berbew | 36b7ba9b5c385ee8684724d59b1321ce39efb5181e0d93f1a41a45032684954a

Analysis

max time kernel
14s
max time network
19s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
05/03/2025, 23:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

36b7ba9b5c385ee8684724d59b1321ce39efb5181e0d93f1a41a45032684954a.exe
Size

59KB
MD5

91131ac6c7adf88fd39ef7e154f756cf
SHA1

c428ebdeb2aae73b1499e8a26a83ce7bbf23d05a
SHA256

36b7ba9b5c385ee8684724d59b1321ce39efb5181e0d93f1a41a45032684954a
SHA512

ba20b8a4ab545ffc0000b1a10fe1c74265a856242fed2b37296e7e26546075fa23611035e684f86f67d4da2930d2d91e36d5cc22cf99b072daf3c215fda64c4d
SSDEEP

1536:bjRihL6KDDKZ/JwaPhgPE6HWF/f+8CluNCyVs:bjRA6KDw/di25f+ldes

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://tat-neftbank.ru/kkq.php

http://tat-neftbank.ru/wcmd.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 18 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ffeoid32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gifhkpgk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gepeep32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	36b7ba9b5c385ee8684724d59b1321ce39efb5181e0d93f1a41a45032684954a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fdefgimi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Glgqlkdl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gaffja32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gaffja32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Flnnfllf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fdefgimi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Flbgak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Flbgak32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gifhkpgk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Glgqlkdl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gepeep32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Flnnfllf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ffeoid32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	36b7ba9b5c385ee8684724d59b1321ce39efb5181e0d93f1a41a45032684954a.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 9 IoCs

pid	Process
2180	Flnnfllf.exe
1192	Fdefgimi.exe
1476	Ffeoid32.exe
2936	Flbgak32.exe
2860	Gifhkpgk.exe
2972	Glgqlkdl.exe
2664	Gepeep32.exe
2716	Gaffja32.exe
1372	Gmmgobfd.exe

Loads dropped DLL 22 IoCs

pid	Process
2608	36b7ba9b5c385ee8684724d59b1321ce39efb5181e0d93f1a41a45032684954a.exe
2608	36b7ba9b5c385ee8684724d59b1321ce39efb5181e0d93f1a41a45032684954a.exe
2180	Flnnfllf.exe
2180	Flnnfllf.exe
1192	Fdefgimi.exe
1192	Fdefgimi.exe
1476	Ffeoid32.exe
1476	Ffeoid32.exe
2936	Flbgak32.exe
2936	Flbgak32.exe
2860	Gifhkpgk.exe
2860	Gifhkpgk.exe
2972	Glgqlkdl.exe
2972	Glgqlkdl.exe
2664	Gepeep32.exe
2664	Gepeep32.exe
2716	Gaffja32.exe
2716	Gaffja32.exe
576	WerFault.exe
576	WerFault.exe
576	WerFault.exe
576	WerFault.exe

Drops file in System32 directory 27 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Fdefgimi.exe	Flnnfllf.exe
File created	C:\Windows\SysWOW64\Iiogbn32.dll	Flbgak32.exe
File opened for modification	C:\Windows\SysWOW64\Gepeep32.exe	Glgqlkdl.exe
File opened for modification	C:\Windows\SysWOW64\Gaffja32.exe	Gepeep32.exe
File created	C:\Windows\SysWOW64\Ffeoid32.exe	Fdefgimi.exe
File opened for modification	C:\Windows\SysWOW64\Ffeoid32.exe	Fdefgimi.exe
File created	C:\Windows\SysWOW64\Gepeep32.exe	Glgqlkdl.exe
File created	C:\Windows\SysWOW64\Gaffja32.exe	Gepeep32.exe
File created	C:\Windows\SysWOW64\Gmmgobfd.exe	Gaffja32.exe
File opened for modification	C:\Windows\SysWOW64\Gmmgobfd.exe	Gaffja32.exe
File created	C:\Windows\SysWOW64\Idlfno32.dll	Gaffja32.exe
File opened for modification	C:\Windows\SysWOW64\Flnnfllf.exe	36b7ba9b5c385ee8684724d59b1321ce39efb5181e0d93f1a41a45032684954a.exe
File created	C:\Windows\SysWOW64\Pefone32.dll	Flnnfllf.exe
File created	C:\Windows\SysWOW64\Akinoefk.dll	Fdefgimi.exe
File created	C:\Windows\SysWOW64\Flbgak32.exe	Ffeoid32.exe
File opened for modification	C:\Windows\SysWOW64\Gifhkpgk.exe	Flbgak32.exe
File created	C:\Windows\SysWOW64\Glgqlkdl.exe	Gifhkpgk.exe
File opened for modification	C:\Windows\SysWOW64\Glgqlkdl.exe	Gifhkpgk.exe
File created	C:\Windows\SysWOW64\Opebop32.dll	Gifhkpgk.exe
File created	C:\Windows\SysWOW64\Flnnfllf.exe	36b7ba9b5c385ee8684724d59b1321ce39efb5181e0d93f1a41a45032684954a.exe
File created	C:\Windows\SysWOW64\Ahjlfmkh.dll	36b7ba9b5c385ee8684724d59b1321ce39efb5181e0d93f1a41a45032684954a.exe
File opened for modification	C:\Windows\SysWOW64\Fdefgimi.exe	Flnnfllf.exe
File opened for modification	C:\Windows\SysWOW64\Flbgak32.exe	Ffeoid32.exe
File created	C:\Windows\SysWOW64\Ifgpnf32.dll	Ffeoid32.exe
File created	C:\Windows\SysWOW64\Gifhkpgk.exe	Flbgak32.exe
File created	C:\Windows\SysWOW64\Hmalaioi.dll	Glgqlkdl.exe
File created	C:\Windows\SysWOW64\Gbgbmipo.dll	Gepeep32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
576	1372	WerFault.exe	37

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Glgqlkdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gaffja32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Flnnfllf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ffeoid32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Flbgak32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gepeep32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gmmgobfd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	36b7ba9b5c385ee8684724d59b1321ce39efb5181e0d93f1a41a45032684954a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fdefgimi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gifhkpgk.exe

Modifies registry class 30 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gepeep32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	36b7ba9b5c385ee8684724d59b1321ce39efb5181e0d93f1a41a45032684954a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pefone32.dll"	Flnnfllf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Flnnfllf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fdefgimi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akinoefk.dll"	Fdefgimi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifgpnf32.dll"	Ffeoid32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gepeep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	36b7ba9b5c385ee8684724d59b1321ce39efb5181e0d93f1a41a45032684954a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ffeoid32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gifhkpgk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iiogbn32.dll"	Flbgak32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Glgqlkdl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Flnnfllf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fdefgimi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gifhkpgk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opebop32.dll"	Gifhkpgk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Glgqlkdl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gaffja32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahjlfmkh.dll"	36b7ba9b5c385ee8684724d59b1321ce39efb5181e0d93f1a41a45032684954a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gaffja32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idlfno32.dll"	Gaffja32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	36b7ba9b5c385ee8684724d59b1321ce39efb5181e0d93f1a41a45032684954a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	36b7ba9b5c385ee8684724d59b1321ce39efb5181e0d93f1a41a45032684954a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	36b7ba9b5c385ee8684724d59b1321ce39efb5181e0d93f1a41a45032684954a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ffeoid32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Flbgak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmalaioi.dll"	Glgqlkdl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Flbgak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbgbmipo.dll"	Gepeep32.exe

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 2608 wrote to memory of 2180	2608	36b7ba9b5c385ee8684724d59b1321ce39efb5181e0d93f1a41a45032684954a.exe	29
PID 2608 wrote to memory of 2180	2608	36b7ba9b5c385ee8684724d59b1321ce39efb5181e0d93f1a41a45032684954a.exe	29
PID 2608 wrote to memory of 2180	2608	36b7ba9b5c385ee8684724d59b1321ce39efb5181e0d93f1a41a45032684954a.exe	29
PID 2608 wrote to memory of 2180	2608	36b7ba9b5c385ee8684724d59b1321ce39efb5181e0d93f1a41a45032684954a.exe	29
PID 2180 wrote to memory of 1192	2180	Flnnfllf.exe	30
PID 2180 wrote to memory of 1192	2180	Flnnfllf.exe	30
PID 2180 wrote to memory of 1192	2180	Flnnfllf.exe	30
PID 2180 wrote to memory of 1192	2180	Flnnfllf.exe	30
PID 1192 wrote to memory of 1476	1192	Fdefgimi.exe	31
PID 1192 wrote to memory of 1476	1192	Fdefgimi.exe	31
PID 1192 wrote to memory of 1476	1192	Fdefgimi.exe	31
PID 1192 wrote to memory of 1476	1192	Fdefgimi.exe	31
PID 1476 wrote to memory of 2936	1476	Ffeoid32.exe	32
PID 1476 wrote to memory of 2936	1476	Ffeoid32.exe	32
PID 1476 wrote to memory of 2936	1476	Ffeoid32.exe	32
PID 1476 wrote to memory of 2936	1476	Ffeoid32.exe	32
PID 2936 wrote to memory of 2860	2936	Flbgak32.exe	33
PID 2936 wrote to memory of 2860	2936	Flbgak32.exe	33
PID 2936 wrote to memory of 2860	2936	Flbgak32.exe	33
PID 2936 wrote to memory of 2860	2936	Flbgak32.exe	33
PID 2860 wrote to memory of 2972	2860	Gifhkpgk.exe	34
PID 2860 wrote to memory of 2972	2860	Gifhkpgk.exe	34
PID 2860 wrote to memory of 2972	2860	Gifhkpgk.exe	34
PID 2860 wrote to memory of 2972	2860	Gifhkpgk.exe	34
PID 2972 wrote to memory of 2664	2972	Glgqlkdl.exe	35
PID 2972 wrote to memory of 2664	2972	Glgqlkdl.exe	35
PID 2972 wrote to memory of 2664	2972	Glgqlkdl.exe	35
PID 2972 wrote to memory of 2664	2972	Glgqlkdl.exe	35
PID 2664 wrote to memory of 2716	2664	Gepeep32.exe	36
PID 2664 wrote to memory of 2716	2664	Gepeep32.exe	36
PID 2664 wrote to memory of 2716	2664	Gepeep32.exe	36
PID 2664 wrote to memory of 2716	2664	Gepeep32.exe	36
PID 2716 wrote to memory of 1372	2716	Gaffja32.exe	37
PID 2716 wrote to memory of 1372	2716	Gaffja32.exe	37
PID 2716 wrote to memory of 1372	2716	Gaffja32.exe	37
PID 2716 wrote to memory of 1372	2716	Gaffja32.exe	37
PID 1372 wrote to memory of 576	1372	Gmmgobfd.exe	38
PID 1372 wrote to memory of 576	1372	Gmmgobfd.exe	38
PID 1372 wrote to memory of 576	1372	Gmmgobfd.exe	38
PID 1372 wrote to memory of 576	1372	Gmmgobfd.exe	38

C:\Users\Admin\AppData\Local\Temp\36b7ba9b5c385ee8684724d59b1321ce39efb5181e0d93f1a41a45032684954a.exe
"C:\Users\Admin\AppData\Local\Temp\36b7ba9b5c385ee8684724d59b1321ce39efb5181e0d93f1a41a45032684954a.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2608
- C:\Windows\SysWOW64\Flnnfllf.exe
  C:\Windows\system32\Flnnfllf.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2180
- - C:\Windows\SysWOW64\Fdefgimi.exe
    C:\Windows\system32\Fdefgimi.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1192
  - - C:\Windows\SysWOW64\Ffeoid32.exe
      C:\Windows\system32\Ffeoid32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1476
    - - C:\Windows\SysWOW64\Flbgak32.exe
        
        C:\Windows\system32\Flbgak32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2936
      - C:\Windows\SysWOW64\Gifhkpgk.exe
        
        C:\Windows\system32\Gifhkpgk.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2860
        
        C:\Windows\SysWOW64\Glgqlkdl.exe
        
        C:\Windows\system32\Glgqlkdl.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2972
        
        C:\Windows\SysWOW64\Gepeep32.exe
        
        C:\Windows\system32\Gepeep32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2664
        
        C:\Windows\SysWOW64\Gaffja32.exe
        
        C:\Windows\system32\Gaffja32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2716
        
        C:\Windows\SysWOW64\Gmmgobfd.exe
        
        C:\Windows\system32\Gmmgobfd.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1372
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1372 -s 140
        11⤵
        Loads dropped DLL
        Program crash
        
        PID:576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ffeoid32.exe

Filesize
59KB

MD5
0c1d8a9c9e7803d903c1c84c28025e96

SHA1
fc2f82d58e507ce3f904861bed1f285eae3dc6e2

SHA256
4da82f0bf43f210f4820f1a06eec6c153b2654113644dc6f0448bbf1464b12f4

SHA512
0609f12be3dc9077592b0cc0046fd110990a1f12ad3233de84ead2a6201b2075581a5ba454dfe490bf97318514c0fd48fd6fe8f6b13175f4185ce44c66d3db5c

Download Submit
C:\Windows\SysWOW64\Gmmgobfd.exe

Filesize
59KB

MD5
0a056d70758ccc92a58642643b29ec99

SHA1
9c78aa651224a5e1d4504afa540651e050370b7e

SHA256
c6de57f6d5e68d77005dc600a10d48a26388466409050b1bda69aeaca2923b04

SHA512
c87a1e744a84cea6b131d1ae738087a4a23b4c1af01dc10c2aa14f612542bb76c38e1fd35ed035264553eb12b481b34fecfdf8e00e263855152e8a8e3a337d4a

Download Submit
\Windows\SysWOW64\Fdefgimi.exe

Filesize
59KB

MD5
bd3b2ffbcbdaa1e558a8951833179195

SHA1
17d050fee0fd85b4bd5224ca716933e0d4053b97

SHA256
dec04774aa935e3fd5d856eeb27ae61ec2920c624b2f6e3d9c12b9b0e9b48a24

SHA512
91b4be68b8b1481d02db67707a3296949d7f939b2cda99b293fdd6f17f153be961e61a1286ad27481acefc6be60ece368db321237ed5979fd9ced3f1f8e44bbc

Download Submit
\Windows\SysWOW64\Flbgak32.exe

Filesize
59KB

MD5
a71c74103a866e506909ffbfc19b6f1c

SHA1
6d4c08ccf112600d65d6bb62d42aa679b394d3c3

SHA256
5d5fd51a8bdd0579431f0761189a9b9662872b02949ae8385c518e40073ab9b0

SHA512
8755acadb74252540578b254c00f4420d4090dafad3b928379b5a46c236f422b1a94f0f9bffc379fe14fb4e648816ae740d550ffa491eadf8577c937d31773e0

Download Submit
\Windows\SysWOW64\Flnnfllf.exe

Filesize
59KB

MD5
c897d60cb62a7c4047c0bf32261e37ef

SHA1
a3abeebe2c60117ab777019542e42f6f855440b2

SHA256
895a6d118c5fd2a5acd0e0a79d360b3461c5ccc4fc0a9fd512c7528e15eb879e

SHA512
8ec45013dd9c7689b03ac61d6c12ff917b24364f7279da18426c575866d1e629d693536ba284a75b42525090ae3c31ce52b4fccdc37fc6f7f034d1e4777bd48b

Download Submit
\Windows\SysWOW64\Gaffja32.exe

Filesize
59KB

MD5
d331da5e4601013970114c1b7e6c7ce5

SHA1
88f8c3acd931377a00e0c6e000fd03bbf66e65b0

SHA256
dd42ad4346c7db44e286ebcea539e5029f56fe9060e56f7c8ec3b719cb9d5ee1

SHA512
f05157baabf86946add5debf6cc2d20dfaa78e63f75048153c39517beaf40fdf9e354104c13b4d5776f071223260d19a7c678b1a7c97c0f2a7640aead0f30569

Download Submit
\Windows\SysWOW64\Gepeep32.exe

Filesize
59KB

MD5
ae98064c82a3ea89886cfbfb4bd74932

SHA1
a2c8e2809f476ccaee47194ea2167b95522c8a05

SHA256
0b4f17e1e1566b3dfe77e7774325bcfd3b6340746d410414a5de990ae687d726

SHA512
c050914e8a325cff1ee87cdf1f4c45e331a823c5c766973935615cd7cbbe2f4df16e9d8660b6875a07caabce3ddc1354bcc6f63186949a4c09f2f0bff1073465

Download Submit
\Windows\SysWOW64\Gifhkpgk.exe

Filesize
59KB

MD5
0ea8ecd63a617632fbba90da2a3eec0f

SHA1
3d7cab002578f3621ca2c1f79016e678e0fc6651

SHA256
3f3b303a74e611d48977af4ed8b1956533ab59e0adc78319b834f3b00b654aa3

SHA512
9c5bebb333edc612af9c7ba0fca421ef1284aa00a0604bff83f3bce71446e0f7c8b9e1c4cd3f1a66934b417da766673c5731b91ca92c694021a9e48e964b5763

Download Submit
\Windows\SysWOW64\Glgqlkdl.exe

Filesize
59KB

MD5
cc084f212102a0fddba5d9ee36a75d55

SHA1
2d5a1977bd5bddc36ee9e668523de66577118a79

SHA256
ae76056be7ed6dff4042483aa2a9e40d53a7726b298a41298d7d3c4827083ef8

SHA512
75fdddb76ab1eb193f1a19e51401544973f2553f16bb7d0055d66b053668dcbd3b2f499dbe263dc93a9b8d4a2d098f1e4b4f628d1b53e76e29ee8eb5e366c4e7

Download Submit
memory/1192-127-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1372-128-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1372-116-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1476-126-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2180-124-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2180-19-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2608-17-0x00000000002B0000-0x00000000002EA000-memory.dmp

Filesize
232KB

Download
memory/2608-125-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2608-18-0x00000000002B0000-0x00000000002EA000-memory.dmp

Filesize
232KB

Download
memory/2608-0-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2664-121-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2664-98-0x0000000000220000-0x000000000025A000-memory.dmp

Filesize
232KB

Download
memory/2716-130-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2860-75-0x0000000000250000-0x000000000028A000-memory.dmp

Filesize
232KB

Download
memory/2860-63-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2860-123-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2936-129-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2972-90-0x00000000002D0000-0x000000000030A000-memory.dmp

Filesize
232KB

Download
memory/2972-122-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2972-77-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads