc97b0ad5c3c77969cde0b59b526b86ecdf241ab5eed0c179e76fd7ef48c4b3314
SSDEEP

6144:082Ro1g3IsddypUlc85dZMGXF5ahdt3b0668:r2RnxLXFWtQ668

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 32 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgfjggll.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfmkbebl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbclgf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmimcbja.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kmimcbja.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kpgionie.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkojbf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jfmkbebl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jcciqi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Khgkpl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lifcib32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jefbnacn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kablnadm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpgionie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kbhbai32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	424a7224f54dd0e425776fa53dabaccb96d135291095041f42e5561104930087.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kablnadm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbhbai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lcohahpn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jcciqi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpjifjdg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Khgkpl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jefbnacn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kkojbf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcohahpn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	424a7224f54dd0e425776fa53dabaccb96d135291095041f42e5561104930087.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jbclgf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jpjifjdg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lifcib32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kjeglh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kjeglh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lgfjggll.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 16 IoCs

pid	Process
2228	Jfmkbebl.exe
2776	Jbclgf32.exe
2708	Jcciqi32.exe
2868	Jpjifjdg.exe
2612	Jefbnacn.exe
1876	Khgkpl32.exe
2324	Kjeglh32.exe
2100	Kablnadm.exe
1884	Kmimcbja.exe
1800	Kpgionie.exe
2096	Kbhbai32.exe
2140	Kkojbf32.exe
772	Lgfjggll.exe
340	Lifcib32.exe
2144	Lcohahpn.exe
2092	Lepaccmo.exe

Loads dropped DLL 36 IoCs

pid	Process
2188	424a7224f54dd0e425776fa53dabaccb96d135291095041f42e5561104930087.exe
2188	424a7224f54dd0e425776fa53dabaccb96d135291095041f42e5561104930087.exe
2228	Jfmkbebl.exe
2228	Jfmkbebl.exe
2776	Jbclgf32.exe
2776	Jbclgf32.exe
2708	Jcciqi32.exe
2708	Jcciqi32.exe
2868	Jpjifjdg.exe
2868	Jpjifjdg.exe
2612	Jefbnacn.exe
2612	Jefbnacn.exe
1876	Khgkpl32.exe
1876	Khgkpl32.exe
2324	Kjeglh32.exe
2324	Kjeglh32.exe
2100	Kablnadm.exe
2100	Kablnadm.exe
1884	Kmimcbja.exe
1884	Kmimcbja.exe
1800	Kpgionie.exe
1800	Kpgionie.exe
2096	Kbhbai32.exe
2096	Kbhbai32.exe
2140	Kkojbf32.exe
2140	Kkojbf32.exe
772	Lgfjggll.exe
772	Lgfjggll.exe
340	Lifcib32.exe
340	Lifcib32.exe
2144	Lcohahpn.exe
2144	Lcohahpn.exe
924	WerFault.exe
924	WerFault.exe
924	WerFault.exe
924	WerFault.exe

Drops file in System32 directory 48 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Kablnadm.exe	Kjeglh32.exe
File created	C:\Windows\SysWOW64\Kpgionie.exe	Kmimcbja.exe
File opened for modification	C:\Windows\SysWOW64\Lcohahpn.exe	Lifcib32.exe
File created	C:\Windows\SysWOW64\Annjfl32.dll	Lifcib32.exe
File created	C:\Windows\SysWOW64\Lepaccmo.exe	Lcohahpn.exe
File created	C:\Windows\SysWOW64\Jbclgf32.exe	Jfmkbebl.exe
File opened for modification	C:\Windows\SysWOW64\Jpjifjdg.exe	Jcciqi32.exe
File created	C:\Windows\SysWOW64\Khgkpl32.exe	Jefbnacn.exe
File created	C:\Windows\SysWOW64\Hfopbgif.dll	Kkojbf32.exe
File created	C:\Windows\SysWOW64\Kjeglh32.exe	Khgkpl32.exe
File created	C:\Windows\SysWOW64\Bodilc32.dll	Kablnadm.exe
File opened for modification	C:\Windows\SysWOW64\Kkojbf32.exe	Kbhbai32.exe
File created	C:\Windows\SysWOW64\Kjpndcho.dll	Kjeglh32.exe
File created	C:\Windows\SysWOW64\Gffdobll.dll	Kbhbai32.exe
File opened for modification	C:\Windows\SysWOW64\Lgfjggll.exe	Kkojbf32.exe
File opened for modification	C:\Windows\SysWOW64\Lepaccmo.exe	Lcohahpn.exe
File opened for modification	C:\Windows\SysWOW64\Jfmkbebl.exe	424a7224f54dd0e425776fa53dabaccb96d135291095041f42e5561104930087.exe
File created	C:\Windows\SysWOW64\Ebenek32.dll	Jcciqi32.exe
File opened for modification	C:\Windows\SysWOW64\Kjeglh32.exe	Khgkpl32.exe
File created	C:\Windows\SysWOW64\Jpjifjdg.exe	Jcciqi32.exe
File created	C:\Windows\SysWOW64\Pcdapknb.dll	Jefbnacn.exe
File created	C:\Windows\SysWOW64\Kbhbai32.exe	Kpgionie.exe
File created	C:\Windows\SysWOW64\Kkojbf32.exe	Kbhbai32.exe
File created	C:\Windows\SysWOW64\Jfmkbebl.exe	424a7224f54dd0e425776fa53dabaccb96d135291095041f42e5561104930087.exe
File created	C:\Windows\SysWOW64\Ljnfmlph.dll	424a7224f54dd0e425776fa53dabaccb96d135291095041f42e5561104930087.exe
File opened for modification	C:\Windows\SysWOW64\Jbclgf32.exe	Jfmkbebl.exe
File created	C:\Windows\SysWOW64\Bndneq32.dll	Kpgionie.exe
File created	C:\Windows\SysWOW64\Lgfjggll.exe	Kkojbf32.exe
File created	C:\Windows\SysWOW64\Gkeeihpg.dll	Lgfjggll.exe
File created	C:\Windows\SysWOW64\Ccmkid32.dll	Jfmkbebl.exe
File created	C:\Windows\SysWOW64\Kmnfciac.dll	Jpjifjdg.exe
File opened for modification	C:\Windows\SysWOW64\Khgkpl32.exe	Jefbnacn.exe
File opened for modification	C:\Windows\SysWOW64\Kpgionie.exe	Kmimcbja.exe
File created	C:\Windows\SysWOW64\Lifcib32.exe	Lgfjggll.exe
File created	C:\Windows\SysWOW64\Oldhgaef.dll	Lcohahpn.exe
File created	C:\Windows\SysWOW64\Ciqmoj32.dll	Khgkpl32.exe
File opened for modification	C:\Windows\SysWOW64\Kmimcbja.exe	Kablnadm.exe
File created	C:\Windows\SysWOW64\Jbdhhp32.dll	Kmimcbja.exe
File opened for modification	C:\Windows\SysWOW64\Kbhbai32.exe	Kpgionie.exe
File opened for modification	C:\Windows\SysWOW64\Lifcib32.exe	Lgfjggll.exe
File opened for modification	C:\Windows\SysWOW64\Jcciqi32.exe	Jbclgf32.exe
File created	C:\Windows\SysWOW64\Aaqbpk32.dll	Jbclgf32.exe
File opened for modification	C:\Windows\SysWOW64\Jefbnacn.exe	Jpjifjdg.exe
File created	C:\Windows\SysWOW64\Kmimcbja.exe	Kablnadm.exe
File created	C:\Windows\SysWOW64\Lcohahpn.exe	Lifcib32.exe
File created	C:\Windows\SysWOW64\Jcciqi32.exe	Jbclgf32.exe
File created	C:\Windows\SysWOW64\Jefbnacn.exe	Jpjifjdg.exe
File opened for modification	C:\Windows\SysWOW64\Kablnadm.exe	Kjeglh32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
924	2092	WerFault.exe	45

System Location Discovery: System Language Discovery 1 TTPs 17 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kpgionie.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kkojbf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	424a7224f54dd0e425776fa53dabaccb96d135291095041f42e5561104930087.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kablnadm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lcohahpn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jcciqi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbhbai32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jefbnacn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kjeglh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kmimcbja.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lgfjggll.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jfmkbebl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jpjifjdg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lifcib32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lepaccmo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jbclgf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Khgkpl32.exe

Modifies registry class 51 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lgfjggll.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	424a7224f54dd0e425776fa53dabaccb96d135291095041f42e5561104930087.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kbhbai32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jefbnacn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kjeglh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kmimcbja.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bndneq32.dll"	Kpgionie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kpgionie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jbclgf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmnfciac.dll"	Jpjifjdg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jcciqi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pcdapknb.dll"	Jefbnacn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Khgkpl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjpndcho.dll"	Kjeglh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kjeglh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kablnadm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jfmkbebl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebenek32.dll"	Jcciqi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lgfjggll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbdhhp32.dll"	Kmimcbja.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gffdobll.dll"	Kbhbai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jpjifjdg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jefbnacn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Khgkpl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bodilc32.dll"	Kablnadm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oldhgaef.dll"	Lcohahpn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	424a7224f54dd0e425776fa53dabaccb96d135291095041f42e5561104930087.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jpjifjdg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kablnadm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kkojbf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kkojbf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lifcib32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	424a7224f54dd0e425776fa53dabaccb96d135291095041f42e5561104930087.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jbclgf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kpgionie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kbhbai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkeeihpg.dll"	Lgfjggll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lifcib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccmkid32.dll"	Jfmkbebl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciqmoj32.dll"	Khgkpl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jfmkbebl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfopbgif.dll"	Kkojbf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lcohahpn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	424a7224f54dd0e425776fa53dabaccb96d135291095041f42e5561104930087.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljnfmlph.dll"	424a7224f54dd0e425776fa53dabaccb96d135291095041f42e5561104930087.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jcciqi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kmimcbja.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Annjfl32.dll"	Lifcib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lcohahpn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	424a7224f54dd0e425776fa53dabaccb96d135291095041f42e5561104930087.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aaqbpk32.dll"	Jbclgf32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2188 wrote to memory of 2228	2188	424a7224f54dd0e425776fa53dabaccb96d135291095041f42e5561104930087.exe	30
PID 2188 wrote to memory of 2228	2188	424a7224f54dd0e425776fa53dabaccb96d135291095041f42e5561104930087.exe	30
PID 2188 wrote to memory of 2228	2188	424a7224f54dd0e425776fa53dabaccb96d135291095041f42e5561104930087.exe	30
PID 2188 wrote to memory of 2228	2188	424a7224f54dd0e425776fa53dabaccb96d135291095041f42e5561104930087.exe	30
PID 2228 wrote to memory of 2776	2228	Jfmkbebl.exe	31
PID 2228 wrote to memory of 2776	2228	Jfmkbebl.exe	31
PID 2228 wrote to memory of 2776	2228	Jfmkbebl.exe	31
PID 2228 wrote to memory of 2776	2228	Jfmkbebl.exe	31
PID 2776 wrote to memory of 2708	2776	Jbclgf32.exe	32
PID 2776 wrote to memory of 2708	2776	Jbclgf32.exe	32
PID 2776 wrote to memory of 2708	2776	Jbclgf32.exe	32
PID 2776 wrote to memory of 2708	2776	Jbclgf32.exe	32
PID 2708 wrote to memory of 2868	2708	Jcciqi32.exe	33
PID 2708 wrote to memory of 2868	2708	Jcciqi32.exe	33
PID 2708 wrote to memory of 2868	2708	Jcciqi32.exe	33
PID 2708 wrote to memory of 2868	2708	Jcciqi32.exe	33
PID 2868 wrote to memory of 2612	2868	Jpjifjdg.exe	34
PID 2868 wrote to memory of 2612	2868	Jpjifjdg.exe	34
PID 2868 wrote to memory of 2612	2868	Jpjifjdg.exe	34
PID 2868 wrote to memory of 2612	2868	Jpjifjdg.exe	34
PID 2612 wrote to memory of 1876	2612	Jefbnacn.exe	35
PID 2612 wrote to memory of 1876	2612	Jefbnacn.exe	35
PID 2612 wrote to memory of 1876	2612	Jefbnacn.exe	35
PID 2612 wrote to memory of 1876	2612	Jefbnacn.exe	35
PID 1876 wrote to memory of 2324	1876	Khgkpl32.exe	36
PID 1876 wrote to memory of 2324	1876	Khgkpl32.exe	36
PID 1876 wrote to memory of 2324	1876	Khgkpl32.exe	36
PID 1876 wrote to memory of 2324	1876	Khgkpl32.exe	36
PID 2324 wrote to memory of 2100	2324	Kjeglh32.exe	37
PID 2324 wrote to memory of 2100	2324	Kjeglh32.exe	37
PID 2324 wrote to memory of 2100	2324	Kjeglh32.exe	37
PID 2324 wrote to memory of 2100	2324	Kjeglh32.exe	37
PID 2100 wrote to memory of 1884	2100	Kablnadm.exe	38
PID 2100 wrote to memory of 1884	2100	Kablnadm.exe	38
PID 2100 wrote to memory of 1884	2100	Kablnadm.exe	38
PID 2100 wrote to memory of 1884	2100	Kablnadm.exe	38
PID 1884 wrote to memory of 1800	1884	Kmimcbja.exe	39
PID 1884 wrote to memory of 1800	1884	Kmimcbja.exe	39
PID 1884 wrote to memory of 1800	1884	Kmimcbja.exe	39
PID 1884 wrote to memory of 1800	1884	Kmimcbja.exe	39
PID 1800 wrote to memory of 2096	1800	Kpgionie.exe	40
PID 1800 wrote to memory of 2096	1800	Kpgionie.exe	40
PID 1800 wrote to memory of 2096	1800	Kpgionie.exe	40
PID 1800 wrote to memory of 2096	1800	Kpgionie.exe	40
PID 2096 wrote to memory of 2140	2096	Kbhbai32.exe	41
PID 2096 wrote to memory of 2140	2096	Kbhbai32.exe	41
PID 2096 wrote to memory of 2140	2096	Kbhbai32.exe	41
PID 2096 wrote to memory of 2140	2096	Kbhbai32.exe	41
PID 2140 wrote to memory of 772	2140	Kkojbf32.exe	42
PID 2140 wrote to memory of 772	2140	Kkojbf32.exe	42
PID 2140 wrote to memory of 772	2140	Kkojbf32.exe	42
PID 2140 wrote to memory of 772	2140	Kkojbf32.exe	42
PID 772 wrote to memory of 340	772	Lgfjggll.exe	43
PID 772 wrote to memory of 340	772	Lgfjggll.exe	43
PID 772 wrote to memory of 340	772	Lgfjggll.exe	43
PID 772 wrote to memory of 340	772	Lgfjggll.exe	43
PID 340 wrote to memory of 2144	340	Lifcib32.exe	44
PID 340 wrote to memory of 2144	340	Lifcib32.exe	44
PID 340 wrote to memory of 2144	340	Lifcib32.exe	44
PID 340 wrote to memory of 2144	340	Lifcib32.exe	44
PID 2144 wrote to memory of 2092	2144	Lcohahpn.exe	45
PID 2144 wrote to memory of 2092	2144	Lcohahpn.exe	45
PID 2144 wrote to memory of 2092	2144	Lcohahpn.exe	45
PID 2144 wrote to memory of 2092	2144	Lcohahpn.exe	45

C:\Users\Admin\AppData\Local\Temp\424a7224f54dd0e425776fa53dabaccb96d135291095041f42e5561104930087.exe
"C:\Users\Admin\AppData\Local\Temp\424a7224f54dd0e425776fa53dabaccb96d135291095041f42e5561104930087.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2188
- C:\Windows\SysWOW64\Jfmkbebl.exe
  C:\Windows\system32\Jfmkbebl.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2228
- - C:\Windows\SysWOW64\Jbclgf32.exe
    C:\Windows\system32\Jbclgf32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2776
  - - C:\Windows\SysWOW64\Jcciqi32.exe
      C:\Windows\system32\Jcciqi32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2708
    - - C:\Windows\SysWOW64\Jpjifjdg.exe
        
        C:\Windows\system32\Jpjifjdg.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2868
      - C:\Windows\SysWOW64\Jefbnacn.exe
        
        C:\Windows\system32\Jefbnacn.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2612
        
        C:\Windows\SysWOW64\Khgkpl32.exe
        
        C:\Windows\system32\Khgkpl32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1876
        
        C:\Windows\SysWOW64\Kjeglh32.exe
        
        C:\Windows\system32\Kjeglh32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2324
        
        C:\Windows\SysWOW64\Kablnadm.exe
        
        C:\Windows\system32\Kablnadm.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2100
        
        C:\Windows\SysWOW64\Kmimcbja.exe
        
        C:\Windows\system32\Kmimcbja.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1884
        
        C:\Windows\SysWOW64\Kpgionie.exe
        
        C:\Windows\system32\Kpgionie.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1800
        
        C:\Windows\SysWOW64\Kbhbai32.exe
        
        C:\Windows\system32\Kbhbai32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2096
        
        C:\Windows\SysWOW64\Kkojbf32.exe
        
        C:\Windows\system32\Kkojbf32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2140
        
        C:\Windows\SysWOW64\Lgfjggll.exe
        
        C:\Windows\system32\Lgfjggll.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:772
        
        C:\Windows\SysWOW64\Lifcib32.exe
        
        C:\Windows\system32\Lifcib32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:340
        
        C:\Windows\SysWOW64\Lcohahpn.exe
        
        C:\Windows\system32\Lcohahpn.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2144
        
        C:\Windows\SysWOW64\Lepaccmo.exe
        
        C:\Windows\system32\Lepaccmo.exe
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2092
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2092 -s 140
        18⤵
        Loads dropped DLL
        Program crash
        
        PID:924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Jefbnacn.exe

Filesize
305KB

MD5
94c4188bff967a80547ae4bfd8129cdc

SHA1
0e0b1275ef46d0d7083b92d313a971ded4ec5dae

SHA256
21d964a3c3cfdd325242e2d519357cefbf7790883c325fca3756c9751384e946

SHA512
e2f4908ed22fc740276838301d61882e94645d2149009aabded5aafd20d5d86c3e2252648345c31919af42f62743198444d4d7fd6ae770d3e0395386c4a54276

Download Submit
C:\Windows\SysWOW64\Kbhbai32.exe

Filesize
305KB

MD5
9d770bf19a3bb718629bee6ef58571ff

SHA1
1b18d50eafdee76e5fc1b31b563e1639d1775698

SHA256
a8f178ff2e5a50eb0a90a26b39cdc99672830b8fa0b2916a2b3677568a4d0a5d

SHA512
646aca0a67d92882d0d2e990bdd900a7f13ef1de23eaddd1b8c1abc2b3b5740a3833766e6322906eeeff09231549e354533854f822c9be6c62d86b57cd52c815

Download Submit
C:\Windows\SysWOW64\Kjeglh32.exe

Filesize
305KB

MD5
55a11deb57bbec0a4b6ef5da19c0a60f

SHA1
9c680e9d1efa25107cbe4916eed3c93ad2fa4906

SHA256
50a1b776b20a20e11a4d0c1d697f8d8c3d30d0a71c3a1ba03ede1dddf7338f38

SHA512
763ea001fb8662d57c40e6a19d199be045dd8b464c64de7ef8d35c31a3d713d5c3a0d0701ca8154d3b35c8a7d36f808f6911b1370bf2327ab6e8577ffdf9e1f7

Download Submit
C:\Windows\SysWOW64\Kmnfciac.dll

Filesize
7KB

MD5
f55585a2a1c537ad0b95a09b52988931

SHA1
bc7928c173912c2a35d658e49bee36b679f856eb

SHA256
eb05ffee55735fbb97b36aef39528c6c46c5183f8e33212cb52e21efaeea41d3

SHA512
ac5701f3cb281fb6a2f8a32241dee4fcf6b44d105a8bd92c4824409c57059ff42547446117c9eca28fb83eea73210ba2aa3d47daee1b13cd25d75266c5ebe84a

Download Submit
C:\Windows\SysWOW64\Kpgionie.exe

Filesize
305KB

MD5
a01957868e512560c7bb979d097b67cb

SHA1
e8e2f58680cf0956cab6ae3b06b068dee940f64f

SHA256
dd3ddef297775a56b2a7b0535623a51944621b5e791270557ef1a2786a295bef

SHA512
fe34fbe9a849d7ae866d3c623040d64c375687c401edb91ecc7a898aa093680d7c6d9e69f59c7d07166ae6b231824027288dd4e9f746f00c1f92739dd512ca81

Download Submit
C:\Windows\SysWOW64\Lgfjggll.exe

Filesize
305KB

MD5
a8ede84cf7415ff2ff7e668af535efe1

SHA1
3f39aeeedf2d53eaba8e1f473caa1ec26522e305

SHA256
bb53573f8de8a60ee35cf974e013968f27928df3b4590614f51b2ea2406c69b4

SHA512
d7210a9ce86ccac2762f38842fb53d78adc906a2497fb16924d4b72c3e9a192a91e170db4b770768a028992c85588dda5cfa4f412119c29d9397d8d7f4b08d3c

Download Submit
\Windows\SysWOW64\Jbclgf32.exe

Filesize
305KB

MD5
6568208d7d234f2eb1e23ce2fb36daef

SHA1
5c3c0d894d07baad63b69a981cd3064317d013f8

SHA256
50b49380b323cba526cc68e457500f617173607551dda6272d4cfcab9665c7c4

SHA512
9f0cba08440b86cca53f389c5b4fab51b92fa967e24eaf7c8669e76e0dd9fb9f5ef2bcbec60173555eb31387cff2a6433d53f8ce231efc739b7c95bb7309f293

Download Submit
\Windows\SysWOW64\Jcciqi32.exe

Filesize
305KB

MD5
b43665485a9ad207ea277218b2ab2d4b

SHA1
0447ffbd1f3ddac7deb7cc4295781d4a91eec12c

SHA256
22cbfc102914417e92278e3527956507b830f6bd9acf172f0cb704dea4c04258

SHA512
6de9aaa1dab28de6bcb5605f6efe35777ee8df4580919ba381ec5ac185b090773be87f148582186bb0247c426ca05c49df3372481f12eabca50f649782618500

Download Submit
\Windows\SysWOW64\Jfmkbebl.exe

Filesize
305KB

MD5
8b5ba3d1592d64cf46e8bb691cb2f334

SHA1
11ecdceb4662f907bce98eb0b8518cc8fce71b99

SHA256
e173a85cbb1af84b9d770082a63d7ef37df25b0669031cfe9ac173f9a262e89a

SHA512
291ed786ac40c7c3003c945e8a68945abcb2add8c48d3466cef8a61ee01e2cb3d37104344de556af401ca3846b16e621b04aa04749b1d45d4ac9837d9b905697

Download Submit
\Windows\SysWOW64\Jpjifjdg.exe

Filesize
305KB

MD5
b41d8b3543d18c2c7ca1aee53c8766fd

SHA1
07eaa328cd8596eadbe2dfc1f3937ae89779a5b4

SHA256
264484dc98c7c51c1066832a183be193eeb1042a09670135be7a262a13e08de8

SHA512
31c976694564a9b3b32093c3757766426af101d2253e86223b375ee2214087b02b43b099d0e1c7f74bdf76f3a545079cc765a8e03d6138910004fba6610ccd65

Download Submit
\Windows\SysWOW64\Kablnadm.exe

Filesize
305KB

MD5
cc98d55bf5e8c47c084a1ad4f02ad9dd

SHA1
1a3a1eb7b73bc10f05c2d97861ccc855d9d16f41

SHA256
bb42f14bf7da7e9c22bb7d1c25b657388e80c3d8f9ab18c81492992d97e883f5

SHA512
b9ed5ee7b40d5545f17b2fff115533ab6205749bc5f257f8e6d46fbd3acff08ae2bec78d8b9e95902b653262cb918a2c99832a5588d6b0fe9f5a364853186998

Download Submit
\Windows\SysWOW64\Khgkpl32.exe

Filesize
305KB

MD5
46a99851062bda173105407d1d4838de

SHA1
80571f24e81ac6cbda9ad759f9059859f80c9055

SHA256
80fcbe774345955138b26270d18914af521eb43e59638c7eb5cd58f9d2503b1c

SHA512
73cb6b8bc383df2d944b772e16f700d9903cb557d74d0f0f35edfb706280037b568770dcec9a020ca042502a96abdeb31266e72ca9673308ed9019fbe4a389fe

Download Submit
\Windows\SysWOW64\Kkojbf32.exe

Filesize
305KB

MD5
25744644230e61d13955f1536b844f28

SHA1
b9ea415e098905b18278c8cfe922d85c6a392241

SHA256
343a8a53e807c4f6108cf0fdd6b025afb2cd3dcfa42b95b3e171314d336d95d9

SHA512
4d2ca5e1ad0db9d744b94b2e83967ace22fc0c3b5ac611fef7b8cf0c09001a92d4cd77bb592ad0b8b0267537b887ecf5bf1bce94c11addf526aae71856ba4796

Download Submit
\Windows\SysWOW64\Kmimcbja.exe

Filesize
305KB

MD5
431513b9e6601a0651f77eb7cbb5e466

SHA1
861285c5b8093e0e366f20398bee28e1d16647e9

SHA256
1d4d20ca91f4f96b3a8e97da8e8f87cf0b85a3f372dc2d203a9305f3989754e1

SHA512
8194e5995c62cc8a30a34e73fded3273aecbec79396574051c5bd85b2ae5f9ff6efb8b08a5ebb0aaf164812e0cbb4c9e97d2ca89dc013ef23377cb636be6501e

Download Submit
\Windows\SysWOW64\Lcohahpn.exe

Filesize
305KB

MD5
df3dafe8c76af494eeef63d774913fd9

SHA1
492e901bd70936e9ae4e614ed1986b8158edc474

SHA256
0fb98fb58a99f03a248e8e58c36427e8c22e30bd6b5aa634057dcc992afe18fc

SHA512
77eb07411d175c8956a62b15601a7c85ea3e592c6270a95649db4c74d19464be482fe50d7b46d0456789654bfbfd3586ed191757449a3a5ac8f08a8e77ab3bca

Download Submit
\Windows\SysWOW64\Lepaccmo.exe

Filesize
305KB

MD5
7ccad3e43851231d61bbc9335fa8a5b4

SHA1
1f6e72a582354c6205b344031792012fc68a1bfd

SHA256
3c3424583ec6103ca039f5cd7359b53d36e3e3ac626631cca5b9c4d859921361

SHA512
743b22ae0690ebfb4f3ce50a35ff8d98347f4a145bf60495e70a4ca49fc95b4ec7b2a71ccc194c6808d44483cfd38e9bb03703589b76e153ebaeaa9dbdc15e9c

Download Submit
\Windows\SysWOW64\Lifcib32.exe

Filesize
305KB

MD5
5eb19af8baf6a39afb4898fb371bb1c8

SHA1
f8fbc276c861b709ccebb292e44418549042c0b7

SHA256
4afc5d4f2bb29b66156000a4f547fd05db03ea58f15c50d5b1cbb9b91e4db930

SHA512
8fd41fad72e7a5211d1a5e6237f4aebe625edef9162bea44d4b4ea4e5df080d2ee44cc817406d55db6c848f5423bdb8e55a1160316b9b7ed30f9d473bdd33cfe

Download Submit
memory/340-227-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/340-208-0x00000000003B0000-0x00000000003F3000-memory.dmp

Filesize
268KB

Download
memory/340-196-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/772-181-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/772-189-0x0000000000250000-0x0000000000293000-memory.dmp

Filesize
268KB

Download
memory/772-226-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1800-230-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1800-152-0x0000000000260000-0x00000000002A3000-memory.dmp

Filesize
268KB

Download
memory/1800-139-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1876-84-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1876-97-0x0000000000340000-0x0000000000383000-memory.dmp

Filesize
268KB

Download
memory/1876-233-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1884-231-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1884-131-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2092-242-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2092-224-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2096-153-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2096-161-0x00000000002D0000-0x0000000000313000-memory.dmp

Filesize
268KB

Download
memory/2096-229-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2100-125-0x0000000000250000-0x0000000000293000-memory.dmp

Filesize
268KB

Download
memory/2100-112-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2100-240-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2140-180-0x0000000000250000-0x0000000000293000-memory.dmp

Filesize
268KB

Download
memory/2140-228-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2140-168-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2144-216-0x0000000000450000-0x0000000000493000-memory.dmp

Filesize
268KB

Download
memory/2144-241-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2144-223-0x0000000000450000-0x0000000000493000-memory.dmp

Filesize
268KB

Download
memory/2144-209-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2188-236-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2188-13-0x0000000000450000-0x0000000000493000-memory.dmp

Filesize
268KB

Download
memory/2188-12-0x0000000000450000-0x0000000000493000-memory.dmp

Filesize
268KB

Download
memory/2188-0-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2228-27-0x0000000000250000-0x0000000000293000-memory.dmp

Filesize
268KB

Download
memory/2228-14-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2228-237-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2324-232-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2324-98-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2324-106-0x0000000000330000-0x0000000000373000-memory.dmp

Filesize
268KB

Download
memory/2612-83-0x0000000001F90000-0x0000000001FD3000-memory.dmp

Filesize
268KB

Download
memory/2612-239-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2612-70-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2708-42-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2708-235-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2708-50-0x0000000000450000-0x0000000000493000-memory.dmp

Filesize
268KB

Download
memory/2776-238-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2776-28-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2776-41-0x0000000000250000-0x0000000000293000-memory.dmp

Filesize
268KB

Download
memory/2868-234-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2868-69-0x0000000000250000-0x0000000000293000-memory.dmp

Filesize
268KB

Download
memory/2868-57-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads