berbew | dcc498f24008b14e01da869bd8fb6ff6dc83a3e014ddd45038f643e77756c561

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
25-12-2024 03:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dcc498f24008b14e01da869bd8fb6ff6dc83a3e014ddd45038f643e77756c561.exe
Size

72KB
MD5

f13f4fd0e0a21070119f217408419f14
SHA1

b493f596a69c71514c9edef31829fe1ed999c094
SHA256

dcc498f24008b14e01da869bd8fb6ff6dc83a3e014ddd45038f643e77756c561
SHA512

ebba6b85a8044ab582e8db065908d9891404dd19f90884155da11907be594efb4a9eb1469272298cc985b25d71965b981871b65bddc1a095010e948d0fa573b6
SSDEEP

768:x7dtXTJNvrfBnVN7AE65emQYLjILF1tDa1lTetv/1H58iU9UiEb/KEiEixV38HiD:x7fTzvrf2ImpUZMTetB+PgUN3QivEtA

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://tat-neftbank.ru/kkq.php

http://tat-neftbank.ru/wcmd.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daconoae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	dcc498f24008b14e01da869bd8fb6ff6dc83a3e014ddd45038f643e77756c561.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkifae32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daconoae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	dcc498f24008b14e01da869bd8fb6ff6dc83a3e014ddd45038f643e77756c561.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddakjkqi.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 12 IoCs

pid	Process
4568	Djgjlelk.exe
2340	Dobfld32.exe
4068	Ddonekbl.exe
1300	Dhkjej32.exe
1092	Dkifae32.exe
4672	Daconoae.exe
4424	Ddakjkqi.exe
3836	Dkkcge32.exe
3668	Dmjocp32.exe
1820	Dddhpjof.exe
1284	Dknpmdfc.exe
3536	Dmllipeg.exe

Drops file in System32 directory 36 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Djgjlelk.exe	dcc498f24008b14e01da869bd8fb6ff6dc83a3e014ddd45038f643e77756c561.exe
File opened for modification	C:\Windows\SysWOW64\Ddonekbl.exe	Dobfld32.exe
File created	C:\Windows\SysWOW64\Pdheac32.dll	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Daconoae.exe	Dkifae32.exe
File opened for modification	C:\Windows\SysWOW64\Dmjocp32.exe	Dkkcge32.exe
File opened for modification	C:\Windows\SysWOW64\Dknpmdfc.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Jbpbca32.dll	Ddonekbl.exe
File opened for modification	C:\Windows\SysWOW64\Ddakjkqi.exe	Daconoae.exe
File created	C:\Windows\SysWOW64\Dmjocp32.exe	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Dknpmdfc.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Dobfld32.exe	Djgjlelk.exe
File opened for modification	C:\Windows\SysWOW64\Dobfld32.exe	Djgjlelk.exe
File opened for modification	C:\Windows\SysWOW64\Dhkjej32.exe	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Oammoc32.dll	Dkifae32.exe
File created	C:\Windows\SysWOW64\Dddhpjof.exe	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Dkifae32.exe	Dhkjej32.exe
File opened for modification	C:\Windows\SysWOW64\Dkifae32.exe	Dhkjej32.exe
File opened for modification	C:\Windows\SysWOW64\Daconoae.exe	Dkifae32.exe
File created	C:\Windows\SysWOW64\Gifhkeje.dll	Daconoae.exe
File created	C:\Windows\SysWOW64\Dkkcge32.exe	Ddakjkqi.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File opened for modification	C:\Windows\SysWOW64\Djgjlelk.exe	dcc498f24008b14e01da869bd8fb6ff6dc83a3e014ddd45038f643e77756c561.exe
File created	C:\Windows\SysWOW64\Ddakjkqi.exe	Daconoae.exe
File created	C:\Windows\SysWOW64\Amjknl32.dll	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Beeppfin.dll	dcc498f24008b14e01da869bd8fb6ff6dc83a3e014ddd45038f643e77756c561.exe
File created	C:\Windows\SysWOW64\Mjelcfha.dll	Dobfld32.exe
File created	C:\Windows\SysWOW64\Bobiobnp.dll	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Nokpao32.dll	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Ddonekbl.exe	Dobfld32.exe
File opened for modification	C:\Windows\SysWOW64\Dkkcge32.exe	Ddakjkqi.exe
File opened for modification	C:\Windows\SysWOW64\Dddhpjof.exe	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Alcidkmm.dll	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Dhkjej32.exe	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Jcbdhp32.dll	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dknpmdfc.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3988	3536	WerFault.exe	93

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dcc498f24008b14e01da869bd8fb6ff6dc83a3e014ddd45038f643e77756c561.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe

Modifies registry class 39 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amjknl32.dll"	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	dcc498f24008b14e01da869bd8fb6ff6dc83a3e014ddd45038f643e77756c561.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdheac32.dll"	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	dcc498f24008b14e01da869bd8fb6ff6dc83a3e014ddd45038f643e77756c561.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjelcfha.dll"	Dobfld32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oammoc32.dll"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkifae32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	dcc498f24008b14e01da869bd8fb6ff6dc83a3e014ddd45038f643e77756c561.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daconoae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Beeppfin.dll"	dcc498f24008b14e01da869bd8fb6ff6dc83a3e014ddd45038f643e77756c561.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alcidkmm.dll"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gifhkeje.dll"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokpao32.dll"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	dcc498f24008b14e01da869bd8fb6ff6dc83a3e014ddd45038f643e77756c561.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbpbca32.dll"	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcbdhp32.dll"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bobiobnp.dll"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	dcc498f24008b14e01da869bd8fb6ff6dc83a3e014ddd45038f643e77756c561.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 5072 wrote to memory of 4568	5072	dcc498f24008b14e01da869bd8fb6ff6dc83a3e014ddd45038f643e77756c561.exe	82
PID 5072 wrote to memory of 4568	5072	dcc498f24008b14e01da869bd8fb6ff6dc83a3e014ddd45038f643e77756c561.exe	82
PID 5072 wrote to memory of 4568	5072	dcc498f24008b14e01da869bd8fb6ff6dc83a3e014ddd45038f643e77756c561.exe	82
PID 4568 wrote to memory of 2340	4568	Djgjlelk.exe	83
PID 4568 wrote to memory of 2340	4568	Djgjlelk.exe	83
PID 4568 wrote to memory of 2340	4568	Djgjlelk.exe	83
PID 2340 wrote to memory of 4068	2340	Dobfld32.exe	84
PID 2340 wrote to memory of 4068	2340	Dobfld32.exe	84
PID 2340 wrote to memory of 4068	2340	Dobfld32.exe	84
PID 4068 wrote to memory of 1300	4068	Ddonekbl.exe	85
PID 4068 wrote to memory of 1300	4068	Ddonekbl.exe	85
PID 4068 wrote to memory of 1300	4068	Ddonekbl.exe	85
PID 1300 wrote to memory of 1092	1300	Dhkjej32.exe	86
PID 1300 wrote to memory of 1092	1300	Dhkjej32.exe	86
PID 1300 wrote to memory of 1092	1300	Dhkjej32.exe	86
PID 1092 wrote to memory of 4672	1092	Dkifae32.exe	87
PID 1092 wrote to memory of 4672	1092	Dkifae32.exe	87
PID 1092 wrote to memory of 4672	1092	Dkifae32.exe	87
PID 4672 wrote to memory of 4424	4672	Daconoae.exe	88
PID 4672 wrote to memory of 4424	4672	Daconoae.exe	88
PID 4672 wrote to memory of 4424	4672	Daconoae.exe	88
PID 4424 wrote to memory of 3836	4424	Ddakjkqi.exe	89
PID 4424 wrote to memory of 3836	4424	Ddakjkqi.exe	89
PID 4424 wrote to memory of 3836	4424	Ddakjkqi.exe	89
PID 3836 wrote to memory of 3668	3836	Dkkcge32.exe	90
PID 3836 wrote to memory of 3668	3836	Dkkcge32.exe	90
PID 3836 wrote to memory of 3668	3836	Dkkcge32.exe	90
PID 3668 wrote to memory of 1820	3668	Dmjocp32.exe	91
PID 3668 wrote to memory of 1820	3668	Dmjocp32.exe	91
PID 3668 wrote to memory of 1820	3668	Dmjocp32.exe	91
PID 1820 wrote to memory of 1284	1820	Dddhpjof.exe	92
PID 1820 wrote to memory of 1284	1820	Dddhpjof.exe	92
PID 1820 wrote to memory of 1284	1820	Dddhpjof.exe	92
PID 1284 wrote to memory of 3536	1284	Dknpmdfc.exe	93
PID 1284 wrote to memory of 3536	1284	Dknpmdfc.exe	93
PID 1284 wrote to memory of 3536	1284	Dknpmdfc.exe	93

C:\Users\Admin\AppData\Local\Temp\dcc498f24008b14e01da869bd8fb6ff6dc83a3e014ddd45038f643e77756c561.exe
"C:\Users\Admin\AppData\Local\Temp\dcc498f24008b14e01da869bd8fb6ff6dc83a3e014ddd45038f643e77756c561.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5072
- C:\Windows\SysWOW64\Djgjlelk.exe
  C:\Windows\system32\Djgjlelk.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4568
- - C:\Windows\SysWOW64\Dobfld32.exe
    C:\Windows\system32\Dobfld32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2340
  - - C:\Windows\SysWOW64\Ddonekbl.exe
      C:\Windows\system32\Ddonekbl.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4068
    - - C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1300
      - C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1092
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4672
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4424
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3836
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3668
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1820
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1284
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3536
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3536 -s 396
        14⤵
        Program crash
        
        PID:3988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3536 -ip 3536
1⤵
PID:4656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Daconoae.exe

Filesize
72KB

MD5
632888c307a584ac70b33f3ddf5dfd63

SHA1
93ebd4be0142bbc86b59310a9430bb14e744f003

SHA256
28433cb2e097abc24850442e721dde274b2cc4d7eea7090c244bd51bea1adb6b

SHA512
2ff7198041086abfd85104766a63d865b86c441d290d35fa54dea453c7d2f03f0174c134ae562aaa67f4e5b4e53558df3c4b903678e7caa6390bbe9a9b21a9b0

Download Submit
C:\Windows\SysWOW64\Ddakjkqi.exe

Filesize
72KB

MD5
3ebf2025710631d26a24134e79c8efc6

SHA1
c32914768cf29b58a507a0a293949be2b4e3568f

SHA256
51a4ceb556324c64a75d152361b753f260626093da9faa97a50135e2a2ee5e88

SHA512
911396100133a9254f7f78a895e59b47a7542ed6be5c9dc1a4068cf6316626a84ac0d59e1f4744342c1205c402ff5bd1e1fed5e516149cf5344b7588c4493e25

Download Submit
C:\Windows\SysWOW64\Dddhpjof.exe

Filesize
72KB

MD5
4a067ab7f0496fc75703f39c323b6305

SHA1
4ad69a618dcc437dd4d4b55abdb658d281b5b5b7

SHA256
abc9b62a45ccd317a45c30df608b3414a96a62db2e52963a4f8da3b2bb9b7a50

SHA512
79912959a97ad06c63488c857a0a83860c26b53d17900477e800e18e8feb60286aca209a6870d13f1fe15486811f2b886b921a8f548c9642d757acfee351c387

Download Submit
C:\Windows\SysWOW64\Ddonekbl.exe

Filesize
72KB

MD5
22578282d1deca203aae1cbe6c42061e

SHA1
f21de7e3418eb465eb2f03cc5b7b806522a01368

SHA256
057a378ddc8165e0518e5a59ae9e89f1c76446065b24b41fe05c712b101cef01

SHA512
4e4ea6d94af974c609a8c637d57865cfd2085de5d9e1c6025b5738477213f12dcd9ddda1271afbf08b7cbb77c81ec43124802d13ae94edeb7275de5c87666638

Download Submit
C:\Windows\SysWOW64\Dhkjej32.exe

Filesize
72KB

MD5
ec1990fd564fad9fe4f51a1ca5af8ab3

SHA1
4f4cbd60afab7a7d7031f1890e1217771e32c3af

SHA256
71cb036b44fde63c1e2520e096ffea5350b212a2574499f8a9817708dd96818e

SHA512
e3b84ed91b670c48b4d0797c577567138f30d397372c5e23178af772486f072540cd637d17561ac7da707866d3bcd9102eeb1a220a451719c82c18cbcc810f22

Download Submit
C:\Windows\SysWOW64\Djgjlelk.exe

Filesize
72KB

MD5
f204634c59721cb11be2b77051fc42d6

SHA1
1c45b4058f1ce99f027837e2c67cc672f31eb536

SHA256
0455a9ef7b7b66c89a055f6c5e2eeca0c00a791fabec8ad600fc3aeb3a3f7b87

SHA512
2226b7e3ac151501ff649f99d4ae916f0f89cfdba456ce04b3d206eca871d9ba9ba6cda5c7b09ab5cc5074afff1469662a5da277f73c521a3f0bef3c0e872028

Download Submit
C:\Windows\SysWOW64\Dkifae32.exe

Filesize
72KB

MD5
47df19e040d8993e05ac40fb82a91b3e

SHA1
894738beabf6aad443b7ad65ca0a704cf0082698

SHA256
08609b4e8e25d5249142685685ef5396a0fd8466ecee8f2f32b1958f63b7f3e9

SHA512
5afaeaa592fb81171f9058003cc2823480619d9d747b41f1d0ee37b21eceaa648eec7092cd25d901a17bd960faeca78e6b0912bdf549d2cd6af8859a322548b2

Download Submit
C:\Windows\SysWOW64\Dkkcge32.exe

Filesize
72KB

MD5
bb8e7da89a3dbd3f586d6ae1cf20cf75

SHA1
38408120f5cc4fa45dccf81a56c69993cfd34773

SHA256
e19e315b2c5f30b613004646568d7c46ad8229116e72e051f78384a572241807

SHA512
5db49ed8d9eddd1979c6dd74b5e1b1e551523bd369316af13ff4a349ae6f6f7525f52da6e2e1b543bca36acebf83d2b595c98cee3a053594efaac8a24ada70d8

Download Submit
C:\Windows\SysWOW64\Dknpmdfc.exe

Filesize
72KB

MD5
9b995540d32c84d43b6495a329c6f05b

SHA1
2c2d1a9cfa2556af8784f06e6ef0564f8971db98

SHA256
5c1e9a91e88e375819c848d27636e7ae188caa15a055869ca55b5159a4cc72ea

SHA512
8d1a0c841097a0f431168215c1d58564c141803faf582c59f34d4f9e230480c2cfead17dfa9cc80d5bdf73ac857a3e8c638dbc80f3e9a5b13b24e2a36fd8af4c

Download Submit
C:\Windows\SysWOW64\Dmjocp32.exe

Filesize
72KB

MD5
3454a2db7cf626cafb2bcb6fee4970f2

SHA1
51bf046e4d90db2b3f7ec3f19dbc3a060c08d183

SHA256
15df0ca860000ef5760b3f8a1d08f89f216163f32a519fa301d9412a1d0ff431

SHA512
49a55d344b08e6aaa82297192d4070d9ad05316e2070aa9662ba1cb525bbac6ba7ecec813b7342a8e0592752c0b76f7bb119ec4947e5dd89f92b6fd0c75f706d

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
72KB

MD5
e99ab68ca83acdbe4928108e016f6524

SHA1
219704796175bd01081cac07bb74b15018a15bc2

SHA256
9e4cd4923332cf653e2b08c6abd5004f6922b01902eec3dcb7da3d635fd40776

SHA512
6e089a8dc99991ed1701fe9ab5dbc372b50fb6853da74e91cf1e399013f9322006a3d613b9327210c05c442303b5679b48a36187604bab414c2b30177dc3dae3

Download Submit
C:\Windows\SysWOW64\Dobfld32.exe

Filesize
72KB

MD5
34632e9ed86a37371b9fd14674e704e8

SHA1
8d29ea13f59872c14da5b764f581c545de777e6a

SHA256
9c954b719d0a190a149ed5de5b0a3cb4ee88a09b6f5607dd72618cee07331286

SHA512
dd86f620637f9383af470536c6362f1d6dff1747da264cad6851c3c0a4c4b7bfefbfdd525c123e980a0b0e20e3181ea7f9c129dcda5bda9c37fb57ded9b8b852

Download Submit
memory/1092-39-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1092-108-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1284-102-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1284-94-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1300-31-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1300-109-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1820-103-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1820-80-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2340-97-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2340-16-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3536-98-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3536-101-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3668-71-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3668-104-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3836-105-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3836-63-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4068-100-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4068-23-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4424-55-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4424-106-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4568-89-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4568-7-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4672-47-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4672-107-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5072-0-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5072-79-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads