berbew | e0671478fbc3a90fbd7806ea05a89b8a48b17c023eeee1bdc6ee63d5faf6c6bf

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
05/02/2025, 05:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e0671478fbc3a90fbd7806ea05a89b8a48b17c023eeee1bdc6ee63d5faf6c6bf.exe
Size

93KB
MD5

94bbf09bc85f3fef8b3d882567308548
SHA1

1ceeebc00046d9d76904d44c8a5032d9829f87f9
SHA256

e0671478fbc3a90fbd7806ea05a89b8a48b17c023eeee1bdc6ee63d5faf6c6bf
SHA512

2bda2a8afc6321f59cc079f37ae30185cea0962ef7de69978c69cd60524f2e200b38aa9b1701b19b6bd2b11810e0d76e84f8f87740b20f58f2bc9fc98e12c286
SSDEEP

1536:6eyIYo0KfAvDHE3kF0zHm+CQnS0j1DaYfMZRWuLsV+1L:6cf0KfAvDHE0mCkS0jgYfc0DV+1L

Score

10^/10

berbew njrat backdoor discovery persistence trojan

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Koflgf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpgionie.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpieengb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Libjncnc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lplbjm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kocpbfei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Khnapkjg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmkihbho.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Libjncnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kocpbfei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	e0671478fbc3a90fbd7806ea05a89b8a48b17c023eeee1bdc6ee63d5faf6c6bf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kenhopmf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kenhopmf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Koflgf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Khnapkjg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmkihbho.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	e0671478fbc3a90fbd7806ea05a89b8a48b17c023eeee1bdc6ee63d5faf6c6bf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpieengb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgcnahoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgcnahoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lplbjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpgionie.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew
Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Executes dropped EXE 11 IoCs

pid	Process
2772	Kocpbfei.exe
2696	Kenhopmf.exe
2952	Koflgf32.exe
1256	Kpgionie.exe
3060	Khnapkjg.exe
920	Kmkihbho.exe
2260	Kpieengb.exe
2784	Kgcnahoo.exe
572	Libjncnc.exe
1664	Lplbjm32.exe
264	Lbjofi32.exe

Loads dropped DLL 27 IoCs

pid	Process
296	e0671478fbc3a90fbd7806ea05a89b8a48b17c023eeee1bdc6ee63d5faf6c6bf.exe
296	e0671478fbc3a90fbd7806ea05a89b8a48b17c023eeee1bdc6ee63d5faf6c6bf.exe
2772	Kocpbfei.exe
2772	Kocpbfei.exe
2696	Kenhopmf.exe
2696	Kenhopmf.exe
2952	Koflgf32.exe
2952	Koflgf32.exe
1256	Kpgionie.exe
1256	Kpgionie.exe
3060	Khnapkjg.exe
3060	Khnapkjg.exe
920	Kmkihbho.exe
920	Kmkihbho.exe
2260	Kpieengb.exe
2260	Kpieengb.exe
2784	Kgcnahoo.exe
2784	Kgcnahoo.exe
572	Libjncnc.exe
572	Libjncnc.exe
1664	Lplbjm32.exe
1664	Lplbjm32.exe
3048	WerFault.exe
3048	WerFault.exe
3048	WerFault.exe
3048	WerFault.exe
3048	WerFault.exe

Drops file in System32 directory 33 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Kmkihbho.exe	Khnapkjg.exe
File created	C:\Windows\SysWOW64\Pihbeaea.dll	Kmkihbho.exe
File created	C:\Windows\SysWOW64\Kgcnahoo.exe	Kpieengb.exe
File created	C:\Windows\SysWOW64\Libjncnc.exe	Kgcnahoo.exe
File opened for modification	C:\Windows\SysWOW64\Kpieengb.exe	Kmkihbho.exe
File opened for modification	C:\Windows\SysWOW64\Khnapkjg.exe	Kpgionie.exe
File opened for modification	C:\Windows\SysWOW64\Kmkihbho.exe	Khnapkjg.exe
File created	C:\Windows\SysWOW64\Ffakjm32.dll	e0671478fbc3a90fbd7806ea05a89b8a48b17c023eeee1bdc6ee63d5faf6c6bf.exe
File opened for modification	C:\Windows\SysWOW64\Kenhopmf.exe	Kocpbfei.exe
File created	C:\Windows\SysWOW64\Jpnghhmn.dll	Kocpbfei.exe
File opened for modification	C:\Windows\SysWOW64\Koflgf32.exe	Kenhopmf.exe
File opened for modification	C:\Windows\SysWOW64\Kgcnahoo.exe	Kpieengb.exe
File created	C:\Windows\SysWOW64\Dlcdel32.dll	Libjncnc.exe
File created	C:\Windows\SysWOW64\Kenhopmf.exe	Kocpbfei.exe
File created	C:\Windows\SysWOW64\Kpgionie.exe	Koflgf32.exe
File opened for modification	C:\Windows\SysWOW64\Kpgionie.exe	Koflgf32.exe
File created	C:\Windows\SysWOW64\Canhhi32.dll	Khnapkjg.exe
File opened for modification	C:\Windows\SysWOW64\Lbjofi32.exe	Lplbjm32.exe
File created	C:\Windows\SysWOW64\Ipafocdg.dll	Lplbjm32.exe
File opened for modification	C:\Windows\SysWOW64\Kocpbfei.exe	e0671478fbc3a90fbd7806ea05a89b8a48b17c023eeee1bdc6ee63d5faf6c6bf.exe
File created	C:\Windows\SysWOW64\Pehbqi32.dll	Kenhopmf.exe
File created	C:\Windows\SysWOW64\Jkbcekmn.dll	Kpgionie.exe
File opened for modification	C:\Windows\SysWOW64\Lplbjm32.exe	Libjncnc.exe
File created	C:\Windows\SysWOW64\Jbdhhp32.dll	Koflgf32.exe
File created	C:\Windows\SysWOW64\Pgodelnq.dll	Kpieengb.exe
File created	C:\Windows\SysWOW64\Ipbkjl32.dll	Kgcnahoo.exe
File created	C:\Windows\SysWOW64\Lbjofi32.exe	Lplbjm32.exe
File created	C:\Windows\SysWOW64\Lplbjm32.exe	Libjncnc.exe
File opened for modification	C:\Windows\SysWOW64\Libjncnc.exe	Kgcnahoo.exe
File created	C:\Windows\SysWOW64\Kocpbfei.exe	e0671478fbc3a90fbd7806ea05a89b8a48b17c023eeee1bdc6ee63d5faf6c6bf.exe
File created	C:\Windows\SysWOW64\Koflgf32.exe	Kenhopmf.exe
File created	C:\Windows\SysWOW64\Khnapkjg.exe	Kpgionie.exe
File created	C:\Windows\SysWOW64\Kpieengb.exe	Kmkihbho.exe

Program crash 1 IoCs

pid	pid_target	Process
3048	264	WerFault.exe

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbjofi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kocpbfei.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kenhopmf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Koflgf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kpgionie.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kpieengb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lplbjm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e0671478fbc3a90fbd7806ea05a89b8a48b17c023eeee1bdc6ee63d5faf6c6bf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Khnapkjg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kmkihbho.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kgcnahoo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Libjncnc.exe

Modifies registry class 36 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	e0671478fbc3a90fbd7806ea05a89b8a48b17c023eeee1bdc6ee63d5faf6c6bf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbdhhp32.dll"	Koflgf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kpgionie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipbkjl32.dll"	Kgcnahoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lplbjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffakjm32.dll"	e0671478fbc3a90fbd7806ea05a89b8a48b17c023eeee1bdc6ee63d5faf6c6bf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpnghhmn.dll"	Kocpbfei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pehbqi32.dll"	Kenhopmf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kmkihbho.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	e0671478fbc3a90fbd7806ea05a89b8a48b17c023eeee1bdc6ee63d5faf6c6bf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kenhopmf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kenhopmf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pgodelnq.dll"	Kpieengb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Libjncnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Koflgf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kpgionie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kmkihbho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kgcnahoo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	e0671478fbc3a90fbd7806ea05a89b8a48b17c023eeee1bdc6ee63d5faf6c6bf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	e0671478fbc3a90fbd7806ea05a89b8a48b17c023eeee1bdc6ee63d5faf6c6bf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kocpbfei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Khnapkjg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pihbeaea.dll"	Kmkihbho.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Libjncnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipafocdg.dll"	Lplbjm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	e0671478fbc3a90fbd7806ea05a89b8a48b17c023eeee1bdc6ee63d5faf6c6bf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkbcekmn.dll"	Kpgionie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kocpbfei.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kpieengb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Koflgf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Khnapkjg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Canhhi32.dll"	Khnapkjg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kpieengb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kgcnahoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlcdel32.dll"	Libjncnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lplbjm32.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 296 wrote to memory of 2772	296	e0671478fbc3a90fbd7806ea05a89b8a48b17c023eeee1bdc6ee63d5faf6c6bf.exe	30
PID 296 wrote to memory of 2772	296	e0671478fbc3a90fbd7806ea05a89b8a48b17c023eeee1bdc6ee63d5faf6c6bf.exe	30
PID 296 wrote to memory of 2772	296	e0671478fbc3a90fbd7806ea05a89b8a48b17c023eeee1bdc6ee63d5faf6c6bf.exe	30
PID 296 wrote to memory of 2772	296	e0671478fbc3a90fbd7806ea05a89b8a48b17c023eeee1bdc6ee63d5faf6c6bf.exe	30
PID 2772 wrote to memory of 2696	2772	Kocpbfei.exe	31
PID 2772 wrote to memory of 2696	2772	Kocpbfei.exe	31
PID 2772 wrote to memory of 2696	2772	Kocpbfei.exe	31
PID 2772 wrote to memory of 2696	2772	Kocpbfei.exe	31
PID 2696 wrote to memory of 2952	2696	Kenhopmf.exe	32
PID 2696 wrote to memory of 2952	2696	Kenhopmf.exe	32
PID 2696 wrote to memory of 2952	2696	Kenhopmf.exe	32
PID 2696 wrote to memory of 2952	2696	Kenhopmf.exe	32
PID 2952 wrote to memory of 1256	2952	Koflgf32.exe	33
PID 2952 wrote to memory of 1256	2952	Koflgf32.exe	33
PID 2952 wrote to memory of 1256	2952	Koflgf32.exe	33
PID 2952 wrote to memory of 1256	2952	Koflgf32.exe	33
PID 1256 wrote to memory of 3060	1256	Kpgionie.exe	34
PID 1256 wrote to memory of 3060	1256	Kpgionie.exe	34
PID 1256 wrote to memory of 3060	1256	Kpgionie.exe	34
PID 1256 wrote to memory of 3060	1256	Kpgionie.exe	34
PID 3060 wrote to memory of 920	3060	Khnapkjg.exe	35
PID 3060 wrote to memory of 920	3060	Khnapkjg.exe	35
PID 3060 wrote to memory of 920	3060	Khnapkjg.exe	35
PID 3060 wrote to memory of 920	3060	Khnapkjg.exe	35
PID 920 wrote to memory of 2260	920	Kmkihbho.exe	36
PID 920 wrote to memory of 2260	920	Kmkihbho.exe	36
PID 920 wrote to memory of 2260	920	Kmkihbho.exe	36
PID 920 wrote to memory of 2260	920	Kmkihbho.exe	36
PID 2260 wrote to memory of 2784	2260	Kpieengb.exe	37
PID 2260 wrote to memory of 2784	2260	Kpieengb.exe	37
PID 2260 wrote to memory of 2784	2260	Kpieengb.exe	37
PID 2260 wrote to memory of 2784	2260	Kpieengb.exe	37
PID 2784 wrote to memory of 572	2784	Kgcnahoo.exe	38
PID 2784 wrote to memory of 572	2784	Kgcnahoo.exe	38
PID 2784 wrote to memory of 572	2784	Kgcnahoo.exe	38
PID 2784 wrote to memory of 572	2784	Kgcnahoo.exe	38
PID 572 wrote to memory of 1664	572	Libjncnc.exe	39
PID 572 wrote to memory of 1664	572	Libjncnc.exe	39
PID 572 wrote to memory of 1664	572	Libjncnc.exe	39
PID 572 wrote to memory of 1664	572	Libjncnc.exe	39
PID 1664 wrote to memory of 264	1664	Lplbjm32.exe	40
PID 1664 wrote to memory of 264	1664	Lplbjm32.exe	40
PID 1664 wrote to memory of 264	1664	Lplbjm32.exe	40
PID 1664 wrote to memory of 264	1664	Lplbjm32.exe	40
PID 264 wrote to memory of 3048	264	Lbjofi32.exe	41
PID 264 wrote to memory of 3048	264	Lbjofi32.exe	41
PID 264 wrote to memory of 3048	264	Lbjofi32.exe	41
PID 264 wrote to memory of 3048	264	Lbjofi32.exe	41

C:\Users\Admin\AppData\Local\Temp\e0671478fbc3a90fbd7806ea05a89b8a48b17c023eeee1bdc6ee63d5faf6c6bf.exe
"C:\Users\Admin\AppData\Local\Temp\e0671478fbc3a90fbd7806ea05a89b8a48b17c023eeee1bdc6ee63d5faf6c6bf.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:296
- C:\Windows\SysWOW64\Kocpbfei.exe
  C:\Windows\system32\Kocpbfei.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2772
- - C:\Windows\SysWOW64\Kenhopmf.exe
    C:\Windows\system32\Kenhopmf.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2696
  - - C:\Windows\SysWOW64\Koflgf32.exe
      C:\Windows\system32\Koflgf32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2952
    - - C:\Windows\SysWOW64\Kpgionie.exe
        
        C:\Windows\system32\Kpgionie.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1256
      - C:\Windows\SysWOW64\Khnapkjg.exe
        
        C:\Windows\system32\Khnapkjg.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3060
        
        C:\Windows\SysWOW64\Kmkihbho.exe
        
        C:\Windows\system32\Kmkihbho.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:920
        
        C:\Windows\SysWOW64\Kpieengb.exe
        
        C:\Windows\system32\Kpieengb.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2260
        
        C:\Windows\SysWOW64\Kgcnahoo.exe
        
        C:\Windows\system32\Kgcnahoo.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2784
        
        C:\Windows\SysWOW64\Libjncnc.exe
        
        C:\Windows\system32\Libjncnc.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:572
        
        C:\Windows\SysWOW64\Lplbjm32.exe
        
        C:\Windows\system32\Lplbjm32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1664
        
        C:\Windows\SysWOW64\Lbjofi32.exe
        
        C:\Windows\system32\Lbjofi32.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:264
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 264 -s 140
        13⤵
        Loads dropped DLL
        Program crash
        
        PID:3048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Kenhopmf.exe

Filesize
93KB

MD5
b84181953fbd0994c1f5766a30c2e8cb

SHA1
20051ddcb646ab55a404f87e5bba683254889c29

SHA256
f1bbfa33d48af18c433c0e1d3abca09ef77c8a19a364cf0cf6e0e44646f3cdad

SHA512
3d93ad8f5445071b45fc9d1948ce2bff81a9c419ac20c39914dcb20d1152fb472d4d7464b24d495047bc349a13f05a3d4350cb7364b72c06c530480524239b32

Download Submit
C:\Windows\SysWOW64\Kgcnahoo.exe

Filesize
93KB

MD5
a936e07926df3aff6b2fbf05877113cc

SHA1
b5baf12f5acaecf1d97c801d3b5caf670cc566b8

SHA256
3cbef0e292075e0360125d06a760fbcae246da84a45a2ef41279cf4731439e93

SHA512
4499205556771e54afecb1088bf5929c5049a44e57165f0560dc25ec2344aae707d920f501b26edef2a00e1fcccb4e01a6662ee3e95df7fb192e265aec1e3769

Download Submit
C:\Windows\SysWOW64\Khnapkjg.exe

Filesize
93KB

MD5
7087e21b3cad8cfc587bad4d1e923f48

SHA1
614a5f721f82614351dee6c369c0a001d82e8f00

SHA256
bd111ae6656b90d6b0ac14fd35c38c030d5ba54964372df9f2aa35caca12f14f

SHA512
3b119c561cb5161769b01614831a59269327cba32c4df863e4d186893cdb336f92f31d68521492a5eda0949dd975f39e39dcc2db4a9cc52ca319d629dad6e0d6

Download Submit
C:\Windows\SysWOW64\Kmkihbho.exe

Filesize
93KB

MD5
5e9211c54207161f235fb21edc3fc7c2

SHA1
52623c2a923dbc348e5cb89455bdc83fb5bb0ae3

SHA256
200f0e1892b955e217000986cd94e16473207c3ab66ed77151ada7f5233feef9

SHA512
0c7d64cd2b05c4d65c877cbf3a59f0c9f143ccf13d591d8332b574c470ea058d5ff817f24d6c3871dddf8332b08618c5652586db220cf691dceeeeda6561a179

Download Submit
C:\Windows\SysWOW64\Kocpbfei.exe

Filesize
93KB

MD5
06f04049402e90186e57547bbef8f997

SHA1
733bfcec06585ef390a2e9ce752ed7d4e2b57a83

SHA256
429336ebf75cbe6cc14c2351a5be3aa4da2cc6154a1c5fa497aadad6e17ebb4a

SHA512
0598e50a13ef463a847ff7bfd0ce4fa2884bfca1a290c44978831748bff676c2b807926e4c920edbc052e8bc21621a7b8b39c678cf7ca170c185e2b85d24ed27

Download Submit
C:\Windows\SysWOW64\Koflgf32.exe

Filesize
93KB

MD5
dc986893f126f6f189618392238e321b

SHA1
82b7b1028cd3b3c2d46e993cfa69dee9439ad0b4

SHA256
b683b5c293ac73939dac00b14310730359c1f289da184bf7d8de4cbf09700aff

SHA512
eac2eeddb0906a77b71d272d52d72c53c9304f0aa8d1061062409c2f0fe321651af1fc5ded46f7de75f3d16fbc8b9ef38cd6cc26978aaefe7742c27a0a1d6175

Download Submit
C:\Windows\SysWOW64\Kpgionie.exe

Filesize
93KB

MD5
3b5200325c245361ebfaac4b5d6c121f

SHA1
30c425061907ce239c3e14ccab12275cea302d49

SHA256
5dfa8808f4d11d5893a9b6dd87ab8c0f37728fa579d424825b83f09cda1edac1

SHA512
ead96fe9717daedc4e673cb08027c31b9c29759308c0f3326e8f8ff10dbe0611d5a6c196b7d28141ad27029a84213fca46814e1539894d4aca1dea106b99ad38

Download Submit
C:\Windows\SysWOW64\Kpieengb.exe

Filesize
93KB

MD5
3ddced77c14d8b5bcc8438a00635ec62

SHA1
c7681ea0cd3bdc167711e2f2943a237a26044d03

SHA256
dbeaf22543c690f082d6f30729f58046bff226171da336c9b45b18bb454728c8

SHA512
5f5914fe02bd915587974d2a14829c722f1853a125792a6a0390238e84ad4427b87f858f4eebe57aaeddbaaadc43c42b500b51dc16ec3bf74644ccafb0c484ae

Download Submit
C:\Windows\SysWOW64\Libjncnc.exe

Filesize
93KB

MD5
d66809dfcf618f68eefe9bf15735cb95

SHA1
2f1295f458ef106b9760cc968986ff42e5c295fd

SHA256
e8904e8f450c61a504a99797ffc13e75ccbeaddffe0c560940bbee13acb4df7b

SHA512
f0458d2f5f8dfe63eaa9015ae7241cc3b9b797a605b4028f5b9a086a026163a2f608c72e5ddd317d6a758a9b5cee55e9a3e1062633e8ff781867bcb8c038612c

Download Submit
C:\Windows\SysWOW64\Lplbjm32.exe

Filesize
93KB

MD5
2c73fcfa17065c65f675843840df5e3a

SHA1
f8ea494b0f3080e87ea8a81a86a07623a719a36b

SHA256
85719e38f3c3ca4d65450af7ceaec55587a147416b0138203a546caf679f342b

SHA512
a3028c494d539d1d9dc0ea52b2ac2d036b1ff16c612dcdf556b4d37e13ca02846ff093b0cf29f6b0ad105eb0f26dee3827b5b750cf0f4605df102e788d54d18e

Download Submit
\Windows\SysWOW64\Lbjofi32.exe

Filesize
93KB

MD5
774f467b515a9a8dc7c58247f89d0a00

SHA1
63577303eb3a76c32e18170ee91372793970bc36

SHA256
29863f848f61ce5b408c728221796fe48e1cca5152f9724bbbdd6025a31d568b

SHA512
8d4534e3b5fd7f9bcb396c1c0adeadee3e2307f60380d2e7de2ebc5e3398fd38c7b4bc0fc155259e7ccbf91c28b47dcb28a9518e8b4bae8699393c20f6001678

Download Submit
memory/264-156-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/264-148-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/296-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/296-164-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/296-13-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/296-17-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/572-155-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/572-130-0x00000000002E0000-0x0000000000313000-memory.dmp

Filesize
204KB

Download
memory/920-159-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/920-91-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/1256-67-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/1256-68-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/1256-161-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1664-154-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2260-104-0x0000000000280000-0x00000000002B3000-memory.dmp

Filesize
204KB

Download
memory/2260-158-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2696-40-0x00000000005D0000-0x0000000000603000-memory.dmp

Filesize
204KB

Download
memory/2696-39-0x00000000005D0000-0x0000000000603000-memory.dmp

Filesize
204KB

Download
memory/2696-165-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2772-19-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2772-163-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2772-22-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2784-117-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/2784-157-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2952-162-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2952-49-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2952-42-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3060-77-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/3060-160-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3060-70-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads