berbew | d2261e2319199c3ab7be3e0fb6259e1cbdfc2b453f83655e8b5fdcfcff728182

Analysis

max time kernel
118s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
24-01-2025 07:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d2261e2319199c3ab7be3e0fb6259e1cbdfc2b453f83655e8b5fdcfcff728182.exe
Size

93KB
MD5

db480903b6c196fe161aa5ebf300fcb1
SHA1

776d33979a393a3e5187ca6354c591775f5d6a8f
SHA256

d2261e2319199c3ab7be3e0fb6259e1cbdfc2b453f83655e8b5fdcfcff728182
SHA512

f1865799a5aac9caef9ee5115ca7fe015695d3668e719fbcfd4a8b32bd47a480c1bf75bdedbffa7c312248fd739eabf495d58cfeccf55cb70a726364ed254127
SSDEEP

1536:/XzEy8VyRJeb/1SS6hPoRuoY31DaYfMZRWuLsV+17:/X2eJI/wSGoRuoY3gYfc0DV+17

Score

10^/10

berbew njrat backdoor discovery persistence trojan

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kablnadm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kablnadm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kfodfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpgionie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdeaelok.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	d2261e2319199c3ab7be3e0fb6259e1cbdfc2b453f83655e8b5fdcfcff728182.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kfaalh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kageia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lplbjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kfodfh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kjhcag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kjhcag32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpgionie.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kageia32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmmfnb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lplbjm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kekkiq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kekkiq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Koflgf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Koflgf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kfaalh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdeaelok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmmfnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	d2261e2319199c3ab7be3e0fb6259e1cbdfc2b453f83655e8b5fdcfcff728182.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew
Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Executes dropped EXE 12 IoCs

pid	Process
2764	Kekkiq32.exe
2696	Kjhcag32.exe
2952	Kablnadm.exe
2820	Kfodfh32.exe
3060	Koflgf32.exe
1208	Kpgionie.exe
628	Kfaalh32.exe
2436	Kageia32.exe
852	Kdeaelok.exe
1664	Lmmfnb32.exe
264	Lplbjm32.exe
1252	Lbjofi32.exe

Loads dropped DLL 29 IoCs

pid	Process
296	d2261e2319199c3ab7be3e0fb6259e1cbdfc2b453f83655e8b5fdcfcff728182.exe
296	d2261e2319199c3ab7be3e0fb6259e1cbdfc2b453f83655e8b5fdcfcff728182.exe
2764	Kekkiq32.exe
2764	Kekkiq32.exe
2696	Kjhcag32.exe
2696	Kjhcag32.exe
2952	Kablnadm.exe
2952	Kablnadm.exe
2820	Kfodfh32.exe
2820	Kfodfh32.exe
3060	Koflgf32.exe
3060	Koflgf32.exe
1208	Kpgionie.exe
1208	Kpgionie.exe
628	Kfaalh32.exe
628	Kfaalh32.exe
2436	Kageia32.exe
2436	Kageia32.exe
852	Kdeaelok.exe
852	Kdeaelok.exe
1664	Lmmfnb32.exe
1664	Lmmfnb32.exe
264	Lplbjm32.exe
264	Lplbjm32.exe
568	WerFault.exe
568	WerFault.exe
568	WerFault.exe
568	WerFault.exe
568	WerFault.exe

Drops file in System32 directory 36 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Kekkiq32.exe	d2261e2319199c3ab7be3e0fb6259e1cbdfc2b453f83655e8b5fdcfcff728182.exe
File opened for modification	C:\Windows\SysWOW64\Kekkiq32.exe	d2261e2319199c3ab7be3e0fb6259e1cbdfc2b453f83655e8b5fdcfcff728182.exe
File opened for modification	C:\Windows\SysWOW64\Kfodfh32.exe	Kablnadm.exe
File created	C:\Windows\SysWOW64\Kfaalh32.exe	Kpgionie.exe
File created	C:\Windows\SysWOW64\Lmmfnb32.exe	Kdeaelok.exe
File created	C:\Windows\SysWOW64\Kablnadm.exe	Kjhcag32.exe
File created	C:\Windows\SysWOW64\Kcjeje32.dll	Kablnadm.exe
File created	C:\Windows\SysWOW64\Pehbqi32.dll	Kfodfh32.exe
File created	C:\Windows\SysWOW64\Lplbjm32.exe	Lmmfnb32.exe
File opened for modification	C:\Windows\SysWOW64\Kjhcag32.exe	Kekkiq32.exe
File opened for modification	C:\Windows\SysWOW64\Kablnadm.exe	Kjhcag32.exe
File created	C:\Windows\SysWOW64\Koflgf32.exe	Kfodfh32.exe
File created	C:\Windows\SysWOW64\Phblkn32.dll	Kpgionie.exe
File created	C:\Windows\SysWOW64\Dlcdel32.dll	Lmmfnb32.exe
File created	C:\Windows\SysWOW64\Kjhcag32.exe	Kekkiq32.exe
File created	C:\Windows\SysWOW64\Kfodfh32.exe	Kablnadm.exe
File created	C:\Windows\SysWOW64\Kpgionie.exe	Koflgf32.exe
File created	C:\Windows\SysWOW64\Kdeaelok.exe	Kageia32.exe
File opened for modification	C:\Windows\SysWOW64\Lplbjm32.exe	Lmmfnb32.exe
File created	C:\Windows\SysWOW64\Kjpndcho.dll	Kjhcag32.exe
File created	C:\Windows\SysWOW64\Kageia32.exe	Kfaalh32.exe
File created	C:\Windows\SysWOW64\Lbjofi32.exe	Lplbjm32.exe
File opened for modification	C:\Windows\SysWOW64\Koflgf32.exe	Kfodfh32.exe
File opened for modification	C:\Windows\SysWOW64\Kdeaelok.exe	Kageia32.exe
File created	C:\Windows\SysWOW64\Mbbhfl32.dll	Kageia32.exe
File opened for modification	C:\Windows\SysWOW64\Lbjofi32.exe	Lplbjm32.exe
File created	C:\Windows\SysWOW64\Gpcafifg.dll	Kekkiq32.exe
File created	C:\Windows\SysWOW64\Jbdhhp32.dll	Koflgf32.exe
File opened for modification	C:\Windows\SysWOW64\Kfaalh32.exe	Kpgionie.exe
File opened for modification	C:\Windows\SysWOW64\Kageia32.exe	Kfaalh32.exe
File created	C:\Windows\SysWOW64\Jlflfm32.dll	Kfaalh32.exe
File created	C:\Windows\SysWOW64\Pigckoki.dll	Kdeaelok.exe
File created	C:\Windows\SysWOW64\Agioom32.dll	d2261e2319199c3ab7be3e0fb6259e1cbdfc2b453f83655e8b5fdcfcff728182.exe
File opened for modification	C:\Windows\SysWOW64\Kpgionie.exe	Koflgf32.exe
File opened for modification	C:\Windows\SysWOW64\Lmmfnb32.exe	Kdeaelok.exe
File created	C:\Windows\SysWOW64\Ipafocdg.dll	Lplbjm32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
568	1252	WerFault.exe	41

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kekkiq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kjhcag32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kfodfh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Koflgf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kfaalh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kageia32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d2261e2319199c3ab7be3e0fb6259e1cbdfc2b453f83655e8b5fdcfcff728182.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kpgionie.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdeaelok.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmmfnb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lplbjm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbjofi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kablnadm.exe

Modifies registry class 39 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kjhcag32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kablnadm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbdhhp32.dll"	Koflgf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Koflgf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pigckoki.dll"	Kdeaelok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipafocdg.dll"	Lplbjm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	d2261e2319199c3ab7be3e0fb6259e1cbdfc2b453f83655e8b5fdcfcff728182.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kekkiq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlflfm32.dll"	Kfaalh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kfaalh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kageia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kdeaelok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lplbjm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	d2261e2319199c3ab7be3e0fb6259e1cbdfc2b453f83655e8b5fdcfcff728182.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pehbqi32.dll"	Kfodfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kfodfh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kpgionie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kfaalh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjpndcho.dll"	Kjhcag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kekkiq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kablnadm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpcafifg.dll"	Kekkiq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kjhcag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcjeje32.dll"	Kablnadm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbbhfl32.dll"	Kageia32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lplbjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agioom32.dll"	d2261e2319199c3ab7be3e0fb6259e1cbdfc2b453f83655e8b5fdcfcff728182.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phblkn32.dll"	Kpgionie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	d2261e2319199c3ab7be3e0fb6259e1cbdfc2b453f83655e8b5fdcfcff728182.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kageia32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdeaelok.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lmmfnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lmmfnb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kfodfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	d2261e2319199c3ab7be3e0fb6259e1cbdfc2b453f83655e8b5fdcfcff728182.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Koflgf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kpgionie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlcdel32.dll"	Lmmfnb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	d2261e2319199c3ab7be3e0fb6259e1cbdfc2b453f83655e8b5fdcfcff728182.exe

Suspicious use of WriteProcessMemory 52 IoCs

description	pid	Process	procid_target
PID 296 wrote to memory of 2764	296	d2261e2319199c3ab7be3e0fb6259e1cbdfc2b453f83655e8b5fdcfcff728182.exe	30
PID 296 wrote to memory of 2764	296	d2261e2319199c3ab7be3e0fb6259e1cbdfc2b453f83655e8b5fdcfcff728182.exe	30
PID 296 wrote to memory of 2764	296	d2261e2319199c3ab7be3e0fb6259e1cbdfc2b453f83655e8b5fdcfcff728182.exe	30
PID 296 wrote to memory of 2764	296	d2261e2319199c3ab7be3e0fb6259e1cbdfc2b453f83655e8b5fdcfcff728182.exe	30
PID 2764 wrote to memory of 2696	2764	Kekkiq32.exe	31
PID 2764 wrote to memory of 2696	2764	Kekkiq32.exe	31
PID 2764 wrote to memory of 2696	2764	Kekkiq32.exe	31
PID 2764 wrote to memory of 2696	2764	Kekkiq32.exe	31
PID 2696 wrote to memory of 2952	2696	Kjhcag32.exe	32
PID 2696 wrote to memory of 2952	2696	Kjhcag32.exe	32
PID 2696 wrote to memory of 2952	2696	Kjhcag32.exe	32
PID 2696 wrote to memory of 2952	2696	Kjhcag32.exe	32
PID 2952 wrote to memory of 2820	2952	Kablnadm.exe	33
PID 2952 wrote to memory of 2820	2952	Kablnadm.exe	33
PID 2952 wrote to memory of 2820	2952	Kablnadm.exe	33
PID 2952 wrote to memory of 2820	2952	Kablnadm.exe	33
PID 2820 wrote to memory of 3060	2820	Kfodfh32.exe	34
PID 2820 wrote to memory of 3060	2820	Kfodfh32.exe	34
PID 2820 wrote to memory of 3060	2820	Kfodfh32.exe	34
PID 2820 wrote to memory of 3060	2820	Kfodfh32.exe	34
PID 3060 wrote to memory of 1208	3060	Koflgf32.exe	35
PID 3060 wrote to memory of 1208	3060	Koflgf32.exe	35
PID 3060 wrote to memory of 1208	3060	Koflgf32.exe	35
PID 3060 wrote to memory of 1208	3060	Koflgf32.exe	35
PID 1208 wrote to memory of 628	1208	Kpgionie.exe	36
PID 1208 wrote to memory of 628	1208	Kpgionie.exe	36
PID 1208 wrote to memory of 628	1208	Kpgionie.exe	36
PID 1208 wrote to memory of 628	1208	Kpgionie.exe	36
PID 628 wrote to memory of 2436	628	Kfaalh32.exe	37
PID 628 wrote to memory of 2436	628	Kfaalh32.exe	37
PID 628 wrote to memory of 2436	628	Kfaalh32.exe	37
PID 628 wrote to memory of 2436	628	Kfaalh32.exe	37
PID 2436 wrote to memory of 852	2436	Kageia32.exe	38
PID 2436 wrote to memory of 852	2436	Kageia32.exe	38
PID 2436 wrote to memory of 852	2436	Kageia32.exe	38
PID 2436 wrote to memory of 852	2436	Kageia32.exe	38
PID 852 wrote to memory of 1664	852	Kdeaelok.exe	39
PID 852 wrote to memory of 1664	852	Kdeaelok.exe	39
PID 852 wrote to memory of 1664	852	Kdeaelok.exe	39
PID 852 wrote to memory of 1664	852	Kdeaelok.exe	39
PID 1664 wrote to memory of 264	1664	Lmmfnb32.exe	40
PID 1664 wrote to memory of 264	1664	Lmmfnb32.exe	40
PID 1664 wrote to memory of 264	1664	Lmmfnb32.exe	40
PID 1664 wrote to memory of 264	1664	Lmmfnb32.exe	40
PID 264 wrote to memory of 1252	264	Lplbjm32.exe	41
PID 264 wrote to memory of 1252	264	Lplbjm32.exe	41
PID 264 wrote to memory of 1252	264	Lplbjm32.exe	41
PID 264 wrote to memory of 1252	264	Lplbjm32.exe	41
PID 1252 wrote to memory of 568	1252	Lbjofi32.exe	42
PID 1252 wrote to memory of 568	1252	Lbjofi32.exe	42
PID 1252 wrote to memory of 568	1252	Lbjofi32.exe	42
PID 1252 wrote to memory of 568	1252	Lbjofi32.exe	42

C:\Users\Admin\AppData\Local\Temp\d2261e2319199c3ab7be3e0fb6259e1cbdfc2b453f83655e8b5fdcfcff728182.exe
"C:\Users\Admin\AppData\Local\Temp\d2261e2319199c3ab7be3e0fb6259e1cbdfc2b453f83655e8b5fdcfcff728182.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:296
- C:\Windows\SysWOW64\Kekkiq32.exe
  C:\Windows\system32\Kekkiq32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2764
- - C:\Windows\SysWOW64\Kjhcag32.exe
    C:\Windows\system32\Kjhcag32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2696
  - - C:\Windows\SysWOW64\Kablnadm.exe
      C:\Windows\system32\Kablnadm.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2952
    - - C:\Windows\SysWOW64\Kfodfh32.exe
        
        C:\Windows\system32\Kfodfh32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2820
      - C:\Windows\SysWOW64\Koflgf32.exe
        
        C:\Windows\system32\Koflgf32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3060
        
        C:\Windows\SysWOW64\Kpgionie.exe
        
        C:\Windows\system32\Kpgionie.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1208
        
        C:\Windows\SysWOW64\Kfaalh32.exe
        
        C:\Windows\system32\Kfaalh32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:628
        
        C:\Windows\SysWOW64\Kageia32.exe
        
        C:\Windows\system32\Kageia32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2436
        
        C:\Windows\SysWOW64\Kdeaelok.exe
        
        C:\Windows\system32\Kdeaelok.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:852
        
        C:\Windows\SysWOW64\Lmmfnb32.exe
        
        C:\Windows\system32\Lmmfnb32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1664
        
        C:\Windows\SysWOW64\Lplbjm32.exe
        
        C:\Windows\system32\Lplbjm32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:264
        
        C:\Windows\SysWOW64\Lbjofi32.exe
        
        C:\Windows\system32\Lbjofi32.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1252
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1252 -s 140
        14⤵
        Loads dropped DLL
        Program crash
        
        PID:568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Kablnadm.exe

Filesize
93KB

MD5
130d419984ac47bdb9058129224c03a1

SHA1
9c693f6c407cca8130cb5e1487fd11f53d2c199d

SHA256
7690e44a25aa1c9fcd7f20298ce9d6cde5949e8bbf1ed2447d2a5c46a8112177

SHA512
48bb3d2ad9d980fd71f2cff045600f88ab45a6083b15c4e6774875a011d666ee7eb17174f7af5672ba3aa421ef44e446f2700d6aa6025bfa16ca8a060421d8f3

Download Submit
C:\Windows\SysWOW64\Kfodfh32.exe

Filesize
93KB

MD5
de191fd97502a5cbde0283b4fecfd3b0

SHA1
9abe485a428cd9f002830fd62fd71ed9fc691839

SHA256
0dc06f1224affbbb1bd450d13576065ce60014750fffc6c741b80da6eb3b28d9

SHA512
de5c052a2a6387de205d010e20d51a0e0527b2ea2669d83d66c64c1bf30976f46111ee2dd9e8099df245c891cfdd3b6371dc493cee1c363226e9d52fe8d2b7a0

Download Submit
C:\Windows\SysWOW64\Koflgf32.exe

Filesize
93KB

MD5
057ac94b5a36132e873a107f5b09f220

SHA1
d7eba6b3c4a1e19eeabe8ca60d84fcd2ff9d232c

SHA256
6a14cab4f793164608b54cb7f5a36987c0bb7f7419b01a75cae48fcf1c02af47

SHA512
c37303cc478170741459940a0121c61aa7174e93962de70ca2c9f1e1705c5d52be6b920af9674f397244194fe618a22a6a52cd6795b148c3ab3e771deb907468

Download Submit
\Windows\SysWOW64\Kageia32.exe

Filesize
93KB

MD5
eee06b8fb6830c3b441df49f94cd7bef

SHA1
cfa358b3291ef9bc62fb0a807e9f4e55cf04db4e

SHA256
c244b6fc6c11a84ba0bf3d6778121d53d05227798696743d7551a929d0e14dd8

SHA512
8392ba1104454c61e8ce33f930288533ae26d7b66c0388f02b17ae396e494be789eb1ad8926b34d85d0412e76af8c041b89a1af0d8b85465c1e4e40f46bad140

Download Submit
\Windows\SysWOW64\Kdeaelok.exe

Filesize
93KB

MD5
cbc170a3d5635d3d315dc9100d689afc

SHA1
eb9212e62403783b27848c3e785152692961ca1e

SHA256
29ec66b620454e3ab68095aa46977d4ec25701a834da40b43435ee71cd38dc92

SHA512
4017695b377b24cc81f9aaa913f8ab0557d4674814998b1a8d976792328f8b29ab0cbaabb1a704230d37805465c00642219f220debb121d3eb0dcbb5a557d7c0

Download Submit
\Windows\SysWOW64\Kekkiq32.exe

Filesize
93KB

MD5
b932207dc83395724a6f9aca6a597641

SHA1
7688cce6d5a27b1002ca46b29747a772b763de3c

SHA256
c8da4e7f4176eb2f52cbdeab856de468d88eea90729e59e146b68fb4f9cd3ecf

SHA512
964f19a62a47cea2db4572622d8eef6ce65c91ac48e4c2952f0379e1918101da813448e6209547614f653523f430f46b3cac22f93f960220576f7f387cde95f8

Download Submit
\Windows\SysWOW64\Kfaalh32.exe

Filesize
93KB

MD5
df4a4c4574f37a2da13890edffe7e676

SHA1
c04f9d70958fa305d07925dbc951d4bf260237d9

SHA256
51f67ca2aaed983aa9f3cec2b0f10d4eb34dda78bf850cdac6863826056a672e

SHA512
b232b554d000a6bd07ee396c5f6acbad13d969c680c9fafe9a071108193a3f92b2b281f73bc8983a98e36fc344d4eff64dbc76e485bebabba45c0e6f693bafae

Download Submit
\Windows\SysWOW64\Kjhcag32.exe

Filesize
93KB

MD5
65cdf2e0c570089dd52e8cf5abd4ab5f

SHA1
9ade0a1b03074eb0aadf67277ee4681c02ecbc3f

SHA256
65c06238022b1f036c002e8ed152bb51f64a2557212debd92f576ca84e38a6ce

SHA512
c01b3ec0fb51ea3e2c4ba76e9a7149d17a1dbce521e2f4139635d5c5894b18ed30b7d07d25e4c68f82f55ff35456bb5f405a6ff4f2471615db7afe7b8802c948

Download Submit
\Windows\SysWOW64\Kpgionie.exe

Filesize
93KB

MD5
5951f1af1bd4f7a329e381dbf28b3893

SHA1
4a49d038f7ccbfd8d796d60ba6e650d66119a3f6

SHA256
14f4445b6081a57ecfbd13f2d9b2533f4fbbe836bdbcde759acb7df8a1fa421d

SHA512
404131f5d7ddc9468bb33ae4a911b97de70a1c6c3e4d1277692837fc11ae39af3036dc01954b85cdc96c007056a9d89b2a8f50c9d7f79d7e07baec6936fc2ff3

Download Submit
\Windows\SysWOW64\Lbjofi32.exe

Filesize
93KB

MD5
96cdad57660ad2af4a35c6030336099c

SHA1
ade9adb79ce3390d766989a0411aa7043037edbb

SHA256
1a775baa42282a49c60c00a1ea80275434bd2e635775acac6bb371964ef28917

SHA512
c0aa01de1619a653e4fb17502aea77fec26c4fd0d3809ba76a8d31df4747f0c8bae5345d6bdeee104df208b54dc5cbf98af2bada5634a49e45c835f4ebad5e92

Download Submit
\Windows\SysWOW64\Lmmfnb32.exe

Filesize
93KB

MD5
134f79a883f5ea5cb2aeb61895130352

SHA1
88712574fd41aa2feb007948236886719b84b1fa

SHA256
f5369fb96a72a899ae2d298f6196d79b1e822c75930b1b7b767e92013977894d

SHA512
5bcbccae39674ef3ba8372e0b20a72e69df1eeda3346089c23e78d19676ced753ed1ec8e7b1cf1f9c4def77ebec3345dea61f85b6035c99d7506ce5fd321e5b7

Download Submit
\Windows\SysWOW64\Lplbjm32.exe

Filesize
93KB

MD5
5f54d8e1536306bfd0fd79b40f60e00a

SHA1
a81bc06218e42fa8a03dda4c86013b9ef8043c77

SHA256
e8fd832c1094fd82679d112d6b85bc89593a79cb72e901de0ce5a900113dda6f

SHA512
cfc473ba4e291158076d24d3d5e83456eec61a5e3b7ecd36c4a5ce5b3abf1d056a4294fbd2a1106438e265f0716a8aaa235256a2ab174748bccddd524c9b1230

Download Submit
memory/264-160-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/264-148-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/264-174-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/296-188-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/296-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/296-12-0x0000000000270000-0x00000000002A3000-memory.dmp

Filesize
204KB

Download
memory/296-13-0x0000000000270000-0x00000000002A3000-memory.dmp

Filesize
204KB

Download
memory/628-193-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/628-95-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/852-122-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/852-172-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1208-87-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1208-191-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1252-177-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1252-162-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1664-171-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1664-135-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2436-175-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2436-113-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2436-116-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/2696-189-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2696-35-0x00000000002F0000-0x0000000000323000-memory.dmp

Filesize
204KB

Download
memory/2696-40-0x00000000002F0000-0x0000000000323000-memory.dmp

Filesize
204KB

Download
memory/2764-187-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2764-19-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2764-21-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2820-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2820-181-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2820-68-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2952-182-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2952-49-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/3060-184-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3060-69-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads