berbew | 0916d297ce1977289869bdd64c89172366c42803245079b8be0aa8a5975e28a6

Analysis

max time kernel
15s
max time network
20s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
20/01/2025, 08:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0916d297ce1977289869bdd64c89172366c42803245079b8be0aa8a5975e28a6.exe
Size

520KB
MD5

172aa664efb5b2c067af15be10d1717e
SHA1

948f766c9e58ca824520fa71dea01cd26205aaf2
SHA256

0916d297ce1977289869bdd64c89172366c42803245079b8be0aa8a5975e28a6
SHA512

7c72d6123304c6d3bee52d682a415cb4f0a3677bc437b7b3b3f2240ac0623ab78167fa7fbceff5d5791d98abcb691d606c7421ff506d5ec8de750b08a3013326
SSDEEP

6144:Y/4RwEFM6234lKm3mo8Yvi4KsLTFM6234lKm3r8SeNpgdyuH1lZfRo0V8JcgEt:44R5FB24lwR45FB24lJ87g7/VycgEt

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://viruslist.com/wcmd.txt

http://viruslist.com/ppslog.php

http://viruslist.com/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 16 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	0916d297ce1977289869bdd64c89172366c42803245079b8be0aa8a5975e28a6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dnjeoa32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbcdjpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cbcdjpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Elnagijk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fpgmak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fhgkqmph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ghnaaljp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	0916d297ce1977289869bdd64c89172366c42803245079b8be0aa8a5975e28a6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dknehe32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fpgmak32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fhgkqmph.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ghnaaljp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dnjeoa32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknehe32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Elnagijk.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 8 IoCs

pid	Process
2156	Cbcdjpba.exe
2792	Dnjeoa32.exe
2836	Dknehe32.exe
2932	Elnagijk.exe
2684	Fpgmak32.exe
1920	Fhgkqmph.exe
308	Ghnaaljp.exe
1692	Gmmgobfd.exe

Loads dropped DLL 20 IoCs

pid	Process
2148	0916d297ce1977289869bdd64c89172366c42803245079b8be0aa8a5975e28a6.exe
2148	0916d297ce1977289869bdd64c89172366c42803245079b8be0aa8a5975e28a6.exe
2156	Cbcdjpba.exe
2156	Cbcdjpba.exe
2792	Dnjeoa32.exe
2792	Dnjeoa32.exe
2836	Dknehe32.exe
2836	Dknehe32.exe
2932	Elnagijk.exe
2932	Elnagijk.exe
2684	Fpgmak32.exe
2684	Fpgmak32.exe
1920	Fhgkqmph.exe
1920	Fhgkqmph.exe
308	Ghnaaljp.exe
308	Ghnaaljp.exe
2976	WerFault.exe
2976	WerFault.exe
2976	WerFault.exe
2976	WerFault.exe

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Dnjeoa32.exe	Cbcdjpba.exe
File created	C:\Windows\SysWOW64\Ebgefbed.dll	Dnjeoa32.exe
File created	C:\Windows\SysWOW64\Dmocok32.dll	Dknehe32.exe
File created	C:\Windows\SysWOW64\Fpgmak32.exe	Elnagijk.exe
File opened for modification	C:\Windows\SysWOW64\Ghnaaljp.exe	Fhgkqmph.exe
File created	C:\Windows\SysWOW64\Fdhadgoa.dll	0916d297ce1977289869bdd64c89172366c42803245079b8be0aa8a5975e28a6.exe
File created	C:\Windows\SysWOW64\Elnagijk.exe	Dknehe32.exe
File opened for modification	C:\Windows\SysWOW64\Fpgmak32.exe	Elnagijk.exe
File created	C:\Windows\SysWOW64\Ghnaaljp.exe	Fhgkqmph.exe
File opened for modification	C:\Windows\SysWOW64\Gmmgobfd.exe	Ghnaaljp.exe
File created	C:\Windows\SysWOW64\Dnjeoa32.exe	Cbcdjpba.exe
File created	C:\Windows\SysWOW64\Dknehe32.exe	Dnjeoa32.exe
File opened for modification	C:\Windows\SysWOW64\Elnagijk.exe	Dknehe32.exe
File created	C:\Windows\SysWOW64\Gmmgobfd.exe	Ghnaaljp.exe
File created	C:\Windows\SysWOW64\Idlfno32.dll	Ghnaaljp.exe
File opened for modification	C:\Windows\SysWOW64\Cbcdjpba.exe	0916d297ce1977289869bdd64c89172366c42803245079b8be0aa8a5975e28a6.exe
File created	C:\Windows\SysWOW64\Anijicnf.dll	Cbcdjpba.exe
File opened for modification	C:\Windows\SysWOW64\Dknehe32.exe	Dnjeoa32.exe
File created	C:\Windows\SysWOW64\Ppmlkl32.dll	Elnagijk.exe
File created	C:\Windows\SysWOW64\Fhgkqmph.exe	Fpgmak32.exe
File opened for modification	C:\Windows\SysWOW64\Fhgkqmph.exe	Fpgmak32.exe
File created	C:\Windows\SysWOW64\Jpigjb32.dll	Fpgmak32.exe
File created	C:\Windows\SysWOW64\Qpaknfnf.dll	Fhgkqmph.exe
File created	C:\Windows\SysWOW64\Cbcdjpba.exe	0916d297ce1977289869bdd64c89172366c42803245079b8be0aa8a5975e28a6.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2976	1692	WerFault.exe	36

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Elnagijk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fpgmak32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gmmgobfd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbcdjpba.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknehe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fhgkqmph.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ghnaaljp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0916d297ce1977289869bdd64c89172366c42803245079b8be0aa8a5975e28a6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dnjeoa32.exe

Modifies registry class 27 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppmlkl32.dll"	Elnagijk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Elnagijk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dknehe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qpaknfnf.dll"	Fhgkqmph.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	0916d297ce1977289869bdd64c89172366c42803245079b8be0aa8a5975e28a6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	0916d297ce1977289869bdd64c89172366c42803245079b8be0aa8a5975e28a6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cbcdjpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anijicnf.dll"	Cbcdjpba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dnjeoa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmocok32.dll"	Dknehe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Fhgkqmph.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	0916d297ce1977289869bdd64c89172366c42803245079b8be0aa8a5975e28a6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cbcdjpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebgefbed.dll"	Dnjeoa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	0916d297ce1977289869bdd64c89172366c42803245079b8be0aa8a5975e28a6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Elnagijk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpigjb32.dll"	Fpgmak32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ghnaaljp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ghnaaljp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdhadgoa.dll"	0916d297ce1977289869bdd64c89172366c42803245079b8be0aa8a5975e28a6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dknehe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	0916d297ce1977289869bdd64c89172366c42803245079b8be0aa8a5975e28a6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dnjeoa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Fpgmak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Fpgmak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Fhgkqmph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idlfno32.dll"	Ghnaaljp.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2148 wrote to memory of 2156	2148	0916d297ce1977289869bdd64c89172366c42803245079b8be0aa8a5975e28a6.exe	29
PID 2148 wrote to memory of 2156	2148	0916d297ce1977289869bdd64c89172366c42803245079b8be0aa8a5975e28a6.exe	29
PID 2148 wrote to memory of 2156	2148	0916d297ce1977289869bdd64c89172366c42803245079b8be0aa8a5975e28a6.exe	29
PID 2148 wrote to memory of 2156	2148	0916d297ce1977289869bdd64c89172366c42803245079b8be0aa8a5975e28a6.exe	29
PID 2156 wrote to memory of 2792	2156	Cbcdjpba.exe	30
PID 2156 wrote to memory of 2792	2156	Cbcdjpba.exe	30
PID 2156 wrote to memory of 2792	2156	Cbcdjpba.exe	30
PID 2156 wrote to memory of 2792	2156	Cbcdjpba.exe	30
PID 2792 wrote to memory of 2836	2792	Dnjeoa32.exe	31
PID 2792 wrote to memory of 2836	2792	Dnjeoa32.exe	31
PID 2792 wrote to memory of 2836	2792	Dnjeoa32.exe	31
PID 2792 wrote to memory of 2836	2792	Dnjeoa32.exe	31
PID 2836 wrote to memory of 2932	2836	Dknehe32.exe	32
PID 2836 wrote to memory of 2932	2836	Dknehe32.exe	32
PID 2836 wrote to memory of 2932	2836	Dknehe32.exe	32
PID 2836 wrote to memory of 2932	2836	Dknehe32.exe	32
PID 2932 wrote to memory of 2684	2932	Elnagijk.exe	33
PID 2932 wrote to memory of 2684	2932	Elnagijk.exe	33
PID 2932 wrote to memory of 2684	2932	Elnagijk.exe	33
PID 2932 wrote to memory of 2684	2932	Elnagijk.exe	33
PID 2684 wrote to memory of 1920	2684	Fpgmak32.exe	34
PID 2684 wrote to memory of 1920	2684	Fpgmak32.exe	34
PID 2684 wrote to memory of 1920	2684	Fpgmak32.exe	34
PID 2684 wrote to memory of 1920	2684	Fpgmak32.exe	34
PID 1920 wrote to memory of 308	1920	Fhgkqmph.exe	35
PID 1920 wrote to memory of 308	1920	Fhgkqmph.exe	35
PID 1920 wrote to memory of 308	1920	Fhgkqmph.exe	35
PID 1920 wrote to memory of 308	1920	Fhgkqmph.exe	35
PID 308 wrote to memory of 1692	308	Ghnaaljp.exe	36
PID 308 wrote to memory of 1692	308	Ghnaaljp.exe	36
PID 308 wrote to memory of 1692	308	Ghnaaljp.exe	36
PID 308 wrote to memory of 1692	308	Ghnaaljp.exe	36
PID 1692 wrote to memory of 2976	1692	Gmmgobfd.exe	37
PID 1692 wrote to memory of 2976	1692	Gmmgobfd.exe	37
PID 1692 wrote to memory of 2976	1692	Gmmgobfd.exe	37
PID 1692 wrote to memory of 2976	1692	Gmmgobfd.exe	37

C:\Users\Admin\AppData\Local\Temp\0916d297ce1977289869bdd64c89172366c42803245079b8be0aa8a5975e28a6.exe
"C:\Users\Admin\AppData\Local\Temp\0916d297ce1977289869bdd64c89172366c42803245079b8be0aa8a5975e28a6.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2148
- C:\Windows\SysWOW64\Cbcdjpba.exe
  C:\Windows\system32\Cbcdjpba.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2156
- - C:\Windows\SysWOW64\Dnjeoa32.exe
    C:\Windows\system32\Dnjeoa32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2792
  - - C:\Windows\SysWOW64\Dknehe32.exe
      C:\Windows\system32\Dknehe32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2836
    - - C:\Windows\SysWOW64\Elnagijk.exe
        
        C:\Windows\system32\Elnagijk.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2932
      - C:\Windows\SysWOW64\Fpgmak32.exe
        
        C:\Windows\system32\Fpgmak32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2684
        
        C:\Windows\SysWOW64\Fhgkqmph.exe
        
        C:\Windows\system32\Fhgkqmph.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1920
        
        C:\Windows\SysWOW64\Ghnaaljp.exe
        
        C:\Windows\system32\Ghnaaljp.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:308
        
        C:\Windows\SysWOW64\Gmmgobfd.exe
        
        C:\Windows\system32\Gmmgobfd.exe
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1692
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1692 -s 140
        10⤵
        Loads dropped DLL
        Program crash
        
        PID:2976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Dnjeoa32.exe

Filesize
520KB

MD5
5f7f68060129d968b0bd509df723ad61

SHA1
eac4372b67f6569588aae17a9da66aa7ee8e83fa

SHA256
7cf7f5e819f9453a20a865bb3513f2942b0339ba6e2106294a95230e958f27c7

SHA512
75fed3c162072e7f401cb0570a89dffb1d3c8017fcb4151ad99d59bb9c4bfa22dd89018eedfb5f29ab56bf1ea62b552344326e1615be6afb1788bcd8853ee547

Download Submit
C:\Windows\SysWOW64\Elnagijk.exe

Filesize
520KB

MD5
709fa2699b86db7e74494807185a43a6

SHA1
1341fab580a584454b44c6a58fa0b61350346c0f

SHA256
a3a9d6cd9749d1df0fd0f3290a5dd8337cc1462f47427692c250b9bafe1aa145

SHA512
8c2e98be6c044478532a11cbb981c2a06529233e71579313201a2cb6c20d126534ff353d7343aea0e155c8d7b8607dad2718bab20f75261d5c01692add5f465f

Download Submit
C:\Windows\SysWOW64\Ppmlkl32.dll

Filesize
7KB

MD5
b81434c6101156d77d67e9eb053a6fb6

SHA1
a8ad555276b25a0f6606960a9feefccb0dcda4f9

SHA256
e87bbe40c7af0231816d3d75a76d189b68428141e1d239e3e2f7e7040c7139ec

SHA512
b14fbea832f5aff61f00195ebb46812f989543c47cfee46b0666a88d14d2196dc43098fb018cbc65d3f972c005e9d4cc7a5ffc6affe2f01a198ea32e2fb522ea

Download Submit
\Windows\SysWOW64\Cbcdjpba.exe

Filesize
520KB

MD5
ad73ac5be2903fec47f5cf3104488798

SHA1
76520c0e2e7e75f6ab9074b22f9c6f3d98b0939a

SHA256
d6c037dc4047f72f8d359d4fb3943301f3f7a9891809f68bf64d74e53fb1fabc

SHA512
41b9d295af17924f4faac4d262c51c7b571c952000d74e8acbd7bfa0e8782cf5b5e13e6690cc06f1541e5714ff14014388322ec46282d5aa240ad21073317340

Download Submit
\Windows\SysWOW64\Dknehe32.exe

Filesize
520KB

MD5
9c6575e403649abb1f22ecb108bc8f20

SHA1
16694d3867836ec78230a03c171eaa782f910042

SHA256
ac490c436a46b50f4e4a35eb1d3793a8117c64a46d15cb97a862c2e81596816e

SHA512
54f3f17db629735ac0be56df9dfc7713ff08810ce5a73ead319f7cf24932384d733d0843729722ff0632aa1a4750a30fb9683213f452c06eafdc1e68da6be2ad

Download Submit
\Windows\SysWOW64\Fhgkqmph.exe

Filesize
520KB

MD5
075b143ca9a2598c9c69692c02b5f22a

SHA1
592a47761aa5d1dfe1b51057fb800d5ba9263fed

SHA256
9ceb135cffd408bf0264af72a2698a90ee4cad92df3c3b50cc89630589f298a0

SHA512
5ef2842f35e615817cd500ea29b17a003c7bc29922e0d951be106f55da62c8ebb358fc962caa0b6b4d4b64b0f411c5653e6e5a66a8436fc935f9ff3a4d7e5038

Download Submit
\Windows\SysWOW64\Fpgmak32.exe

Filesize
520KB

MD5
6c643f4587d5930259be89b43b2f3ce9

SHA1
a1f99380c3133d9bf3b665d768da6c501bc98793

SHA256
616398c7febcb62e9c479c6cb57b0cf96975d46743f52797dc53012a791d55f3

SHA512
c95d277316bb809899e223e4910c811a01593b993706f00e0211ad15580b3cfb57c878158ab8361380244579dcbe26765b2bcf6421e6e3bc02a32a5515d6d75b

Download Submit
\Windows\SysWOW64\Ghnaaljp.exe

Filesize
520KB

MD5
3c387b6dfa21f0a8b8693f6250bc16c8

SHA1
1d560ef55a8529ce6391d8b2f72eed5db9e352e3

SHA256
f5a7d941efb4b9f48f57d10bafe1bfbea16a455b9ea5b7f27f500ffa66ea7ad4

SHA512
93428a742479da2a99d5c2b505e65b1ee93a5d3990eaf4246bf66dc0fa67b99f6b6d6974124ffb8c77c0b6b68c16c731e0a8ec3a677ab7e4c8286dc703425f56

Download Submit
\Windows\SysWOW64\Gmmgobfd.exe

Filesize
520KB

MD5
22d332e4f7bcdfc5050c357678754a54

SHA1
c165192550dc7c5b4dd1234d42dd49ecbfc7ca48

SHA256
a8e24b8188c693fb959487fa4d46f7f8f87691013701c5c0950f25fb596eafba

SHA512
ba0495c340685d4c0208cca7f6bfc1908127ca50be48d938291fcf6ec0fce4ad2e14b8de17d501ddd0a0729712ced13052970dfaef13bd6b9370b56d2226b50f

Download Submit
memory/308-107-0x00000000001B0000-0x00000000001E3000-memory.dmp

Filesize
204KB

Download
memory/308-125-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1692-120-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1692-113-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1920-124-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1920-94-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2148-131-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2148-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2148-11-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2148-12-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2156-14-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2156-129-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2156-26-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2684-121-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2684-80-0x00000000003A0000-0x00000000003D3000-memory.dmp

Filesize
204KB

Download
memory/2684-85-0x00000000003A0000-0x00000000003D3000-memory.dmp

Filesize
204KB

Download
memory/2684-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2792-36-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2792-41-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2792-133-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2792-28-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2836-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2836-55-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/2932-65-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2932-70-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2932-126-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2932-57-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads