berbew | 362bf1701d3e5dfc90f87ffccbc14225618d2c817ed77a44ebffcb7c91ae1113

Analysis

max time kernel
62s
max time network
17s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
25/12/2024, 18:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

362bf1701d3e5dfc90f87ffccbc14225618d2c817ed77a44ebffcb7c91ae1113.exe
Size

344KB
MD5

36c4f06310842c369f5e649c5f28ab3f
SHA1

eeef64413d08d86cc70600fe79d7794024bd3c8e
SHA256

362bf1701d3e5dfc90f87ffccbc14225618d2c817ed77a44ebffcb7c91ae1113
SHA512

82b7910864aeb226d5d0d3f6ae6ff981d92263fac1b921b3ed2ee9b05a3c9c6b1f075af6410941f0dd3d75c6419d8cfd7fc2d83f9ae4630528317fd38bd61fa7
SSDEEP

6144:km1+IhWCpX2/mnbzvdLaD6OkPgl6bmIjlQF1:klxCpXImbzQD6OkPgl6bmIjK1

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://tat-neftbank.ru/kkq.php

http://tat-neftbank.ru/wcmd.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpgionie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jcqlkjae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jfohgepi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jlqjkk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klcgpkhh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdnkdmec.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Khldkllj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jlqjkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Klcgpkhh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kablnadm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Khldkllj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpgionie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkojbf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkojbf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	362bf1701d3e5dfc90f87ffccbc14225618d2c817ed77a44ebffcb7c91ae1113.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jikhnaao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jabponba.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfohgepi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdnkdmec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kablnadm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	362bf1701d3e5dfc90f87ffccbc14225618d2c817ed77a44ebffcb7c91ae1113.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jikhnaao.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jabponba.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jcqlkjae.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 12 IoCs

pid	Process
2376	Jikhnaao.exe
2776	Jabponba.exe
2708	Jcqlkjae.exe
2868	Jfohgepi.exe
2644	Jlqjkk32.exe
1004	Klcgpkhh.exe
1872	Kdnkdmec.exe
1680	Kablnadm.exe
1932	Khldkllj.exe
448	Kpgionie.exe
2948	Kkojbf32.exe
2136	Lbjofi32.exe

Loads dropped DLL 28 IoCs

pid	Process
2188	362bf1701d3e5dfc90f87ffccbc14225618d2c817ed77a44ebffcb7c91ae1113.exe
2188	362bf1701d3e5dfc90f87ffccbc14225618d2c817ed77a44ebffcb7c91ae1113.exe
2376	Jikhnaao.exe
2376	Jikhnaao.exe
2776	Jabponba.exe
2776	Jabponba.exe
2708	Jcqlkjae.exe
2708	Jcqlkjae.exe
2868	Jfohgepi.exe
2868	Jfohgepi.exe
2644	Jlqjkk32.exe
2644	Jlqjkk32.exe
1004	Klcgpkhh.exe
1004	Klcgpkhh.exe
1872	Kdnkdmec.exe
1872	Kdnkdmec.exe
1680	Kablnadm.exe
1680	Kablnadm.exe
1932	Khldkllj.exe
1932	Khldkllj.exe
448	Kpgionie.exe
448	Kpgionie.exe
2948	Kkojbf32.exe
2948	Kkojbf32.exe
1648	WerFault.exe
1648	WerFault.exe
1648	WerFault.exe
1648	WerFault.exe

Drops file in System32 directory 36 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Jabponba.exe	Jikhnaao.exe
File opened for modification	C:\Windows\SysWOW64\Jabponba.exe	Jikhnaao.exe
File created	C:\Windows\SysWOW64\Jcqlkjae.exe	Jabponba.exe
File created	C:\Windows\SysWOW64\Qmeedp32.dll	362bf1701d3e5dfc90f87ffccbc14225618d2c817ed77a44ebffcb7c91ae1113.exe
File opened for modification	C:\Windows\SysWOW64\Jcqlkjae.exe	Jabponba.exe
File created	C:\Windows\SysWOW64\Cmojeo32.dll	Jabponba.exe
File created	C:\Windows\SysWOW64\Qmgaio32.dll	Jcqlkjae.exe
File opened for modification	C:\Windows\SysWOW64\Jlqjkk32.exe	Jfohgepi.exe
File opened for modification	C:\Windows\SysWOW64\Khldkllj.exe	Kablnadm.exe
File created	C:\Windows\SysWOW64\Eghoka32.dll	Kablnadm.exe
File created	C:\Windows\SysWOW64\Kpgionie.exe	Khldkllj.exe
File created	C:\Windows\SysWOW64\Ipafocdg.dll	Kkojbf32.exe
File created	C:\Windows\SysWOW64\Jikhnaao.exe	362bf1701d3e5dfc90f87ffccbc14225618d2c817ed77a44ebffcb7c91ae1113.exe
File created	C:\Windows\SysWOW64\Lbjofi32.exe	Kkojbf32.exe
File created	C:\Windows\SysWOW64\Jfohgepi.exe	Jcqlkjae.exe
File opened for modification	C:\Windows\SysWOW64\Lbjofi32.exe	Kkojbf32.exe
File opened for modification	C:\Windows\SysWOW64\Jikhnaao.exe	362bf1701d3e5dfc90f87ffccbc14225618d2c817ed77a44ebffcb7c91ae1113.exe
File created	C:\Windows\SysWOW64\Khldkllj.exe	Kablnadm.exe
File created	C:\Windows\SysWOW64\Jbdhhp32.dll	Khldkllj.exe
File created	C:\Windows\SysWOW64\Kkojbf32.exe	Kpgionie.exe
File created	C:\Windows\SysWOW64\Klcgpkhh.exe	Jlqjkk32.exe
File created	C:\Windows\SysWOW64\Jlqjkk32.exe	Jfohgepi.exe
File created	C:\Windows\SysWOW64\Biklma32.dll	Jfohgepi.exe
File opened for modification	C:\Windows\SysWOW64\Klcgpkhh.exe	Jlqjkk32.exe
File created	C:\Windows\SysWOW64\Mmofpf32.dll	Jlqjkk32.exe
File created	C:\Windows\SysWOW64\Kdnkdmec.exe	Klcgpkhh.exe
File created	C:\Windows\SysWOW64\Caefjg32.dll	Klcgpkhh.exe
File created	C:\Windows\SysWOW64\Kablnadm.exe	Kdnkdmec.exe
File created	C:\Windows\SysWOW64\Oiahkhpo.dll	Jikhnaao.exe
File opened for modification	C:\Windows\SysWOW64\Kpgionie.exe	Khldkllj.exe
File created	C:\Windows\SysWOW64\Gffdobll.dll	Kpgionie.exe
File created	C:\Windows\SysWOW64\Kjpndcho.dll	Kdnkdmec.exe
File opened for modification	C:\Windows\SysWOW64\Kdnkdmec.exe	Klcgpkhh.exe
File opened for modification	C:\Windows\SysWOW64\Kablnadm.exe	Kdnkdmec.exe
File opened for modification	C:\Windows\SysWOW64\Kkojbf32.exe	Kpgionie.exe
File opened for modification	C:\Windows\SysWOW64\Jfohgepi.exe	Jcqlkjae.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1648	2136	WerFault.exe	41

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Khldkllj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kkojbf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbjofi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	362bf1701d3e5dfc90f87ffccbc14225618d2c817ed77a44ebffcb7c91ae1113.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jabponba.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jlqjkk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klcgpkhh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kablnadm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kpgionie.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jikhnaao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jcqlkjae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jfohgepi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdnkdmec.exe

Modifies registry class 39 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kpgionie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kpgionie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	362bf1701d3e5dfc90f87ffccbc14225618d2c817ed77a44ebffcb7c91ae1113.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jfohgepi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jlqjkk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	362bf1701d3e5dfc90f87ffccbc14225618d2c817ed77a44ebffcb7c91ae1113.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jfohgepi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdnkdmec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jabponba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qmgaio32.dll"	Jcqlkjae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjpndcho.dll"	Kdnkdmec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kablnadm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbdhhp32.dll"	Khldkllj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	362bf1701d3e5dfc90f87ffccbc14225618d2c817ed77a44ebffcb7c91ae1113.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	362bf1701d3e5dfc90f87ffccbc14225618d2c817ed77a44ebffcb7c91ae1113.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oiahkhpo.dll"	Jikhnaao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jikhnaao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jabponba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gffdobll.dll"	Kpgionie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kkojbf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	362bf1701d3e5dfc90f87ffccbc14225618d2c817ed77a44ebffcb7c91ae1113.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Caefjg32.dll"	Klcgpkhh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Khldkllj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Klcgpkhh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kdnkdmec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Khldkllj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jcqlkjae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Biklma32.dll"	Jfohgepi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmofpf32.dll"	Jlqjkk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jcqlkjae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jlqjkk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Klcgpkhh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kablnadm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eghoka32.dll"	Kablnadm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qmeedp32.dll"	362bf1701d3e5dfc90f87ffccbc14225618d2c817ed77a44ebffcb7c91ae1113.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jikhnaao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmojeo32.dll"	Jabponba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kkojbf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipafocdg.dll"	Kkojbf32.exe

Suspicious use of WriteProcessMemory 52 IoCs

description	pid	Process	procid_target
PID 2188 wrote to memory of 2376	2188	362bf1701d3e5dfc90f87ffccbc14225618d2c817ed77a44ebffcb7c91ae1113.exe	30
PID 2188 wrote to memory of 2376	2188	362bf1701d3e5dfc90f87ffccbc14225618d2c817ed77a44ebffcb7c91ae1113.exe	30
PID 2188 wrote to memory of 2376	2188	362bf1701d3e5dfc90f87ffccbc14225618d2c817ed77a44ebffcb7c91ae1113.exe	30
PID 2188 wrote to memory of 2376	2188	362bf1701d3e5dfc90f87ffccbc14225618d2c817ed77a44ebffcb7c91ae1113.exe	30
PID 2376 wrote to memory of 2776	2376	Jikhnaao.exe	31
PID 2376 wrote to memory of 2776	2376	Jikhnaao.exe	31
PID 2376 wrote to memory of 2776	2376	Jikhnaao.exe	31
PID 2376 wrote to memory of 2776	2376	Jikhnaao.exe	31
PID 2776 wrote to memory of 2708	2776	Jabponba.exe	32
PID 2776 wrote to memory of 2708	2776	Jabponba.exe	32
PID 2776 wrote to memory of 2708	2776	Jabponba.exe	32
PID 2776 wrote to memory of 2708	2776	Jabponba.exe	32
PID 2708 wrote to memory of 2868	2708	Jcqlkjae.exe	33
PID 2708 wrote to memory of 2868	2708	Jcqlkjae.exe	33
PID 2708 wrote to memory of 2868	2708	Jcqlkjae.exe	33
PID 2708 wrote to memory of 2868	2708	Jcqlkjae.exe	33
PID 2868 wrote to memory of 2644	2868	Jfohgepi.exe	34
PID 2868 wrote to memory of 2644	2868	Jfohgepi.exe	34
PID 2868 wrote to memory of 2644	2868	Jfohgepi.exe	34
PID 2868 wrote to memory of 2644	2868	Jfohgepi.exe	34
PID 2644 wrote to memory of 1004	2644	Jlqjkk32.exe	35
PID 2644 wrote to memory of 1004	2644	Jlqjkk32.exe	35
PID 2644 wrote to memory of 1004	2644	Jlqjkk32.exe	35
PID 2644 wrote to memory of 1004	2644	Jlqjkk32.exe	35
PID 1004 wrote to memory of 1872	1004	Klcgpkhh.exe	36
PID 1004 wrote to memory of 1872	1004	Klcgpkhh.exe	36
PID 1004 wrote to memory of 1872	1004	Klcgpkhh.exe	36
PID 1004 wrote to memory of 1872	1004	Klcgpkhh.exe	36
PID 1872 wrote to memory of 1680	1872	Kdnkdmec.exe	37
PID 1872 wrote to memory of 1680	1872	Kdnkdmec.exe	37
PID 1872 wrote to memory of 1680	1872	Kdnkdmec.exe	37
PID 1872 wrote to memory of 1680	1872	Kdnkdmec.exe	37
PID 1680 wrote to memory of 1932	1680	Kablnadm.exe	38
PID 1680 wrote to memory of 1932	1680	Kablnadm.exe	38
PID 1680 wrote to memory of 1932	1680	Kablnadm.exe	38
PID 1680 wrote to memory of 1932	1680	Kablnadm.exe	38
PID 1932 wrote to memory of 448	1932	Khldkllj.exe	39
PID 1932 wrote to memory of 448	1932	Khldkllj.exe	39
PID 1932 wrote to memory of 448	1932	Khldkllj.exe	39
PID 1932 wrote to memory of 448	1932	Khldkllj.exe	39
PID 448 wrote to memory of 2948	448	Kpgionie.exe	40
PID 448 wrote to memory of 2948	448	Kpgionie.exe	40
PID 448 wrote to memory of 2948	448	Kpgionie.exe	40
PID 448 wrote to memory of 2948	448	Kpgionie.exe	40
PID 2948 wrote to memory of 2136	2948	Kkojbf32.exe	41
PID 2948 wrote to memory of 2136	2948	Kkojbf32.exe	41
PID 2948 wrote to memory of 2136	2948	Kkojbf32.exe	41
PID 2948 wrote to memory of 2136	2948	Kkojbf32.exe	41
PID 2136 wrote to memory of 1648	2136	Lbjofi32.exe	42
PID 2136 wrote to memory of 1648	2136	Lbjofi32.exe	42
PID 2136 wrote to memory of 1648	2136	Lbjofi32.exe	42
PID 2136 wrote to memory of 1648	2136	Lbjofi32.exe	42

C:\Users\Admin\AppData\Local\Temp\362bf1701d3e5dfc90f87ffccbc14225618d2c817ed77a44ebffcb7c91ae1113.exe
"C:\Users\Admin\AppData\Local\Temp\362bf1701d3e5dfc90f87ffccbc14225618d2c817ed77a44ebffcb7c91ae1113.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2188
- C:\Windows\SysWOW64\Jikhnaao.exe
  C:\Windows\system32\Jikhnaao.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2376
- - C:\Windows\SysWOW64\Jabponba.exe
    C:\Windows\system32\Jabponba.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2776
  - - C:\Windows\SysWOW64\Jcqlkjae.exe
      C:\Windows\system32\Jcqlkjae.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2708
    - - C:\Windows\SysWOW64\Jfohgepi.exe
        
        C:\Windows\system32\Jfohgepi.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2868
      - C:\Windows\SysWOW64\Jlqjkk32.exe
        
        C:\Windows\system32\Jlqjkk32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2644
        
        C:\Windows\SysWOW64\Klcgpkhh.exe
        
        C:\Windows\system32\Klcgpkhh.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1004
        
        C:\Windows\SysWOW64\Kdnkdmec.exe
        
        C:\Windows\system32\Kdnkdmec.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1872
        
        C:\Windows\SysWOW64\Kablnadm.exe
        
        C:\Windows\system32\Kablnadm.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1680
        
        C:\Windows\SysWOW64\Khldkllj.exe
        
        C:\Windows\system32\Khldkllj.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1932
        
        C:\Windows\SysWOW64\Kpgionie.exe
        
        C:\Windows\system32\Kpgionie.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:448
        
        C:\Windows\SysWOW64\Kkojbf32.exe
        
        C:\Windows\system32\Kkojbf32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2948
        
        C:\Windows\SysWOW64\Lbjofi32.exe
        
        C:\Windows\system32\Lbjofi32.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2136
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2136 -s 140
        14⤵
        Loads dropped DLL
        Program crash
        
        PID:1648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Jabponba.exe

Filesize
344KB

MD5
e2ef5f7ed740cc0e37f39c144c896aa2

SHA1
4524a8882f2017c37bc3d835158806bb06265e83

SHA256
7fe0bd1807be95b4f898d106c6719ce98449639759b7764390fe86413d445767

SHA512
c858a051cfa320192c54fc2c09e8657fd85e5bf5ac253e22b7354e3f8dd6cef1f7854723fa16d807cdb11470ca3537d2c854ae4d382853a88c5b48ee06838474

Download Submit
C:\Windows\SysWOW64\Jcqlkjae.exe

Filesize
344KB

MD5
accede4f45ca6392614905202f593a3f

SHA1
86f31350d33bd660d1ebd2ffdbfd5ce2416b3065

SHA256
844110d69851e0b1a9003354517320e6fe3fb2c63d58c045583c27a632ae354b

SHA512
3ca1067781e6f611eb438321cb020e42296b2d06ec1c510f18504eea7c2e649570a5528f875a62abecd9dea8421a0157c32d9e1eb4a8e1a44230547cf47698ad

Download Submit
C:\Windows\SysWOW64\Jikhnaao.exe

Filesize
344KB

MD5
75f26b0fddb5cd987b215a3af29be795

SHA1
36b240da20b58b750be2f3ab34fb6b308c672673

SHA256
5529721e759482ae6e49fad1285fee90a1be12f258daaa8db78497eff32b9fd5

SHA512
0878911e70c70798a1841a01cc709e408b54055cd9cd0ca16dd3ef47910c8743a94d22dd8f2697cce5c6d3dab7c17e47ec7eb06e42f874f7ec0c71126172429a

Download Submit
C:\Windows\SysWOW64\Jlqjkk32.exe

Filesize
344KB

MD5
9b06e785e7125a98c95f4e973cf23646

SHA1
913eaaffdcede39bfbe1e9814d0e5e6c4dcb5c62

SHA256
9e3a724e2a5c62c3818ec943e04f2aa4b669a9c9535fce913495943a1abb7e27

SHA512
8aa251fd71077f3b0db4e71e99368419eb6b32a6e0a3730c142e6bf1386a9be00d359ea0e4d90b176dcf73ed5c435f4e05f36b0ac060c2c20dcec3b64b34dc46

Download Submit
C:\Windows\SysWOW64\Khldkllj.exe

Filesize
344KB

MD5
1cfb101ec898c9ed3937d02edc969356

SHA1
e76c5834ba1a09ab1863beb910433cf4334cf034

SHA256
ab514b8e04bdc4d7deabc0a693411a37157d17c8cbc2f0f2d151858162b1147f

SHA512
f17442013c07be181fafa691a1d54df4bfb1a465b0364f574190d08e5c7516bb2ffe00b1e25885a3900c8b8df80be5730b83ecdbfe35d0ce11857e65586cf912

Download Submit
C:\Windows\SysWOW64\Kpgionie.exe

Filesize
344KB

MD5
294d96ff1b078b04566f288f3e28b71f

SHA1
e3aaec6d0608e178146d7c3f7d86a0bf757aaf3b

SHA256
9494eb00c5398cc5ddb1d6a2d444088fb97fce0c6ce669781d8b12f1d3281150

SHA512
275dc7d7f547d161c4bf4f9bbb17723c0ca3c9b72f45df0d4e5463fe3eaeda75ca2cb405135c12f9d5277c8bbb087a8e11f89a678d35037a1f72cef73a25288b

Download Submit
\Windows\SysWOW64\Jfohgepi.exe

Filesize
344KB

MD5
103fc9be455194f32a33d18110a4389a

SHA1
582f5a8f175f858a0c9c506bfa054ee6231bdabd

SHA256
e73b95ead73397e0cc22f6e17f55a05a1533b3daf98f7f90ffcdfd8223d0871a

SHA512
9b3cab8655b28135dae1ae0c827ac43a09dfa31502d3b70397e31e7a3512bdd85963b2f58f4ea4d39e83a4b64b187307a52cf612278b8f40c387142a2d753f2f

Download Submit
\Windows\SysWOW64\Kablnadm.exe

Filesize
344KB

MD5
52b8e5d8889f5b591f0e265f701283e5

SHA1
d4114c79319f0a57427830722f0f0b29776cd719

SHA256
e5e96ff32a749454dc1d60b82b37cfa3b7c106b86314ab9f29d31095956bc5bb

SHA512
4afea60d0be54e9fde5189b144ff864529ed00805eda5d3cdc4cce29ce237557276673b76b1479d662a7d0c205a6142465a576ca641eb1f956daac2a68447803

Download Submit
\Windows\SysWOW64\Kdnkdmec.exe

Filesize
344KB

MD5
a12246dce4b07dbec31e8b7e05089af0

SHA1
103172fcbd4e8c7f6fbc589fee98c35552ddaa9b

SHA256
4b7c0d0025ff372ef07863249dab68d6f2a1846c7fdfcbb67f6c2184ee0e5ad0

SHA512
12d747f647cf5b3185bdbda399f50b3ed7b812695704b22f0e40d569b575db9c46a539b5d799e98f3a9782e00a882cf320dbacd86a2faeb95adf4a8583891f05

Download Submit
\Windows\SysWOW64\Kkojbf32.exe

Filesize
344KB

MD5
abc9f082b3bc0c69330d34c23d2536dc

SHA1
76e163a7a7fa80d7ca6d3b679dc383bb471e1bf0

SHA256
75bf8688cbe651d7663674b7fc043cbc49d8a29b192bc618fabc2071d8685a7e

SHA512
ad47bcf9beaa226aea80c83c8272a7a215f56347a99998a4bcd4d5d083010d06ff7597791c68913fc46a8eebca93a8457875429e06fb5138d2724fa4eaa20e15

Download Submit
\Windows\SysWOW64\Klcgpkhh.exe

Filesize
344KB

MD5
311cccf7f52212ef172d98562ded0e91

SHA1
284c496bcedc0499215ec514439c7322fe2f135b

SHA256
0430c915e33be3bb0ecc37b5133d0270d62ea4a649053cb6a2c718c3526c2339

SHA512
0c896e22c07ab8bafa4bc42576254b02af6207c611b91d0c52a997f260514749134f3eff1013bcc91aaf2f5d2f71687dbb6b31a924ccf9726b75dfce9cd13e9e

Download Submit
\Windows\SysWOW64\Lbjofi32.exe

Filesize
344KB

MD5
18ae96f8f5ccfd0111a53e62d0aa95aa

SHA1
337f7e29ea330b39330ca9d09a0e10b6a289352e

SHA256
3ba2eb9b09ff39f5f54f76880cc26a245ccad05e72e0c2996a6491e3e181a91c

SHA512
ae247ad08ecf76afa63a2f722d3e2aa331a89f5874d65490baaa9fa10a68b1c9545738a2b9a7bcfa2656d3f7da7e0d90e386587541fd5cb50eb5012f3ffd8930

Download Submit
memory/448-142-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/448-194-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/448-155-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/448-156-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/1004-186-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1004-98-0x00000000002D0000-0x00000000002FF000-memory.dmp

Filesize
188KB

Download
memory/1680-114-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1680-189-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1680-126-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/1872-99-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1872-111-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/1872-184-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1932-140-0x0000000000280000-0x00000000002AF000-memory.dmp

Filesize
188KB

Download
memory/1932-187-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1932-127-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1932-141-0x0000000000280000-0x00000000002AF000-memory.dmp

Filesize
188KB

Download
memory/2136-172-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2136-177-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2188-12-0x0000000000280000-0x00000000002AF000-memory.dmp

Filesize
188KB

Download
memory/2188-198-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2188-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2188-13-0x0000000000280000-0x00000000002AF000-memory.dmp

Filesize
188KB

Download
memory/2376-199-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2376-32-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2376-14-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2644-190-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2644-72-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2644-80-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2708-47-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2708-56-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2708-49-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2776-33-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2776-46-0x0000000000270000-0x000000000029F000-memory.dmp

Filesize
188KB

Download
memory/2868-57-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2868-70-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2868-71-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2868-192-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2948-157-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2948-169-0x0000000000260000-0x000000000028F000-memory.dmp

Filesize
188KB

Download
memory/2948-170-0x0000000000260000-0x000000000028F000-memory.dmp

Filesize
188KB

Download
memory/2948-179-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads