berbew | 3eb5be9231da591c66c07e588cb460f189a2faadf6fefb16dbb01b431a288b76

Analysis

max time kernel
118s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
05/02/2025, 09:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3eb5be9231da591c66c07e588cb460f189a2faadf6fefb16dbb01b431a288b76N.exe
Size

93KB
MD5

45812f4946ec19328be15732a4ec3c20
SHA1

6b2468aa6458b6f5913b25abe3a3eeec7512c824
SHA256

3eb5be9231da591c66c07e588cb460f189a2faadf6fefb16dbb01b431a288b76
SHA512

81ed155076fe523c34e81b9c679ce9812da30810a760cddb335945a9531165f07ee1fdacbd8eac5c70e3ce36d8bacab3e2603160b8433563425a4ccc1fc198b8
SSDEEP

1536:iFUxG6CC/cdr42yLsHFt3c9ssTM1DaYfMZRWuLsV+1B:vxcd5Rc9ssAgYfc0DV+1B

Score

10^/10

berbew njrat backdoor discovery persistence trojan

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 18 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbhbai32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lplbjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	3eb5be9231da591c66c07e588cb460f189a2faadf6fefb16dbb01b431a288b76N.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kocpbfei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Koflgf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpieengb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpieengb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbhbai32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdphjm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Koflgf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kipmhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kipmhc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	3eb5be9231da591c66c07e588cb460f189a2faadf6fefb16dbb01b431a288b76N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kocpbfei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdphjm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdbepm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdbepm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lplbjm32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew
Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Executes dropped EXE 9 IoCs

pid	Process
2748	Kocpbfei.exe
2568	Kdphjm32.exe
2756	Koflgf32.exe
1256	Kdbepm32.exe
2604	Kipmhc32.exe
1208	Kpieengb.exe
628	Kbhbai32.exe
2436	Lplbjm32.exe
1088	Lbjofi32.exe

Loads dropped DLL 23 IoCs

pid	Process
2156	3eb5be9231da591c66c07e588cb460f189a2faadf6fefb16dbb01b431a288b76N.exe
2156	3eb5be9231da591c66c07e588cb460f189a2faadf6fefb16dbb01b431a288b76N.exe
2748	Kocpbfei.exe
2748	Kocpbfei.exe
2568	Kdphjm32.exe
2568	Kdphjm32.exe
2756	Koflgf32.exe
2756	Koflgf32.exe
1256	Kdbepm32.exe
1256	Kdbepm32.exe
2604	Kipmhc32.exe
2604	Kipmhc32.exe
1208	Kpieengb.exe
1208	Kpieengb.exe
628	Kbhbai32.exe
628	Kbhbai32.exe
2436	Lplbjm32.exe
2436	Lplbjm32.exe
284	WerFault.exe
284	WerFault.exe
284	WerFault.exe
284	WerFault.exe
284	WerFault.exe

Drops file in System32 directory 27 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Kpieengb.exe	Kipmhc32.exe
File opened for modification	C:\Windows\SysWOW64\Kpieengb.exe	Kipmhc32.exe
File created	C:\Windows\SysWOW64\Dlcdel32.dll	Kbhbai32.exe
File opened for modification	C:\Windows\SysWOW64\Koflgf32.exe	Kdphjm32.exe
File created	C:\Windows\SysWOW64\Pehbqi32.dll	Kdphjm32.exe
File created	C:\Windows\SysWOW64\Dkpnde32.dll	Kdbepm32.exe
File opened for modification	C:\Windows\SysWOW64\Kipmhc32.exe	Kdbepm32.exe
File opened for modification	C:\Windows\SysWOW64\Lplbjm32.exe	Kbhbai32.exe
File opened for modification	C:\Windows\SysWOW64\Kdphjm32.exe	Kocpbfei.exe
File created	C:\Windows\SysWOW64\Ipafocdg.dll	Lplbjm32.exe
File created	C:\Windows\SysWOW64\Ffakjm32.dll	3eb5be9231da591c66c07e588cb460f189a2faadf6fefb16dbb01b431a288b76N.exe
File opened for modification	C:\Windows\SysWOW64\Kdbepm32.exe	Koflgf32.exe
File created	C:\Windows\SysWOW64\Kbhbai32.exe	Kpieengb.exe
File created	C:\Windows\SysWOW64\Bndneq32.dll	Kpieengb.exe
File created	C:\Windows\SysWOW64\Lbjofi32.exe	Lplbjm32.exe
File created	C:\Windows\SysWOW64\Hnnikfij.dll	Kocpbfei.exe
File created	C:\Windows\SysWOW64\Kdbepm32.exe	Koflgf32.exe
File created	C:\Windows\SysWOW64\Alhpic32.dll	Koflgf32.exe
File opened for modification	C:\Windows\SysWOW64\Kbhbai32.exe	Kpieengb.exe
File created	C:\Windows\SysWOW64\Pihbeaea.dll	Kipmhc32.exe
File created	C:\Windows\SysWOW64\Kdphjm32.exe	Kocpbfei.exe
File created	C:\Windows\SysWOW64\Koflgf32.exe	Kdphjm32.exe
File created	C:\Windows\SysWOW64\Kipmhc32.exe	Kdbepm32.exe
File opened for modification	C:\Windows\SysWOW64\Lbjofi32.exe	Lplbjm32.exe
File created	C:\Windows\SysWOW64\Lplbjm32.exe	Kbhbai32.exe
File created	C:\Windows\SysWOW64\Kocpbfei.exe	3eb5be9231da591c66c07e588cb460f189a2faadf6fefb16dbb01b431a288b76N.exe
File opened for modification	C:\Windows\SysWOW64\Kocpbfei.exe	3eb5be9231da591c66c07e588cb460f189a2faadf6fefb16dbb01b431a288b76N.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
284	1088	WerFault.exe	38

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lplbjm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbjofi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3eb5be9231da591c66c07e588cb460f189a2faadf6fefb16dbb01b431a288b76N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kocpbfei.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Koflgf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kipmhc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdphjm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdbepm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kpieengb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbhbai32.exe

Modifies registry class 30 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	3eb5be9231da591c66c07e588cb460f189a2faadf6fefb16dbb01b431a288b76N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kbhbai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipafocdg.dll"	Lplbjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnnikfij.dll"	Kocpbfei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kpieengb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lplbjm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	3eb5be9231da591c66c07e588cb460f189a2faadf6fefb16dbb01b431a288b76N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kdbepm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kpieengb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlcdel32.dll"	Kbhbai32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	3eb5be9231da591c66c07e588cb460f189a2faadf6fefb16dbb01b431a288b76N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kocpbfei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kdphjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bndneq32.dll"	Kpieengb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffakjm32.dll"	3eb5be9231da591c66c07e588cb460f189a2faadf6fefb16dbb01b431a288b76N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alhpic32.dll"	Koflgf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Koflgf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kipmhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kbhbai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lplbjm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kipmhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	3eb5be9231da591c66c07e588cb460f189a2faadf6fefb16dbb01b431a288b76N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kocpbfei.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Koflgf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdbepm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkpnde32.dll"	Kdbepm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pihbeaea.dll"	Kipmhc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	3eb5be9231da591c66c07e588cb460f189a2faadf6fefb16dbb01b431a288b76N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdphjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pehbqi32.dll"	Kdphjm32.exe

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 2156 wrote to memory of 2748	2156	3eb5be9231da591c66c07e588cb460f189a2faadf6fefb16dbb01b431a288b76N.exe	30
PID 2156 wrote to memory of 2748	2156	3eb5be9231da591c66c07e588cb460f189a2faadf6fefb16dbb01b431a288b76N.exe	30
PID 2156 wrote to memory of 2748	2156	3eb5be9231da591c66c07e588cb460f189a2faadf6fefb16dbb01b431a288b76N.exe	30
PID 2156 wrote to memory of 2748	2156	3eb5be9231da591c66c07e588cb460f189a2faadf6fefb16dbb01b431a288b76N.exe	30
PID 2748 wrote to memory of 2568	2748	Kocpbfei.exe	31
PID 2748 wrote to memory of 2568	2748	Kocpbfei.exe	31
PID 2748 wrote to memory of 2568	2748	Kocpbfei.exe	31
PID 2748 wrote to memory of 2568	2748	Kocpbfei.exe	31
PID 2568 wrote to memory of 2756	2568	Kdphjm32.exe	32
PID 2568 wrote to memory of 2756	2568	Kdphjm32.exe	32
PID 2568 wrote to memory of 2756	2568	Kdphjm32.exe	32
PID 2568 wrote to memory of 2756	2568	Kdphjm32.exe	32
PID 2756 wrote to memory of 1256	2756	Koflgf32.exe	33
PID 2756 wrote to memory of 1256	2756	Koflgf32.exe	33
PID 2756 wrote to memory of 1256	2756	Koflgf32.exe	33
PID 2756 wrote to memory of 1256	2756	Koflgf32.exe	33
PID 1256 wrote to memory of 2604	1256	Kdbepm32.exe	34
PID 1256 wrote to memory of 2604	1256	Kdbepm32.exe	34
PID 1256 wrote to memory of 2604	1256	Kdbepm32.exe	34
PID 1256 wrote to memory of 2604	1256	Kdbepm32.exe	34
PID 2604 wrote to memory of 1208	2604	Kipmhc32.exe	35
PID 2604 wrote to memory of 1208	2604	Kipmhc32.exe	35
PID 2604 wrote to memory of 1208	2604	Kipmhc32.exe	35
PID 2604 wrote to memory of 1208	2604	Kipmhc32.exe	35
PID 1208 wrote to memory of 628	1208	Kpieengb.exe	36
PID 1208 wrote to memory of 628	1208	Kpieengb.exe	36
PID 1208 wrote to memory of 628	1208	Kpieengb.exe	36
PID 1208 wrote to memory of 628	1208	Kpieengb.exe	36
PID 628 wrote to memory of 2436	628	Kbhbai32.exe	37
PID 628 wrote to memory of 2436	628	Kbhbai32.exe	37
PID 628 wrote to memory of 2436	628	Kbhbai32.exe	37
PID 628 wrote to memory of 2436	628	Kbhbai32.exe	37
PID 2436 wrote to memory of 1088	2436	Lplbjm32.exe	38
PID 2436 wrote to memory of 1088	2436	Lplbjm32.exe	38
PID 2436 wrote to memory of 1088	2436	Lplbjm32.exe	38
PID 2436 wrote to memory of 1088	2436	Lplbjm32.exe	38
PID 1088 wrote to memory of 284	1088	Lbjofi32.exe	39
PID 1088 wrote to memory of 284	1088	Lbjofi32.exe	39
PID 1088 wrote to memory of 284	1088	Lbjofi32.exe	39
PID 1088 wrote to memory of 284	1088	Lbjofi32.exe	39

C:\Users\Admin\AppData\Local\Temp\3eb5be9231da591c66c07e588cb460f189a2faadf6fefb16dbb01b431a288b76N.exe
"C:\Users\Admin\AppData\Local\Temp\3eb5be9231da591c66c07e588cb460f189a2faadf6fefb16dbb01b431a288b76N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2156
- C:\Windows\SysWOW64\Kocpbfei.exe
  C:\Windows\system32\Kocpbfei.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2748
- - C:\Windows\SysWOW64\Kdphjm32.exe
    C:\Windows\system32\Kdphjm32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2568
  - - C:\Windows\SysWOW64\Koflgf32.exe
      C:\Windows\system32\Koflgf32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2756
    - - C:\Windows\SysWOW64\Kdbepm32.exe
        
        C:\Windows\system32\Kdbepm32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1256
      - C:\Windows\SysWOW64\Kipmhc32.exe
        
        C:\Windows\system32\Kipmhc32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2604
        
        C:\Windows\SysWOW64\Kpieengb.exe
        
        C:\Windows\system32\Kpieengb.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1208
        
        C:\Windows\SysWOW64\Kbhbai32.exe
        
        C:\Windows\system32\Kbhbai32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:628
        
        C:\Windows\SysWOW64\Lplbjm32.exe
        
        C:\Windows\system32\Lplbjm32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2436
        
        C:\Windows\SysWOW64\Lbjofi32.exe
        
        C:\Windows\system32\Lbjofi32.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1088
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1088 -s 140
        11⤵
        Loads dropped DLL
        Program crash
        
        PID:284

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Kbhbai32.exe

Filesize
93KB

MD5
05037ea4a304742fe702cdd9b3fa7ab7

SHA1
364611fc823fb2e0801fb950fd83d0c72fd9c6a3

SHA256
b32645e74737769d91f01f1630417f9a855a8657d8b4997ede1b7f89b8f82d38

SHA512
ace444cdf5cc8f0aa172bc9232dd59fefb5828abbd746c771497b3a1cd0b905bd11861a118b81a4a4b53ea42f98a3d7773f898a4c34707384b1a06d5dd8475c0

Download Submit
C:\Windows\SysWOW64\Kocpbfei.exe

Filesize
93KB

MD5
1e5d7474a4beb65783cce25d95636c67

SHA1
af212d244f1cda91f328ad492467862e29587244

SHA256
b8dc21b00fd4b030ec3930b251c5f05445d74e0310671f1a42998285b02e0c88

SHA512
bced7e1f6654654a2f150a9a0ec90776cdade7f66cdccf02a5efc1c3a0e3b29b3da61a6748978c23ce60bc6ddd0747381af4dfa62b6701cae81242a9e064a239

Download Submit
C:\Windows\SysWOW64\Koflgf32.exe

Filesize
93KB

MD5
c86c10602c327067afe1a7b1600dd609

SHA1
ba67c1c4fd5c899382e49768126ba516d8e4cb97

SHA256
352f7856933fd4cde6712cf948a90f20155e7f1a703ac4d986bbcc512b39c812

SHA512
ae6696225bdc0bd93761511f06d5640b3d1617143750904aa8ca8a8969fdc1d6ba5674d9ce4b61bff073c0d4fa8a1782644824ff07b46a9df20a4054ddef1114

Download Submit
\Windows\SysWOW64\Kdbepm32.exe

Filesize
93KB

MD5
5a8158e8253309d12b83bb9b2e604b9e

SHA1
bd3fea5bdab20eb3b410add4bdc4ebc7beb65d07

SHA256
34a69924db956fa67e6831977c51c9e91c47f2b05f5e4dfdb73d2223c7c8818a

SHA512
1d2d0a148a59ce9e045d6b47dc9aefc7fc3d6b54f0da4f33249af98b0a86b177ef54d10a1e5194bc556fde327cb03e8d1ace4e4d6e8da0359eec4b369286848b

Download Submit
\Windows\SysWOW64\Kdphjm32.exe

Filesize
93KB

MD5
67527ae742fe6024c73fc10f11eb641f

SHA1
915f967046a77b7cca8412996e66802a17d5de17

SHA256
3ca532b5938b12cd58e5cf5f91b0ff034790eb9e78df5cdefa4a225b1916fc15

SHA512
798ba224a723ab0d5fc5d9cefc9b90fffe353c1499919a2e1f413a4aeb07d4454d705e09e08d4ca24683c9817b245bc334d6ba904f6cd61d6937dfd3af1e4317

Download Submit
\Windows\SysWOW64\Kipmhc32.exe

Filesize
93KB

MD5
50a1accb5cbe39fb539002a6f2eeb346

SHA1
2d7d17d1c7dce614f0fcae1caada7980c1663e55

SHA256
a470a31ee318f2ab13b294ef8f3af032c18d2e61acdb4729b66d24b35435a644

SHA512
90117e8ed1bf08b9ced8b3b18513598c369dae03ff199f4009aa2ecdaf82c87012ea19cd089bfb487974c445bf43ac7fa98980fb457aea315d88279778632e59

Download Submit
\Windows\SysWOW64\Kpieengb.exe

Filesize
93KB

MD5
1379f8d8a6c5a734cd9fd86e0207a00f

SHA1
d643a61926c4efc7ff7ffc8e844b57132c903d3e

SHA256
7a4ee4e5beb5e18132f08d980de36502e4b5e57998520ec43b5d2b65fe0d1d68

SHA512
b8fcd75d34d1e79d69e89f6395e6f49e6025df45d3675562900faf2146e5d3ef0d71b22193cbffe822700000292fe4e283fd210646ba38aea8fe0743cbfe2df8

Download Submit
\Windows\SysWOW64\Lbjofi32.exe

Filesize
93KB

MD5
3e57d5892257f60caec02d5508828bbc

SHA1
a0123acd55f2fc3fa2bcb780bc7585fbeb2ce69e

SHA256
ec773563a8a9fb0649f6b4fd4f696d439ebf5cc3003f437ad072d4fe6cdfb01d

SHA512
5ef481c0c498d090251557520e32904e0b216f6e939b16722c7ca52c573c01b173373897f4d23d1d6a46d07b2187cdef89382221befc45f0342570620aaf479a

Download Submit
\Windows\SysWOW64\Lplbjm32.exe

Filesize
93KB

MD5
d111bdd6c39d84188b5147be8a6d2c1c

SHA1
a9a7d9882d5a591fd8520803467a6d105dffc9f3

SHA256
fe104a1445fcbe8890f8501a8921aa00fd800efb8aef66c56faad28e69542ba9

SHA512
314091a94b9922a9cd285cd191f1d0398570af8afa7f5ae42ce8d0911aa6ab7484539c2a8327778a1edc3eaead038e700f15a54e3632086ed1ad6c1254da5fc1

Download Submit
memory/628-94-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/628-129-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/628-106-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1088-139-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1088-121-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1208-86-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1208-135-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1256-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1256-140-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2156-13-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2156-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2156-145-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2156-12-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2436-130-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2436-120-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2568-33-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2604-68-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2604-134-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2748-144-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2748-14-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2748-22-0x00000000002F0000-0x0000000000323000-memory.dmp

Filesize
204KB

Download
memory/2756-138-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2756-41-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2756-48-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads