berbew | e35baedac8dc227c7413b9ad4b9aaa693f1e1daac4a3a13738d4e35225ae06a7

Analysis

max time kernel
143s
max time network
124s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
25-12-2024 03:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e35baedac8dc227c7413b9ad4b9aaa693f1e1daac4a3a13738d4e35225ae06a7.exe
Size

352KB
MD5

d98e15b204b81ff8f0bdc5ee62401bab
SHA1

1ed6a3149e8945cb42c03f55af7f7a35ec1d7fc3
SHA256

e35baedac8dc227c7413b9ad4b9aaa693f1e1daac4a3a13738d4e35225ae06a7
SHA512

f50fa2d9bbefbcdc5f656e77d42e0d07926be0186d4d29010dd0f1c0e93293e094090c4dce7519fcc609a9e52acda77d7758a461ae6acf01c9a23e5a55a71ecc
SSDEEP

6144:NYiSRzPOwXYrMdlvkGr0f+uPOwXYrMdl2MPnhdU:N5nwIaJwISfU

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojbnkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pnimpcke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmgifa32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Occlcg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnimpcke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aalofa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Clfhml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Obnbpb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aalofa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgdfjfmi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Clfhml32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Obnbpb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnnfkb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pnnfkb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aljmbknm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	e35baedac8dc227c7413b9ad4b9aaa693f1e1daac4a3a13738d4e35225ae06a7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	e35baedac8dc227c7413b9ad4b9aaa693f1e1daac4a3a13738d4e35225ae06a7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Occlcg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojbnkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aljmbknm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmgifa32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgdfjfmi.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 11 IoCs

pid	Process
1760	Occlcg32.exe
2800	Ojbnkp32.exe
2656	Obnbpb32.exe
2816	Pnimpcke.exe
2716	Pnnfkb32.exe
2216	Aljmbknm.exe
2544	Aalofa32.exe
2576	Bmgifa32.exe
2992	Bgdfjfmi.exe
2924	Clfhml32.exe
2236	Coindgbi.exe

Loads dropped DLL 22 IoCs

pid	Process
2128	e35baedac8dc227c7413b9ad4b9aaa693f1e1daac4a3a13738d4e35225ae06a7.exe
2128	e35baedac8dc227c7413b9ad4b9aaa693f1e1daac4a3a13738d4e35225ae06a7.exe
1760	Occlcg32.exe
1760	Occlcg32.exe
2800	Ojbnkp32.exe
2800	Ojbnkp32.exe
2656	Obnbpb32.exe
2656	Obnbpb32.exe
2816	Pnimpcke.exe
2816	Pnimpcke.exe
2716	Pnnfkb32.exe
2716	Pnnfkb32.exe
2216	Aljmbknm.exe
2216	Aljmbknm.exe
2544	Aalofa32.exe
2544	Aalofa32.exe
2576	Bmgifa32.exe
2576	Bmgifa32.exe
2992	Bgdfjfmi.exe
2992	Bgdfjfmi.exe
2924	Clfhml32.exe
2924	Clfhml32.exe

Drops file in System32 directory 33 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Coindgbi.exe	Clfhml32.exe
File created	C:\Windows\SysWOW64\Kegmaomi.dll	e35baedac8dc227c7413b9ad4b9aaa693f1e1daac4a3a13738d4e35225ae06a7.exe
File created	C:\Windows\SysWOW64\Lpjqnpjb.dll	Ojbnkp32.exe
File created	C:\Windows\SysWOW64\Ofmlooqi.dll	Obnbpb32.exe
File opened for modification	C:\Windows\SysWOW64\Aljmbknm.exe	Pnnfkb32.exe
File opened for modification	C:\Windows\SysWOW64\Clfhml32.exe	Bgdfjfmi.exe
File created	C:\Windows\SysWOW64\Ohodgb32.dll	Clfhml32.exe
File created	C:\Windows\SysWOW64\Fmdpcpjb.dll	Occlcg32.exe
File created	C:\Windows\SysWOW64\Pnnfkb32.exe	Pnimpcke.exe
File created	C:\Windows\SysWOW64\Fmdkki32.dll	Pnnfkb32.exe
File created	C:\Windows\SysWOW64\Cmpbigma.dll	Aalofa32.exe
File opened for modification	C:\Windows\SysWOW64\Obnbpb32.exe	Ojbnkp32.exe
File opened for modification	C:\Windows\SysWOW64\Pnnfkb32.exe	Pnimpcke.exe
File created	C:\Windows\SysWOW64\Obnbpb32.exe	Ojbnkp32.exe
File created	C:\Windows\SysWOW64\Pnimpcke.exe	Obnbpb32.exe
File created	C:\Windows\SysWOW64\Mqpfnk32.dll	Pnimpcke.exe
File created	C:\Windows\SysWOW64\Aljmbknm.exe	Pnnfkb32.exe
File opened for modification	C:\Windows\SysWOW64\Aalofa32.exe	Aljmbknm.exe
File created	C:\Windows\SysWOW64\Hjlkkhne.dll	Bgdfjfmi.exe
File opened for modification	C:\Windows\SysWOW64\Occlcg32.exe	e35baedac8dc227c7413b9ad4b9aaa693f1e1daac4a3a13738d4e35225ae06a7.exe
File created	C:\Windows\SysWOW64\Ipippm32.dll	Aljmbknm.exe
File created	C:\Windows\SysWOW64\Clfhml32.exe	Bgdfjfmi.exe
File created	C:\Windows\SysWOW64\Coindgbi.exe	Clfhml32.exe
File created	C:\Windows\SysWOW64\Bgdfjfmi.exe	Bmgifa32.exe
File created	C:\Windows\SysWOW64\Occlcg32.exe	e35baedac8dc227c7413b9ad4b9aaa693f1e1daac4a3a13738d4e35225ae06a7.exe
File opened for modification	C:\Windows\SysWOW64\Ojbnkp32.exe	Occlcg32.exe
File created	C:\Windows\SysWOW64\Bmgifa32.exe	Aalofa32.exe
File opened for modification	C:\Windows\SysWOW64\Bmgifa32.exe	Aalofa32.exe
File created	C:\Windows\SysWOW64\Ojeffiih.dll	Bmgifa32.exe
File created	C:\Windows\SysWOW64\Ojbnkp32.exe	Occlcg32.exe
File opened for modification	C:\Windows\SysWOW64\Pnimpcke.exe	Obnbpb32.exe
File created	C:\Windows\SysWOW64\Aalofa32.exe	Aljmbknm.exe
File opened for modification	C:\Windows\SysWOW64\Bgdfjfmi.exe	Bmgifa32.exe

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojbnkp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Obnbpb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnnfkb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aljmbknm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgdfjfmi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e35baedac8dc227c7413b9ad4b9aaa693f1e1daac4a3a13738d4e35225ae06a7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Occlcg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmgifa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Clfhml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Coindgbi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnimpcke.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aalofa32.exe

Modifies registry class 36 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aalofa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmgifa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bgdfjfmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohodgb32.dll"	Clfhml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Obnbpb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmdkki32.dll"	Pnnfkb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	e35baedac8dc227c7413b9ad4b9aaa693f1e1daac4a3a13738d4e35225ae06a7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmgifa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ojbnkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Obnbpb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aljmbknm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bgdfjfmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kegmaomi.dll"	e35baedac8dc227c7413b9ad4b9aaa693f1e1daac4a3a13738d4e35225ae06a7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	e35baedac8dc227c7413b9ad4b9aaa693f1e1daac4a3a13738d4e35225ae06a7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pnimpcke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pnimpcke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pnnfkb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjlkkhne.dll"	Bgdfjfmi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Clfhml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	e35baedac8dc227c7413b9ad4b9aaa693f1e1daac4a3a13738d4e35225ae06a7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Occlcg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmdpcpjb.dll"	Occlcg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Occlcg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ojbnkp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	e35baedac8dc227c7413b9ad4b9aaa693f1e1daac4a3a13738d4e35225ae06a7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	e35baedac8dc227c7413b9ad4b9aaa693f1e1daac4a3a13738d4e35225ae06a7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mqpfnk32.dll"	Pnimpcke.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pnnfkb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipippm32.dll"	Aljmbknm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aalofa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmpbigma.dll"	Aalofa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpjqnpjb.dll"	Ojbnkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofmlooqi.dll"	Obnbpb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aljmbknm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojeffiih.dll"	Bmgifa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Clfhml32.exe

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 2128 wrote to memory of 1760	2128	e35baedac8dc227c7413b9ad4b9aaa693f1e1daac4a3a13738d4e35225ae06a7.exe	30
PID 2128 wrote to memory of 1760	2128	e35baedac8dc227c7413b9ad4b9aaa693f1e1daac4a3a13738d4e35225ae06a7.exe	30
PID 2128 wrote to memory of 1760	2128	e35baedac8dc227c7413b9ad4b9aaa693f1e1daac4a3a13738d4e35225ae06a7.exe	30
PID 2128 wrote to memory of 1760	2128	e35baedac8dc227c7413b9ad4b9aaa693f1e1daac4a3a13738d4e35225ae06a7.exe	30
PID 1760 wrote to memory of 2800	1760	Occlcg32.exe	31
PID 1760 wrote to memory of 2800	1760	Occlcg32.exe	31
PID 1760 wrote to memory of 2800	1760	Occlcg32.exe	31
PID 1760 wrote to memory of 2800	1760	Occlcg32.exe	31
PID 2800 wrote to memory of 2656	2800	Ojbnkp32.exe	32
PID 2800 wrote to memory of 2656	2800	Ojbnkp32.exe	32
PID 2800 wrote to memory of 2656	2800	Ojbnkp32.exe	32
PID 2800 wrote to memory of 2656	2800	Ojbnkp32.exe	32
PID 2656 wrote to memory of 2816	2656	Obnbpb32.exe	33
PID 2656 wrote to memory of 2816	2656	Obnbpb32.exe	33
PID 2656 wrote to memory of 2816	2656	Obnbpb32.exe	33
PID 2656 wrote to memory of 2816	2656	Obnbpb32.exe	33
PID 2816 wrote to memory of 2716	2816	Pnimpcke.exe	34
PID 2816 wrote to memory of 2716	2816	Pnimpcke.exe	34
PID 2816 wrote to memory of 2716	2816	Pnimpcke.exe	34
PID 2816 wrote to memory of 2716	2816	Pnimpcke.exe	34
PID 2716 wrote to memory of 2216	2716	Pnnfkb32.exe	35
PID 2716 wrote to memory of 2216	2716	Pnnfkb32.exe	35
PID 2716 wrote to memory of 2216	2716	Pnnfkb32.exe	35
PID 2716 wrote to memory of 2216	2716	Pnnfkb32.exe	35
PID 2216 wrote to memory of 2544	2216	Aljmbknm.exe	36
PID 2216 wrote to memory of 2544	2216	Aljmbknm.exe	36
PID 2216 wrote to memory of 2544	2216	Aljmbknm.exe	36
PID 2216 wrote to memory of 2544	2216	Aljmbknm.exe	36
PID 2544 wrote to memory of 2576	2544	Aalofa32.exe	37
PID 2544 wrote to memory of 2576	2544	Aalofa32.exe	37
PID 2544 wrote to memory of 2576	2544	Aalofa32.exe	37
PID 2544 wrote to memory of 2576	2544	Aalofa32.exe	37
PID 2576 wrote to memory of 2992	2576	Bmgifa32.exe	38
PID 2576 wrote to memory of 2992	2576	Bmgifa32.exe	38
PID 2576 wrote to memory of 2992	2576	Bmgifa32.exe	38
PID 2576 wrote to memory of 2992	2576	Bmgifa32.exe	38
PID 2992 wrote to memory of 2924	2992	Bgdfjfmi.exe	39
PID 2992 wrote to memory of 2924	2992	Bgdfjfmi.exe	39
PID 2992 wrote to memory of 2924	2992	Bgdfjfmi.exe	39
PID 2992 wrote to memory of 2924	2992	Bgdfjfmi.exe	39
PID 2924 wrote to memory of 2236	2924	Clfhml32.exe	40
PID 2924 wrote to memory of 2236	2924	Clfhml32.exe	40
PID 2924 wrote to memory of 2236	2924	Clfhml32.exe	40
PID 2924 wrote to memory of 2236	2924	Clfhml32.exe	40

C:\Users\Admin\AppData\Local\Temp\e35baedac8dc227c7413b9ad4b9aaa693f1e1daac4a3a13738d4e35225ae06a7.exe
"C:\Users\Admin\AppData\Local\Temp\e35baedac8dc227c7413b9ad4b9aaa693f1e1daac4a3a13738d4e35225ae06a7.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2128
- C:\Windows\SysWOW64\Occlcg32.exe
  C:\Windows\system32\Occlcg32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1760
- - C:\Windows\SysWOW64\Ojbnkp32.exe
    C:\Windows\system32\Ojbnkp32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2800
  - - C:\Windows\SysWOW64\Obnbpb32.exe
      C:\Windows\system32\Obnbpb32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2656
    - - C:\Windows\SysWOW64\Pnimpcke.exe
        
        C:\Windows\system32\Pnimpcke.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2816
      - C:\Windows\SysWOW64\Pnnfkb32.exe
        
        C:\Windows\system32\Pnnfkb32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2716
        
        C:\Windows\SysWOW64\Aljmbknm.exe
        
        C:\Windows\system32\Aljmbknm.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2216
        
        C:\Windows\SysWOW64\Aalofa32.exe
        
        C:\Windows\system32\Aalofa32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2544
        
        C:\Windows\SysWOW64\Bmgifa32.exe
        
        C:\Windows\system32\Bmgifa32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2576
        
        C:\Windows\SysWOW64\Bgdfjfmi.exe
        
        C:\Windows\system32\Bgdfjfmi.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2992
        
        C:\Windows\SysWOW64\Clfhml32.exe
        
        C:\Windows\system32\Clfhml32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2924
        
        C:\Windows\SysWOW64\Coindgbi.exe
        
        C:\Windows\system32\Coindgbi.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2236

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aljmbknm.exe

Filesize
352KB

MD5
402f10e27fdc59c447ce33837996f41c

SHA1
6cae89365b374badbb4e0496acc2aac5a45df315

SHA256
a42d283b0cd1173dd3871930e6dde70df52224200ba910df65307a239ef9758c

SHA512
35de842b2498532a65fc0e32ff613fe69e4834e2578105ac1a06d956478c0b52b1f97299e93c7985e5a26ab2b0b8102912bdc59b30bbd386ced3bc8d9d60662b

Download Submit
C:\Windows\SysWOW64\Bmgifa32.exe

Filesize
352KB

MD5
148c973fc1a05514d6f7f767bc362444

SHA1
32c0cc3792dccaa98f32a6ca330b35e66136a36e

SHA256
4cdfcf3462021ac0703313dd890c603e695b0ea0daf72747c327647854f9e9f0

SHA512
eb942ccea031c7c72f4e9153413b53821fdc34fa38b07ed3ffa10150cb77e2afc801d3ba209a430a8438b6402e54e15d6a4114b58fb5898cb00bbe21b7a2e38c

Download Submit
C:\Windows\SysWOW64\Obnbpb32.exe

Filesize
352KB

MD5
e6f8f443150d00401efe816b07c420a8

SHA1
d069b569daa365246c9ed382e5baf279993e6f2e

SHA256
1ed82d97bf18c1305b4401395690087325f21835b629a8b7e26698829dc57428

SHA512
dfeb6afe9cfa5809ef04a0d9d168faa894a1df380e998eca5b463ee4776979341fc936a775f8e7013143cff4ba077592b4167e1479f19caff886f148465e1992

Download Submit
C:\Windows\SysWOW64\Occlcg32.exe

Filesize
352KB

MD5
b2c81b070dce446ca5096daac8bb26cf

SHA1
854b9763e25843941f28868762f1b61cdbde86db

SHA256
4a9dfa4fe680fee00345be3ac97f50164153e8843e6a34982a40a6613e7c3943

SHA512
260299193d0860d61553e2f26b3ec60ae8f1e9b017e5018a9c7852273d5e49a70dcd1dccec06564830359c515449135ec6322fa18db42f8f96a117b7b55bc20e

Download Submit
\Windows\SysWOW64\Aalofa32.exe

Filesize
352KB

MD5
1f2d9bad7396fec22e2ad746cbc50632

SHA1
64287346ab6f0e6c4367180881392c87fba30241

SHA256
067532720c7f09cae995792d02a312e54653561ebdaf4171442f83533029284c

SHA512
c6ea886e8f77a88f6a31ced46f9f45d9b7ca0c3688f840e8a093a45383c2bc588686de654b6d663d7fc43cfe1e4a2fee0670fc5e2eec51e98d48c7fe3fc5c031

Download Submit
\Windows\SysWOW64\Bgdfjfmi.exe

Filesize
352KB

MD5
e9a38f422bd7a2357c705948ecbced68

SHA1
252f44c58187baa938e0a5e22b2f21ebccb0c102

SHA256
53da2cf1c1a7e3e5183f2b06432bc195b848ef78ff3a53f210f741898eff23d4

SHA512
309143e9a5b2ba27d6eb51097988147c78c2fd756e122203a3da9327d4b9a40980bdaa68903333f376b9f427a33762cf17c9df1d2e67fe3074642142521e7866

Download Submit
\Windows\SysWOW64\Clfhml32.exe

Filesize
352KB

MD5
3fcaa131cde50bbf8d550387369b36fc

SHA1
2cad3820a15f6bacb19da48ec9854e0086195b18

SHA256
37dd275aba1f878bc2256c979780f35562515e1fa6eca7fbb504fdea26645df0

SHA512
09403db44c0311a0f6d0936f6847aa9e9ab1b285eb628d2ceaeaf06db4a757bb480f3c24f7491baf1d69c71d8cfe38d7ad3bc1343c19e51c1cc524194c2baf85

Download Submit
\Windows\SysWOW64\Coindgbi.exe

Filesize
352KB

MD5
946d1eaf6b28827c09f47b1f651a0566

SHA1
c09defa9f0e72870a9f99f1cfa2f242908ae9b19

SHA256
a94224e6684b69885f5963b7c29d2dc61d4dbc22ff5de8e2076f5296b84b6c12

SHA512
559e50231300fe738fe04a3829e2b7bf4a5804ed6c767d17a89e705c220e841af68f69aecfd84d8efaf3ce31dedee843e783613d8ab1ee8496b35cc876afb91b

Download Submit
\Windows\SysWOW64\Ojbnkp32.exe

Filesize
352KB

MD5
6c8e9297613386f3a198ec289853ed12

SHA1
45789a4c3ea9c647f27d2d6bb0ad0fcaeaabdc8f

SHA256
d777ab46405840ebf393712c5fed92867928b936859aaffe51c2d010f3d06d3a

SHA512
8d8f256449ba9a988a71f324e9af6d7e37b5427dcb4c53d3af02b072584a16b7c4a41875add5fe60e92dc7b4931ff78e9ecf79265daef4f04490b66ebbd2d56a

Download Submit
\Windows\SysWOW64\Pnimpcke.exe

Filesize
352KB

MD5
c80212e0f291e9f983ecbc82fc697f92

SHA1
0c01f9b963f1eb4fda8e5a293abea830dbb8a0e0

SHA256
6dddde8b4ef8fbffb703e5a7624d0f76344d0dea3141faa688c263b010f1174a

SHA512
dfd078be24dd87c911f217cf1935941ffae18fce0d85ce96b068def889b1b21b31a0480c41ce5f6fa827f09efa67e03e7e27a5bab5bdcf4777fd5d1713eca74b

Download Submit
\Windows\SysWOW64\Pnnfkb32.exe

Filesize
352KB

MD5
328839f54dbe866f51bf2f9a8362eae7

SHA1
a950c2b772ed5a2d5ec42733884ed3750390ba02

SHA256
fd50c53704aff0b952c1b9fa6f8c8f41aac944a2e71e823d157c76a0d68eb94a

SHA512
068ec0e8b4a265bc7b4981259948716415665895ffc2d6946a5b4eb8b89db5d1c047224860ad0c9b5671321fb810e98c85c7cfb53821a54939a39aae730bda6f

Download Submit
memory/1760-14-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1760-159-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1760-22-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/1760-27-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/2128-12-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/2128-158-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2128-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2128-13-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/2216-100-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2216-99-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2216-164-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2236-169-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2236-157-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2544-165-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2544-101-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2544-115-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2544-109-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2576-127-0x0000000001B60000-0x0000000001B93000-memory.dmp

Filesize
204KB

Download
memory/2576-166-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2656-161-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2656-43-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2656-51-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2656-55-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2716-80-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2716-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2716-86-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2716-163-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2800-29-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2800-42-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2800-160-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2816-63-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2816-70-0x00000000002A0000-0x00000000002D3000-memory.dmp

Filesize
204KB

Download
memory/2924-156-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2924-143-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2924-168-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2992-129-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2992-137-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2992-167-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads