berbew | 34b6d91868eb57fc764a9a12b289fc5dc7db6247c16a2044e54d719a81941b4d

Analysis

max time kernel
119s
max time network
124s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
25-12-2024 14:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

34b6d91868eb57fc764a9a12b289fc5dc7db6247c16a2044e54d719a81941b4dN.exe
Size

88KB
MD5

214eea4a379c0ffcbe2d247d3b8925f0
SHA1

5518f73434042dd7d75838126dae4d8969485a97
SHA256

34b6d91868eb57fc764a9a12b289fc5dc7db6247c16a2044e54d719a81941b4d
SHA512

1ff4b2507bbbb7de82fd30095712de53f223784ac25777614a7e111884a540616e081a49b0c1293d7f62dd9e1de32620f5ba659f11c84e9ca0132962ce6507d8
SSDEEP

1536:P94bU8ZZnM5KD/AqrqpDr78EQFBPPgHjqzEOc7Aznouy8L:Py1M5KD/depDkEQFBPYHOc0LoutL

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 18 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bqijljfd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfkloq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgoime32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bqgmfkhg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bgaebe32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgaebe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cagienkb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceebklai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ceebklai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bqgmfkhg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bqijljfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cfkloq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfmhdpnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cfmhdpnc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cagienkb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	34b6d91868eb57fc764a9a12b289fc5dc7db6247c16a2044e54d719a81941b4dN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	34b6d91868eb57fc764a9a12b289fc5dc7db6247c16a2044e54d719a81941b4dN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bgoime32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 9 IoCs

pid	Process
3028	Bgoime32.exe
2560	Bqgmfkhg.exe
2476	Bgaebe32.exe
2908	Bqijljfd.exe
2872	Cfkloq32.exe
3016	Cfmhdpnc.exe
2896	Cagienkb.exe
1104	Ceebklai.exe
2980	Dpapaj32.exe

Loads dropped DLL 21 IoCs

pid	Process
2060	34b6d91868eb57fc764a9a12b289fc5dc7db6247c16a2044e54d719a81941b4dN.exe
2060	34b6d91868eb57fc764a9a12b289fc5dc7db6247c16a2044e54d719a81941b4dN.exe
3028	Bgoime32.exe
3028	Bgoime32.exe
2560	Bqgmfkhg.exe
2560	Bqgmfkhg.exe
2476	Bgaebe32.exe
2476	Bgaebe32.exe
2908	Bqijljfd.exe
2908	Bqijljfd.exe
2872	Cfkloq32.exe
2872	Cfkloq32.exe
3016	Cfmhdpnc.exe
3016	Cfmhdpnc.exe
2896	Cagienkb.exe
2896	Cagienkb.exe
1104	Ceebklai.exe
1104	Ceebklai.exe
1416	WerFault.exe
1416	WerFault.exe
1416	WerFault.exe

Drops file in System32 directory 29 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Pdkefp32.dll	Ceebklai.exe
File opened for modification	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe
File created	C:\Windows\SysWOW64\Dpapaj32.exe	Ceebklai.exe
File opened for modification	C:\Windows\SysWOW64\Cagienkb.exe	Cfmhdpnc.exe
File created	C:\Windows\SysWOW64\Kgloog32.dll	Cagienkb.exe
File opened for modification	C:\Windows\SysWOW64\Dpapaj32.exe	Ceebklai.exe
File opened for modification	C:\Windows\SysWOW64\Bqgmfkhg.exe	Bgoime32.exe
File created	C:\Windows\SysWOW64\Bqijljfd.exe	Bgaebe32.exe
File opened for modification	C:\Windows\SysWOW64\Cfkloq32.exe	Bqijljfd.exe
File created	C:\Windows\SysWOW64\Cfmhdpnc.exe	Cfkloq32.exe
File created	C:\Windows\SysWOW64\Hbcfdk32.dll	Cfmhdpnc.exe
File created	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe
File created	C:\Windows\SysWOW64\Bgaebe32.exe	Bqgmfkhg.exe
File opened for modification	C:\Windows\SysWOW64\Bgaebe32.exe	Bqgmfkhg.exe
File created	C:\Windows\SysWOW64\Dgnenf32.dll	Bgaebe32.exe
File created	C:\Windows\SysWOW64\Oghnkh32.dll	Bqijljfd.exe
File created	C:\Windows\SysWOW64\Bqgmfkhg.exe	Bgoime32.exe
File created	C:\Windows\SysWOW64\Ihkhkcdl.dll	Bgoime32.exe
File opened for modification	C:\Windows\SysWOW64\Bqijljfd.exe	Bgaebe32.exe
File created	C:\Windows\SysWOW64\Ceebklai.exe	Cagienkb.exe
File opened for modification	C:\Windows\SysWOW64\Ceebklai.exe	Cagienkb.exe
File created	C:\Windows\SysWOW64\Oabhggjd.dll	Bqgmfkhg.exe
File opened for modification	C:\Windows\SysWOW64\Cfmhdpnc.exe	Cfkloq32.exe
File created	C:\Windows\SysWOW64\Qgejemnf.dll	Cfkloq32.exe
File created	C:\Windows\SysWOW64\Cfkloq32.exe	Bqijljfd.exe
File created	C:\Windows\SysWOW64\Cagienkb.exe	Cfmhdpnc.exe
File created	C:\Windows\SysWOW64\Bgoime32.exe	34b6d91868eb57fc764a9a12b289fc5dc7db6247c16a2044e54d719a81941b4dN.exe
File opened for modification	C:\Windows\SysWOW64\Bgoime32.exe	34b6d91868eb57fc764a9a12b289fc5dc7db6247c16a2044e54d719a81941b4dN.exe
File created	C:\Windows\SysWOW64\Obahbj32.dll	34b6d91868eb57fc764a9a12b289fc5dc7db6247c16a2044e54d719a81941b4dN.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1416	2980	WerFault.exe	39

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgoime32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bqgmfkhg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bqijljfd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmhdpnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceebklai.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	34b6d91868eb57fc764a9a12b289fc5dc7db6247c16a2044e54d719a81941b4dN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgaebe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfkloq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagienkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpapaj32.exe

Modifies registry class 30 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cagienkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	34b6d91868eb57fc764a9a12b289fc5dc7db6247c16a2044e54d719a81941b4dN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bgoime32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bqgmfkhg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oabhggjd.dll"	Bqgmfkhg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bgaebe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgejemnf.dll"	Cfkloq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cfmhdpnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ceebklai.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	34b6d91868eb57fc764a9a12b289fc5dc7db6247c16a2044e54d719a81941b4dN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	34b6d91868eb57fc764a9a12b289fc5dc7db6247c16a2044e54d719a81941b4dN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bgoime32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihkhkcdl.dll"	Bgoime32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bqijljfd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cfkloq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	34b6d91868eb57fc764a9a12b289fc5dc7db6247c16a2044e54d719a81941b4dN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbcfdk32.dll"	Cfmhdpnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bqgmfkhg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cagienkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdkefp32.dll"	Ceebklai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obahbj32.dll"	34b6d91868eb57fc764a9a12b289fc5dc7db6247c16a2044e54d719a81941b4dN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cfmhdpnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	34b6d91868eb57fc764a9a12b289fc5dc7db6247c16a2044e54d719a81941b4dN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgnenf32.dll"	Bgaebe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oghnkh32.dll"	Bqijljfd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bgaebe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bqijljfd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ceebklai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cfkloq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgloog32.dll"	Cagienkb.exe

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 2060 wrote to memory of 3028	2060	34b6d91868eb57fc764a9a12b289fc5dc7db6247c16a2044e54d719a81941b4dN.exe	31
PID 2060 wrote to memory of 3028	2060	34b6d91868eb57fc764a9a12b289fc5dc7db6247c16a2044e54d719a81941b4dN.exe	31
PID 2060 wrote to memory of 3028	2060	34b6d91868eb57fc764a9a12b289fc5dc7db6247c16a2044e54d719a81941b4dN.exe	31
PID 2060 wrote to memory of 3028	2060	34b6d91868eb57fc764a9a12b289fc5dc7db6247c16a2044e54d719a81941b4dN.exe	31
PID 3028 wrote to memory of 2560	3028	Bgoime32.exe	32
PID 3028 wrote to memory of 2560	3028	Bgoime32.exe	32
PID 3028 wrote to memory of 2560	3028	Bgoime32.exe	32
PID 3028 wrote to memory of 2560	3028	Bgoime32.exe	32
PID 2560 wrote to memory of 2476	2560	Bqgmfkhg.exe	33
PID 2560 wrote to memory of 2476	2560	Bqgmfkhg.exe	33
PID 2560 wrote to memory of 2476	2560	Bqgmfkhg.exe	33
PID 2560 wrote to memory of 2476	2560	Bqgmfkhg.exe	33
PID 2476 wrote to memory of 2908	2476	Bgaebe32.exe	34
PID 2476 wrote to memory of 2908	2476	Bgaebe32.exe	34
PID 2476 wrote to memory of 2908	2476	Bgaebe32.exe	34
PID 2476 wrote to memory of 2908	2476	Bgaebe32.exe	34
PID 2908 wrote to memory of 2872	2908	Bqijljfd.exe	35
PID 2908 wrote to memory of 2872	2908	Bqijljfd.exe	35
PID 2908 wrote to memory of 2872	2908	Bqijljfd.exe	35
PID 2908 wrote to memory of 2872	2908	Bqijljfd.exe	35
PID 2872 wrote to memory of 3016	2872	Cfkloq32.exe	36
PID 2872 wrote to memory of 3016	2872	Cfkloq32.exe	36
PID 2872 wrote to memory of 3016	2872	Cfkloq32.exe	36
PID 2872 wrote to memory of 3016	2872	Cfkloq32.exe	36
PID 3016 wrote to memory of 2896	3016	Cfmhdpnc.exe	37
PID 3016 wrote to memory of 2896	3016	Cfmhdpnc.exe	37
PID 3016 wrote to memory of 2896	3016	Cfmhdpnc.exe	37
PID 3016 wrote to memory of 2896	3016	Cfmhdpnc.exe	37
PID 2896 wrote to memory of 1104	2896	Cagienkb.exe	38
PID 2896 wrote to memory of 1104	2896	Cagienkb.exe	38
PID 2896 wrote to memory of 1104	2896	Cagienkb.exe	38
PID 2896 wrote to memory of 1104	2896	Cagienkb.exe	38
PID 1104 wrote to memory of 2980	1104	Ceebklai.exe	39
PID 1104 wrote to memory of 2980	1104	Ceebklai.exe	39
PID 1104 wrote to memory of 2980	1104	Ceebklai.exe	39
PID 1104 wrote to memory of 2980	1104	Ceebklai.exe	39
PID 2980 wrote to memory of 1416	2980	Dpapaj32.exe	40
PID 2980 wrote to memory of 1416	2980	Dpapaj32.exe	40
PID 2980 wrote to memory of 1416	2980	Dpapaj32.exe	40
PID 2980 wrote to memory of 1416	2980	Dpapaj32.exe	40

C:\Users\Admin\AppData\Local\Temp\34b6d91868eb57fc764a9a12b289fc5dc7db6247c16a2044e54d719a81941b4dN.exe
"C:\Users\Admin\AppData\Local\Temp\34b6d91868eb57fc764a9a12b289fc5dc7db6247c16a2044e54d719a81941b4dN.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2060
- C:\Windows\SysWOW64\Bgoime32.exe
  C:\Windows\system32\Bgoime32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3028
- - C:\Windows\SysWOW64\Bqgmfkhg.exe
    C:\Windows\system32\Bqgmfkhg.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2560
  - - C:\Windows\SysWOW64\Bgaebe32.exe
      C:\Windows\system32\Bgaebe32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2476
    - - C:\Windows\SysWOW64\Bqijljfd.exe
        
        C:\Windows\system32\Bqijljfd.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2908
      - C:\Windows\SysWOW64\Cfkloq32.exe
        
        C:\Windows\system32\Cfkloq32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2872
        
        C:\Windows\SysWOW64\Cfmhdpnc.exe
        
        C:\Windows\system32\Cfmhdpnc.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3016
        
        C:\Windows\SysWOW64\Cagienkb.exe
        
        C:\Windows\system32\Cagienkb.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2896
        
        C:\Windows\SysWOW64\Ceebklai.exe
        
        C:\Windows\system32\Ceebklai.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1104
        
        C:\Windows\SysWOW64\Dpapaj32.exe
        
        C:\Windows\system32\Dpapaj32.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2980
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2980 -s 144
        11⤵
        Loads dropped DLL
        Program crash
        
        PID:1416

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bgaebe32.exe

Filesize
88KB

MD5
8fecb77a25d5b1b3b5d010479d355cec

SHA1
b934a8f9c54a24052976cce0dc175f48ea5480fe

SHA256
54301b456acf521de28ff32e6d57273cffef432fa7328b93b7433a9d8b9f64a9

SHA512
e2efead7c547871cf620fe003a596c7bdc77574094ed0f06bab75bde24af6494938e295cb36655872dad1cfebf6541470d342f606099303cd23c91fc66ef966c

Download Submit
C:\Windows\SysWOW64\Oghnkh32.dll

Filesize
7KB

MD5
ab3b19afa17394eeddbc00112ddd1c45

SHA1
cce5c38cb83662875460b229b64f0d650dc7a96a

SHA256
2da0155735cdc51efa121770c1e9ac52e0acce6a43435e41c8e5943e41cf663a

SHA512
bd2c2e5f6b1cfdbcad0c304cfee0017bee7ea91398e81e38e5ac70a523e402303d3dceeeae4601e6e7f909e2feb32ecdd29c1427c91f5604f89e6e6726cc59ed

Download Submit
\Windows\SysWOW64\Bgoime32.exe

Filesize
88KB

MD5
ec63d207cd506031fc123f6a049013e9

SHA1
de33998b91147bfae7fceb8f48ca0ebfe6758aab

SHA256
8d2276d4c5a5e999d39c5cd5dbf3d6f85d901a4c381e749280283be345f0cced

SHA512
eb286b3c7d3ffcfd230d3c044725a2e4f5f9fc67900bcd9c1a267a70e1bbac1f6054e902e3455adea03e9ad5c95777daeeb93158db3db157788154937f579f5b

Download Submit
\Windows\SysWOW64\Bqgmfkhg.exe

Filesize
88KB

MD5
7e6e83f0df4cad09dc55072c8008abc8

SHA1
0ef7adedde461aeecbadc1ce5c9887e4a98c5aa2

SHA256
744fbe982547020bbba454f4281025228c6874101afedb7b9bddfd66f1a47cdd

SHA512
7905f8152f5bfa40db8ed7003fffee2e7ef352a9eca3c8278af363a728a2ea67c25423963f0c607c7b3bbd36811bb65197dfac981a07b9737256959f174fbfcd

Download Submit
\Windows\SysWOW64\Bqijljfd.exe

Filesize
88KB

MD5
cb0654765602d51d858260ecbff7326b

SHA1
98238cc1ea0dca7d90de37f773cf26ffedf6e72c

SHA256
eeba451f23f5cd54b40a0e8c3ff83f5f3deba9b7a27349322e5c6388eda37af5

SHA512
60608ab5e826a31de5b46ee2aa7ea6efb5904620f28cc33a82dfb2633700c053c28dd6025165780ae5d30fac314202f5dc724de7af08d398362c5722d37fcb6b

Download Submit
\Windows\SysWOW64\Cagienkb.exe

Filesize
88KB

MD5
5e7a9a3dd27c9eabb2eee94cf4eb8cf8

SHA1
013ea890bf9d57ef89788c6ae0cd61bb32f5b4f6

SHA256
8cd4eaace94299a64caeac7f2e8ac506856e025dea680ec56bf35568df2bca65

SHA512
eb383e1d507025f4cd5af6fac87fefe52b92cdf760e3630b3c843c1d07174a5e1e3eb74dd51e53729ba00f828781b7695b6ec25d8c7498dbad6410522ed9bf75

Download Submit
\Windows\SysWOW64\Ceebklai.exe

Filesize
88KB

MD5
95189eabdd96d45443b41d9895aea1cb

SHA1
4f89baa261c31b907b5f32a03496690e5b67d315

SHA256
67f15cd6cb7059344d198cdd4781e713f63cb2230326dd8ac685f8d07a328a6c

SHA512
9d10e9aa30a46a7c95d1b586685336e45e3c0fcc6cfaf6eae305028cb43216123ad2f198e74a74c7c5925130fca3069a51f6c4409cb9452c64dc94ea9276cd36

Download Submit
\Windows\SysWOW64\Cfkloq32.exe

Filesize
88KB

MD5
f2852c8a2f582de1effbdee5a9144522

SHA1
d88c25477bcc9422c160406424d733dd6c0afefd

SHA256
4bdf632a0a59e0835b882fd0bb27b1a491ed2417785ffe5ce30d5cc68ce6451c

SHA512
a7efc00563d2ed3ada625cf3e5d562d9ebfab04db2eece94130f0fc282dc30d3603e144ada919f4bda790c1a3877ff66bdf57e835d65e171ae8b1233d4c496fd

Download Submit
\Windows\SysWOW64\Cfmhdpnc.exe

Filesize
88KB

MD5
bae99d1166e20c3d90c0b85a2a7f3a3d

SHA1
9fe99a2e2b180f534cee0c145629321ef856332b

SHA256
b27378a914a4b51a5eb32a674e5a0d6744d5ea1becd31a0f82e9c9ea80488c0c

SHA512
af7d8b93a62dafb4d79117065b8837268cc5bf058d9b53d20aff3d515dce34ef1f8e778a1a033829ea838816d7f8dafad0af06075f2c65dfaf7a9c6b9301145b

Download Submit
\Windows\SysWOW64\Dpapaj32.exe

Filesize
88KB

MD5
e2cc0c5052666b651a1e211746b89e93

SHA1
f8d0f4a69e36f7292fbb16521acc5336569f2697

SHA256
2ff01595e17c86cedd4d894c83d6f545b309dcddb22aa359bb3b561be8cf85ba

SHA512
8adb5937eb54c4cedbfe616f84f15ea6ad168e6e4f09b3cecc6fbc7351a12cc5b19a4290449306379ac55828b5ed8df15a60e127f882ac63d7c8d123e4a84011

Download Submit
memory/1104-137-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2060-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2060-15-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2060-136-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2060-7-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2476-42-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2476-130-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2560-34-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2872-68-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2872-144-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2896-94-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2896-101-0x0000000000260000-0x0000000000294000-memory.dmp

Filesize
208KB

Download
memory/2896-141-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2908-134-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2908-55-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2980-120-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2980-138-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3016-143-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3016-81-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3028-145-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3028-27-0x00000000001C0000-0x00000000001F4000-memory.dmp

Filesize
208KB

Download
memory/3028-22-0x00000000001C0000-0x00000000001F4000-memory.dmp

Filesize
208KB

Download
memory/3028-19-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads