berbew | 0312de6f2b5a594b44ea1ebbeecbac3ae1bbba20e5726d432f26e2f467e0acdb

Analysis

max time kernel
121s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
24-12-2024 19:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0312de6f2b5a594b44ea1ebbeecbac3ae1bbba20e5726d432f26e2f467e0acdb.exe
Size

80KB
MD5

d2cf7b8dab392115619a9095be7d2e85
SHA1

a7814834caef0ff752adbfe249337c75e53ca91c
SHA256

0312de6f2b5a594b44ea1ebbeecbac3ae1bbba20e5726d432f26e2f467e0acdb
SHA512

0baa02bfeeb0581e791d001c96a4ce6ea2dc5411ce2192a78caac2e39c8d384845e2c6c86b0d8ce698d7b551a428395554933f2393146055d91f465f6731dca4
SSDEEP

1536:alngT8LgI7/Pr5KJfYa0Gldku3A2L3J9VqDlzVxyh+CbxMa:2omgILa0fu3x3J9IDlRxyhTb7

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caifjn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceebklai.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmpgpond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjakccop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Calcpm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ccjoli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ccjoli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	0312de6f2b5a594b44ea1ebbeecbac3ae1bbba20e5726d432f26e2f467e0acdb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cbdiia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Caifjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmpgpond.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	0312de6f2b5a594b44ea1ebbeecbac3ae1bbba20e5726d432f26e2f467e0acdb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cagienkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cagienkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceebklai.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjakccop.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calcpm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Danpemej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Danpemej.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbdiia32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjonncab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjonncab.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 11 IoCs

pid	Process
2128	Cbdiia32.exe
2356	Cagienkb.exe
2800	Cjonncab.exe
2240	Caifjn32.exe
2968	Ceebklai.exe
2536	Cjakccop.exe
3008	Cmpgpond.exe
268	Calcpm32.exe
1656	Ccjoli32.exe
1088	Danpemej.exe
1204	Dpapaj32.exe

Loads dropped DLL 25 IoCs

pid	Process
1880	0312de6f2b5a594b44ea1ebbeecbac3ae1bbba20e5726d432f26e2f467e0acdb.exe
1880	0312de6f2b5a594b44ea1ebbeecbac3ae1bbba20e5726d432f26e2f467e0acdb.exe
2128	Cbdiia32.exe
2128	Cbdiia32.exe
2356	Cagienkb.exe
2356	Cagienkb.exe
2800	Cjonncab.exe
2800	Cjonncab.exe
2240	Caifjn32.exe
2240	Caifjn32.exe
2968	Ceebklai.exe
2968	Ceebklai.exe
2536	Cjakccop.exe
2536	Cjakccop.exe
3008	Cmpgpond.exe
3008	Cmpgpond.exe
268	Calcpm32.exe
268	Calcpm32.exe
1656	Ccjoli32.exe
1656	Ccjoli32.exe
1088	Danpemej.exe
1088	Danpemej.exe
1960	WerFault.exe
1960	WerFault.exe
1960	WerFault.exe

Drops file in System32 directory 35 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Cbdiia32.exe	0312de6f2b5a594b44ea1ebbeecbac3ae1bbba20e5726d432f26e2f467e0acdb.exe
File opened for modification	C:\Windows\SysWOW64\Caifjn32.exe	Cjonncab.exe
File created	C:\Windows\SysWOW64\Cmpgpond.exe	Cjakccop.exe
File created	C:\Windows\SysWOW64\Cbehjc32.dll	Ccjoli32.exe
File created	C:\Windows\SysWOW64\Pdkefp32.dll	Danpemej.exe
File created	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe
File created	C:\Windows\SysWOW64\Cagienkb.exe	Cbdiia32.exe
File created	C:\Windows\SysWOW64\Caifjn32.exe	Cjonncab.exe
File created	C:\Windows\SysWOW64\Onaiomjo.dll	Cjonncab.exe
File opened for modification	C:\Windows\SysWOW64\Cmpgpond.exe	Cjakccop.exe
File opened for modification	C:\Windows\SysWOW64\Calcpm32.exe	Cmpgpond.exe
File created	C:\Windows\SysWOW64\Kgloog32.dll	Caifjn32.exe
File created	C:\Windows\SysWOW64\Calcpm32.exe	Cmpgpond.exe
File created	C:\Windows\SysWOW64\Ccjoli32.exe	Calcpm32.exe
File opened for modification	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe
File opened for modification	C:\Windows\SysWOW64\Ceebklai.exe	Caifjn32.exe
File created	C:\Windows\SysWOW64\Pcaibd32.dll	Cjakccop.exe
File created	C:\Windows\SysWOW64\Danpemej.exe	Ccjoli32.exe
File created	C:\Windows\SysWOW64\Cbdiia32.exe	0312de6f2b5a594b44ea1ebbeecbac3ae1bbba20e5726d432f26e2f467e0acdb.exe
File created	C:\Windows\SysWOW64\Cjonncab.exe	Cagienkb.exe
File created	C:\Windows\SysWOW64\Ceebklai.exe	Caifjn32.exe
File opened for modification	C:\Windows\SysWOW64\Cjakccop.exe	Ceebklai.exe
File created	C:\Windows\SysWOW64\Ofaejacl.dll	Cmpgpond.exe
File created	C:\Windows\SysWOW64\Dpapaj32.exe	Danpemej.exe
File opened for modification	C:\Windows\SysWOW64\Dpapaj32.exe	Danpemej.exe
File created	C:\Windows\SysWOW64\Fhgpia32.dll	0312de6f2b5a594b44ea1ebbeecbac3ae1bbba20e5726d432f26e2f467e0acdb.exe
File opened for modification	C:\Windows\SysWOW64\Cagienkb.exe	Cbdiia32.exe
File opened for modification	C:\Windows\SysWOW64\Cjonncab.exe	Cagienkb.exe
File created	C:\Windows\SysWOW64\Gpajfg32.dll	Ceebklai.exe
File opened for modification	C:\Windows\SysWOW64\Ccjoli32.exe	Calcpm32.exe
File created	C:\Windows\SysWOW64\Ciohdhad.dll	Calcpm32.exe
File opened for modification	C:\Windows\SysWOW64\Danpemej.exe	Ccjoli32.exe
File created	C:\Windows\SysWOW64\Hbcfdk32.dll	Cbdiia32.exe
File created	C:\Windows\SysWOW64\Oeopijom.dll	Cagienkb.exe
File created	C:\Windows\SysWOW64\Cjakccop.exe	Ceebklai.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1960	1204	WerFault.exe	41

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjonncab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caifjn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjakccop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danpemej.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbdiia32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagienkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceebklai.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmpgpond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calcpm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccjoli32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpapaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0312de6f2b5a594b44ea1ebbeecbac3ae1bbba20e5726d432f26e2f467e0acdb.exe

Modifies registry class 36 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onaiomjo.dll"	Cjonncab.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceebklai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjakccop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdkefp32.dll"	Danpemej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	0312de6f2b5a594b44ea1ebbeecbac3ae1bbba20e5726d432f26e2f467e0acdb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	0312de6f2b5a594b44ea1ebbeecbac3ae1bbba20e5726d432f26e2f467e0acdb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhgpia32.dll"	0312de6f2b5a594b44ea1ebbeecbac3ae1bbba20e5726d432f26e2f467e0acdb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbcfdk32.dll"	Cbdiia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oeopijom.dll"	Cagienkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Caifjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Caifjn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	0312de6f2b5a594b44ea1ebbeecbac3ae1bbba20e5726d432f26e2f467e0acdb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cbdiia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Danpemej.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cbdiia32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cagienkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ceebklai.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	0312de6f2b5a594b44ea1ebbeecbac3ae1bbba20e5726d432f26e2f467e0acdb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pcaibd32.dll"	Cjakccop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmpgpond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofaejacl.dll"	Cmpgpond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbehjc32.dll"	Ccjoli32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Danpemej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cagienkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmpgpond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Calcpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ccjoli32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjakccop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjonncab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgloog32.dll"	Caifjn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	0312de6f2b5a594b44ea1ebbeecbac3ae1bbba20e5726d432f26e2f467e0acdb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpajfg32.dll"	Ceebklai.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Calcpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciohdhad.dll"	Calcpm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ccjoli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjonncab.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 1880 wrote to memory of 2128	1880	0312de6f2b5a594b44ea1ebbeecbac3ae1bbba20e5726d432f26e2f467e0acdb.exe	31
PID 1880 wrote to memory of 2128	1880	0312de6f2b5a594b44ea1ebbeecbac3ae1bbba20e5726d432f26e2f467e0acdb.exe	31
PID 1880 wrote to memory of 2128	1880	0312de6f2b5a594b44ea1ebbeecbac3ae1bbba20e5726d432f26e2f467e0acdb.exe	31
PID 1880 wrote to memory of 2128	1880	0312de6f2b5a594b44ea1ebbeecbac3ae1bbba20e5726d432f26e2f467e0acdb.exe	31
PID 2128 wrote to memory of 2356	2128	Cbdiia32.exe	32
PID 2128 wrote to memory of 2356	2128	Cbdiia32.exe	32
PID 2128 wrote to memory of 2356	2128	Cbdiia32.exe	32
PID 2128 wrote to memory of 2356	2128	Cbdiia32.exe	32
PID 2356 wrote to memory of 2800	2356	Cagienkb.exe	33
PID 2356 wrote to memory of 2800	2356	Cagienkb.exe	33
PID 2356 wrote to memory of 2800	2356	Cagienkb.exe	33
PID 2356 wrote to memory of 2800	2356	Cagienkb.exe	33
PID 2800 wrote to memory of 2240	2800	Cjonncab.exe	34
PID 2800 wrote to memory of 2240	2800	Cjonncab.exe	34
PID 2800 wrote to memory of 2240	2800	Cjonncab.exe	34
PID 2800 wrote to memory of 2240	2800	Cjonncab.exe	34
PID 2240 wrote to memory of 2968	2240	Caifjn32.exe	35
PID 2240 wrote to memory of 2968	2240	Caifjn32.exe	35
PID 2240 wrote to memory of 2968	2240	Caifjn32.exe	35
PID 2240 wrote to memory of 2968	2240	Caifjn32.exe	35
PID 2968 wrote to memory of 2536	2968	Ceebklai.exe	36
PID 2968 wrote to memory of 2536	2968	Ceebklai.exe	36
PID 2968 wrote to memory of 2536	2968	Ceebklai.exe	36
PID 2968 wrote to memory of 2536	2968	Ceebklai.exe	36
PID 2536 wrote to memory of 3008	2536	Cjakccop.exe	37
PID 2536 wrote to memory of 3008	2536	Cjakccop.exe	37
PID 2536 wrote to memory of 3008	2536	Cjakccop.exe	37
PID 2536 wrote to memory of 3008	2536	Cjakccop.exe	37
PID 3008 wrote to memory of 268	3008	Cmpgpond.exe	38
PID 3008 wrote to memory of 268	3008	Cmpgpond.exe	38
PID 3008 wrote to memory of 268	3008	Cmpgpond.exe	38
PID 3008 wrote to memory of 268	3008	Cmpgpond.exe	38
PID 268 wrote to memory of 1656	268	Calcpm32.exe	39
PID 268 wrote to memory of 1656	268	Calcpm32.exe	39
PID 268 wrote to memory of 1656	268	Calcpm32.exe	39
PID 268 wrote to memory of 1656	268	Calcpm32.exe	39
PID 1656 wrote to memory of 1088	1656	Ccjoli32.exe	40
PID 1656 wrote to memory of 1088	1656	Ccjoli32.exe	40
PID 1656 wrote to memory of 1088	1656	Ccjoli32.exe	40
PID 1656 wrote to memory of 1088	1656	Ccjoli32.exe	40
PID 1088 wrote to memory of 1204	1088	Danpemej.exe	41
PID 1088 wrote to memory of 1204	1088	Danpemej.exe	41
PID 1088 wrote to memory of 1204	1088	Danpemej.exe	41
PID 1088 wrote to memory of 1204	1088	Danpemej.exe	41
PID 1204 wrote to memory of 1960	1204	Dpapaj32.exe	42
PID 1204 wrote to memory of 1960	1204	Dpapaj32.exe	42
PID 1204 wrote to memory of 1960	1204	Dpapaj32.exe	42
PID 1204 wrote to memory of 1960	1204	Dpapaj32.exe	42

C:\Users\Admin\AppData\Local\Temp\0312de6f2b5a594b44ea1ebbeecbac3ae1bbba20e5726d432f26e2f467e0acdb.exe
"C:\Users\Admin\AppData\Local\Temp\0312de6f2b5a594b44ea1ebbeecbac3ae1bbba20e5726d432f26e2f467e0acdb.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1880
- C:\Windows\SysWOW64\Cbdiia32.exe
  C:\Windows\system32\Cbdiia32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2128
- - C:\Windows\SysWOW64\Cagienkb.exe
    C:\Windows\system32\Cagienkb.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2356
  - - C:\Windows\SysWOW64\Cjonncab.exe
      C:\Windows\system32\Cjonncab.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2800
    - - C:\Windows\SysWOW64\Caifjn32.exe
        
        C:\Windows\system32\Caifjn32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2240
      - C:\Windows\SysWOW64\Ceebklai.exe
        
        C:\Windows\system32\Ceebklai.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2968
        
        C:\Windows\SysWOW64\Cjakccop.exe
        
        C:\Windows\system32\Cjakccop.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2536
        
        C:\Windows\SysWOW64\Cmpgpond.exe
        
        C:\Windows\system32\Cmpgpond.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3008
        
        C:\Windows\SysWOW64\Calcpm32.exe
        
        C:\Windows\system32\Calcpm32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:268
        
        C:\Windows\SysWOW64\Ccjoli32.exe
        
        C:\Windows\system32\Ccjoli32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1656
        
        C:\Windows\SysWOW64\Danpemej.exe
        
        C:\Windows\system32\Danpemej.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1088
        
        C:\Windows\SysWOW64\Dpapaj32.exe
        
        C:\Windows\system32\Dpapaj32.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1204
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1204 -s 144
        13⤵
        Loads dropped DLL
        Program crash
        
        PID:1960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Caifjn32.exe

Filesize
80KB

MD5
5c3fddfd43c81768b440d5d25101d862

SHA1
a85f9f75d0f4a836c675cccbb2dda497b40a55c2

SHA256
2e94636832f5d720b8aa98f6ff42c1abfbdfafac5b05132636cd9ca7af229d40

SHA512
6f1757573678cda7f268c1df35560149a3059c34b20cce16d1b2f5bfe90cbfff7773923236d214fef993b5d80d7b68c91eecb8718d34f4b2382c2e947724a996

Download Submit
C:\Windows\SysWOW64\Cbdiia32.exe

Filesize
80KB

MD5
7485edc7e88fa1c2292c8338dfb4f763

SHA1
b76a5b61bc66116c6697898a76d63bdef0c05c95

SHA256
6ba5ea771eb3622107762e39099ed163816e90b781116cc9f2a976729f2073de

SHA512
b6fec09ee661bb5473898f1227247de3c43a879515d9744e24ed6b7a617645efbd134ab80b67ba2573cd5b43ed1b8571f375ad14ee93ecc1566238f67396ff1f

Download Submit
C:\Windows\SysWOW64\Ccjoli32.exe

Filesize
80KB

MD5
2b9d4a8f22f8f7e852017d3272d41e4f

SHA1
9e40b51af2a69072f874a8ec246fb2db9c73bb10

SHA256
9d39741620d70de585e2eeb6c4d5fd25178c84b67c386da586038557c730c63d

SHA512
2b8048e2300813e95da923b14ede065122d744fb97e9be68c1697986fa76edad24f6c7f094eca4aa17b577ad533b5563ad954218bbde1daec730d0b606ab9f09

Download Submit
C:\Windows\SysWOW64\Cmpgpond.exe

Filesize
80KB

MD5
e1685ec1d682756fd862bba0fe9ca1fd

SHA1
968921e5f801cc87b1430bbbb29217760edb956d

SHA256
3b09b99d0f1ad683ff1b2fe52497df92ea6840fd38f0cf77ade1540888b0cb29

SHA512
c6015bbe029a798d6abdcd6ac22f1fe6b4fa11bcfd466fb93bc86797fe6f644f64522905694854bdcff74333ad1adad4ddb7c3afffe719171aaa73f3066eafa0

Download Submit
\Windows\SysWOW64\Cagienkb.exe

Filesize
80KB

MD5
0fd32b0a1d0163e5e55ada0072b171fd

SHA1
b2c47c569edb12291ea05798f9b6df2ba901829c

SHA256
e12ce3e62c8966786dacf2af854696c4265e0308e5b9b7edead7b72c7505d688

SHA512
7584d4e76e8c4b27bac1539879a69780795c545cd1e32ec9b2285c83ae29655b94f36fa4e571b3d130aa0505bc560b5e6219ad741747b4faa1a2745110b33843

Download Submit
\Windows\SysWOW64\Calcpm32.exe

Filesize
80KB

MD5
0e2b261fdd83ba9351a47fc34a8a975b

SHA1
961b0ca428d4222942755afe033285b69876f52d

SHA256
9b45f1df1cb364fca16039c1155b0a12b16edbdc07b998dab6fc2c455201aae9

SHA512
d7ad71086af0f6cf892ab78a0903b3dc3faabfa267d27989afbc28f98da9cd451d224e8e30953d523f71a68cfc2ccf0e974898045b78da3de4db70c7ace84652

Download Submit
\Windows\SysWOW64\Ceebklai.exe

Filesize
80KB

MD5
a50015a71b77c1fe049b22d4853ef579

SHA1
e7e68aced9057ded0ae2a6826088ec78cbacc212

SHA256
d7c8d3c74ccc40caba791e40f05c3398add63d268f8a798af06c42b8ee05e1c5

SHA512
322bdc38a2292d5d9159f77ca38c61e809956956a74243e0ecfceb6149c96e976b5c8c3dccd6ce44ac38b8e40e7ee1c5cfe052ac3ce509ee60a50a5490040628

Download Submit
\Windows\SysWOW64\Cjakccop.exe

Filesize
80KB

MD5
28169eacb3f26ee1cde4c1c5e6b73c5c

SHA1
9966e57e7040a007f97d06ede92bd5efb498d435

SHA256
610e33ee01e375f44f20ca5c1528cba76f7bb83010fcf29f98ebfc919911a6d3

SHA512
4b67cf7067c4580b70395f2281d739ab5e393262e7f035376619b8f1b7d54e3df0f62ffea5766de438cb72d7aa50dc9d4f596ceda3eea5c42b491433279be444

Download Submit
\Windows\SysWOW64\Cjonncab.exe

Filesize
80KB

MD5
b8f746f023d669d1acac193f6f0bb5cb

SHA1
3a90ca63923582c5f27f00fe1364177fd7c517cd

SHA256
7e7d842818e31c2cbd90f623b89d2ab0d9bd11150c242f4dbb6e1b821d2d0217

SHA512
127349017ab48ad56bfa012561746885c6b10f1dd3aa43eb785bf0898a921c6505b63dcb6bca5bb1fe0ef2f1b5afd973a99212dd4cdfe04e140ea60a23aacf51

Download Submit
\Windows\SysWOW64\Danpemej.exe

Filesize
80KB

MD5
0a115e7ebcab0598ada3b60cafe8f571

SHA1
d7fe74eeac6628ff8da76d92291f5952c44c3fd0

SHA256
ca9999f85eb58b3486f0fa6942b5d4373c3b003a2ecadf1adf013aaae4fb2fde

SHA512
a9f673e07ae60692135bcd4791c9019db3b19c9b8db7f30ed0dc0b4e539c643aff7f0632b21b525f88d1382726114999bad0ef51334d97b4dbc65016de64668e

Download Submit
\Windows\SysWOW64\Dpapaj32.exe

Filesize
80KB

MD5
3f0092e6359f9b3de09209906743020e

SHA1
d1fbd32d622a18cabf3d345c8f3f3c5458a566b0

SHA256
c2c6d3333c39e30e9369a7cbd2016866fc9bf27f195502df87fc59dd3d633090

SHA512
34e134d277ef8eb63edfb7af9a303926d2532e739820340bef12db53fecb99885b8bde8b454a5bda51cc976f36a735722a3d2cf0456f69763432b8b06f8691ec

Download Submit
memory/268-112-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/268-159-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1088-155-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1088-142-0x0000000001F40000-0x0000000001F80000-memory.dmp

Filesize
256KB

Download
memory/1204-164-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1204-148-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1656-129-0x0000000001F30000-0x0000000001F70000-memory.dmp

Filesize
256KB

Download
memory/1656-156-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1656-121-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1880-163-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1880-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1880-12-0x0000000000280000-0x00000000002C0000-memory.dmp

Filesize
256KB

Download
memory/1880-13-0x0000000000280000-0x00000000002C0000-memory.dmp

Filesize
256KB

Download
memory/2128-162-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2128-14-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2240-59-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2240-165-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2356-40-0x0000000000260000-0x00000000002A0000-memory.dmp

Filesize
256KB

Download
memory/2356-27-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2356-161-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2536-157-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2536-81-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2800-166-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2800-41-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2968-79-0x0000000000440000-0x0000000000480000-memory.dmp

Filesize
256KB

Download
memory/2968-158-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2968-67-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3008-95-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3008-160-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3008-106-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads