berbew | efdde4bf326f2dda707441156821ff13738fe8416c29bc4094ac9ccc254a6452

Analysis

max time kernel
16s
max time network
16s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
25/12/2024, 16:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

efdde4bf326f2dda707441156821ff13738fe8416c29bc4094ac9ccc254a6452N.exe
Size

232KB
MD5

eb4a15464ab0ed9e8a12bbb2caaad7c0
SHA1

ee0f268c1763d67e9880bf12299c686bc467fa05
SHA256

efdde4bf326f2dda707441156821ff13738fe8416c29bc4094ac9ccc254a6452
SHA512

9efff9f86c86afee4f581d7dd28aff8e09acc42e849a42bf317dbe7d453589d0cff73a265b90c2303eebcce04753f59395c126bc73516790752531d883b161cd
SSDEEP

3072:cD1zagnyh0jyY7usluTXp6UF5wzec+tZOnU1/s5HH0AU/yRvS3u121TzlbNRfzPX:cFuIyY6s21L7/s50z/Wa3/PNlPX

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://tat-neftbank.ru/kkq.php

http://tat-neftbank.ru/wcmd.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 34 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	efdde4bf326f2dda707441156821ff13738fe8416c29bc4094ac9ccc254a6452N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjofanld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbaafocg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncjcnfcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ofklpa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mhgpgjoj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nndhpqma.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqijmkfm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncjcnfcn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncggifep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdigakic.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnakjaoc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mhgpgjoj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nglmifca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndpmbjbk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncejcg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqijmkfm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nmkbfmpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojdlkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Omddmkhl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	efdde4bf326f2dda707441156821ff13738fe8416c29bc4094ac9ccc254a6452N.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjofanld.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbaafocg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncejcg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nmkbfmpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncggifep.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Omddmkhl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdigakic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnakjaoc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nndhpqma.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nglmifca.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndpmbjbk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojdlkp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofklpa32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 17 IoCs

pid	Process
2704	Mjofanld.exe
2248	Mdigakic.exe
2840	Mnakjaoc.exe
3020	Mhgpgjoj.exe
2640	Nndhpqma.exe
2636	Nglmifca.exe
2588	Nbaafocg.exe
2716	Ndpmbjbk.exe
2140	Nmkbfmpf.exe
2348	Ncejcg32.exe
1408	Nqijmkfm.exe
2972	Ncggifep.exe
1056	Ncjcnfcn.exe
408	Ojdlkp32.exe
1364	Ofklpa32.exe
2380	Omddmkhl.exe
3032	Ohnemidj.exe

Loads dropped DLL 38 IoCs

pid	Process
1456	efdde4bf326f2dda707441156821ff13738fe8416c29bc4094ac9ccc254a6452N.exe
1456	efdde4bf326f2dda707441156821ff13738fe8416c29bc4094ac9ccc254a6452N.exe
2704	Mjofanld.exe
2704	Mjofanld.exe
2248	Mdigakic.exe
2248	Mdigakic.exe
2840	Mnakjaoc.exe
2840	Mnakjaoc.exe
3020	Mhgpgjoj.exe
3020	Mhgpgjoj.exe
2640	Nndhpqma.exe
2640	Nndhpqma.exe
2636	Nglmifca.exe
2636	Nglmifca.exe
2588	Nbaafocg.exe
2588	Nbaafocg.exe
2716	Ndpmbjbk.exe
2716	Ndpmbjbk.exe
2140	Nmkbfmpf.exe
2140	Nmkbfmpf.exe
2348	Ncejcg32.exe
2348	Ncejcg32.exe
1408	Nqijmkfm.exe
1408	Nqijmkfm.exe
2972	Ncggifep.exe
2972	Ncggifep.exe
1056	Ncjcnfcn.exe
1056	Ncjcnfcn.exe
408	Ojdlkp32.exe
408	Ojdlkp32.exe
1364	Ofklpa32.exe
1364	Ofklpa32.exe
2380	Omddmkhl.exe
2380	Omddmkhl.exe
2568	WerFault.exe
2568	WerFault.exe
2568	WerFault.exe
2568	WerFault.exe

Drops file in System32 directory 51 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Mdigakic.exe	Mjofanld.exe
File created	C:\Windows\SysWOW64\Dgcdjk32.dll	Mdigakic.exe
File created	C:\Windows\SysWOW64\Iiicgkof.dll	Mnakjaoc.exe
File created	C:\Windows\SysWOW64\Glfijb32.dll	Mhgpgjoj.exe
File opened for modification	C:\Windows\SysWOW64\Nmkbfmpf.exe	Ndpmbjbk.exe
File created	C:\Windows\SysWOW64\Khggofme.dll	Ncejcg32.exe
File created	C:\Windows\SysWOW64\Ncggifep.exe	Nqijmkfm.exe
File created	C:\Windows\SysWOW64\Jimcoh32.dll	efdde4bf326f2dda707441156821ff13738fe8416c29bc4094ac9ccc254a6452N.exe
File created	C:\Windows\SysWOW64\Keniknoh.dll	Ojdlkp32.exe
File opened for modification	C:\Windows\SysWOW64\Ohnemidj.exe	Omddmkhl.exe
File opened for modification	C:\Windows\SysWOW64\Ofklpa32.exe	Ojdlkp32.exe
File opened for modification	C:\Windows\SysWOW64\Ncggifep.exe	Nqijmkfm.exe
File created	C:\Windows\SysWOW64\Hacdjlag.dll	Ncggifep.exe
File created	C:\Windows\SysWOW64\Bghlof32.dll	Mjofanld.exe
File opened for modification	C:\Windows\SysWOW64\Nndhpqma.exe	Mhgpgjoj.exe
File created	C:\Windows\SysWOW64\Ndpmbjbk.exe	Nbaafocg.exe
File created	C:\Windows\SysWOW64\Bllndljk.dll	Ndpmbjbk.exe
File created	C:\Windows\SysWOW64\Ncjcnfcn.exe	Ncggifep.exe
File created	C:\Windows\SysWOW64\Ojdlkp32.exe	Ncjcnfcn.exe
File opened for modification	C:\Windows\SysWOW64\Ojdlkp32.exe	Ncjcnfcn.exe
File created	C:\Windows\SysWOW64\Mhgpgjoj.exe	Mnakjaoc.exe
File created	C:\Windows\SysWOW64\Mdigakic.exe	Mjofanld.exe
File created	C:\Windows\SysWOW64\Mnakjaoc.exe	Mdigakic.exe
File created	C:\Windows\SysWOW64\Ncejcg32.exe	Nmkbfmpf.exe
File created	C:\Windows\SysWOW64\Nqijmkfm.exe	Ncejcg32.exe
File created	C:\Windows\SysWOW64\Dlmoai32.dll	Nqijmkfm.exe
File created	C:\Windows\SysWOW64\Plgojd32.dll	Ncjcnfcn.exe
File created	C:\Windows\SysWOW64\Ofklpa32.exe	Ojdlkp32.exe
File created	C:\Windows\SysWOW64\Mjofanld.exe	efdde4bf326f2dda707441156821ff13738fe8416c29bc4094ac9ccc254a6452N.exe
File created	C:\Windows\SysWOW64\Fifjgemj.dll	Omddmkhl.exe
File created	C:\Windows\SysWOW64\Ceahlg32.dll	Nndhpqma.exe
File created	C:\Windows\SysWOW64\Nmkbfmpf.exe	Ndpmbjbk.exe
File created	C:\Windows\SysWOW64\Omddmkhl.exe	Ofklpa32.exe
File opened for modification	C:\Windows\SysWOW64\Mhgpgjoj.exe	Mnakjaoc.exe
File opened for modification	C:\Windows\SysWOW64\Ndpmbjbk.exe	Nbaafocg.exe
File opened for modification	C:\Windows\SysWOW64\Nqijmkfm.exe	Ncejcg32.exe
File opened for modification	C:\Windows\SysWOW64\Ncjcnfcn.exe	Ncggifep.exe
File created	C:\Windows\SysWOW64\Ohnemidj.exe	Omddmkhl.exe
File opened for modification	C:\Windows\SysWOW64\Mjofanld.exe	efdde4bf326f2dda707441156821ff13738fe8416c29bc4094ac9ccc254a6452N.exe
File created	C:\Windows\SysWOW64\Nglmifca.exe	Nndhpqma.exe
File opened for modification	C:\Windows\SysWOW64\Nbaafocg.exe	Nglmifca.exe
File created	C:\Windows\SysWOW64\Nmjkbjpm.dll	Nglmifca.exe
File opened for modification	C:\Windows\SysWOW64\Ncejcg32.exe	Nmkbfmpf.exe
File opened for modification	C:\Windows\SysWOW64\Omddmkhl.exe	Ofklpa32.exe
File created	C:\Windows\SysWOW64\Gobhkhgi.dll	Ofklpa32.exe
File created	C:\Windows\SysWOW64\Nndhpqma.exe	Mhgpgjoj.exe
File opened for modification	C:\Windows\SysWOW64\Nglmifca.exe	Nndhpqma.exe
File created	C:\Windows\SysWOW64\Nbaafocg.exe	Nglmifca.exe
File created	C:\Windows\SysWOW64\Bqhmkq32.dll	Nbaafocg.exe
File created	C:\Windows\SysWOW64\Jfqjjp32.dll	Nmkbfmpf.exe
File opened for modification	C:\Windows\SysWOW64\Mnakjaoc.exe	Mdigakic.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2568	3032	WerFault.exe	45

System Location Discovery: System Language Discovery 1 TTPs 18 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mjofanld.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nndhpqma.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ohnemidj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nglmifca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nqijmkfm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncjcnfcn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mnakjaoc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nbaafocg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndpmbjbk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncejcg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncggifep.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojdlkp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Omddmkhl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	efdde4bf326f2dda707441156821ff13738fe8416c29bc4094ac9ccc254a6452N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdigakic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mhgpgjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nmkbfmpf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofklpa32.exe

Modifies registry class 54 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	efdde4bf326f2dda707441156821ff13738fe8416c29bc4094ac9ccc254a6452N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjofanld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hacdjlag.dll"	Ncggifep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncggifep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nglmifca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncejcg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdigakic.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnakjaoc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndpmbjbk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nmkbfmpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nmkbfmpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Keniknoh.dll"	Ojdlkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnakjaoc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdigakic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nndhpqma.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlmoai32.dll"	Nqijmkfm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncggifep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqijmkfm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ofklpa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	efdde4bf326f2dda707441156821ff13738fe8416c29bc4094ac9ccc254a6452N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bghlof32.dll"	Mjofanld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iiicgkof.dll"	Mnakjaoc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ceahlg32.dll"	Nndhpqma.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndpmbjbk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Omddmkhl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	efdde4bf326f2dda707441156821ff13738fe8416c29bc4094ac9ccc254a6452N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glfijb32.dll"	Mhgpgjoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ojdlkp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ofklpa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Omddmkhl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plgojd32.dll"	Ncjcnfcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjofanld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mhgpgjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khggofme.dll"	Ncejcg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fifjgemj.dll"	Omddmkhl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgcdjk32.dll"	Mdigakic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nglmifca.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	efdde4bf326f2dda707441156821ff13738fe8416c29bc4094ac9ccc254a6452N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	efdde4bf326f2dda707441156821ff13738fe8416c29bc4094ac9ccc254a6452N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nndhpqma.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmjkbjpm.dll"	Nglmifca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bqhmkq32.dll"	Nbaafocg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bllndljk.dll"	Ndpmbjbk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfqjjp32.dll"	Nmkbfmpf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nbaafocg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncjcnfcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncjcnfcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ojdlkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gobhkhgi.dll"	Ofklpa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jimcoh32.dll"	efdde4bf326f2dda707441156821ff13738fe8416c29bc4094ac9ccc254a6452N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mhgpgjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nbaafocg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncejcg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqijmkfm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1456 wrote to memory of 2704	1456	efdde4bf326f2dda707441156821ff13738fe8416c29bc4094ac9ccc254a6452N.exe	29
PID 1456 wrote to memory of 2704	1456	efdde4bf326f2dda707441156821ff13738fe8416c29bc4094ac9ccc254a6452N.exe	29
PID 1456 wrote to memory of 2704	1456	efdde4bf326f2dda707441156821ff13738fe8416c29bc4094ac9ccc254a6452N.exe	29
PID 1456 wrote to memory of 2704	1456	efdde4bf326f2dda707441156821ff13738fe8416c29bc4094ac9ccc254a6452N.exe	29
PID 2704 wrote to memory of 2248	2704	Mjofanld.exe	30
PID 2704 wrote to memory of 2248	2704	Mjofanld.exe	30
PID 2704 wrote to memory of 2248	2704	Mjofanld.exe	30
PID 2704 wrote to memory of 2248	2704	Mjofanld.exe	30
PID 2248 wrote to memory of 2840	2248	Mdigakic.exe	31
PID 2248 wrote to memory of 2840	2248	Mdigakic.exe	31
PID 2248 wrote to memory of 2840	2248	Mdigakic.exe	31
PID 2248 wrote to memory of 2840	2248	Mdigakic.exe	31
PID 2840 wrote to memory of 3020	2840	Mnakjaoc.exe	32
PID 2840 wrote to memory of 3020	2840	Mnakjaoc.exe	32
PID 2840 wrote to memory of 3020	2840	Mnakjaoc.exe	32
PID 2840 wrote to memory of 3020	2840	Mnakjaoc.exe	32
PID 3020 wrote to memory of 2640	3020	Mhgpgjoj.exe	33
PID 3020 wrote to memory of 2640	3020	Mhgpgjoj.exe	33
PID 3020 wrote to memory of 2640	3020	Mhgpgjoj.exe	33
PID 3020 wrote to memory of 2640	3020	Mhgpgjoj.exe	33
PID 2640 wrote to memory of 2636	2640	Nndhpqma.exe	34
PID 2640 wrote to memory of 2636	2640	Nndhpqma.exe	34
PID 2640 wrote to memory of 2636	2640	Nndhpqma.exe	34
PID 2640 wrote to memory of 2636	2640	Nndhpqma.exe	34
PID 2636 wrote to memory of 2588	2636	Nglmifca.exe	35
PID 2636 wrote to memory of 2588	2636	Nglmifca.exe	35
PID 2636 wrote to memory of 2588	2636	Nglmifca.exe	35
PID 2636 wrote to memory of 2588	2636	Nglmifca.exe	35
PID 2588 wrote to memory of 2716	2588	Nbaafocg.exe	36
PID 2588 wrote to memory of 2716	2588	Nbaafocg.exe	36
PID 2588 wrote to memory of 2716	2588	Nbaafocg.exe	36
PID 2588 wrote to memory of 2716	2588	Nbaafocg.exe	36
PID 2716 wrote to memory of 2140	2716	Ndpmbjbk.exe	37
PID 2716 wrote to memory of 2140	2716	Ndpmbjbk.exe	37
PID 2716 wrote to memory of 2140	2716	Ndpmbjbk.exe	37
PID 2716 wrote to memory of 2140	2716	Ndpmbjbk.exe	37
PID 2140 wrote to memory of 2348	2140	Nmkbfmpf.exe	38
PID 2140 wrote to memory of 2348	2140	Nmkbfmpf.exe	38
PID 2140 wrote to memory of 2348	2140	Nmkbfmpf.exe	38
PID 2140 wrote to memory of 2348	2140	Nmkbfmpf.exe	38
PID 2348 wrote to memory of 1408	2348	Ncejcg32.exe	39
PID 2348 wrote to memory of 1408	2348	Ncejcg32.exe	39
PID 2348 wrote to memory of 1408	2348	Ncejcg32.exe	39
PID 2348 wrote to memory of 1408	2348	Ncejcg32.exe	39
PID 1408 wrote to memory of 2972	1408	Nqijmkfm.exe	40
PID 1408 wrote to memory of 2972	1408	Nqijmkfm.exe	40
PID 1408 wrote to memory of 2972	1408	Nqijmkfm.exe	40
PID 1408 wrote to memory of 2972	1408	Nqijmkfm.exe	40
PID 2972 wrote to memory of 1056	2972	Ncggifep.exe	41
PID 2972 wrote to memory of 1056	2972	Ncggifep.exe	41
PID 2972 wrote to memory of 1056	2972	Ncggifep.exe	41
PID 2972 wrote to memory of 1056	2972	Ncggifep.exe	41
PID 1056 wrote to memory of 408	1056	Ncjcnfcn.exe	42
PID 1056 wrote to memory of 408	1056	Ncjcnfcn.exe	42
PID 1056 wrote to memory of 408	1056	Ncjcnfcn.exe	42
PID 1056 wrote to memory of 408	1056	Ncjcnfcn.exe	42
PID 408 wrote to memory of 1364	408	Ojdlkp32.exe	43
PID 408 wrote to memory of 1364	408	Ojdlkp32.exe	43
PID 408 wrote to memory of 1364	408	Ojdlkp32.exe	43
PID 408 wrote to memory of 1364	408	Ojdlkp32.exe	43
PID 1364 wrote to memory of 2380	1364	Ofklpa32.exe	44
PID 1364 wrote to memory of 2380	1364	Ofklpa32.exe	44
PID 1364 wrote to memory of 2380	1364	Ofklpa32.exe	44
PID 1364 wrote to memory of 2380	1364	Ofklpa32.exe	44

C:\Users\Admin\AppData\Local\Temp\efdde4bf326f2dda707441156821ff13738fe8416c29bc4094ac9ccc254a6452N.exe
"C:\Users\Admin\AppData\Local\Temp\efdde4bf326f2dda707441156821ff13738fe8416c29bc4094ac9ccc254a6452N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1456
- C:\Windows\SysWOW64\Mjofanld.exe
  C:\Windows\system32\Mjofanld.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2704
- - C:\Windows\SysWOW64\Mdigakic.exe
    C:\Windows\system32\Mdigakic.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2248
  - - C:\Windows\SysWOW64\Mnakjaoc.exe
      C:\Windows\system32\Mnakjaoc.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2840
    - - C:\Windows\SysWOW64\Mhgpgjoj.exe
        
        C:\Windows\system32\Mhgpgjoj.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3020
      - C:\Windows\SysWOW64\Nndhpqma.exe
        
        C:\Windows\system32\Nndhpqma.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2640
        
        C:\Windows\SysWOW64\Nglmifca.exe
        
        C:\Windows\system32\Nglmifca.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2636
        
        C:\Windows\SysWOW64\Nbaafocg.exe
        
        C:\Windows\system32\Nbaafocg.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2588
        
        C:\Windows\SysWOW64\Ndpmbjbk.exe
        
        C:\Windows\system32\Ndpmbjbk.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2716
        
        C:\Windows\SysWOW64\Nmkbfmpf.exe
        
        C:\Windows\system32\Nmkbfmpf.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2140
        
        C:\Windows\SysWOW64\Ncejcg32.exe
        
        C:\Windows\system32\Ncejcg32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2348
        
        C:\Windows\SysWOW64\Nqijmkfm.exe
        
        C:\Windows\system32\Nqijmkfm.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1408
        
        C:\Windows\SysWOW64\Ncggifep.exe
        
        C:\Windows\system32\Ncggifep.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2972
        
        C:\Windows\SysWOW64\Ncjcnfcn.exe
        
        C:\Windows\system32\Ncjcnfcn.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1056
        
        C:\Windows\SysWOW64\Ojdlkp32.exe
        
        C:\Windows\system32\Ojdlkp32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:408
        
        C:\Windows\SysWOW64\Ofklpa32.exe
        
        C:\Windows\system32\Ofklpa32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1364
        
        C:\Windows\SysWOW64\Omddmkhl.exe
        
        C:\Windows\system32\Omddmkhl.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2380
        
        C:\Windows\SysWOW64\Ohnemidj.exe
        
        C:\Windows\system32\Ohnemidj.exe
        18⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3032
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3032 -s 140
        19⤵
        Loads dropped DLL
        Program crash
        
        PID:2568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Mhgpgjoj.exe

Filesize
232KB

MD5
dc72ecb3d872872f02a5c74a2ca7ce4f

SHA1
51f5e0eaae0f5be07ed0bc6a31763016163b45a3

SHA256
86e81ede48fc238773f9bc0112ae4804dd43d237bc795efea5d46853a60197f5

SHA512
bb93e2bbca61fa840a58124bd5b501c743388d0b790eceaa77fc2e94e21b06ca72bb309fdf4741f313d39e4c49c7c69308ca9b9e5f9fbb3e4f4b35767e24db70

Download Submit
C:\Windows\SysWOW64\Ncejcg32.exe

Filesize
232KB

MD5
4805e6479b1f6b9bc5321d8310c26f2f

SHA1
296e1a4647fdbd822585bd1d2ef88d5e9571d405

SHA256
94329b559d15ad54e9d4963d9eac8132d34a9f91d2cbaee68848a55042af3195

SHA512
679ccdf839ba5f320cc07ab73ccd85c6f2190f0f2e7dde0f846418a5f4233d5b67c0d9e2258318c2af2e6f2e2e2c68b01310927b6fbe72d962f5ea409943b7cf

Download Submit
C:\Windows\SysWOW64\Ncggifep.exe

Filesize
232KB

MD5
77ed1dd8b7ced0d28b2411752369ea28

SHA1
f9f0bb7008853cb6553face6f74b7f0bb7638c77

SHA256
de83514712c8839c057b129e3f9d647952e92fefeac1fe0c0ec9146b4a9a68d7

SHA512
30902c2ef175374bf179cdb67eec6e0253ce973ef8fafda589e0fb4cb4c7af65ea4b3a6808924aa68336f0ad5a883502ded13544c0c63cecb26d7bbd3785cc91

Download Submit
C:\Windows\SysWOW64\Ndpmbjbk.exe

Filesize
232KB

MD5
684ef1c0ac31885f2afe36dc9d458cf9

SHA1
053dbb1e3de8c1eef4452951a9179576965983bf

SHA256
ab0eacf9cabe2bb28a2ae77e4ae293f0b8a58e337bb832b90772763c5f5fc488

SHA512
dcfe8ee1b42521d21c770095dcdb935ec177d29fce0192e131dc382ff18b6d3b86eb3a67d02c48f289429a7b050ee90f856e62e1b40a81f816ddcb8064303822

Download Submit
C:\Windows\SysWOW64\Nqijmkfm.exe

Filesize
232KB

MD5
a1a77b2f46c0c239079b286e424de9f0

SHA1
0e626dda0ee204f449117ab8f05e2170adf9c410

SHA256
26b0cb9c0e0484268c77daf9fcc0a68f7ee8f109fefafd778bea121b0f66ff35

SHA512
50ceb0676495b10d2617a4334891aebef1675075574dd54bc274689347a7aef0921fa06da56f3b79e7edece03c81bd99f3520a9552a350e5c6c1fed8a807d99d

Download Submit
C:\Windows\SysWOW64\Ohnemidj.exe

Filesize
232KB

MD5
89489928ee29620e442b6bb0adc290c9

SHA1
e63eb36207424660a8a85492f0b3623ff27785f8

SHA256
1aa75ef76ede7f91e35f2b490fc008e0c2f865a005d358e7e83b12abcab29f78

SHA512
f3f5cd64006e0a23e6ae7d0f5e241bbc26e622fcfa7e3516608f2bd255631666957bbf411259695d634147f1c074523d49f737cb3c557e56ee6a89ad379fb6f3

Download Submit
C:\Windows\SysWOW64\Ojdlkp32.exe

Filesize
232KB

MD5
f4f0de9455338b1626f395f8930965cf

SHA1
324ccf4946d5bbb276512f6b318a4a0c50a22f3b

SHA256
61ada10890043f7e0fcf9d71868c79564666c21b8c4cdc5fc3c30964cdd576b2

SHA512
db16b4626324e3f4966c2ad9264d62956f2641d0c45fb5f713590ddba3b95824fa434a7848d194572c403e41d686a1ce7d91fb67bcf8c870adf9cf937c9bbf63

Download Submit
C:\Windows\SysWOW64\Omddmkhl.exe

Filesize
232KB

MD5
6aaf4b248c9ce1e83bc75dad9b87ce30

SHA1
289ff12e827bebcaf529c1ffdf946ccd84ca220e

SHA256
5aa847b0b541dcce885004a5fe7ea963c33ed400538bde5bd20326a35f7ea17d

SHA512
eb178d654980b156ec554ceb6ff6d22fa1f6c98ef14c9001d1d0c525cf13d297e86b126f4ad3f67b1c875bb575f35f392418a8fafa65a1e1ab30bad7f2f8aeeb

Download Submit
\Windows\SysWOW64\Mdigakic.exe

Filesize
232KB

MD5
5a9c1fbf11ea0574b49346bab67dfa94

SHA1
e222ececfb8c3add0d8564ebe1dac907ebb1a7a0

SHA256
963158de01d26911a621eca7b9c287742ee3d43f51ad257cd153bb6c0660cb41

SHA512
37d8daa430b5696ab67595bdb3aca9855905bd9704b1f1f34e88a918e00b52149002b6674045768aa023e4b7153dd51db6c13442f2fd68aa37c72431f3f093bc

Download Submit
\Windows\SysWOW64\Mjofanld.exe

Filesize
232KB

MD5
6eb45d3b768d13b9f417abab5df5df5a

SHA1
01c41f59eff1f2af3eb20c0640e3f417f7954019

SHA256
f216a2b154bd575e18397b108dcc9cb4061b3048d100a5c56b56df7614669712

SHA512
c9bd6adb31124ca8130124f17cf0ae978a471309aa294c9c7403d8d6b76a3b039b1654dad4422c567e6d8099bcb0406e168c25945403107f9fe21863d11739e5

Download Submit
\Windows\SysWOW64\Mnakjaoc.exe

Filesize
232KB

MD5
b6edb9682d9fd658cca39c3ec6963bfd

SHA1
6e68d723bbaffc47d1c439536a5268698d320b98

SHA256
0e1667bd4a4a5d9dcd5c81971ec17263e90ab2bffff50032e85b0c7d0e4ffb10

SHA512
04ed01048dc8e82354c61bbeddd8dea14fae756d43a3d43f02fdee9f602d87e97ea237f4a74e58fe9a52d5122134bb20ec06a4517a57cf3e80bfd74f7c6b1bc5

Download Submit
\Windows\SysWOW64\Nbaafocg.exe

Filesize
232KB

MD5
a699748e50cfea51faeca9604422abfb

SHA1
81745ab03b4a98b73c4bee002a70066543d340f2

SHA256
adaeadf87bfcef50f30fc9a9824b77c9c44e4bb245c1c9300c07abc72cbf4342

SHA512
8b476ed7c9db78245883a51c630e59407eac48d9f7ff89ae6f40250efcc459f8efbe314f34a5415f904145967513a27c4ec7c151677a0ac44510f0139868d2a2

Download Submit
\Windows\SysWOW64\Ncjcnfcn.exe

Filesize
232KB

MD5
f016d879e3dd34238b18ef5c8688ba6d

SHA1
c181095ac48728fcd450493dedf65a989d263ca4

SHA256
47aea2cc497f9866d537ab942c6bbd12560240965a2a4c16a5a3f658fb009aa1

SHA512
3161caf5550612915b8549ea8fc93068b3a99a4bd991150c44d588981dd56b4fb55f622acfb0ba6f267b9550b8dc9840540512d302b49790b990d0813987acd0

Download Submit
\Windows\SysWOW64\Nglmifca.exe

Filesize
232KB

MD5
e12eb037640d77be6a73532db4e8f49a

SHA1
8b3ec8be13f04704516475a2942a9412f30accdd

SHA256
73e07fb7741629def98bcc94fa75e391b662ec2ffb5d8013e5dd16ad4bf0f852

SHA512
dcb099a5bb2d9268b5a9c7dae60cc4ecd35c33831ebc94c9db7190a546f238a15938c1fe92228e2c5989d316b0ad9cead36421999cfe53addf8f7ff4a4ef4abc

Download Submit
\Windows\SysWOW64\Nmkbfmpf.exe

Filesize
232KB

MD5
b3cd25994772f3e07059662289daebe2

SHA1
712b8dc13637e57e25da83a8e303f56e201527a5

SHA256
996719aeaa31bd07969a2408acaa0677e2b9b9f27f96f6dcb209c89ab67abc38

SHA512
4c908f7d61dd6e19c1aa3d3a7cee57bcd873f6cf998d3400a6377da55ff6d3f5c1933f3e60c6fecbbb579646e119f0d81c392ad387925f85c65db95b75fc6755

Download Submit
\Windows\SysWOW64\Nndhpqma.exe

Filesize
232KB

MD5
210de40320ad745ee236cc6b2fc95ec0

SHA1
085e968d3ce1d952ca3f67426e3fd5509f656754

SHA256
3d8c99bd78d5854d07774bea0a44248a91bd16f5fe23e7bc570ca6eb11658bee

SHA512
6235d3b509bdbcb5df8ac5bc6878e8e9dbf2db871a13884f0be4b512dd6adda88ee7cec40803c3c4ecd1159d68416562ea758fae1d9afb34f7844e99fbd79971

Download Submit
\Windows\SysWOW64\Ofklpa32.exe

Filesize
232KB

MD5
25f11dee04242fffa31723fd4bafb1af

SHA1
59a995b392db25105446bac531589d2edf5dce4d

SHA256
e7ba84eed4897339fe8bffb4ba2400f94e2135b0d88f8cb385c5025ed5b6a9fe

SHA512
28a286c6af5ffcb5c9d41c71716d53de6322147e8a13568652807dbdcef583c1b128574bf262fe2684e968f5e3e1408044bc8dfac1d280ee48db8fee53228e21

Download Submit
memory/408-200-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/408-240-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/408-205-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/408-192-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1056-190-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/1056-179-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1056-241-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1364-220-0x0000000000260000-0x000000000028F000-memory.dmp

Filesize
188KB

Download
memory/1364-212-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1408-161-0x0000000000280000-0x00000000002AF000-memory.dmp

Filesize
188KB

Download
memory/1408-239-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1456-261-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1456-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1456-7-0x00000000003D0000-0x00000000003FF000-memory.dmp

Filesize
188KB

Download
memory/2140-262-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2140-128-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2248-255-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2248-34-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2248-26-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2348-246-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2348-144-0x0000000001F20000-0x0000000001F4F000-memory.dmp

Filesize
188KB

Download
memory/2348-136-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2380-231-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2380-257-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2380-221-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2588-245-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2588-106-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2636-80-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2636-266-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2636-88-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2636-93-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2640-78-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2640-250-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2704-258-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2704-24-0x00000000003D0000-0x00000000003FF000-memory.dmp

Filesize
188KB

Download
memory/2716-108-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2716-116-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2716-121-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2716-249-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2840-254-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2840-45-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2972-176-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2972-163-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2972-236-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2972-170-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/3020-61-0x0000000000260000-0x000000000028F000-memory.dmp

Filesize
188KB

Download
memory/3020-53-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3020-264-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3032-232-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads