berbew | e53df9a117d1338b03233aedeb4be1afca46a5cbdc9fdb5b6926d061833fb6f0

Analysis

max time kernel
16s
max time network
16s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
25-12-2024 03:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e53df9a117d1338b03233aedeb4be1afca46a5cbdc9fdb5b6926d061833fb6f0.exe
Size

442KB
MD5

09f94c9e9112bdc11bbc050242f60ee8
SHA1

56ab4c5131ddb4bde81d376bdf76a57532d9b94e
SHA256

e53df9a117d1338b03233aedeb4be1afca46a5cbdc9fdb5b6926d061833fb6f0
SHA512

b92b527a5b4c7238a72805905fbde6aa4eea10b5b1def36ad830374a72e02a04badf566fa332d382bfacbf105047d584efe14dead4ffe5f62b4cbfb46a4b2182
SSDEEP

3072:bPa2keiOgYdhKLRcvVkqrifbdB7dYk1Bx8DpsV68RfPi4meqByN2DmtXGTtiOd/r:bPa+9gL6vVkym/89bifPidzIEZ/VZ

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Moahdd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ndnplk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfcfob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nfcfob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ncjcnfcn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oclpdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	e53df9a117d1338b03233aedeb4be1afca46a5cbdc9fdb5b6926d061833fb6f0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mnakjaoc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Moahdd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nffcebdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oiiilm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	e53df9a117d1338b03233aedeb4be1afca46a5cbdc9fdb5b6926d061833fb6f0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nffcebdd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncjcnfcn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oiiilm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oclpdf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Moloidjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Moloidjl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnakjaoc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndnplk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njmejaqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Njmejaqb.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 11 IoCs

pid	Process
2700	Moloidjl.exe
2724	Mnakjaoc.exe
3036	Moahdd32.exe
3020	Ndnplk32.exe
2312	Njmejaqb.exe
2660	Nfcfob32.exe
1052	Nffcebdd.exe
2716	Ncjcnfcn.exe
2140	Oclpdf32.exe
2720	Oiiilm32.exe
1408	Ohnemidj.exe

Loads dropped DLL 26 IoCs

pid	Process
1456	e53df9a117d1338b03233aedeb4be1afca46a5cbdc9fdb5b6926d061833fb6f0.exe
1456	e53df9a117d1338b03233aedeb4be1afca46a5cbdc9fdb5b6926d061833fb6f0.exe
2700	Moloidjl.exe
2700	Moloidjl.exe
2724	Mnakjaoc.exe
2724	Mnakjaoc.exe
3036	Moahdd32.exe
3036	Moahdd32.exe
3020	Ndnplk32.exe
3020	Ndnplk32.exe
2312	Njmejaqb.exe
2312	Njmejaqb.exe
2660	Nfcfob32.exe
2660	Nfcfob32.exe
1052	Nffcebdd.exe
1052	Nffcebdd.exe
2716	Ncjcnfcn.exe
2716	Ncjcnfcn.exe
2140	Oclpdf32.exe
2140	Oclpdf32.exe
2720	Oiiilm32.exe
2720	Oiiilm32.exe
2888	WerFault.exe
2888	WerFault.exe
2888	WerFault.exe
2888	WerFault.exe

Drops file in System32 directory 33 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Moloidjl.exe	e53df9a117d1338b03233aedeb4be1afca46a5cbdc9fdb5b6926d061833fb6f0.exe
File created	C:\Windows\SysWOW64\Cjqigm32.dll	Njmejaqb.exe
File opened for modification	C:\Windows\SysWOW64\Nffcebdd.exe	Nfcfob32.exe
File created	C:\Windows\SysWOW64\Gaijph32.dll	Nfcfob32.exe
File created	C:\Windows\SysWOW64\Ohnemidj.exe	Oiiilm32.exe
File created	C:\Windows\SysWOW64\Dgcdjk32.dll	Moloidjl.exe
File created	C:\Windows\SysWOW64\Ndnplk32.exe	Moahdd32.exe
File created	C:\Windows\SysWOW64\Gkmkilcj.dll	Moahdd32.exe
File created	C:\Windows\SysWOW64\Njmejaqb.exe	Ndnplk32.exe
File opened for modification	C:\Windows\SysWOW64\Njmejaqb.exe	Ndnplk32.exe
File opened for modification	C:\Windows\SysWOW64\Nfcfob32.exe	Njmejaqb.exe
File created	C:\Windows\SysWOW64\Mnakjaoc.exe	Moloidjl.exe
File created	C:\Windows\SysWOW64\Hacdjlag.dll	Nffcebdd.exe
File created	C:\Windows\SysWOW64\Oiiilm32.exe	Oclpdf32.exe
File opened for modification	C:\Windows\SysWOW64\Mnakjaoc.exe	Moloidjl.exe
File created	C:\Windows\SysWOW64\Moahdd32.exe	Mnakjaoc.exe
File opened for modification	C:\Windows\SysWOW64\Ndnplk32.exe	Moahdd32.exe
File opened for modification	C:\Windows\SysWOW64\Oclpdf32.exe	Ncjcnfcn.exe
File opened for modification	C:\Windows\SysWOW64\Oiiilm32.exe	Oclpdf32.exe
File created	C:\Windows\SysWOW64\Fifjgemj.dll	Oiiilm32.exe
File created	C:\Windows\SysWOW64\Eehkmm32.dll	e53df9a117d1338b03233aedeb4be1afca46a5cbdc9fdb5b6926d061833fb6f0.exe
File created	C:\Windows\SysWOW64\Mceodfan.dll	Mnakjaoc.exe
File created	C:\Windows\SysWOW64\Nffcebdd.exe	Nfcfob32.exe
File opened for modification	C:\Windows\SysWOW64\Ncjcnfcn.exe	Nffcebdd.exe
File opened for modification	C:\Windows\SysWOW64\Ohnemidj.exe	Oiiilm32.exe
File created	C:\Windows\SysWOW64\Nfcfob32.exe	Njmejaqb.exe
File created	C:\Windows\SysWOW64\Moloidjl.exe	e53df9a117d1338b03233aedeb4be1afca46a5cbdc9fdb5b6926d061833fb6f0.exe
File opened for modification	C:\Windows\SysWOW64\Moahdd32.exe	Mnakjaoc.exe
File created	C:\Windows\SysWOW64\Ogpaem32.dll	Ndnplk32.exe
File created	C:\Windows\SysWOW64\Ncjcnfcn.exe	Nffcebdd.exe
File created	C:\Windows\SysWOW64\Oclpdf32.exe	Ncjcnfcn.exe
File created	C:\Windows\SysWOW64\Hpamlo32.dll	Ncjcnfcn.exe
File created	C:\Windows\SysWOW64\Qenpjecb.dll	Oclpdf32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2888	1408	WerFault.exe	39

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ohnemidj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e53df9a117d1338b03233aedeb4be1afca46a5cbdc9fdb5b6926d061833fb6f0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Moloidjl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfcfob32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncjcnfcn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oclpdf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oiiilm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mnakjaoc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Moahdd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndnplk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njmejaqb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nffcebdd.exe

Modifies registry class 36 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Moloidjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ndnplk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Oclpdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qenpjecb.dll"	Oclpdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Oiiilm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Moloidjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gaijph32.dll"	Nfcfob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpamlo32.dll"	Ncjcnfcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgcdjk32.dll"	Moloidjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nfcfob32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nffcebdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Njmejaqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Oclpdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogpaem32.dll"	Ndnplk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Njmejaqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjqigm32.dll"	Njmejaqb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Moahdd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ndnplk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hacdjlag.dll"	Nffcebdd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	e53df9a117d1338b03233aedeb4be1afca46a5cbdc9fdb5b6926d061833fb6f0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eehkmm32.dll"	e53df9a117d1338b03233aedeb4be1afca46a5cbdc9fdb5b6926d061833fb6f0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	e53df9a117d1338b03233aedeb4be1afca46a5cbdc9fdb5b6926d061833fb6f0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ncjcnfcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fifjgemj.dll"	Oiiilm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	e53df9a117d1338b03233aedeb4be1afca46a5cbdc9fdb5b6926d061833fb6f0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	e53df9a117d1338b03233aedeb4be1afca46a5cbdc9fdb5b6926d061833fb6f0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nfcfob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Moahdd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Oiiilm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mnakjaoc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkmkilcj.dll"	Moahdd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nffcebdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ncjcnfcn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	e53df9a117d1338b03233aedeb4be1afca46a5cbdc9fdb5b6926d061833fb6f0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mnakjaoc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mceodfan.dll"	Mnakjaoc.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 1456 wrote to memory of 2700	1456	e53df9a117d1338b03233aedeb4be1afca46a5cbdc9fdb5b6926d061833fb6f0.exe	29
PID 1456 wrote to memory of 2700	1456	e53df9a117d1338b03233aedeb4be1afca46a5cbdc9fdb5b6926d061833fb6f0.exe	29
PID 1456 wrote to memory of 2700	1456	e53df9a117d1338b03233aedeb4be1afca46a5cbdc9fdb5b6926d061833fb6f0.exe	29
PID 1456 wrote to memory of 2700	1456	e53df9a117d1338b03233aedeb4be1afca46a5cbdc9fdb5b6926d061833fb6f0.exe	29
PID 2700 wrote to memory of 2724	2700	Moloidjl.exe	30
PID 2700 wrote to memory of 2724	2700	Moloidjl.exe	30
PID 2700 wrote to memory of 2724	2700	Moloidjl.exe	30
PID 2700 wrote to memory of 2724	2700	Moloidjl.exe	30
PID 2724 wrote to memory of 3036	2724	Mnakjaoc.exe	31
PID 2724 wrote to memory of 3036	2724	Mnakjaoc.exe	31
PID 2724 wrote to memory of 3036	2724	Mnakjaoc.exe	31
PID 2724 wrote to memory of 3036	2724	Mnakjaoc.exe	31
PID 3036 wrote to memory of 3020	3036	Moahdd32.exe	32
PID 3036 wrote to memory of 3020	3036	Moahdd32.exe	32
PID 3036 wrote to memory of 3020	3036	Moahdd32.exe	32
PID 3036 wrote to memory of 3020	3036	Moahdd32.exe	32
PID 3020 wrote to memory of 2312	3020	Ndnplk32.exe	33
PID 3020 wrote to memory of 2312	3020	Ndnplk32.exe	33
PID 3020 wrote to memory of 2312	3020	Ndnplk32.exe	33
PID 3020 wrote to memory of 2312	3020	Ndnplk32.exe	33
PID 2312 wrote to memory of 2660	2312	Njmejaqb.exe	34
PID 2312 wrote to memory of 2660	2312	Njmejaqb.exe	34
PID 2312 wrote to memory of 2660	2312	Njmejaqb.exe	34
PID 2312 wrote to memory of 2660	2312	Njmejaqb.exe	34
PID 2660 wrote to memory of 1052	2660	Nfcfob32.exe	35
PID 2660 wrote to memory of 1052	2660	Nfcfob32.exe	35
PID 2660 wrote to memory of 1052	2660	Nfcfob32.exe	35
PID 2660 wrote to memory of 1052	2660	Nfcfob32.exe	35
PID 1052 wrote to memory of 2716	1052	Nffcebdd.exe	36
PID 1052 wrote to memory of 2716	1052	Nffcebdd.exe	36
PID 1052 wrote to memory of 2716	1052	Nffcebdd.exe	36
PID 1052 wrote to memory of 2716	1052	Nffcebdd.exe	36
PID 2716 wrote to memory of 2140	2716	Ncjcnfcn.exe	37
PID 2716 wrote to memory of 2140	2716	Ncjcnfcn.exe	37
PID 2716 wrote to memory of 2140	2716	Ncjcnfcn.exe	37
PID 2716 wrote to memory of 2140	2716	Ncjcnfcn.exe	37
PID 2140 wrote to memory of 2720	2140	Oclpdf32.exe	38
PID 2140 wrote to memory of 2720	2140	Oclpdf32.exe	38
PID 2140 wrote to memory of 2720	2140	Oclpdf32.exe	38
PID 2140 wrote to memory of 2720	2140	Oclpdf32.exe	38
PID 2720 wrote to memory of 1408	2720	Oiiilm32.exe	39
PID 2720 wrote to memory of 1408	2720	Oiiilm32.exe	39
PID 2720 wrote to memory of 1408	2720	Oiiilm32.exe	39
PID 2720 wrote to memory of 1408	2720	Oiiilm32.exe	39
PID 1408 wrote to memory of 2888	1408	Ohnemidj.exe	40
PID 1408 wrote to memory of 2888	1408	Ohnemidj.exe	40
PID 1408 wrote to memory of 2888	1408	Ohnemidj.exe	40
PID 1408 wrote to memory of 2888	1408	Ohnemidj.exe	40

C:\Users\Admin\AppData\Local\Temp\e53df9a117d1338b03233aedeb4be1afca46a5cbdc9fdb5b6926d061833fb6f0.exe
"C:\Users\Admin\AppData\Local\Temp\e53df9a117d1338b03233aedeb4be1afca46a5cbdc9fdb5b6926d061833fb6f0.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1456
- C:\Windows\SysWOW64\Moloidjl.exe
  C:\Windows\system32\Moloidjl.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2700
- - C:\Windows\SysWOW64\Mnakjaoc.exe
    C:\Windows\system32\Mnakjaoc.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2724
  - - C:\Windows\SysWOW64\Moahdd32.exe
      C:\Windows\system32\Moahdd32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3036
    - - C:\Windows\SysWOW64\Ndnplk32.exe
        
        C:\Windows\system32\Ndnplk32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3020
      - C:\Windows\SysWOW64\Njmejaqb.exe
        
        C:\Windows\system32\Njmejaqb.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2312
        
        C:\Windows\SysWOW64\Nfcfob32.exe
        
        C:\Windows\system32\Nfcfob32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2660
        
        C:\Windows\SysWOW64\Nffcebdd.exe
        
        C:\Windows\system32\Nffcebdd.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1052
        
        C:\Windows\SysWOW64\Ncjcnfcn.exe
        
        C:\Windows\system32\Ncjcnfcn.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2716
        
        C:\Windows\SysWOW64\Oclpdf32.exe
        
        C:\Windows\system32\Oclpdf32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2140
        
        C:\Windows\SysWOW64\Oiiilm32.exe
        
        C:\Windows\system32\Oiiilm32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2720
        
        C:\Windows\SysWOW64\Ohnemidj.exe
        
        C:\Windows\system32\Ohnemidj.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1408
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1408 -s 140
        13⤵
        Loads dropped DLL
        Program crash
        
        PID:2888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Mnakjaoc.exe

Filesize
442KB

MD5
487289cee835c4eb3e25454f453d4dfc

SHA1
51cc8ab4b39f46e7a578471e32196538415a8d1a

SHA256
3f3004a4e0032e18b120bd3491c6e5697084f9955a8d96f9ad60fe42f3984fab

SHA512
387ae036ec8490931284f5b6e5e05cfb6ac62888b082619b240de63fa2359d70b0a122ab72bfe45036bdd7473878e5394d127b545f08d76f4fa21d2cd5023710

Download Submit
C:\Windows\SysWOW64\Ndnplk32.exe

Filesize
442KB

MD5
2247ca1c5e2a6238a5f74342765ba1e9

SHA1
5d5e54e91585bbf21e3c262fab5e5f921edd6da0

SHA256
5219571a696051179159ed89b608bdddda117dbbeca566dd6a0e635097559f3f

SHA512
b200bfc12addaf12041b01b69de5088dd2dfabfac0af8cd0998593e699c08858e59d6cbd91b736239eb65a34d15419cd0acd19a9f3418dbb754489f2a0cdf2c7

Download Submit
C:\Windows\SysWOW64\Ogpaem32.dll

Filesize
7KB

MD5
c04784b01721fc73717653551c46e1e4

SHA1
764ccae1e5a53d59374f117ae3296d6588c6099d

SHA256
d25a4354307d2fe3dd06b4964aabdcfa7031a297a1e8d5d019d09dd7cfdd461e

SHA512
bc75e5b72b8fdf191d56bebf53e1d58c97d261a26768f18c89d7fefce74d74189b3f67c4659c6ea86bbd76f9538a6aa3baf8aab15af7e42c66324dab218026f2

Download Submit
\Windows\SysWOW64\Moahdd32.exe

Filesize
442KB

MD5
184e4a7255a8c2e044867a2c6bf68a82

SHA1
78f9e694ade22ee49b09f9dcb624b9d69980608a

SHA256
5a16b6a9542b2f824ddab3b4e9befc01454df2863819bfc9713a1c1f9beae836

SHA512
ec13eb2e92fb06c57074cb33db209a5d7e8843713f486deef3c63a48a7ee00b76f04684282419e54ef29b50cee1b13602c20989e966a653aaa3897b8ccdf624e

Download Submit
\Windows\SysWOW64\Moloidjl.exe

Filesize
442KB

MD5
dfe1c6da2f229d22775850bab9e1bbd0

SHA1
13698b937fbabe23179c9718d9df1bb96b7a2df0

SHA256
4fdca5b727e319f42382d86be121667eacd012769f116ab4bc158dde30496701

SHA512
bed867755aa79e3bdbfdd91f13a4e3a39aeecbbd4991ab503f78faa34d5b1f45163bbdb4b3d06068beb28403859420e87b5a4d2279c37856a83bb56444e299d4

Download Submit
\Windows\SysWOW64\Ncjcnfcn.exe

Filesize
442KB

MD5
93f817b0d3626589452a65c04d6be7a6

SHA1
9316b620ae34728129b8f561abe69617dd52d932

SHA256
4b0000084720a029e27e093737961610c588ae38cc3ee4f139b12dc1bf998407

SHA512
ddaef1bcd7326c9170e4a5a1a2d96e2926358da0eeeded0bdab8249e91ece9d02f94e955fd4daa8c40a4960b9937e0f3749b0888c47c3eb1e1226b8d65377ae0

Download Submit
\Windows\SysWOW64\Nfcfob32.exe

Filesize
442KB

MD5
afe1a1b9baddfe171d6b2f089a451aa6

SHA1
27cfa2a8ab79d0c3a9f9be3e2b1203b8ac9349ff

SHA256
f5aee80e461f5e051f8459d9ad157139146bb13fa111290ecf3af10a5f1227d8

SHA512
cc4a3cf2c105f039586ed9386cde7f7ecf36d3563bc43904f86e2282c3c62d32eb1d9c8263de9a2d62912d8c835db3121c05bd4e1f95db4db6834c323ef66e2c

Download Submit
\Windows\SysWOW64\Nffcebdd.exe

Filesize
442KB

MD5
53b631af7ebe848fb27d3d5610d81492

SHA1
f06befa61fbef2dd49073eeae7afa8f15dc6d417

SHA256
f928c78902341dcc2bab571e822c725ca1e9a845fbf911d635932fcff572af7b

SHA512
6847eab4302b4d2e518788c86a632cf63f3523dfaa826eda67cd90730d8aec6b784e5287cfc8fa768e15b5274fa411201e00539e000a933674e260958125e4e4

Download Submit
\Windows\SysWOW64\Njmejaqb.exe

Filesize
442KB

MD5
455a11ec034e84d998bbb4a626b201e9

SHA1
010babd830e7bf50fc742f0777dbd857a37e33ef

SHA256
aac052269f49151a58af6512d620a32e0b8f52284f351088441c3625fb826ac8

SHA512
6176c766b21e91b7d44268c5c928f6107f04bc11f98c53f7130d99dffece2b85ee74b17de0c95361053d5651f8cfffd667db8009b7d17ddc6013fd596d94c175

Download Submit
\Windows\SysWOW64\Oclpdf32.exe

Filesize
442KB

MD5
faca31a80d7d177f23fa44e53488c2a8

SHA1
ec246002a01674c2942dd54530034e643b6473b2

SHA256
45f3664ba7b7a59e035649a068c1af15d7af4461dd19467aae07e88a343444c8

SHA512
a129d8ebe044419bb97c6b8cfaf12e5f8fce6da2da809c5b13dae900786682233520b33b64b486f28a0f7c0118d11926d01348f15fdc81a541e761fcd5988075

Download Submit
\Windows\SysWOW64\Ohnemidj.exe

Filesize
442KB

MD5
0f6462bdf1c2ff0f7afa4be528a77d23

SHA1
620aeb55568b1dad9022cc06e49679fa2b13976b

SHA256
401567634f57eb14a48ab25bc609ffd3c708d6671b44ae7e790add028931ea0c

SHA512
47fe84fcd0af436f13eb8b731c2673195b60a057ff06760e06159b25badea1eb198ef57e4c5fef408ba5b41822a1cb389a0367019f27377bff49bcb85a8a6d17

Download Submit
\Windows\SysWOW64\Oiiilm32.exe

Filesize
442KB

MD5
763b6df33b53a995e86293adce33dcff

SHA1
c204208adec5b9b027b6b3ebfcd3ece73275349c

SHA256
3c0262dad890c55949c019d13cdd9450f102486be1c7359d568e0c5a02b1dc52

SHA512
f6e4ee4618f92bd8686b500809fe703e104e630786dccd702d412be00cbf79839497e2d318972766bc749b1dae0afc5640a92d8cfb48736598275a0d60473bc9

Download Submit
memory/1052-157-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1052-106-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/1408-176-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1456-11-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/1456-12-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/1456-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1456-171-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2140-126-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2140-160-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2140-134-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2312-164-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2312-79-0x0000000000300000-0x0000000000334000-memory.dmp

Filesize
208KB

Download
memory/2660-161-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2660-88-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2660-81-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2700-170-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2700-25-0x00000000002A0000-0x00000000002D4000-memory.dmp

Filesize
208KB

Download
memory/2716-116-0x00000000004B0000-0x00000000004E4000-memory.dmp

Filesize
208KB

Download
memory/2716-108-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2716-156-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2720-136-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2720-177-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2720-143-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2724-34-0x00000000002D0000-0x0000000000304000-memory.dmp

Filesize
208KB

Download
memory/2724-27-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2724-174-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3020-62-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/3020-165-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3020-54-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3036-173-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3036-52-0x0000000000310000-0x0000000000344000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads