berbew | bb367ee3df562eb633554a41e6d3b9236cb49b2632115c262bc50b4841242acb

Analysis

max time kernel
87s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
05/03/2025, 08:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bb367ee3df562eb633554a41e6d3b9236cb49b2632115c262bc50b4841242acb.exe
Size

128KB
MD5

a71e4864708c630bd222968b74557dd1
SHA1

00d2b1ddeea7e5f350be6f134711a46bbaab13be
SHA256

bb367ee3df562eb633554a41e6d3b9236cb49b2632115c262bc50b4841242acb
SHA512

7bd9ef96854a9b0f00684aea34a57771ddaf80c100d16d13775d4ed3b629952cea3ebe925ea110143009f61bd7c615005d6c5046e1efb672f76a245743294bb8
SSDEEP

3072:QvdgYlrojYnuokkWsRL+4vnHWCREXdXNKT1ntPG9poDrFDHZtOgl:QFzS4vHNCN9Otopg5tTl

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://tat-neftbank.ru/kkq.php

http://tat-neftbank.ru/wcmd.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 28 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	bb367ee3df562eb633554a41e6d3b9236cb49b2632115c262bc50b4841242acb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdnelpod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddqbbo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfonnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfonnk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dinjjf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dpgbgpbe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddekmo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdnelpod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cepadh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddqbbo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfakcj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmkcpdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmkcpdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddekmo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dbhlikpf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	bb367ee3df562eb633554a41e6d3b9236cb49b2632115c262bc50b4841242acb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cepadh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Clijablo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Clijablo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dinjjf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dpgbgpbe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfakcj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dlqpaafg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmgjee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmgjee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dbhlikpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dlqpaafg.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 14 IoCs

pid	Process
4556	Cdnelpod.exe
1408	Cepadh32.exe
2972	Cmgjee32.exe
4068	Clijablo.exe
1068	Ddqbbo32.exe
4564	Dfonnk32.exe
376	Dinjjf32.exe
3932	Dpgbgpbe.exe
4104	Dfakcj32.exe
2116	Dmkcpdao.exe
5072	Ddekmo32.exe
724	Dbhlikpf.exe
3832	Dlqpaafg.exe
3672	Dbkhnk32.exe

Drops file in System32 directory 42 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ioeiam32.dll	Ddekmo32.exe
File created	C:\Windows\SysWOW64\Clijablo.exe	Cmgjee32.exe
File opened for modification	C:\Windows\SysWOW64\Dfakcj32.exe	Dpgbgpbe.exe
File created	C:\Windows\SysWOW64\Dmkcpdao.exe	Dfakcj32.exe
File opened for modification	C:\Windows\SysWOW64\Ddekmo32.exe	Dmkcpdao.exe
File created	C:\Windows\SysWOW64\Dbhlikpf.exe	Ddekmo32.exe
File created	C:\Windows\SysWOW64\Fjgnln32.dll	Dbhlikpf.exe
File opened for modification	C:\Windows\SysWOW64\Dbkhnk32.exe	Dlqpaafg.exe
File created	C:\Windows\SysWOW64\Cepadh32.exe	Cdnelpod.exe
File created	C:\Windows\SysWOW64\Befogbik.dll	Cdnelpod.exe
File created	C:\Windows\SysWOW64\Dihmeahp.dll	Dfonnk32.exe
File created	C:\Windows\SysWOW64\Dbkhnk32.exe	Dlqpaafg.exe
File opened for modification	C:\Windows\SysWOW64\Ddqbbo32.exe	Clijablo.exe
File created	C:\Windows\SysWOW64\Oihlnd32.dll	Dinjjf32.exe
File created	C:\Windows\SysWOW64\Idbgcb32.dll	Dfakcj32.exe
File opened for modification	C:\Windows\SysWOW64\Dpgbgpbe.exe	Dinjjf32.exe
File created	C:\Windows\SysWOW64\Dfakcj32.exe	Dpgbgpbe.exe
File created	C:\Windows\SysWOW64\Ddqbbo32.exe	Clijablo.exe
File opened for modification	C:\Windows\SysWOW64\Dinjjf32.exe	Dfonnk32.exe
File opened for modification	C:\Windows\SysWOW64\Dlqpaafg.exe	Dbhlikpf.exe
File opened for modification	C:\Windows\SysWOW64\Cmgjee32.exe	Cepadh32.exe
File created	C:\Windows\SysWOW64\Cdnelpod.exe	bb367ee3df562eb633554a41e6d3b9236cb49b2632115c262bc50b4841242acb.exe
File created	C:\Windows\SysWOW64\Qfeckiie.dll	Cepadh32.exe
File created	C:\Windows\SysWOW64\Dpaohckm.dll	Clijablo.exe
File opened for modification	C:\Windows\SysWOW64\Dfonnk32.exe	Ddqbbo32.exe
File opened for modification	C:\Windows\SysWOW64\Dmkcpdao.exe	Dfakcj32.exe
File created	C:\Windows\SysWOW64\Ddekmo32.exe	Dmkcpdao.exe
File created	C:\Windows\SysWOW64\Cbccbiml.dll	Dmkcpdao.exe
File created	C:\Windows\SysWOW64\Ggiipk32.dll	bb367ee3df562eb633554a41e6d3b9236cb49b2632115c262bc50b4841242acb.exe
File opened for modification	C:\Windows\SysWOW64\Cepadh32.exe	Cdnelpod.exe
File created	C:\Windows\SysWOW64\Cmgjee32.exe	Cepadh32.exe
File created	C:\Windows\SysWOW64\Dpgbgpbe.exe	Dinjjf32.exe
File opened for modification	C:\Windows\SysWOW64\Dbhlikpf.exe	Ddekmo32.exe
File created	C:\Windows\SysWOW64\Dlqpaafg.exe	Dbhlikpf.exe
File created	C:\Windows\SysWOW64\Naefjl32.dll	Dlqpaafg.exe
File created	C:\Windows\SysWOW64\Nfmcle32.dll	Dpgbgpbe.exe
File opened for modification	C:\Windows\SysWOW64\Cdnelpod.exe	bb367ee3df562eb633554a41e6d3b9236cb49b2632115c262bc50b4841242acb.exe
File opened for modification	C:\Windows\SysWOW64\Clijablo.exe	Cmgjee32.exe
File created	C:\Windows\SysWOW64\Fbelak32.dll	Cmgjee32.exe
File created	C:\Windows\SysWOW64\Dfonnk32.exe	Ddqbbo32.exe
File created	C:\Windows\SysWOW64\Adlafb32.dll	Ddqbbo32.exe
File created	C:\Windows\SysWOW64\Dinjjf32.exe	Dfonnk32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2624	3672	WerFault.exe	100

System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cepadh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgjee32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dinjjf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddekmo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dbhlikpf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dbkhnk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bb367ee3df562eb633554a41e6d3b9236cb49b2632115c262bc50b4841242acb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdnelpod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Clijablo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfonnk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmkcpdao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddqbbo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfakcj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dlqpaafg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpgbgpbe.exe

Modifies registry class 45 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cepadh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfakcj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idbgcb32.dll"	Dfakcj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	bb367ee3df562eb633554a41e6d3b9236cb49b2632115c262bc50b4841242acb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmgjee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oihlnd32.dll"	Dinjjf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ioeiam32.dll"	Ddekmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggiipk32.dll"	bb367ee3df562eb633554a41e6d3b9236cb49b2632115c262bc50b4841242acb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmgjee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfonnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naefjl32.dll"	Dlqpaafg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dlqpaafg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpaohckm.dll"	Clijablo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adlafb32.dll"	Ddqbbo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddqbbo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfonnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dpgbgpbe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmkcpdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmkcpdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjgnln32.dll"	Dbhlikpf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	bb367ee3df562eb633554a41e6d3b9236cb49b2632115c262bc50b4841242acb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdnelpod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qfeckiie.dll"	Cepadh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cepadh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddqbbo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dpgbgpbe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfakcj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddekmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Befogbik.dll"	Cdnelpod.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Clijablo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dinjjf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dbhlikpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dbhlikpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	bb367ee3df562eb633554a41e6d3b9236cb49b2632115c262bc50b4841242acb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbelak32.dll"	Cmgjee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Clijablo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dinjjf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nfmcle32.dll"	Dpgbgpbe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbccbiml.dll"	Dmkcpdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddekmo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dlqpaafg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dihmeahp.dll"	Dfonnk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	bb367ee3df562eb633554a41e6d3b9236cb49b2632115c262bc50b4841242acb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	bb367ee3df562eb633554a41e6d3b9236cb49b2632115c262bc50b4841242acb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdnelpod.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 4408 wrote to memory of 4556	4408	bb367ee3df562eb633554a41e6d3b9236cb49b2632115c262bc50b4841242acb.exe	85
PID 4408 wrote to memory of 4556	4408	bb367ee3df562eb633554a41e6d3b9236cb49b2632115c262bc50b4841242acb.exe	85
PID 4408 wrote to memory of 4556	4408	bb367ee3df562eb633554a41e6d3b9236cb49b2632115c262bc50b4841242acb.exe	85
PID 4556 wrote to memory of 1408	4556	Cdnelpod.exe	86
PID 4556 wrote to memory of 1408	4556	Cdnelpod.exe	86
PID 4556 wrote to memory of 1408	4556	Cdnelpod.exe	86
PID 1408 wrote to memory of 2972	1408	Cepadh32.exe	87
PID 1408 wrote to memory of 2972	1408	Cepadh32.exe	87
PID 1408 wrote to memory of 2972	1408	Cepadh32.exe	87
PID 2972 wrote to memory of 4068	2972	Cmgjee32.exe	88
PID 2972 wrote to memory of 4068	2972	Cmgjee32.exe	88
PID 2972 wrote to memory of 4068	2972	Cmgjee32.exe	88
PID 4068 wrote to memory of 1068	4068	Clijablo.exe	91
PID 4068 wrote to memory of 1068	4068	Clijablo.exe	91
PID 4068 wrote to memory of 1068	4068	Clijablo.exe	91
PID 1068 wrote to memory of 4564	1068	Ddqbbo32.exe	92
PID 1068 wrote to memory of 4564	1068	Ddqbbo32.exe	92
PID 1068 wrote to memory of 4564	1068	Ddqbbo32.exe	92
PID 4564 wrote to memory of 376	4564	Dfonnk32.exe	93
PID 4564 wrote to memory of 376	4564	Dfonnk32.exe	93
PID 4564 wrote to memory of 376	4564	Dfonnk32.exe	93
PID 376 wrote to memory of 3932	376	Dinjjf32.exe	94
PID 376 wrote to memory of 3932	376	Dinjjf32.exe	94
PID 376 wrote to memory of 3932	376	Dinjjf32.exe	94
PID 3932 wrote to memory of 4104	3932	Dpgbgpbe.exe	95
PID 3932 wrote to memory of 4104	3932	Dpgbgpbe.exe	95
PID 3932 wrote to memory of 4104	3932	Dpgbgpbe.exe	95
PID 4104 wrote to memory of 2116	4104	Dfakcj32.exe	96
PID 4104 wrote to memory of 2116	4104	Dfakcj32.exe	96
PID 4104 wrote to memory of 2116	4104	Dfakcj32.exe	96
PID 2116 wrote to memory of 5072	2116	Dmkcpdao.exe	97
PID 2116 wrote to memory of 5072	2116	Dmkcpdao.exe	97
PID 2116 wrote to memory of 5072	2116	Dmkcpdao.exe	97
PID 5072 wrote to memory of 724	5072	Ddekmo32.exe	98
PID 5072 wrote to memory of 724	5072	Ddekmo32.exe	98
PID 5072 wrote to memory of 724	5072	Ddekmo32.exe	98
PID 724 wrote to memory of 3832	724	Dbhlikpf.exe	99
PID 724 wrote to memory of 3832	724	Dbhlikpf.exe	99
PID 724 wrote to memory of 3832	724	Dbhlikpf.exe	99
PID 3832 wrote to memory of 3672	3832	Dlqpaafg.exe	100
PID 3832 wrote to memory of 3672	3832	Dlqpaafg.exe	100
PID 3832 wrote to memory of 3672	3832	Dlqpaafg.exe	100

C:\Users\Admin\AppData\Local\Temp\bb367ee3df562eb633554a41e6d3b9236cb49b2632115c262bc50b4841242acb.exe
"C:\Users\Admin\AppData\Local\Temp\bb367ee3df562eb633554a41e6d3b9236cb49b2632115c262bc50b4841242acb.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4408
- C:\Windows\SysWOW64\Cdnelpod.exe
  C:\Windows\system32\Cdnelpod.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4556
- - C:\Windows\SysWOW64\Cepadh32.exe
    C:\Windows\system32\Cepadh32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1408
  - - C:\Windows\SysWOW64\Cmgjee32.exe
      C:\Windows\system32\Cmgjee32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2972
    - - C:\Windows\SysWOW64\Clijablo.exe
        
        C:\Windows\system32\Clijablo.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4068
      - C:\Windows\SysWOW64\Ddqbbo32.exe
        
        C:\Windows\system32\Ddqbbo32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1068
        
        C:\Windows\SysWOW64\Dfonnk32.exe
        
        C:\Windows\system32\Dfonnk32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4564
        
        C:\Windows\SysWOW64\Dinjjf32.exe
        
        C:\Windows\system32\Dinjjf32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:376
        
        C:\Windows\SysWOW64\Dpgbgpbe.exe
        
        C:\Windows\system32\Dpgbgpbe.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3932
        
        C:\Windows\SysWOW64\Dfakcj32.exe
        
        C:\Windows\system32\Dfakcj32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4104
        
        C:\Windows\SysWOW64\Dmkcpdao.exe
        
        C:\Windows\system32\Dmkcpdao.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2116
        
        C:\Windows\SysWOW64\Ddekmo32.exe
        
        C:\Windows\system32\Ddekmo32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5072
        
        C:\Windows\SysWOW64\Dbhlikpf.exe
        
        C:\Windows\system32\Dbhlikpf.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:724
        
        C:\Windows\SysWOW64\Dlqpaafg.exe
        
        C:\Windows\system32\Dlqpaafg.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3832
        
        C:\Windows\SysWOW64\Dbkhnk32.exe
        
        C:\Windows\system32\Dbkhnk32.exe
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3672
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3672 -s 416
        16⤵
        Program crash
        
        PID:2624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3672 -ip 3672
1⤵
PID:768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Cdnelpod.exe

Filesize
128KB

MD5
81f7c5db59101e21cae470243784ec03

SHA1
59ed4ff267becff498901fc71e44e845b7934110

SHA256
ad3a6e2d183daab7dbc9ce27878842ea45dbb4c9120c787664b820b4001a87dd

SHA512
6b8dee22a1d03016626bab4cf293ddced7aea715ccb6aceb3996ec0c966071c3eb3e1d5ce2b33fb42addb973e1331c7a29fda857a093ec7eea36ad2632695aa9

Download Submit
C:\Windows\SysWOW64\Cepadh32.exe

Filesize
128KB

MD5
a8572e77c3e32b2e5a18ccf42eedf09f

SHA1
79bc949e087c63bbfee1ce4b558c6fc466069a8d

SHA256
ccd9c7a3c545cc3f5e6dd37615393e96b3369ccb857321425f31f400a68100a0

SHA512
2ff9cd6f48a9790d01207aaab72ca49bc39d9c9fc20f06cf0224e00e96f53552eb209131ee6af4f4caaa259da72ad1610c7edaa99e52d278cf055e1a3ebace1b

Download Submit
C:\Windows\SysWOW64\Clijablo.exe

Filesize
128KB

MD5
787ba799eb1c13ce14196c42449b0dd6

SHA1
e46e77740459e677843e1b4c3118a80cde6f8fce

SHA256
78c65216363613c500109d7212406822a17f886213b57d8bf8ea4ecff2fafc22

SHA512
906288dcf7ed6f9c48e46afb279aa5866ac61fd1388c5ca7d95f7fd64d3a5e18339c3ec7aa8ed6e3006870958cce9384741e782797661bf94cc1cfd7d7a52f2e

Download Submit
C:\Windows\SysWOW64\Cmgjee32.exe

Filesize
128KB

MD5
dbcd9871a7ec064f7294a713496bd578

SHA1
5d83b02cd9eb69f8cce8871ff7d3ce527b9405e9

SHA256
b30905279b5f86dcf5da30281cc919e8deddadcd293cb0492bfd558dfd5c4f5c

SHA512
7deea58448f3a7b7726c8cdb099fecd5cf7d7f199dcca83287d8fc7192a608a8a6e93f82d30299ad3ab9048a68a5e1111e11ba8543146a06dcb02bb779f2eb5d

Download Submit
C:\Windows\SysWOW64\Dbhlikpf.exe

Filesize
128KB

MD5
125017e679386334c97fe006afc1ca47

SHA1
69d86f86af688c7658bc9e3ec6a2da7002a91320

SHA256
235ec7eb7535c5c63211a5d675703c0e189cb58060763bd816887ce37b83570a

SHA512
cabc5d16cf21fccd44f98af5cbc523348b473d9d21dfdb53193f433fbbde343ce14eb65eab750442acda29fb7232d492a33746d2535bd2c3fd2809938013ea8a

Download Submit
C:\Windows\SysWOW64\Dbkhnk32.exe

Filesize
128KB

MD5
00b6d40fdb34b8de350ef4c00f494d32

SHA1
c53491a82d623989609f8aa06d66a6b8f7ccba8a

SHA256
3d63e00cae445e0a4a779eaee05568c10ba741cb072d4fcaf89833bfdfd5fb76

SHA512
a44bda29efc9bf39207d5cad5f58a7326416650e0f4974321979f53eb024a0712580c7bc1f16e1c5d60e2edcd76d5217c87f98e8e3630f1b959c78646065073c

Download Submit
C:\Windows\SysWOW64\Ddekmo32.exe

Filesize
128KB

MD5
af1adb5ffe2fa87b0934b14e4f854fb0

SHA1
615463a3cc9d9a42a491a2f468e56182859f1b8d

SHA256
412c5e51d1a57997f2ee6a79ebce9b3f81ccb5271f1c08c629c0949abe14d6ba

SHA512
459ab4d58ac82eb3e7ca7bb8c05eb8ed295ba6ea453b4d1930de51f2a0bf0b6c0e926426925ef398f69cddd3c484061e4b4df25322c71f9a1540fd9bb52eb32e

Download Submit
C:\Windows\SysWOW64\Ddqbbo32.exe

Filesize
128KB

MD5
1c2849bd25ca994a98da5bf0adaca495

SHA1
aa60a60459f08223d3454b48f833eccf70df8f50

SHA256
ffc971e0836f9973759e46540f55c6fcfaf9efc4be17da8e0784aacb444a2dc5

SHA512
7a48828e84101c839d433491175eff5cc3b74aa07c5eb5378b32b47662827afa2eb21b61b271d77fd1ca5062b56afcdc3b9ae6657eead97b6651dea6153504c1

Download Submit
C:\Windows\SysWOW64\Dfakcj32.exe

Filesize
128KB

MD5
373f0dc02d57b8c50de5051aa3bf80fc

SHA1
54d2d74ebb16b9af010fa91bf98780840923c816

SHA256
7760b1b0c94f1206f8c509831ceda08705321f6cd68574878c7d59b76cd55739

SHA512
1aefc808c10e134965f65785c1cd6b26774079950c43bb0bc9d80d9a3cef2d10bb87ff5f093786c0565948e6d25d35dfec315955d446f0a77968cc643b5825dd

Download Submit
C:\Windows\SysWOW64\Dfonnk32.exe

Filesize
128KB

MD5
262b1795f6a9f343a3824f4dd9e85b0d

SHA1
3c5e304016e1e43c8e1b4f28c09bbd2aebeb37b1

SHA256
41910d15fc3680c4f4d278da00fe8144a6330b0d966304e63b7a9b9966660565

SHA512
25c5d27f067d2396bc96bfc0703cd0066e0313593ce7651adca991cdceabd2d20b81bf042848cb104ca49b1dbe7c665665eca69ec572371e512a48c945ab0036

Download Submit
C:\Windows\SysWOW64\Dinjjf32.exe

Filesize
128KB

MD5
a7e64bfbab1b1d0bd64bc1ef87fad966

SHA1
bff343dbd9092b51b1cf4a505ecd25df3f3b72ac

SHA256
fcbc517ad2a3f384cfb22c6d195613183d7c4a62c2178c9eca22a72272a5b655

SHA512
251e82b6bc7b928d25d9871e2398e54be2a4579c30ce8131689be92057fdba1666f459254fa924acfb1c59e019cf40b97985d2da445ce35c70027f60a7a822ef

Download Submit
C:\Windows\SysWOW64\Dlqpaafg.exe

Filesize
128KB

MD5
f6f39c11532384d2a310c74000a9068b

SHA1
b980649dea47a6dcfab828500d77cb54f7dd9660

SHA256
045578666c38b5dcb0fe74d60eac930a7754bb8e30976b0b81fdc9370f2a604d

SHA512
428bb79e8235bcf241432d85d1d1b2e5acdb7c191bc7c71e64d3fe74fd76307e680e64abacea1056f9cbb9b3aba89020303f41296dadb0b6e138e30cadbcdaf6

Download Submit
C:\Windows\SysWOW64\Dmkcpdao.exe

Filesize
128KB

MD5
a1f06350dcf5424014d21501db4b7320

SHA1
88cc36db6f4e35ff9be0878dcff821b284ec2535

SHA256
4db623ad8270ce9e9a803eb0d5ce8edb3aee65b3e071d7a2db846df3ded9dcfe

SHA512
64edb16f36f99ba1fabe41719956140b4b0c9648a7b822f7d1826d15ba525624e11a25064d78f2142132c88d4a7c93accaa28a2baf8f5190b329352d56847881

Download Submit
C:\Windows\SysWOW64\Dpgbgpbe.exe

Filesize
128KB

MD5
279f4979b47d7da1cd840da5835178ba

SHA1
e452ab2e95d5de1e11308f2ea2d8308584f441e1

SHA256
6b9adea6899de54d2c0c59b6affc1fcfa34cf911d551d4782e4330de71a886a9

SHA512
9ac1feec2112f8315d14d7f0a23b8268b6e39eaefbe1f6f194a088fd39a1c42387686b247ad7e72d7511f82cb2749fd89b68b1dcbe1c00f31ac3d75611f9512b

Download Submit
memory/376-56-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/376-120-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/724-95-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/724-115-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1068-44-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1408-124-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1408-15-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2116-117-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2116-79-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2972-23-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2972-123-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3672-113-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3672-112-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3832-114-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3832-103-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3932-119-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3932-63-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4068-31-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4068-122-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4104-118-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4104-71-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4408-126-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4408-0-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4556-7-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4556-125-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4564-121-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4564-48-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5072-116-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5072-88-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads