berbew | e0fe1e9e533b314950340a603dcd8eadba181f11322b52b37ba623c44e5c9a8c

Analysis

max time kernel
118s
max time network
118s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
25-12-2024 03:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e0fe1e9e533b314950340a603dcd8eadba181f11322b52b37ba623c44e5c9a8c.exe
Size

79KB
MD5

7d4d537fc730537616b6e682e43859a9
SHA1

6d3bce24445940ab7d54a6203a106abc37b4a6f0
SHA256

e0fe1e9e533b314950340a603dcd8eadba181f11322b52b37ba623c44e5c9a8c
SHA512

ca22d1a85c66906a2621fc6e658feee6a49755b5ac94a5525d715499117cce24307737f70b031c509ab49a51968ae0988e681ce019d0380791385930f394256b
SSDEEP

1536:PSr+qpJtIYtJhFH3I6gQqYtkbwe7Qopr7pbOUEl+iFkSIgiItKq9v6Ds:KCqBtJhFH3IjQfubwe7EUEoixtBtKq9/

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 18 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Llbconkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lekghdad.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpqlemaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpqlemaj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Llgljn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ladebd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	e0fe1e9e533b314950340a603dcd8eadba181f11322b52b37ba623c44e5c9a8c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Llbconkd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lekghdad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lemdncoa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Llgljn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ladebd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmpcca32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	e0fe1e9e533b314950340a603dcd8eadba181f11322b52b37ba623c44e5c9a8c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmpcca32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lifcib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lifcib32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lemdncoa.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 9 IoCs

pid	Process
2708	Lmpcca32.exe
2688	Llbconkd.exe
2752	Lekghdad.exe
2744	Lifcib32.exe
2648	Lpqlemaj.exe
2800	Lemdncoa.exe
2556	Llgljn32.exe
2144	Ladebd32.exe
1216	Lepaccmo.exe

Loads dropped DLL 22 IoCs

pid	Process
2668	e0fe1e9e533b314950340a603dcd8eadba181f11322b52b37ba623c44e5c9a8c.exe
2668	e0fe1e9e533b314950340a603dcd8eadba181f11322b52b37ba623c44e5c9a8c.exe
2708	Lmpcca32.exe
2708	Lmpcca32.exe
2688	Llbconkd.exe
2688	Llbconkd.exe
2752	Lekghdad.exe
2752	Lekghdad.exe
2744	Lifcib32.exe
2744	Lifcib32.exe
2648	Lpqlemaj.exe
2648	Lpqlemaj.exe
2800	Lemdncoa.exe
2800	Lemdncoa.exe
2556	Llgljn32.exe
2556	Llgljn32.exe
2144	Ladebd32.exe
2144	Ladebd32.exe
868	WerFault.exe
868	WerFault.exe
868	WerFault.exe
868	WerFault.exe

Drops file in System32 directory 27 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Lemdncoa.exe	Lpqlemaj.exe
File created	C:\Windows\SysWOW64\Lioglifg.dll	Lpqlemaj.exe
File opened for modification	C:\Windows\SysWOW64\Llgljn32.exe	Lemdncoa.exe
File opened for modification	C:\Windows\SysWOW64\Lepaccmo.exe	Ladebd32.exe
File created	C:\Windows\SysWOW64\Lmpcca32.exe	e0fe1e9e533b314950340a603dcd8eadba181f11322b52b37ba623c44e5c9a8c.exe
File created	C:\Windows\SysWOW64\Llgljn32.exe	Lemdncoa.exe
File created	C:\Windows\SysWOW64\Oldhgaef.dll	Ladebd32.exe
File created	C:\Windows\SysWOW64\Lemdncoa.exe	Lpqlemaj.exe
File opened for modification	C:\Windows\SysWOW64\Ladebd32.exe	Llgljn32.exe
File created	C:\Windows\SysWOW64\Gcakqmpi.dll	Lmpcca32.exe
File created	C:\Windows\SysWOW64\Lekghdad.exe	Llbconkd.exe
File created	C:\Windows\SysWOW64\Qaamhelq.dll	Llbconkd.exe
File created	C:\Windows\SysWOW64\Lifcib32.exe	Lekghdad.exe
File created	C:\Windows\SysWOW64\Lepaccmo.exe	Ladebd32.exe
File created	C:\Windows\SysWOW64\Agpdah32.dll	e0fe1e9e533b314950340a603dcd8eadba181f11322b52b37ba623c44e5c9a8c.exe
File created	C:\Windows\SysWOW64\Ljphmekn.dll	Lifcib32.exe
File opened for modification	C:\Windows\SysWOW64\Lmpcca32.exe	e0fe1e9e533b314950340a603dcd8eadba181f11322b52b37ba623c44e5c9a8c.exe
File opened for modification	C:\Windows\SysWOW64\Lpqlemaj.exe	Lifcib32.exe
File created	C:\Windows\SysWOW64\Lpqlemaj.exe	Lifcib32.exe
File created	C:\Windows\SysWOW64\Ladebd32.exe	Llgljn32.exe
File created	C:\Windows\SysWOW64\Llbconkd.exe	Lmpcca32.exe
File opened for modification	C:\Windows\SysWOW64\Llbconkd.exe	Lmpcca32.exe
File opened for modification	C:\Windows\SysWOW64\Lekghdad.exe	Llbconkd.exe
File opened for modification	C:\Windows\SysWOW64\Lifcib32.exe	Lekghdad.exe
File created	C:\Windows\SysWOW64\Gkeeihpg.dll	Lekghdad.exe
File created	C:\Windows\SysWOW64\Lgfikc32.dll	Lemdncoa.exe
File created	C:\Windows\SysWOW64\Hbppfnao.dll	Llgljn32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
868	1216	WerFault.exe	38

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lepaccmo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llbconkd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lekghdad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lifcib32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lpqlemaj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lemdncoa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llgljn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e0fe1e9e533b314950340a603dcd8eadba181f11322b52b37ba623c44e5c9a8c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmpcca32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ladebd32.exe

Modifies registry class 30 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	e0fe1e9e533b314950340a603dcd8eadba181f11322b52b37ba623c44e5c9a8c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljphmekn.dll"	Lifcib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpqlemaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lemdncoa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agpdah32.dll"	e0fe1e9e533b314950340a603dcd8eadba181f11322b52b37ba623c44e5c9a8c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lmpcca32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkeeihpg.dll"	Lekghdad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lemdncoa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ladebd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	e0fe1e9e533b314950340a603dcd8eadba181f11322b52b37ba623c44e5c9a8c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	e0fe1e9e533b314950340a603dcd8eadba181f11322b52b37ba623c44e5c9a8c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lekghdad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Llgljn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oldhgaef.dll"	Ladebd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcakqmpi.dll"	Lmpcca32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qaamhelq.dll"	Llbconkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lmpcca32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lioglifg.dll"	Lpqlemaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgfikc32.dll"	Lemdncoa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ladebd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Llbconkd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lekghdad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lifcib32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lpqlemaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbppfnao.dll"	Llgljn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Llbconkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lifcib32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Llgljn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	e0fe1e9e533b314950340a603dcd8eadba181f11322b52b37ba623c44e5c9a8c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	e0fe1e9e533b314950340a603dcd8eadba181f11322b52b37ba623c44e5c9a8c.exe

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 2668 wrote to memory of 2708	2668	e0fe1e9e533b314950340a603dcd8eadba181f11322b52b37ba623c44e5c9a8c.exe	30
PID 2668 wrote to memory of 2708	2668	e0fe1e9e533b314950340a603dcd8eadba181f11322b52b37ba623c44e5c9a8c.exe	30
PID 2668 wrote to memory of 2708	2668	e0fe1e9e533b314950340a603dcd8eadba181f11322b52b37ba623c44e5c9a8c.exe	30
PID 2668 wrote to memory of 2708	2668	e0fe1e9e533b314950340a603dcd8eadba181f11322b52b37ba623c44e5c9a8c.exe	30
PID 2708 wrote to memory of 2688	2708	Lmpcca32.exe	31
PID 2708 wrote to memory of 2688	2708	Lmpcca32.exe	31
PID 2708 wrote to memory of 2688	2708	Lmpcca32.exe	31
PID 2708 wrote to memory of 2688	2708	Lmpcca32.exe	31
PID 2688 wrote to memory of 2752	2688	Llbconkd.exe	32
PID 2688 wrote to memory of 2752	2688	Llbconkd.exe	32
PID 2688 wrote to memory of 2752	2688	Llbconkd.exe	32
PID 2688 wrote to memory of 2752	2688	Llbconkd.exe	32
PID 2752 wrote to memory of 2744	2752	Lekghdad.exe	33
PID 2752 wrote to memory of 2744	2752	Lekghdad.exe	33
PID 2752 wrote to memory of 2744	2752	Lekghdad.exe	33
PID 2752 wrote to memory of 2744	2752	Lekghdad.exe	33
PID 2744 wrote to memory of 2648	2744	Lifcib32.exe	34
PID 2744 wrote to memory of 2648	2744	Lifcib32.exe	34
PID 2744 wrote to memory of 2648	2744	Lifcib32.exe	34
PID 2744 wrote to memory of 2648	2744	Lifcib32.exe	34
PID 2648 wrote to memory of 2800	2648	Lpqlemaj.exe	35
PID 2648 wrote to memory of 2800	2648	Lpqlemaj.exe	35
PID 2648 wrote to memory of 2800	2648	Lpqlemaj.exe	35
PID 2648 wrote to memory of 2800	2648	Lpqlemaj.exe	35
PID 2800 wrote to memory of 2556	2800	Lemdncoa.exe	36
PID 2800 wrote to memory of 2556	2800	Lemdncoa.exe	36
PID 2800 wrote to memory of 2556	2800	Lemdncoa.exe	36
PID 2800 wrote to memory of 2556	2800	Lemdncoa.exe	36
PID 2556 wrote to memory of 2144	2556	Llgljn32.exe	37
PID 2556 wrote to memory of 2144	2556	Llgljn32.exe	37
PID 2556 wrote to memory of 2144	2556	Llgljn32.exe	37
PID 2556 wrote to memory of 2144	2556	Llgljn32.exe	37
PID 2144 wrote to memory of 1216	2144	Ladebd32.exe	38
PID 2144 wrote to memory of 1216	2144	Ladebd32.exe	38
PID 2144 wrote to memory of 1216	2144	Ladebd32.exe	38
PID 2144 wrote to memory of 1216	2144	Ladebd32.exe	38
PID 1216 wrote to memory of 868	1216	Lepaccmo.exe	39
PID 1216 wrote to memory of 868	1216	Lepaccmo.exe	39
PID 1216 wrote to memory of 868	1216	Lepaccmo.exe	39
PID 1216 wrote to memory of 868	1216	Lepaccmo.exe	39

C:\Users\Admin\AppData\Local\Temp\e0fe1e9e533b314950340a603dcd8eadba181f11322b52b37ba623c44e5c9a8c.exe
"C:\Users\Admin\AppData\Local\Temp\e0fe1e9e533b314950340a603dcd8eadba181f11322b52b37ba623c44e5c9a8c.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2668
- C:\Windows\SysWOW64\Lmpcca32.exe
  C:\Windows\system32\Lmpcca32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2708
- - C:\Windows\SysWOW64\Llbconkd.exe
    C:\Windows\system32\Llbconkd.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2688
  - - C:\Windows\SysWOW64\Lekghdad.exe
      C:\Windows\system32\Lekghdad.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2752
    - - C:\Windows\SysWOW64\Lifcib32.exe
        
        C:\Windows\system32\Lifcib32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2744
      - C:\Windows\SysWOW64\Lpqlemaj.exe
        
        C:\Windows\system32\Lpqlemaj.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2648
        
        C:\Windows\SysWOW64\Lemdncoa.exe
        
        C:\Windows\system32\Lemdncoa.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2800
        
        C:\Windows\SysWOW64\Llgljn32.exe
        
        C:\Windows\system32\Llgljn32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2556
        
        C:\Windows\SysWOW64\Ladebd32.exe
        
        C:\Windows\system32\Ladebd32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2144
        
        C:\Windows\SysWOW64\Lepaccmo.exe
        
        C:\Windows\system32\Lepaccmo.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1216
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1216 -s 140
        11⤵
        Loads dropped DLL
        Program crash
        
        PID:868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Lekghdad.exe

Filesize
79KB

MD5
6d196b21d1ae5eeef03948f53c571e63

SHA1
2c8599ea83c30924ae95841d5c80844661c133ea

SHA256
2a3418f96f6c9105907c8e3feff6cebf3ee420cfebf08c39e496ae721f622314

SHA512
ababe7e84895c08d018bfee839a78cdb41874654348903f57af1aabd7bb5235903ad0528532477590daf905d9f612319a2a65ed10843cdc582b368c68fa38456

Download Submit
C:\Windows\SysWOW64\Lepaccmo.exe

Filesize
79KB

MD5
1fb4b722d6ec786a146aec8d15671ab7

SHA1
f6125ccd4b06f074dccc1473acfb67541f73b45b

SHA256
74fe5bb2b5982443bdbf8024296917824d75798b0bb33a8707ad9073acee866d

SHA512
eff7024ad7fe3fee567528fca29290ae3d23560497ffd5264602d08b79298649668d4419b3dbf60a4a2296a21caceb574f5bbf64f2937b8094a012bc7095e4c8

Download Submit
C:\Windows\SysWOW64\Lifcib32.exe

Filesize
79KB

MD5
df6751d7b72d00634f416549c1593577

SHA1
70fcd4f67a1dba64797e985736081871e5b26461

SHA256
d4f93f1ec6b7c05370105bb1a165444aec1db927c5439f838e602ed064d87fa1

SHA512
262a73860ee2fa4188d4838ad74d6952027867ba320a32079af4f86dc47a1f25788db94767a822617d30a831335a7a969107c3133d3b2537fb9cf75c5027a9d8

Download Submit
C:\Windows\SysWOW64\Llbconkd.exe

Filesize
79KB

MD5
5735a8b43b216965b0be03981fad38d0

SHA1
8666ad189e916a40ad86b5b8f6875369b0c2c77a

SHA256
649cb78ff1f0bdccaf2ff41a75e58c9f2cda3b4a5f28bb584a5c47389e7e81b9

SHA512
3373ad6ebd924eac272fe76b996d4c18e36ef64d020dac881a65337b750345b2f1903dd4c8e0a32c58976eaecc3fdb4d576e248b72d5ad9c7711da16e5760d7e

Download Submit
\Windows\SysWOW64\Ladebd32.exe

Filesize
79KB

MD5
16f4e4d436fac0b85bbbb837ff051245

SHA1
c00d75ff3bb439fe412f33e65435a5ec1d3b364a

SHA256
c767de7fd21adb9fea7ee387b10ba8a433fa1a586f766c9df1bf4480fbbeb906

SHA512
31b49338372043acd7133adc57aa4cb353cafb4323d39e39ce5cd1349aff9603229fdad714b96137239fc4d8aba4dbc15afce705fed173980af96d6b684e9288

Download Submit
\Windows\SysWOW64\Lemdncoa.exe

Filesize
79KB

MD5
30ecacdfb97165e762224173f08809b2

SHA1
a3db24b173fde31b52a18f5e0711b3f0a5f4e0e9

SHA256
79bf97ade91e48b1c39bb5d6ee372d849cfddcf7e5095e14d404c6546fb02aec

SHA512
b6175c8d75d840640fac3ed2252cc5c3d32a3188a347069f60d69f3a60776fa2816901aee324c4136f650d7a8f23947023616c7527246f25202a5e298ac06925

Download Submit
\Windows\SysWOW64\Llgljn32.exe

Filesize
79KB

MD5
f356c563030088adcd2eb9d69be569de

SHA1
9c65a4748cd5f54713e2b32282d586bdeace63d9

SHA256
d83a6cd856b4360d5bfbac4a4bd746d4bab9e4d45626bfb060975523bcc3f208

SHA512
cc8037d6d85236bd9806bee909f46de5908bb6383d3a0968dc4f6cdff2c96985372f0a36ed8454f0029bd0a2d08b8339959603c69e1fedcb797398f5a2f7de68

Download Submit
\Windows\SysWOW64\Lmpcca32.exe

Filesize
79KB

MD5
6c56d2b042c0ddb0605a045216046e7a

SHA1
8163333585b66315ec47aba982803e962ba09976

SHA256
8f3b70916d8c25fc973f3956785f07f3cd0d86c9911da77be45629c27d02a847

SHA512
534ffa73217341e3c80132358f20929573c50e199f37bca4eda9818dac7251eeb0109c81369e0460d6734f5aa5100787a39463b37c067090faf2f1e982baeb38

Download Submit
\Windows\SysWOW64\Lpqlemaj.exe

Filesize
79KB

MD5
5291f873e4ac13038883a24168226092

SHA1
4d9df957d4c00b99a605fda73c4280e147725c90

SHA256
5c21b8d07dad1f3976ed49e7846ea02a452db07575604c9e4c371987453514b0

SHA512
7e453343b7184cd6597925d15f65d13c9809e572c0124d22ed4d1383b3b1f4088cccb9cd72450fe2ba4788e3a3c097db8b8d1b57bc6d4bbfd84b8eabba16191b

Download Submit
memory/1216-135-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1216-123-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2144-121-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2556-130-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2556-97-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2648-75-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2648-129-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2668-134-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2668-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2668-13-0x00000000002D0000-0x0000000000310000-memory.dmp

Filesize
256KB

Download
memory/2668-12-0x00000000002D0000-0x0000000000310000-memory.dmp

Filesize
256KB

Download
memory/2688-132-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2688-28-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2708-14-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2708-133-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2708-27-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2744-63-0x0000000000440000-0x0000000000480000-memory.dmp

Filesize
256KB

Download
memory/2744-59-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2744-131-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2744-68-0x0000000000440000-0x0000000000480000-memory.dmp

Filesize
256KB

Download
memory/2752-46-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2752-58-0x0000000000440000-0x0000000000480000-memory.dmp

Filesize
256KB

Download
memory/2800-95-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2800-84-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2800-128-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads