berbew | 1bb5ed590c509a0b02039ad6e0f63302c9387d3eb06a36dd82dfda619b66867f

Analysis

max time kernel
94s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
24-12-2024 20:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1bb5ed590c509a0b02039ad6e0f63302c9387d3eb06a36dd82dfda619b66867f.exe
Size

104KB
MD5

b71a3db2afc0c8ef33ff9e1a7d4da95b
SHA1

feba237ed2bc958d0977158540c3fc27de4433ce
SHA256

1bb5ed590c509a0b02039ad6e0f63302c9387d3eb06a36dd82dfda619b66867f
SHA512

9b18005d31efa7b3bc61f5226abd61233b4491b1da8f311eff745111a22d6513a65c30422a9ccd80895d7632c79c71deda7a1f3fab788e53d404326eba2857b0
SSDEEP

1536:PDYZYci+x458McMJy0iYevDnxXRVkeyyVr3iwcH2ogHq/i352S:7YZYWE8E9iYebN3kremwc/gHq/e

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 18 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Daconoae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	1bb5ed590c509a0b02039ad6e0f63302c9387d3eb06a36dd82dfda619b66867f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Delnin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	1bb5ed590c509a0b02039ad6e0f63302c9387d3eb06a36dd82dfda619b66867f.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Delnin32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 9 IoCs

pid	Process
2416	Djgjlelk.exe
4672	Delnin32.exe
1640	Dhkjej32.exe
2816	Daconoae.exe
3716	Ddakjkqi.exe
4500	Dogogcpo.exe
3192	Dmjocp32.exe
4536	Dgbdlf32.exe
4620	Dmllipeg.exe

Drops file in System32 directory 27 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Dhkjej32.exe	Delnin32.exe
File created	C:\Windows\SysWOW64\Lbabpnmn.dll	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Delnin32.exe	Djgjlelk.exe
File opened for modification	C:\Windows\SysWOW64\Delnin32.exe	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Gmcfdb32.dll	Djgjlelk.exe
File opened for modification	C:\Windows\SysWOW64\Dhkjej32.exe	Delnin32.exe
File opened for modification	C:\Windows\SysWOW64\Djgjlelk.exe	1bb5ed590c509a0b02039ad6e0f63302c9387d3eb06a36dd82dfda619b66867f.exe
File opened for modification	C:\Windows\SysWOW64\Ddakjkqi.exe	Daconoae.exe
File opened for modification	C:\Windows\SysWOW64\Dgbdlf32.exe	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Gfghpl32.dll	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Beeppfin.dll	1bb5ed590c509a0b02039ad6e0f63302c9387d3eb06a36dd82dfda619b66867f.exe
File created	C:\Windows\SysWOW64\Jbpbca32.dll	Delnin32.exe
File created	C:\Windows\SysWOW64\Dogogcpo.exe	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Dgbdlf32.exe	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Daconoae.exe	Dhkjej32.exe
File opened for modification	C:\Windows\SysWOW64\Daconoae.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Ddakjkqi.exe	Daconoae.exe
File created	C:\Windows\SysWOW64\Dmjocp32.exe	Dogogcpo.exe
File opened for modification	C:\Windows\SysWOW64\Dmjocp32.exe	Dogogcpo.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dgbdlf32.exe
File opened for modification	C:\Windows\SysWOW64\Dogogcpo.exe	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Oammoc32.dll	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Gifhkeje.dll	Daconoae.exe
File created	C:\Windows\SysWOW64\Bobiobnp.dll	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Djgjlelk.exe	1bb5ed590c509a0b02039ad6e0f63302c9387d3eb06a36dd82dfda619b66867f.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dgbdlf32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
428	4620	WerFault.exe	91

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1bb5ed590c509a0b02039ad6e0f63302c9387d3eb06a36dd82dfda619b66867f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe

Modifies registry class 30 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	1bb5ed590c509a0b02039ad6e0f63302c9387d3eb06a36dd82dfda619b66867f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Delnin32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbpbca32.dll"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bobiobnp.dll"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	1bb5ed590c509a0b02039ad6e0f63302c9387d3eb06a36dd82dfda619b66867f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	1bb5ed590c509a0b02039ad6e0f63302c9387d3eb06a36dd82dfda619b66867f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfghpl32.dll"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oammoc32.dll"	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmcfdb32.dll"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbabpnmn.dll"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	1bb5ed590c509a0b02039ad6e0f63302c9387d3eb06a36dd82dfda619b66867f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Beeppfin.dll"	1bb5ed590c509a0b02039ad6e0f63302c9387d3eb06a36dd82dfda619b66867f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	1bb5ed590c509a0b02039ad6e0f63302c9387d3eb06a36dd82dfda619b66867f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gifhkeje.dll"	Daconoae.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 3932 wrote to memory of 2416	3932	1bb5ed590c509a0b02039ad6e0f63302c9387d3eb06a36dd82dfda619b66867f.exe	83
PID 3932 wrote to memory of 2416	3932	1bb5ed590c509a0b02039ad6e0f63302c9387d3eb06a36dd82dfda619b66867f.exe	83
PID 3932 wrote to memory of 2416	3932	1bb5ed590c509a0b02039ad6e0f63302c9387d3eb06a36dd82dfda619b66867f.exe	83
PID 2416 wrote to memory of 4672	2416	Djgjlelk.exe	84
PID 2416 wrote to memory of 4672	2416	Djgjlelk.exe	84
PID 2416 wrote to memory of 4672	2416	Djgjlelk.exe	84
PID 4672 wrote to memory of 1640	4672	Delnin32.exe	85
PID 4672 wrote to memory of 1640	4672	Delnin32.exe	85
PID 4672 wrote to memory of 1640	4672	Delnin32.exe	85
PID 1640 wrote to memory of 2816	1640	Dhkjej32.exe	86
PID 1640 wrote to memory of 2816	1640	Dhkjej32.exe	86
PID 1640 wrote to memory of 2816	1640	Dhkjej32.exe	86
PID 2816 wrote to memory of 3716	2816	Daconoae.exe	87
PID 2816 wrote to memory of 3716	2816	Daconoae.exe	87
PID 2816 wrote to memory of 3716	2816	Daconoae.exe	87
PID 3716 wrote to memory of 4500	3716	Ddakjkqi.exe	88
PID 3716 wrote to memory of 4500	3716	Ddakjkqi.exe	88
PID 3716 wrote to memory of 4500	3716	Ddakjkqi.exe	88
PID 4500 wrote to memory of 3192	4500	Dogogcpo.exe	89
PID 4500 wrote to memory of 3192	4500	Dogogcpo.exe	89
PID 4500 wrote to memory of 3192	4500	Dogogcpo.exe	89
PID 3192 wrote to memory of 4536	3192	Dmjocp32.exe	90
PID 3192 wrote to memory of 4536	3192	Dmjocp32.exe	90
PID 3192 wrote to memory of 4536	3192	Dmjocp32.exe	90
PID 4536 wrote to memory of 4620	4536	Dgbdlf32.exe	91
PID 4536 wrote to memory of 4620	4536	Dgbdlf32.exe	91
PID 4536 wrote to memory of 4620	4536	Dgbdlf32.exe	91

C:\Users\Admin\AppData\Local\Temp\1bb5ed590c509a0b02039ad6e0f63302c9387d3eb06a36dd82dfda619b66867f.exe
"C:\Users\Admin\AppData\Local\Temp\1bb5ed590c509a0b02039ad6e0f63302c9387d3eb06a36dd82dfda619b66867f.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3932
- C:\Windows\SysWOW64\Djgjlelk.exe
  C:\Windows\system32\Djgjlelk.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2416
- - C:\Windows\SysWOW64\Delnin32.exe
    C:\Windows\system32\Delnin32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4672
  - - C:\Windows\SysWOW64\Dhkjej32.exe
      C:\Windows\system32\Dhkjej32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1640
    - - C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2816
      - C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3716
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4500
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3192
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4536
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4620
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4620 -s 408
        11⤵
        Program crash
        
        PID:428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4620 -ip 4620
1⤵
PID:2640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Daconoae.exe

Filesize
104KB

MD5
2e31165c28f196a82215570dd2c2dc42

SHA1
1a8bdd4aa50743507613e9bbffa11678a6779976

SHA256
3d6ef9625db879decd3b9f849c0e6b8f527eb87805b73f66258ed8348d9d1939

SHA512
c75dded8384a7b6f2f19a8ab20f65f0c113c66f2efbf8286c2fcf91be29f1c421c9cee9385edd7b38b655af008dda94f6eff484121ba19dc42daefc46e5cb3c6

Download Submit
C:\Windows\SysWOW64\Ddakjkqi.exe

Filesize
104KB

MD5
350bc9908a126cc433886bb409219ad1

SHA1
3a97f9b4c1f27a902b4c0ecf1b02c6d7a7a9b917

SHA256
e52aafbee072257926074ec815d67e8b7e5b0ccb813f0f5ad954ff8a85b655e8

SHA512
481d2d40e7f7094c946b7b5b82df20fd611a4dcf9e8ad11a0abf3443b425a307e135db0cbb737c1d61fb59f6a4faaa4af3abbbfd2ce3229d5b2152fe7d79faf7

Download Submit
C:\Windows\SysWOW64\Delnin32.exe

Filesize
104KB

MD5
daf05cc25e58f423b0a0d7ec05bf271b

SHA1
4711f6ea67a193395a208d916a80c5b084223fe8

SHA256
6f2e1beb0245189965893f156bc30fee15926813ff038ab85d9064c4c98b2e2e

SHA512
2241531feec64c7b3da083000d18ef239bac9826f132a057998244b795bdd8f210ba9c54defa5ec0c925043c4a997bd6b23942ca6957fbe6c839b55375d826b4

Download Submit
C:\Windows\SysWOW64\Dgbdlf32.exe

Filesize
104KB

MD5
0e9a11b240dd02e14d868dd226db7abc

SHA1
4ef7e36b08dde34699dead6698151c5226b1b100

SHA256
04e9c7499d133ce7287fd60c5696d5ab6b90b93359bdca770a64b0ba4310bf2e

SHA512
2ff30de1ddec23ea85c5d7aa15f1101b414eb2404b4badc956c85f4130235f311fe1c94b8423d1f8e66c3ccd97cb86a4d193d6a4aa3cb746bcc0d9787f0c6a79

Download Submit
C:\Windows\SysWOW64\Dhkjej32.exe

Filesize
104KB

MD5
6d48f868878ee4123f355adf0209f7a9

SHA1
0a7555e5f91c0241a413dd958d659b99a344b3ee

SHA256
fffa352c16eea97e4a7f56d196de7073610b64e3271fea411eddc0a12335e967

SHA512
165256cf86f85ac00d01fe9cfd9e184c40f37716b359513e5fec6d1ae4dec8433d89c3e8c97a6b0c0bbfe77883b3d474ffb80315e9ce01ffc389519c55355cc1

Download Submit
C:\Windows\SysWOW64\Djgjlelk.exe

Filesize
104KB

MD5
9a8ab11e99919fa97baff0a14ce7b66f

SHA1
fe758aa240b7cc544ed7f023a743bbd761490d70

SHA256
97fe7d27fc862cb9f7d58066d2b6a9547a798422419f2010deb481a7f7b99be3

SHA512
b04a538fac68ab285cfaa2c7a1ccb3e0e7c7032b9dc6d95da00dca81f3b7a4047eb7719ef9534f21b65dc9af3ebfe9d3be1996b478c24a332c585a21aad5ca1d

Download Submit
C:\Windows\SysWOW64\Dmjocp32.exe

Filesize
104KB

MD5
c345506ddd5514f1812897f7f21896d8

SHA1
5cd9cfd2f2fa9b3e8be92351df9b6bd4587152e7

SHA256
5d7e6b0d682ae8171e26cac059ca464ac3d390492c1f74cbd3e0a977b33c8a95

SHA512
a4a848737dd3fd7f4b06d119ca770dab7f96114b3f337e2a861723b8d4e2b1a09cc05097f3722d872c02fce34eb53fd651e1d4b7ad4483898b22f389ec3e4738

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
104KB

MD5
3c456d09f9b2a114d07e54533e7d49e6

SHA1
423838a137b06216121fea654f949c92ee60ff6a

SHA256
d45a34b5b8d77a0261f0a4b0f8399cd8377d2e98eba324f6c400b4b66e066392

SHA512
f849ac3a90a2d3d564660623f152fae1cc8b37e60e05a06ac15dce6fff03601fe87586389bb2b5a83b855bf03fdaff6d85c7260a46952f806a2d743024878f77

Download Submit
C:\Windows\SysWOW64\Dogogcpo.exe

Filesize
104KB

MD5
9954c55a8a74a4cb238beaa815dda53b

SHA1
78e1f5d51cf83019f45b58991510df9e771832c9

SHA256
62b49bbba7395602d2741756abd8fc29f68dbda16b529e6ef1c15c5cd454a533

SHA512
2dc3bd40490247db54de1f35080d875c23ef53208d3c8c3a6e349e57c4a59f4ab7f61b7197953627c8e0274fd3ba44b513953a6e035460d35b462e7f4ac4f5a1

Download Submit
C:\Windows\SysWOW64\Gifhkeje.dll

Filesize
7KB

MD5
f3e1f9f5db443ec0e15996626ffc22e2

SHA1
0e1ab1d9924d3891db8d60f2475ea1e056ed31ae

SHA256
1667d79bd9aa68b988032edaffca1061e1296f983e2e7e53a57ff6db240ab07d

SHA512
a33fe01132052804a5b7d450430244a1084de00e07b5542406f44a484b8c9069b65de52b9c2f230130dfc45a92bb44a9b69a772581223d77aa134e1aede85741

Download Submit
memory/1640-79-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1640-24-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2416-81-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2416-7-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2816-31-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2816-78-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3192-75-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3192-56-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3716-77-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3716-39-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3932-0-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3932-82-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4500-48-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4500-76-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4536-74-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4536-64-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4620-71-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4620-73-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4672-80-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4672-16-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads