berbew | 9edafa65286ebf25a22e60deaef528f9ef08c244e8a36ae94abd741208e277e4

Analysis

max time kernel
74s
max time network
19s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
25/12/2024, 18:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9edafa65286ebf25a22e60deaef528f9ef08c244e8a36ae94abd741208e277e4.exe
Size

89KB
MD5

26a54ba706d264525c39ac505c6f39a5
SHA1

192b9145c7bde0e1c12877dad94798cb89ce1f14
SHA256

9edafa65286ebf25a22e60deaef528f9ef08c244e8a36ae94abd741208e277e4
SHA512

6aa5425a38ad8a3cd5b516fb88df1488dc8752c6c57451bb92e5e3ae39290c94116bef1b0c071d0e5faf8b908794d6caf33e83980bb2c05c2aa548c9dd795dc2
SSDEEP

1536:qLSA8rrJzn/wfFD7We37WIsqaV2Be/BhB88KsbuIB7BR9L4DT2EnINb:qLSprrJz/G3CuaVienH1KIB6+oQ

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 20 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nhpabdqd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nickoldp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nmacej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mlgdhcmb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Moqgiopk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nhnemdbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nmacej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Midnqh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	9edafa65286ebf25a22e60deaef528f9ef08c244e8a36ae94abd741208e277e4.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Midnqh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Moqgiopk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maapjjml.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlgdhcmb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nhnemdbf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nhpabdqd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	9edafa65286ebf25a22e60deaef528f9ef08c244e8a36ae94abd741208e277e4.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogjhnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nickoldp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ogjhnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Maapjjml.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 10 IoCs

pid	Process
2164	Midnqh32.exe
2936	Moqgiopk.exe
2144	Maapjjml.exe
2180	Mlgdhcmb.exe
2252	Nhnemdbf.exe
2828	Nhpabdqd.exe
2272	Nickoldp.exe
2260	Nmacej32.exe
3020	Ogjhnp32.exe
1952	Opblgehg.exe

Loads dropped DLL 24 IoCs

pid	Process
1736	9edafa65286ebf25a22e60deaef528f9ef08c244e8a36ae94abd741208e277e4.exe
1736	9edafa65286ebf25a22e60deaef528f9ef08c244e8a36ae94abd741208e277e4.exe
2164	Midnqh32.exe
2164	Midnqh32.exe
2936	Moqgiopk.exe
2936	Moqgiopk.exe
2144	Maapjjml.exe
2144	Maapjjml.exe
2180	Mlgdhcmb.exe
2180	Mlgdhcmb.exe
2252	Nhnemdbf.exe
2252	Nhnemdbf.exe
2828	Nhpabdqd.exe
2828	Nhpabdqd.exe
2272	Nickoldp.exe
2272	Nickoldp.exe
2260	Nmacej32.exe
2260	Nmacej32.exe
3020	Ogjhnp32.exe
3020	Ogjhnp32.exe
1496	WerFault.exe
1496	WerFault.exe
1496	WerFault.exe
1496	WerFault.exe

Drops file in System32 directory 30 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Bgbjkg32.dll	Midnqh32.exe
File created	C:\Windows\SysWOW64\Faqkji32.dll	Maapjjml.exe
File created	C:\Windows\SysWOW64\Nhpabdqd.exe	Nhnemdbf.exe
File created	C:\Windows\SysWOW64\Ogjhnp32.exe	Nmacej32.exe
File created	C:\Windows\SysWOW64\Ahmjfimi.dll	Ogjhnp32.exe
File created	C:\Windows\SysWOW64\Midnqh32.exe	9edafa65286ebf25a22e60deaef528f9ef08c244e8a36ae94abd741208e277e4.exe
File created	C:\Windows\SysWOW64\Moqgiopk.exe	Midnqh32.exe
File created	C:\Windows\SysWOW64\Mlgdhcmb.exe	Maapjjml.exe
File opened for modification	C:\Windows\SysWOW64\Moqgiopk.exe	Midnqh32.exe
File opened for modification	C:\Windows\SysWOW64\Maapjjml.exe	Moqgiopk.exe
File created	C:\Windows\SysWOW64\Opblgehg.exe	Ogjhnp32.exe
File created	C:\Windows\SysWOW64\Ikcpoa32.dll	9edafa65286ebf25a22e60deaef528f9ef08c244e8a36ae94abd741208e277e4.exe
File created	C:\Windows\SysWOW64\Ibnjlg32.dll	Moqgiopk.exe
File opened for modification	C:\Windows\SysWOW64\Nhnemdbf.exe	Mlgdhcmb.exe
File created	C:\Windows\SysWOW64\Nmacej32.exe	Nickoldp.exe
File opened for modification	C:\Windows\SysWOW64\Ogjhnp32.exe	Nmacej32.exe
File created	C:\Windows\SysWOW64\Nlnjkhha.dll	Nmacej32.exe
File opened for modification	C:\Windows\SysWOW64\Nickoldp.exe	Nhpabdqd.exe
File opened for modification	C:\Windows\SysWOW64\Midnqh32.exe	9edafa65286ebf25a22e60deaef528f9ef08c244e8a36ae94abd741208e277e4.exe
File created	C:\Windows\SysWOW64\Maapjjml.exe	Moqgiopk.exe
File opened for modification	C:\Windows\SysWOW64\Mlgdhcmb.exe	Maapjjml.exe
File created	C:\Windows\SysWOW64\Oipenooj.dll	Nhnemdbf.exe
File created	C:\Windows\SysWOW64\Nickoldp.exe	Nhpabdqd.exe
File created	C:\Windows\SysWOW64\Nhnemdbf.exe	Mlgdhcmb.exe
File created	C:\Windows\SysWOW64\Kanafj32.dll	Mlgdhcmb.exe
File opened for modification	C:\Windows\SysWOW64\Nhpabdqd.exe	Nhnemdbf.exe
File opened for modification	C:\Windows\SysWOW64\Opblgehg.exe	Ogjhnp32.exe
File created	C:\Windows\SysWOW64\Heknhioh.dll	Nhpabdqd.exe
File opened for modification	C:\Windows\SysWOW64\Nmacej32.exe	Nickoldp.exe
File created	C:\Windows\SysWOW64\Gaegla32.dll	Nickoldp.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1496	1952	WerFault.exe	39

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Moqgiopk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlgdhcmb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nhnemdbf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogjhnp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nmacej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opblgehg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9edafa65286ebf25a22e60deaef528f9ef08c244e8a36ae94abd741208e277e4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Midnqh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Maapjjml.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nhpabdqd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nickoldp.exe

Modifies registry class 33 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	9edafa65286ebf25a22e60deaef528f9ef08c244e8a36ae94abd741208e277e4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	9edafa65286ebf25a22e60deaef528f9ef08c244e8a36ae94abd741208e277e4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Midnqh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibnjlg32.dll"	Moqgiopk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oipenooj.dll"	Nhnemdbf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Midnqh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gaegla32.dll"	Nickoldp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nickoldp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Moqgiopk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mlgdhcmb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nhnemdbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nhpabdqd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	9edafa65286ebf25a22e60deaef528f9ef08c244e8a36ae94abd741208e277e4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nhnemdbf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nhpabdqd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Heknhioh.dll"	Nhpabdqd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ogjhnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Maapjjml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kanafj32.dll"	Mlgdhcmb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nickoldp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlnjkhha.dll"	Nmacej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikcpoa32.dll"	9edafa65286ebf25a22e60deaef528f9ef08c244e8a36ae94abd741208e277e4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgbjkg32.dll"	Midnqh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Moqgiopk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mlgdhcmb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nmacej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nmacej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahmjfimi.dll"	Ogjhnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ogjhnp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	9edafa65286ebf25a22e60deaef528f9ef08c244e8a36ae94abd741208e277e4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	9edafa65286ebf25a22e60deaef528f9ef08c244e8a36ae94abd741208e277e4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Maapjjml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Faqkji32.dll"	Maapjjml.exe

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 1736 wrote to memory of 2164	1736	9edafa65286ebf25a22e60deaef528f9ef08c244e8a36ae94abd741208e277e4.exe	30
PID 1736 wrote to memory of 2164	1736	9edafa65286ebf25a22e60deaef528f9ef08c244e8a36ae94abd741208e277e4.exe	30
PID 1736 wrote to memory of 2164	1736	9edafa65286ebf25a22e60deaef528f9ef08c244e8a36ae94abd741208e277e4.exe	30
PID 1736 wrote to memory of 2164	1736	9edafa65286ebf25a22e60deaef528f9ef08c244e8a36ae94abd741208e277e4.exe	30
PID 2164 wrote to memory of 2936	2164	Midnqh32.exe	31
PID 2164 wrote to memory of 2936	2164	Midnqh32.exe	31
PID 2164 wrote to memory of 2936	2164	Midnqh32.exe	31
PID 2164 wrote to memory of 2936	2164	Midnqh32.exe	31
PID 2936 wrote to memory of 2144	2936	Moqgiopk.exe	32
PID 2936 wrote to memory of 2144	2936	Moqgiopk.exe	32
PID 2936 wrote to memory of 2144	2936	Moqgiopk.exe	32
PID 2936 wrote to memory of 2144	2936	Moqgiopk.exe	32
PID 2144 wrote to memory of 2180	2144	Maapjjml.exe	33
PID 2144 wrote to memory of 2180	2144	Maapjjml.exe	33
PID 2144 wrote to memory of 2180	2144	Maapjjml.exe	33
PID 2144 wrote to memory of 2180	2144	Maapjjml.exe	33
PID 2180 wrote to memory of 2252	2180	Mlgdhcmb.exe	34
PID 2180 wrote to memory of 2252	2180	Mlgdhcmb.exe	34
PID 2180 wrote to memory of 2252	2180	Mlgdhcmb.exe	34
PID 2180 wrote to memory of 2252	2180	Mlgdhcmb.exe	34
PID 2252 wrote to memory of 2828	2252	Nhnemdbf.exe	35
PID 2252 wrote to memory of 2828	2252	Nhnemdbf.exe	35
PID 2252 wrote to memory of 2828	2252	Nhnemdbf.exe	35
PID 2252 wrote to memory of 2828	2252	Nhnemdbf.exe	35
PID 2828 wrote to memory of 2272	2828	Nhpabdqd.exe	36
PID 2828 wrote to memory of 2272	2828	Nhpabdqd.exe	36
PID 2828 wrote to memory of 2272	2828	Nhpabdqd.exe	36
PID 2828 wrote to memory of 2272	2828	Nhpabdqd.exe	36
PID 2272 wrote to memory of 2260	2272	Nickoldp.exe	37
PID 2272 wrote to memory of 2260	2272	Nickoldp.exe	37
PID 2272 wrote to memory of 2260	2272	Nickoldp.exe	37
PID 2272 wrote to memory of 2260	2272	Nickoldp.exe	37
PID 2260 wrote to memory of 3020	2260	Nmacej32.exe	38
PID 2260 wrote to memory of 3020	2260	Nmacej32.exe	38
PID 2260 wrote to memory of 3020	2260	Nmacej32.exe	38
PID 2260 wrote to memory of 3020	2260	Nmacej32.exe	38
PID 3020 wrote to memory of 1952	3020	Ogjhnp32.exe	39
PID 3020 wrote to memory of 1952	3020	Ogjhnp32.exe	39
PID 3020 wrote to memory of 1952	3020	Ogjhnp32.exe	39
PID 3020 wrote to memory of 1952	3020	Ogjhnp32.exe	39
PID 1952 wrote to memory of 1496	1952	Opblgehg.exe	40
PID 1952 wrote to memory of 1496	1952	Opblgehg.exe	40
PID 1952 wrote to memory of 1496	1952	Opblgehg.exe	40
PID 1952 wrote to memory of 1496	1952	Opblgehg.exe	40

C:\Users\Admin\AppData\Local\Temp\9edafa65286ebf25a22e60deaef528f9ef08c244e8a36ae94abd741208e277e4.exe
"C:\Users\Admin\AppData\Local\Temp\9edafa65286ebf25a22e60deaef528f9ef08c244e8a36ae94abd741208e277e4.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1736
- C:\Windows\SysWOW64\Midnqh32.exe
  C:\Windows\system32\Midnqh32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2164
- - C:\Windows\SysWOW64\Moqgiopk.exe
    C:\Windows\system32\Moqgiopk.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2936
  - - C:\Windows\SysWOW64\Maapjjml.exe
      C:\Windows\system32\Maapjjml.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2144
    - - C:\Windows\SysWOW64\Mlgdhcmb.exe
        
        C:\Windows\system32\Mlgdhcmb.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2180
      - C:\Windows\SysWOW64\Nhnemdbf.exe
        
        C:\Windows\system32\Nhnemdbf.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2252
        
        C:\Windows\SysWOW64\Nhpabdqd.exe
        
        C:\Windows\system32\Nhpabdqd.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2828
        
        C:\Windows\SysWOW64\Nickoldp.exe
        
        C:\Windows\system32\Nickoldp.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2272
        
        C:\Windows\SysWOW64\Nmacej32.exe
        
        C:\Windows\system32\Nmacej32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2260
        
        C:\Windows\SysWOW64\Ogjhnp32.exe
        
        C:\Windows\system32\Ogjhnp32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3020
        
        C:\Windows\SysWOW64\Opblgehg.exe
        
        C:\Windows\system32\Opblgehg.exe
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1952
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1952 -s 140
        12⤵
        Loads dropped DLL
        Program crash
        
        PID:1496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Kanafj32.dll

Filesize
7KB

MD5
a6766e6f9a4f78acd97505961599689d

SHA1
420c74e32ce2aa849a3a67f4bb20c3b8c7ce7dca

SHA256
cc7eb4ad48467a2c061e7ddbdcbd3d4596c410c680422bd90626b9bdf51d0659

SHA512
f1e6713c6dc103387a843bf1d82b6d9213e2a13bc61089c822e64722f1d9a095e5db873365a290a5157a4c51b0db477c5d22aa6afc90906d1903a1e8e6a1b96d

Download Submit
C:\Windows\SysWOW64\Maapjjml.exe

Filesize
89KB

MD5
8503e9be95fdd2932a62c23081396db3

SHA1
19912063797c4701cb540c59c7bfa69dbe732af4

SHA256
85249c943227dff8c4a662302a322f077cd7acd60a71635f4baeddbbf8985821

SHA512
b7416076af3a303ca2e913234b552b7d55a1006ec19fc53cef5bc6e5a4de4121f9d0973bdc73c1c2f64ce7eb4874588a6342039ff1e51e43ce39213ed7607627

Download Submit
C:\Windows\SysWOW64\Midnqh32.exe

Filesize
89KB

MD5
acafca886fed2063293232b2254a368c

SHA1
92aa7fb73e9a5e31b87a71cde149e39c33511dce

SHA256
e642ff0e80d0945616787bb839dda5170e057df16aa741b8ba9d2ebf3f6ed469

SHA512
4ce7f67f80a9fde1699bb8ec6f99ce625071fd629b1ea4d74c1320a781527e43b7b5405a162d9e85ca19a8a7b75911ef15b8bfc1fbea5ae4058eb20e214ede81

Download Submit
C:\Windows\SysWOW64\Mlgdhcmb.exe

Filesize
89KB

MD5
4e04414afcc4e6e66fdb1365ebee6b69

SHA1
913a286320fbeb6adb7466f11a3ee63ce5899f15

SHA256
b30bb222aee0001abe3cb5785d8c2e8695d6c6e099f5b2ab753061994a6605fd

SHA512
daeb246ce9e94a3e613ac9fe4d94e715b6c20d54ebf202444fe3b4007bb24aa25054b4c22bae3112ff107d6aed1931917e59371ac5d423bd77ed95ef17073d5e

Download Submit
C:\Windows\SysWOW64\Moqgiopk.exe

Filesize
89KB

MD5
29a35c0c90f8d90b8135c41acd8077cc

SHA1
171e22dcca178866133e7628f753488ac1c6a40e

SHA256
fd0dc7ddd4f418475f5456bb812186ea9b94763e5a9e433ac2c774eb52a33bc8

SHA512
4cf34df4501c212a8d574bd17b683849c8183c3bdf82f7055b19f16d4de0a8b6e4c53ec349db15325aafa7818253872b6206c5c63a35598e88c330eb72c1df9b

Download Submit
\Windows\SysWOW64\Nhnemdbf.exe

Filesize
89KB

MD5
046e1daffb765252ef0a9d4ec8a435bb

SHA1
c334c207eda90b73fb649525dc73a204ff997a0e

SHA256
b271d800936cdcb11440444ee5b17cb119e1bffaaf2fbc1c429afa301ed93e24

SHA512
d3dc69c64f930f0fdaa7b8186e3b12398c024b6308d18137cf8feb564d8b3d4b75f131ae60f890970bf8147b9deaa57be51d83b383d995adb48d6654d4fdc060

Download Submit
\Windows\SysWOW64\Nhpabdqd.exe

Filesize
89KB

MD5
14327fe9d2ef4f9b569647308eb36123

SHA1
a5b2738eda8638f1f93b8190e41da7400a4831bf

SHA256
1cf1f86f7e711331109237a088a00fdefdf1af9ad3a85adb7db9db460e8f83e3

SHA512
60e72fbb1219bfb5da77c949476c09771c40227a0f446592ff129dc417bf2de8c8cb8475b60273cb3726851c324bf74fb7240f4cc041a2a28b944bcdea324620

Download Submit
\Windows\SysWOW64\Nickoldp.exe

Filesize
89KB

MD5
d287abbe60fc750b45df5c01c1aef407

SHA1
579e57ea051ed34582c4c304d8aa62b12fdda446

SHA256
9079c864c0ae79f6fdff693f339d311ce68104af13d1b3c0adf9eaa839bbbc4d

SHA512
c65b26f180885148eb51ff88081c1f0924e49e9b758894cd161ffa12a6f4dfb21f700b88117cf7bcb8e6ee4fb9350cf77c8534bffc862deaa3335b28d9a08de9

Download Submit
\Windows\SysWOW64\Nmacej32.exe

Filesize
89KB

MD5
995363188352ea5dfab8a5b21c42a8e1

SHA1
7d53c37b136733908185502ab92b85fab1463f2c

SHA256
93b30ab3e53137edbdd49dabee1570b1b0872ad54eae807f878ccb5ffe4b410e

SHA512
0d44a03df6170b09209a9c2b1fec5479b4ba651b7a61def54fcb863d0bc60d952760f25e865c1a5ec59c046f4f82ed44169fa860ffc6be4e2c496ccf05b4a1bb

Download Submit
\Windows\SysWOW64\Ogjhnp32.exe

Filesize
89KB

MD5
dc99a12ef305a0b3fb8ac71c3710da01

SHA1
609ebc33568888a4f6a60b5dcc37575056d62bf1

SHA256
e38c400c6bd5084949f5ca71d172eedb225870529bcc08273b2f96ad47168758

SHA512
27d453a71e08fc2147d582c4ae15a212ffe0b1cbdfc877dcbeb55c7f7b70de000078a49fa825c2b9c32475d1ca57fef6a99b2bb4ecc5bfefe40d938511db79b4

Download Submit
\Windows\SysWOW64\Opblgehg.exe

Filesize
89KB

MD5
04733f62403618b8128d943345810315

SHA1
22d5461bf1b404e4fa6c5367580c842c7154a1d9

SHA256
f4de2918b95512c5950cf729bc929623a9d44e639c9c8b3acb24356a55962356

SHA512
e8753f61cf98283208f91d41dcb4fed99195ed2461e08ae437428c81d274def294ba688e747ecc97ca17191e5ccd34d0a6923868423e458860d2d138e4d8916f

Download Submit
memory/1736-12-0x00000000001B0000-0x00000000001E4000-memory.dmp

Filesize
208KB

Download
memory/1736-16-0x00000000001B0000-0x00000000001E4000-memory.dmp

Filesize
208KB

Download
memory/1736-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1736-150-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1952-133-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1952-156-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2144-157-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2144-45-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2164-146-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2164-19-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2180-61-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2180-145-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2180-53-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2252-75-0x00000000003A0000-0x00000000003D4000-memory.dmp

Filesize
208KB

Download
memory/2252-67-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2252-141-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2260-159-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2260-115-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2260-107-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2272-154-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2272-94-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2828-92-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2828-153-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2936-142-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2936-27-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3020-149-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads