berbew | 3c48b9c17af352863fa399c867f761063e5c87506424d73ccf26e846f68345c6

Analysis

max time kernel
94s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
24-12-2024 21:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3c48b9c17af352863fa399c867f761063e5c87506424d73ccf26e846f68345c6.exe
Size

87KB
MD5

f5a49610f8d29d0e57d900346f66776c
SHA1

a64ce067c85f0594dee08a6e73f28c7c45006acf
SHA256

3c48b9c17af352863fa399c867f761063e5c87506424d73ccf26e846f68345c6
SHA512

6266d30c7f2aa2d565ffc13ae55d1745a3838587eb22e48f628d2a3188f80c75e64e677549bfb1698b1f6d0456d01d4c39837c8342165939efd327a4aec6378a
SSDEEP

1536:/HlT0DBqocKg4shVjGvk2iqVHrIXqIvruQFm6qQ/zY4RQ4+RSRBDNrR0RVe7R6Rj:/hABxeZVjpIH2dFm6jefAnDlmbGcGFDA

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://viruslist.com/wcmd.txt

http://viruslist.com/ppslog.php

http://viruslist.com/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	3c48b9c17af352863fa399c867f761063e5c87506424d73ccf26e846f68345c6.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Danecp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	3c48b9c17af352863fa399c867f761063e5c87506424d73ccf26e846f68345c6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dobfld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dogogcpo.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 12 IoCs

pid	Process
4560	Dfiafg32.exe
2776	Danecp32.exe
1152	Dhhnpjmh.exe
4408	Dobfld32.exe
4668	Ddonekbl.exe
1688	Dhkjej32.exe
2800	Dmgbnq32.exe
1924	Ddakjkqi.exe
2692	Dogogcpo.exe
1092	Dddhpjof.exe
492	Dgbdlf32.exe
3720	Dmllipeg.exe

Drops file in System32 directory 36 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Alcidkmm.dll	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Jbpbca32.dll	Ddonekbl.exe
File opened for modification	C:\Windows\SysWOW64\Ddakjkqi.exe	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Dgbdlf32.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Dfiafg32.exe	3c48b9c17af352863fa399c867f761063e5c87506424d73ccf26e846f68345c6.exe
File created	C:\Windows\SysWOW64\Kkmjgool.dll	3c48b9c17af352863fa399c867f761063e5c87506424d73ccf26e846f68345c6.exe
File opened for modification	C:\Windows\SysWOW64\Dhhnpjmh.exe	Danecp32.exe
File created	C:\Windows\SysWOW64\Dobfld32.exe	Dhhnpjmh.exe
File opened for modification	C:\Windows\SysWOW64\Dddhpjof.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Gfghpl32.dll	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Agjbpg32.dll	Dfiafg32.exe
File opened for modification	C:\Windows\SysWOW64\Dhkjej32.exe	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Dmgbnq32.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Ihidnp32.dll	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Danecp32.exe	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Nbgngp32.dll	Danecp32.exe
File opened for modification	C:\Windows\SysWOW64\Ddonekbl.exe	Dobfld32.exe
File opened for modification	C:\Windows\SysWOW64\Dgbdlf32.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Ddakjkqi.exe	Dmgbnq32.exe
File opened for modification	C:\Windows\SysWOW64\Dogogcpo.exe	Ddakjkqi.exe
File opened for modification	C:\Windows\SysWOW64\Danecp32.exe	Dfiafg32.exe
File opened for modification	C:\Windows\SysWOW64\Dmgbnq32.exe	Dhkjej32.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Gifhkeje.dll	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Amjknl32.dll	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Dddhpjof.exe	Dogogcpo.exe
File opened for modification	C:\Windows\SysWOW64\Dfiafg32.exe	3c48b9c17af352863fa399c867f761063e5c87506424d73ccf26e846f68345c6.exe
File opened for modification	C:\Windows\SysWOW64\Dobfld32.exe	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Ddonekbl.exe	Dobfld32.exe
File created	C:\Windows\SysWOW64\Mjelcfha.dll	Dobfld32.exe
File created	C:\Windows\SysWOW64\Dhhnpjmh.exe	Danecp32.exe
File created	C:\Windows\SysWOW64\Dhkjej32.exe	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Dogogcpo.exe	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Lbabpnmn.dll	Ddakjkqi.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2268	3720	WerFault.exe	94

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3c48b9c17af352863fa399c867f761063e5c87506424d73ccf26e846f68345c6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiafg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe

Modifies registry class 39 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	3c48b9c17af352863fa399c867f761063e5c87506424d73ccf26e846f68345c6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbpbca32.dll"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbabpnmn.dll"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	3c48b9c17af352863fa399c867f761063e5c87506424d73ccf26e846f68345c6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbgngp32.dll"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjelcfha.dll"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfghpl32.dll"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	3c48b9c17af352863fa399c867f761063e5c87506424d73ccf26e846f68345c6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	3c48b9c17af352863fa399c867f761063e5c87506424d73ccf26e846f68345c6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	3c48b9c17af352863fa399c867f761063e5c87506424d73ccf26e846f68345c6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkmjgool.dll"	3c48b9c17af352863fa399c867f761063e5c87506424d73ccf26e846f68345c6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Danecp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dobfld32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alcidkmm.dll"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agjbpg32.dll"	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihidnp32.dll"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gifhkeje.dll"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amjknl32.dll"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dddhpjof.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 4440 wrote to memory of 4560	4440	3c48b9c17af352863fa399c867f761063e5c87506424d73ccf26e846f68345c6.exe	83
PID 4440 wrote to memory of 4560	4440	3c48b9c17af352863fa399c867f761063e5c87506424d73ccf26e846f68345c6.exe	83
PID 4440 wrote to memory of 4560	4440	3c48b9c17af352863fa399c867f761063e5c87506424d73ccf26e846f68345c6.exe	83
PID 4560 wrote to memory of 2776	4560	Dfiafg32.exe	84
PID 4560 wrote to memory of 2776	4560	Dfiafg32.exe	84
PID 4560 wrote to memory of 2776	4560	Dfiafg32.exe	84
PID 2776 wrote to memory of 1152	2776	Danecp32.exe	85
PID 2776 wrote to memory of 1152	2776	Danecp32.exe	85
PID 2776 wrote to memory of 1152	2776	Danecp32.exe	85
PID 1152 wrote to memory of 4408	1152	Dhhnpjmh.exe	86
PID 1152 wrote to memory of 4408	1152	Dhhnpjmh.exe	86
PID 1152 wrote to memory of 4408	1152	Dhhnpjmh.exe	86
PID 4408 wrote to memory of 4668	4408	Dobfld32.exe	87
PID 4408 wrote to memory of 4668	4408	Dobfld32.exe	87
PID 4408 wrote to memory of 4668	4408	Dobfld32.exe	87
PID 4668 wrote to memory of 1688	4668	Ddonekbl.exe	88
PID 4668 wrote to memory of 1688	4668	Ddonekbl.exe	88
PID 4668 wrote to memory of 1688	4668	Ddonekbl.exe	88
PID 1688 wrote to memory of 2800	1688	Dhkjej32.exe	89
PID 1688 wrote to memory of 2800	1688	Dhkjej32.exe	89
PID 1688 wrote to memory of 2800	1688	Dhkjej32.exe	89
PID 2800 wrote to memory of 1924	2800	Dmgbnq32.exe	90
PID 2800 wrote to memory of 1924	2800	Dmgbnq32.exe	90
PID 2800 wrote to memory of 1924	2800	Dmgbnq32.exe	90
PID 1924 wrote to memory of 2692	1924	Ddakjkqi.exe	91
PID 1924 wrote to memory of 2692	1924	Ddakjkqi.exe	91
PID 1924 wrote to memory of 2692	1924	Ddakjkqi.exe	91
PID 2692 wrote to memory of 1092	2692	Dogogcpo.exe	92
PID 2692 wrote to memory of 1092	2692	Dogogcpo.exe	92
PID 2692 wrote to memory of 1092	2692	Dogogcpo.exe	92
PID 1092 wrote to memory of 492	1092	Dddhpjof.exe	93
PID 1092 wrote to memory of 492	1092	Dddhpjof.exe	93
PID 1092 wrote to memory of 492	1092	Dddhpjof.exe	93
PID 492 wrote to memory of 3720	492	Dgbdlf32.exe	94
PID 492 wrote to memory of 3720	492	Dgbdlf32.exe	94
PID 492 wrote to memory of 3720	492	Dgbdlf32.exe	94

C:\Users\Admin\AppData\Local\Temp\3c48b9c17af352863fa399c867f761063e5c87506424d73ccf26e846f68345c6.exe
"C:\Users\Admin\AppData\Local\Temp\3c48b9c17af352863fa399c867f761063e5c87506424d73ccf26e846f68345c6.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4440
- C:\Windows\SysWOW64\Dfiafg32.exe
  C:\Windows\system32\Dfiafg32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4560
- - C:\Windows\SysWOW64\Danecp32.exe
    C:\Windows\system32\Danecp32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2776
  - - C:\Windows\SysWOW64\Dhhnpjmh.exe
      C:\Windows\system32\Dhhnpjmh.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1152
    - - C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4408
      - C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4668
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1688
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2800
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1924
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2692
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1092
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:492
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3720
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3720 -s 408
        14⤵
        Program crash
        
        PID:2268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3720 -ip 3720
1⤵
PID:5072

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Danecp32.exe

Filesize
87KB

MD5
d1b56ff18375e9d165d791f4b47d0489

SHA1
534405e04b7e7a73b8a4e56649f05c748c96a352

SHA256
cd51d997e4f00028a49cb5a1196b2d32b45dcac9c8d8c907bf10ac81965dbb1e

SHA512
cd606d87c5d65ca492683613256116b2ccedec4a189d0a05f6cd609303ba67629801ca3c6bf717336d529129165770e23d808ed83a61ca437137062af8d353e1

Download Submit
C:\Windows\SysWOW64\Ddakjkqi.exe

Filesize
87KB

MD5
e1378937b8f11c072a2fcccafd4c00c4

SHA1
9540f4d9c0ede7c291c26946abf651b7be2a74bb

SHA256
663c4cc59615d4c4ce3ca672f1c8deeb1c7a0339c8e279eee7d48993b07303de

SHA512
ebea386c7f8e4c7b6eddb07bfe13f48fcc68c1b8040f7670c1064e41b95c7845eb686b881271d711f3d39ac9d33ce0168afa8d10616c89a602942f977978ae41

Download Submit
C:\Windows\SysWOW64\Dddhpjof.exe

Filesize
87KB

MD5
10494df78d10a84c1f7d3bd634a30d24

SHA1
7907da55f08c3c3b14ea3e3e38543470dbce0daa

SHA256
7cb79e3ac86645f70dcbcb0f13df2b9311648684f4ffdacd4250528817d2ab38

SHA512
116bbd83f35d6a963b32a57228f8178a59aeb6ea86e6c04e51b79bd25fc7d0860beae02a29e59f07949bfcf40429078cba98a0469b6795b975363d1bd125cc7d

Download Submit
C:\Windows\SysWOW64\Ddonekbl.exe

Filesize
87KB

MD5
245b595221e89c9ace32acf7b74559ed

SHA1
dbec66fd2da2e81c2c3c9006f169d6604d6bd337

SHA256
60722db07e9c5b3a4c4f808b03beeae351146ef815be8880853c147270719198

SHA512
7788753fd4da10592079928d4f545ba10be5fdd2456430abc25d2672c5aff7c1c100b043a4f8e09baca00f58e8b58ddc0c62bf98b499323eee3d4e587567fc93

Download Submit
C:\Windows\SysWOW64\Dfiafg32.exe

Filesize
87KB

MD5
c41427dcd101cbc9832e3978473e9c90

SHA1
03f6d7398a0fba5e8e3fa7ed3e55f4bb19ba9077

SHA256
cc4d67ffbe37f3ecc8e29039779f1167626935985f86c2702e7bd942b1107c8f

SHA512
2e44f2cae518a6a5b45e26beed7b1fd419f7794e50ea0b714c9f46a3ee06038a8ffc2e1df80bbc3a4854195bdf54d33cbeba75a11683caa9a882d1e75d96295d

Download Submit
C:\Windows\SysWOW64\Dgbdlf32.exe

Filesize
87KB

MD5
f429c55b2d84c2bf494ccb27c715673d

SHA1
9168477eed92c3e35531a14823627a4d0bbba6e7

SHA256
1cb3e06ede13901879d82eba6292314116b30777bfda75bd6eaeec18b16f2c12

SHA512
e48a9fcb18015cd410c1724a9c7c8134e7398355ddfe94dc2176e8150d22e0ae5368c8ff583ca15e2836774c037afdc77e7e773d95b3b3996839df46839f7881

Download Submit
C:\Windows\SysWOW64\Dhhnpjmh.exe

Filesize
87KB

MD5
8874018777167866b432a58acbcccbd1

SHA1
ed14ce6de49b656b56fe7c3de102855f6b50b7c6

SHA256
73a100d433cdf522e6e366294954f32d5c621fac437c906b066fa6774c23e1a5

SHA512
12fed2236b0c1c69cae66b83dfdfd1fd0f90397c0ac960329f0b5776f1287dcd268052b68940e2f3587ea3b6e680bf3df48231f095ecbf0c5edb92be0329d28e

Download Submit
C:\Windows\SysWOW64\Dhkjej32.exe

Filesize
87KB

MD5
b1e10238c24d63791c343352b72b6da9

SHA1
87223ee4dc52e4f561c4108bf8d7c09b5c4ae80f

SHA256
2a7ac043ff39915e11ce249c03e71e570760d00f04fcd0738490466e241f4b39

SHA512
b351c1fca6cde54e4bfa22b50d32c3f468dd2aea5b4be977d94bede3b188a13189c8ffc74f4949b41a1d430b2553fecb96e88937813ba448fb5359dbd7411565

Download Submit
C:\Windows\SysWOW64\Dmgbnq32.exe

Filesize
87KB

MD5
06ce8175e8d0dd382f4737d868b15e1b

SHA1
862a4982a324a8a23a046ceb0dc2716468150bae

SHA256
7d5720c926b765f464d2f2285997cd31ead2d6627e8007ab3f1816eccf6855a5

SHA512
a120773cc2472199faf1a15d874727397485511447411385826097e554747075d3c84fa4ba6a9d79dc1352dc00bf5c29ba510bed39831101595f59c658c1c919

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
87KB

MD5
5c3fa79b8d309deb9f453bfeabefca2f

SHA1
7e8a08050f8c0659bab3f1b37eee53aa86b25579

SHA256
9d1452e1dc2c3d6094e49c1d12e0720c5c5c06b3d8f435164ae8f65c4ba1abc0

SHA512
f96bf717fbcd31f7b3e111d77e9df4e90cc632994c4c087b6943de567367e35859beae2692919c9503b6b6bd8456ef65458c64ed4a994322d4be9ab54d7cd7b0

Download Submit
C:\Windows\SysWOW64\Dobfld32.exe

Filesize
87KB

MD5
fe648d04a630ed355645e9f37aa5ad1f

SHA1
6f1036e3e5539769277e289dde534532f51bfc45

SHA256
0b207df7d4bab203fc407efa00c12d226c31ee967b999d4bb807eacf63cefb15

SHA512
a94f1c46c3563e7c96cd8274933f715f19a3687ad4779059ce42251e8d434402fc3237fc9ce114e4b86526e1fd1217186844d5756af000a753e45f653b2f98fa

Download Submit
C:\Windows\SysWOW64\Dogogcpo.exe

Filesize
87KB

MD5
b6aeb8e0c0dbc246d8c9cb13acb4fca5

SHA1
bba37b71cb16aa2399c8e688101744ff9122eb4d

SHA256
df0aab49dde927cba1b25b6381bdb23855604029d394906a98abbf96d0dfe5a7

SHA512
fdb62d58502c94b65facd4e68d5687cdbcc27ec45c449131e0b0944283a3477b9f6500df24ce11b71e6ab0990206d307ad3a134deabf5a667b7d6b4dfb3568ed

Download Submit
C:\Windows\SysWOW64\Mjelcfha.dll

Filesize
7KB

MD5
57526697b2b2d06cd9b849c92d0851f0

SHA1
63a9a818d47486ef8c8de22de81bcf56fe1800b7

SHA256
1908eda5068281840f0b7c9709e3a27e44d5104941a7c7cfad753eed45db4b86

SHA512
2bee3bdebb104d54313022ec964ed5832c464e3de823d699c97e859901d71dfb5742e74dcb695266315cfeb15cfa2b254394fb362c3d821883005d7bb81fae84

Download Submit
memory/492-90-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/492-102-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1092-103-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1092-81-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1152-24-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1152-100-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1688-107-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1688-48-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1924-106-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1924-63-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2692-71-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2692-104-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2776-15-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2776-98-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2800-105-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2800-55-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3720-101-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3720-99-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4408-32-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4408-109-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4440-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4440-80-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4560-89-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4560-7-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4668-108-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4668-40-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads