berbew | 93b3acc0e619066a3acef632e7ca317446d722ae0fa95b462215b4f91a09c81b

Analysis

max time kernel
67s
max time network
20s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
25-12-2024 00:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

93b3acc0e619066a3acef632e7ca317446d722ae0fa95b462215b4f91a09c81b.exe
Size

96KB
MD5

5289191f851f989d93f6fe92d3ba07dd
SHA1

78a6a74d5b70ed1e36159aeea79cc236ffb7b003
SHA256

93b3acc0e619066a3acef632e7ca317446d722ae0fa95b462215b4f91a09c81b
SHA512

94092736f3d1235a9bee10d7f6ebf0335ee8ad01379b107a15f4875b4220d5e4916aeb825fe9315a16368a8511cf4f61b7360ec9f58657386b78814c5c848daf
SSDEEP

1536:hPH3+1aSB5PVo7U34UVBqH32MTIC+ctmAb0OCr+TjtduV9jojTIvjrH:5EBoUoUVEH32YAcx0Ok+Htd69jc0vf

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfkclf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dfkclf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eddjhb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Eddjhb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ckecpjdh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjmmffgn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Donojm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Donojm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dqddmd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dbdagg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckecpjdh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cpbkhabp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpiaipmh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dqddmd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dbdagg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	93b3acc0e619066a3acef632e7ca317446d722ae0fa95b462215b4f91a09c81b.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpbkhabp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cjmmffgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cpiaipmh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	93b3acc0e619066a3acef632e7ca317446d722ae0fa95b462215b4f91a09c81b.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ejabqi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ejabqi32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 11 IoCs

pid	Process
2908	Ckecpjdh.exe
3060	Cpbkhabp.exe
1492	Cjmmffgn.exe
2692	Cpiaipmh.exe
1892	Donojm32.exe
2192	Dfkclf32.exe
1980	Dqddmd32.exe
2300	Dbdagg32.exe
1488	Eddjhb32.exe
3024	Ejabqi32.exe
700	Flnndp32.exe

Loads dropped DLL 26 IoCs

pid	Process
1680	93b3acc0e619066a3acef632e7ca317446d722ae0fa95b462215b4f91a09c81b.exe
1680	93b3acc0e619066a3acef632e7ca317446d722ae0fa95b462215b4f91a09c81b.exe
2908	Ckecpjdh.exe
2908	Ckecpjdh.exe
3060	Cpbkhabp.exe
3060	Cpbkhabp.exe
1492	Cjmmffgn.exe
1492	Cjmmffgn.exe
2692	Cpiaipmh.exe
2692	Cpiaipmh.exe
1892	Donojm32.exe
1892	Donojm32.exe
2192	Dfkclf32.exe
2192	Dfkclf32.exe
1980	Dqddmd32.exe
1980	Dqddmd32.exe
2300	Dbdagg32.exe
2300	Dbdagg32.exe
1488	Eddjhb32.exe
1488	Eddjhb32.exe
3024	Ejabqi32.exe
3024	Ejabqi32.exe
564	WerFault.exe
564	WerFault.exe
564	WerFault.exe
564	WerFault.exe

Drops file in System32 directory 33 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Cpbkhabp.exe	Ckecpjdh.exe
File opened for modification	C:\Windows\SysWOW64\Donojm32.exe	Cpiaipmh.exe
File created	C:\Windows\SysWOW64\Eddjhb32.exe	Dbdagg32.exe
File created	C:\Windows\SysWOW64\Oamcoejo.dll	Dqddmd32.exe
File created	C:\Windows\SysWOW64\Donojm32.exe	Cpiaipmh.exe
File created	C:\Windows\SysWOW64\Ejnbekph.dll	Donojm32.exe
File created	C:\Windows\SysWOW64\Dqddmd32.exe	Dfkclf32.exe
File created	C:\Windows\SysWOW64\Cpiaipmh.exe	Cjmmffgn.exe
File opened for modification	C:\Windows\SysWOW64\Dfkclf32.exe	Donojm32.exe
File opened for modification	C:\Windows\SysWOW64\Eddjhb32.exe	Dbdagg32.exe
File created	C:\Windows\SysWOW64\Olahgd32.dll	Dbdagg32.exe
File created	C:\Windows\SysWOW64\Ppaloola.dll	Ckecpjdh.exe
File created	C:\Windows\SysWOW64\Cjmmffgn.exe	Cpbkhabp.exe
File created	C:\Windows\SysWOW64\Ddbdimmi.dll	Cpbkhabp.exe
File opened for modification	C:\Windows\SysWOW64\Dqddmd32.exe	Dfkclf32.exe
File created	C:\Windows\SysWOW64\Jbaajccm.dll	Dfkclf32.exe
File created	C:\Windows\SysWOW64\Jcmfjeap.dll	Eddjhb32.exe
File created	C:\Windows\SysWOW64\Ckecpjdh.exe	93b3acc0e619066a3acef632e7ca317446d722ae0fa95b462215b4f91a09c81b.exe
File created	C:\Windows\SysWOW64\Cpbkhabp.exe	Ckecpjdh.exe
File created	C:\Windows\SysWOW64\Ejabqi32.exe	Eddjhb32.exe
File created	C:\Windows\SysWOW64\Bdohpb32.dll	93b3acc0e619066a3acef632e7ca317446d722ae0fa95b462215b4f91a09c81b.exe
File created	C:\Windows\SysWOW64\Hclmphpn.dll	Cjmmffgn.exe
File created	C:\Windows\SysWOW64\Dfkclf32.exe	Donojm32.exe
File opened for modification	C:\Windows\SysWOW64\Ejabqi32.exe	Eddjhb32.exe
File created	C:\Windows\SysWOW64\Onndkg32.dll	Ejabqi32.exe
File opened for modification	C:\Windows\SysWOW64\Ckecpjdh.exe	93b3acc0e619066a3acef632e7ca317446d722ae0fa95b462215b4f91a09c81b.exe
File opened for modification	C:\Windows\SysWOW64\Cpiaipmh.exe	Cjmmffgn.exe
File created	C:\Windows\SysWOW64\Dbdagg32.exe	Dqddmd32.exe
File created	C:\Windows\SysWOW64\Flnndp32.exe	Ejabqi32.exe
File opened for modification	C:\Windows\SysWOW64\Flnndp32.exe	Ejabqi32.exe
File opened for modification	C:\Windows\SysWOW64\Cjmmffgn.exe	Cpbkhabp.exe
File created	C:\Windows\SysWOW64\Egbigm32.dll	Cpiaipmh.exe
File opened for modification	C:\Windows\SysWOW64\Dbdagg32.exe	Dqddmd32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
564	700	WerFault.exe	40

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Donojm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	93b3acc0e619066a3acef632e7ca317446d722ae0fa95b462215b4f91a09c81b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckecpjdh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjmmffgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpiaipmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eddjhb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ejabqi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Flnndp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpbkhabp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfkclf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dqddmd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dbdagg32.exe

Modifies registry class 36 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcmfjeap.dll"	Eddjhb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ejabqi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdohpb32.dll"	93b3acc0e619066a3acef632e7ca317446d722ae0fa95b462215b4f91a09c81b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hclmphpn.dll"	Cjmmffgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egbigm32.dll"	Cpiaipmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dqddmd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	93b3acc0e619066a3acef632e7ca317446d722ae0fa95b462215b4f91a09c81b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cjmmffgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbaajccm.dll"	Dfkclf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dbdagg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	93b3acc0e619066a3acef632e7ca317446d722ae0fa95b462215b4f91a09c81b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cpbkhabp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejnbekph.dll"	Donojm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oamcoejo.dll"	Dqddmd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onndkg32.dll"	Ejabqi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	93b3acc0e619066a3acef632e7ca317446d722ae0fa95b462215b4f91a09c81b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cpbkhabp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddbdimmi.dll"	Cpbkhabp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dqddmd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Eddjhb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ckecpjdh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cpiaipmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dfkclf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dbdagg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cjmmffgn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Donojm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Eddjhb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	93b3acc0e619066a3acef632e7ca317446d722ae0fa95b462215b4f91a09c81b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppaloola.dll"	Ckecpjdh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cpiaipmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olahgd32.dll"	Dbdagg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ejabqi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	93b3acc0e619066a3acef632e7ca317446d722ae0fa95b462215b4f91a09c81b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ckecpjdh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Donojm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dfkclf32.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 1680 wrote to memory of 2908	1680	93b3acc0e619066a3acef632e7ca317446d722ae0fa95b462215b4f91a09c81b.exe	30
PID 1680 wrote to memory of 2908	1680	93b3acc0e619066a3acef632e7ca317446d722ae0fa95b462215b4f91a09c81b.exe	30
PID 1680 wrote to memory of 2908	1680	93b3acc0e619066a3acef632e7ca317446d722ae0fa95b462215b4f91a09c81b.exe	30
PID 1680 wrote to memory of 2908	1680	93b3acc0e619066a3acef632e7ca317446d722ae0fa95b462215b4f91a09c81b.exe	30
PID 2908 wrote to memory of 3060	2908	Ckecpjdh.exe	31
PID 2908 wrote to memory of 3060	2908	Ckecpjdh.exe	31
PID 2908 wrote to memory of 3060	2908	Ckecpjdh.exe	31
PID 2908 wrote to memory of 3060	2908	Ckecpjdh.exe	31
PID 3060 wrote to memory of 1492	3060	Cpbkhabp.exe	32
PID 3060 wrote to memory of 1492	3060	Cpbkhabp.exe	32
PID 3060 wrote to memory of 1492	3060	Cpbkhabp.exe	32
PID 3060 wrote to memory of 1492	3060	Cpbkhabp.exe	32
PID 1492 wrote to memory of 2692	1492	Cjmmffgn.exe	33
PID 1492 wrote to memory of 2692	1492	Cjmmffgn.exe	33
PID 1492 wrote to memory of 2692	1492	Cjmmffgn.exe	33
PID 1492 wrote to memory of 2692	1492	Cjmmffgn.exe	33
PID 2692 wrote to memory of 1892	2692	Cpiaipmh.exe	34
PID 2692 wrote to memory of 1892	2692	Cpiaipmh.exe	34
PID 2692 wrote to memory of 1892	2692	Cpiaipmh.exe	34
PID 2692 wrote to memory of 1892	2692	Cpiaipmh.exe	34
PID 1892 wrote to memory of 2192	1892	Donojm32.exe	35
PID 1892 wrote to memory of 2192	1892	Donojm32.exe	35
PID 1892 wrote to memory of 2192	1892	Donojm32.exe	35
PID 1892 wrote to memory of 2192	1892	Donojm32.exe	35
PID 2192 wrote to memory of 1980	2192	Dfkclf32.exe	36
PID 2192 wrote to memory of 1980	2192	Dfkclf32.exe	36
PID 2192 wrote to memory of 1980	2192	Dfkclf32.exe	36
PID 2192 wrote to memory of 1980	2192	Dfkclf32.exe	36
PID 1980 wrote to memory of 2300	1980	Dqddmd32.exe	37
PID 1980 wrote to memory of 2300	1980	Dqddmd32.exe	37
PID 1980 wrote to memory of 2300	1980	Dqddmd32.exe	37
PID 1980 wrote to memory of 2300	1980	Dqddmd32.exe	37
PID 2300 wrote to memory of 1488	2300	Dbdagg32.exe	38
PID 2300 wrote to memory of 1488	2300	Dbdagg32.exe	38
PID 2300 wrote to memory of 1488	2300	Dbdagg32.exe	38
PID 2300 wrote to memory of 1488	2300	Dbdagg32.exe	38
PID 1488 wrote to memory of 3024	1488	Eddjhb32.exe	39
PID 1488 wrote to memory of 3024	1488	Eddjhb32.exe	39
PID 1488 wrote to memory of 3024	1488	Eddjhb32.exe	39
PID 1488 wrote to memory of 3024	1488	Eddjhb32.exe	39
PID 3024 wrote to memory of 700	3024	Ejabqi32.exe	40
PID 3024 wrote to memory of 700	3024	Ejabqi32.exe	40
PID 3024 wrote to memory of 700	3024	Ejabqi32.exe	40
PID 3024 wrote to memory of 700	3024	Ejabqi32.exe	40
PID 700 wrote to memory of 564	700	Flnndp32.exe	41
PID 700 wrote to memory of 564	700	Flnndp32.exe	41
PID 700 wrote to memory of 564	700	Flnndp32.exe	41
PID 700 wrote to memory of 564	700	Flnndp32.exe	41

C:\Users\Admin\AppData\Local\Temp\93b3acc0e619066a3acef632e7ca317446d722ae0fa95b462215b4f91a09c81b.exe
"C:\Users\Admin\AppData\Local\Temp\93b3acc0e619066a3acef632e7ca317446d722ae0fa95b462215b4f91a09c81b.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1680
- C:\Windows\SysWOW64\Ckecpjdh.exe
  C:\Windows\system32\Ckecpjdh.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2908
- - C:\Windows\SysWOW64\Cpbkhabp.exe
    C:\Windows\system32\Cpbkhabp.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3060
  - - C:\Windows\SysWOW64\Cjmmffgn.exe
      C:\Windows\system32\Cjmmffgn.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1492
    - - C:\Windows\SysWOW64\Cpiaipmh.exe
        
        C:\Windows\system32\Cpiaipmh.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2692
      - C:\Windows\SysWOW64\Donojm32.exe
        
        C:\Windows\system32\Donojm32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1892
        
        C:\Windows\SysWOW64\Dfkclf32.exe
        
        C:\Windows\system32\Dfkclf32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2192
        
        C:\Windows\SysWOW64\Dqddmd32.exe
        
        C:\Windows\system32\Dqddmd32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1980
        
        C:\Windows\SysWOW64\Dbdagg32.exe
        
        C:\Windows\system32\Dbdagg32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2300
        
        C:\Windows\SysWOW64\Eddjhb32.exe
        
        C:\Windows\system32\Eddjhb32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1488
        
        C:\Windows\SysWOW64\Ejabqi32.exe
        
        C:\Windows\system32\Ejabqi32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3024
        
        C:\Windows\SysWOW64\Flnndp32.exe
        
        C:\Windows\system32\Flnndp32.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:700
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 700 -s 140
        13⤵
        Loads dropped DLL
        Program crash
        
        PID:564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ckecpjdh.exe

Filesize
96KB

MD5
f83d6841a8245480cb7a24e7b77024a6

SHA1
bad8595da627d7da82c48defe69e0667f33c2e42

SHA256
a17ff96e3dd03bfe841d261d1228e43d4fd3fff69c41e30fc328a919474cbe90

SHA512
ebdf9e06df0ea184d25140d455e721e32618afb12c3c3b96d3813d053affedd058437dc285867053789087d770645f297bcfffb2d28dc7eafd7327772c32a663

Download Submit
C:\Windows\SysWOW64\Egbigm32.dll

Filesize
7KB

MD5
e9a9b1e3acb87082bd4aeec997fcb10d

SHA1
e66befba74b8af1a6055ddde1ba1f4be103c56bc

SHA256
bd4267d5687cf37c3f50d2ef14547cbc146d51bef8ab0ca7ff6329f6a9176a70

SHA512
99559ab0792a0d984b4095454222a22436d32455d5cfce834199491f5f51b79e656805783ea7a431b74e8551f2300fca4fbb6aff6aeedd875df4c5b6e21aa277

Download Submit
C:\Windows\SysWOW64\Flnndp32.exe

Filesize
96KB

MD5
d73a4f68a575da0bc727f01b0e1a6b17

SHA1
85f28b95de54ad539cf45eae97f586cb6c8f8f53

SHA256
0e882bcb612b30a05fcc1b18c5803a4f4afabe928aaecbe2823c92733fab393f

SHA512
f319a4b1aa00aae743980a10b6587594565904a9617fcbe227871ad98342d518546a89073d59ab474f339ded0b5c41761c9084dbf1f0e4e153970dd6f24fba18

Download Submit
\Windows\SysWOW64\Cjmmffgn.exe

Filesize
96KB

MD5
7684d2f206edfe75ce6004514b0c5ff2

SHA1
cf43329a9c64ff000648debf8b8148d8f548bd98

SHA256
40c23c89f69f4973eb9a68942bde5b9ccab5d62723645ba84c5abbd877e664f5

SHA512
d49d7bb822a126bcf384eca73275a07af0a675dbbceccbeaf4044a304eb47db8bfbfa08712cac9ac2f5dbbb0bc629dc6c40101121406c9b5c9eed2f42e45ac21

Download Submit
\Windows\SysWOW64\Cpbkhabp.exe

Filesize
96KB

MD5
ee6261b07ce360c231d01cf35a16d259

SHA1
cb8688ec3907112b589523be9ab0a6f76e398b95

SHA256
c786ef7b8a178404bda96f2d10f1d59ece18df910e29e66928ab7f529155d1ce

SHA512
58b33998b7836eab9ae79583ae0163d70d7d4bf8bab6c4599a9aa964b6fdfb4b83b07f5d5251369c0793766e53a0f3277a6a5368b82e31bef09850dbe90e31dc

Download Submit
\Windows\SysWOW64\Cpiaipmh.exe

Filesize
96KB

MD5
d1cb24ecad7edf3b7a21b570225bad5e

SHA1
012f81c0de0f8065a43bfd68524f2bc3a1ceac00

SHA256
a71030916ab4907730f21318c4d2632320bc1f766ff529c08767d66262afa979

SHA512
2ddb3fc1a4495e32adfab8521c153f20d4c42933cd888d7df6847030921919c7f94e48c790ae4b62ef835c9654fe99d874830629a27fb653cc4d908ec68be0b7

Download Submit
\Windows\SysWOW64\Dbdagg32.exe

Filesize
96KB

MD5
c18aab310f41db94452797eac04c82ab

SHA1
89eb18753176a5666495d6c7b36c69ea270fc2cb

SHA256
c6b451a04706c2d655c462778d8fe4890c21d2307e5be41d719b9dd3133bfabd

SHA512
82a8bdd90fef2ff2dfd2b020a8239bd797b6a45102d0148fc56b007c506af9296962215f40f5817225f4c7247310ecac2f71676de533c63209ba158881cd20f7

Download Submit
\Windows\SysWOW64\Dfkclf32.exe

Filesize
96KB

MD5
1040019376934a6321097df7ed0f4408

SHA1
2f8a569eacc2a0ea3374af68b272f4d8e5f1876b

SHA256
86b3fb9c2c18e6fe872435dd8cdcbaafaab22ad721e4008813385585741692ce

SHA512
7bfbdbf0ca2ac1899bbc8f82be43992b7e1905140102880b2402e6f95179f74b54e68a4298b4a4ba0025f54e7b722582e2907be8300246a12ba853a7d4c8b276

Download Submit
\Windows\SysWOW64\Donojm32.exe

Filesize
96KB

MD5
15dd1a8a2ca2a720c19c249ab93c01d2

SHA1
e662ade46244a68f30d234dcf3e64d7df34af1a0

SHA256
a00783eaa7c57df258cbe6defc750394052d25ffff2f6b72d555d02fa6de745f

SHA512
e5846b2d0f8bf2e74f7cd13b45cb95b5e7daacb069d0f48f241f9363cdcc31019fd40bac3c711eb14fc10c0666635295a5d226c1b4cf901f06b31ec0881f15b8

Download Submit
\Windows\SysWOW64\Dqddmd32.exe

Filesize
96KB

MD5
35d0618ee77f1644794ca7f1de9b8932

SHA1
694f6faec0ed1abbf38e81ccde1b1cb1afcd5a73

SHA256
b90ab2ecfa4b8a9b3b2bc11b17a110970079a2b1deefd6330cd8199795709303

SHA512
7278cd34b9a551375a7d9642e184d4bbd04f4f248d76740de4c4bd3e7db56c9d0f4cc8a9faa684401ab12c4f1495c6cc6b3603f6ccea7e690891a04033a57aec

Download Submit
\Windows\SysWOW64\Eddjhb32.exe

Filesize
96KB

MD5
8d3295f3868891af882fb934ba3973c5

SHA1
ca2278dc9576bc9eadaa44624be3b25837f4685f

SHA256
6f8df9a64662318be50e34f821f7144c9e2b3a63b5945b0d3cda0d581f3d4a4d

SHA512
57beb9a59cadc5929de811739177ecdae290d4e625755297f7dad56170f0d109443635582f9281f1c6e0c695f93d8c86d00780b26e52a372d9140d2176c69ffa

Download Submit
\Windows\SysWOW64\Ejabqi32.exe

Filesize
96KB

MD5
3c3c3313512635a12605cace30cbb98a

SHA1
5d3af208f83560e8a7f21f8e57b1eaa3378b4a84

SHA256
d91956134f336a0eec927af39419d66d8500f00ae5b06a2efe5dcc324f914061

SHA512
630431c2593777fe51c8d2acb1fe84013949f3bcf728c0ab812b87159e3efbfafef51913b7a29490cda075e10428959f03a792a60dc0c82380da533adea1b315

Download Submit
memory/700-150-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/700-155-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1488-135-0x0000000000450000-0x0000000000492000-memory.dmp

Filesize
264KB

Download
memory/1488-156-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1488-124-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1492-54-0x0000000000610000-0x0000000000652000-memory.dmp

Filesize
264KB

Download
memory/1492-41-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1492-162-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1680-158-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1680-19-0x0000000000220000-0x0000000000262000-memory.dmp

Filesize
264KB

Download
memory/1680-0-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1680-20-0x0000000000220000-0x0000000000262000-memory.dmp

Filesize
264KB

Download
memory/1892-75-0x0000000000450000-0x0000000000492000-memory.dmp

Filesize
264KB

Download
memory/1892-67-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1892-157-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1980-101-0x0000000000220000-0x0000000000262000-memory.dmp

Filesize
264KB

Download
memory/1980-94-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1980-160-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2192-93-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2300-108-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2300-122-0x0000000000220000-0x0000000000262000-memory.dmp

Filesize
264KB

Download
memory/2300-161-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2300-123-0x0000000000220000-0x0000000000262000-memory.dmp

Filesize
264KB

Download
memory/2692-163-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2908-21-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2908-22-0x0000000000350000-0x0000000000392000-memory.dmp

Filesize
264KB

Download
memory/3024-137-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3024-159-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3060-33-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads