berbew | e26311efb895ef0052e5a93f83e416a0fa1284bed47fb11f08affb7b93578c63

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
05/03/2025, 11:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e26311efb895ef0052e5a93f83e416a0fa1284bed47fb11f08affb7b93578c63.exe
Size

259KB
MD5

6c75c65e67c246ac38c7658ca24b179b
SHA1

5bbc42186d650b92d089e8444726f76faaab7bc2
SHA256

e26311efb895ef0052e5a93f83e416a0fa1284bed47fb11f08affb7b93578c63
SHA512

d1d041e4b24a77ee39c4471fa96933aaf385edceaf1e11af6c89c5bfc06361b547fcf5d1ea85b4c756aa0e8929c511874e36cb015a594c71773f79d6bc66486e
SSDEEP

3072:5S0Gfe4DyEJ9IDlRxyhTbhgu+tAcrzkAqSxYIhOmTsF93UYfwC6GIoutz5yLp:AfbyEsDshsrYIcm4FmowdHoSa

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 16 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	e26311efb895ef0052e5a93f83e416a0fa1284bed47fb11f08affb7b93578c63.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bilmcf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmeimhdj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cklfll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cklfll32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	e26311efb895ef0052e5a93f83e416a0fa1284bed47fb11f08affb7b93578c63.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bilmcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Blkioa32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnielm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnielm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfkpqn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmeimhdj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Blkioa32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhfcpb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bhfcpb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfkpqn32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 8 IoCs

pid	Process
2820	Bilmcf32.exe
2956	Blkioa32.exe
2724	Bnielm32.exe
2192	Bhfcpb32.exe
480	Bfkpqn32.exe
268	Bmeimhdj.exe
2896	Cklfll32.exe
2220	Ceegmj32.exe

Loads dropped DLL 20 IoCs

pid	Process
2928	e26311efb895ef0052e5a93f83e416a0fa1284bed47fb11f08affb7b93578c63.exe
2928	e26311efb895ef0052e5a93f83e416a0fa1284bed47fb11f08affb7b93578c63.exe
2820	Bilmcf32.exe
2820	Bilmcf32.exe
2956	Blkioa32.exe
2956	Blkioa32.exe
2724	Bnielm32.exe
2724	Bnielm32.exe
2192	Bhfcpb32.exe
2192	Bhfcpb32.exe
480	Bfkpqn32.exe
480	Bfkpqn32.exe
268	Bmeimhdj.exe
268	Bmeimhdj.exe
2896	Cklfll32.exe
2896	Cklfll32.exe
1384	WerFault.exe
1384	WerFault.exe
1384	WerFault.exe
1384	WerFault.exe

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Ceegmj32.exe	Cklfll32.exe
File created	C:\Windows\SysWOW64\Bnielm32.exe	Blkioa32.exe
File created	C:\Windows\SysWOW64\Bhfcpb32.exe	Bnielm32.exe
File created	C:\Windows\SysWOW64\Pkfaka32.dll	Bhfcpb32.exe
File opened for modification	C:\Windows\SysWOW64\Cklfll32.exe	Bmeimhdj.exe
File created	C:\Windows\SysWOW64\Lgahjhop.dll	e26311efb895ef0052e5a93f83e416a0fa1284bed47fb11f08affb7b93578c63.exe
File opened for modification	C:\Windows\SysWOW64\Blkioa32.exe	Bilmcf32.exe
File created	C:\Windows\SysWOW64\Ajpjcomh.dll	Bilmcf32.exe
File created	C:\Windows\SysWOW64\Mlcpdacl.dll	Bnielm32.exe
File created	C:\Windows\SysWOW64\Oimbjlde.dll	Bfkpqn32.exe
File created	C:\Windows\SysWOW64\Aheefb32.dll	Bmeimhdj.exe
File created	C:\Windows\SysWOW64\Aoogfhfp.dll	Cklfll32.exe
File created	C:\Windows\SysWOW64\Bilmcf32.exe	e26311efb895ef0052e5a93f83e416a0fa1284bed47fb11f08affb7b93578c63.exe
File opened for modification	C:\Windows\SysWOW64\Bilmcf32.exe	e26311efb895ef0052e5a93f83e416a0fa1284bed47fb11f08affb7b93578c63.exe
File opened for modification	C:\Windows\SysWOW64\Bnielm32.exe	Blkioa32.exe
File created	C:\Windows\SysWOW64\Bfkpqn32.exe	Bhfcpb32.exe
File created	C:\Windows\SysWOW64\Bmeimhdj.exe	Bfkpqn32.exe
File created	C:\Windows\SysWOW64\Blkioa32.exe	Bilmcf32.exe
File created	C:\Windows\SysWOW64\Ennlme32.dll	Blkioa32.exe
File opened for modification	C:\Windows\SysWOW64\Bhfcpb32.exe	Bnielm32.exe
File opened for modification	C:\Windows\SysWOW64\Bfkpqn32.exe	Bhfcpb32.exe
File opened for modification	C:\Windows\SysWOW64\Bmeimhdj.exe	Bfkpqn32.exe
File created	C:\Windows\SysWOW64\Cklfll32.exe	Bmeimhdj.exe
File created	C:\Windows\SysWOW64\Ceegmj32.exe	Cklfll32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1384	2220	WerFault.exe	37

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e26311efb895ef0052e5a93f83e416a0fa1284bed47fb11f08affb7b93578c63.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bilmcf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhfcpb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfkpqn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cklfll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Blkioa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnielm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmeimhdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceegmj32.exe

Modifies registry class 27 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aheefb32.dll"	Bmeimhdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmeimhdj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cklfll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnielm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bhfcpb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkfaka32.dll"	Bhfcpb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoogfhfp.dll"	Cklfll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cklfll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	e26311efb895ef0052e5a93f83e416a0fa1284bed47fb11f08affb7b93578c63.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgahjhop.dll"	e26311efb895ef0052e5a93f83e416a0fa1284bed47fb11f08affb7b93578c63.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bilmcf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Blkioa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Blkioa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlcpdacl.dll"	Bnielm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oimbjlde.dll"	Bfkpqn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmeimhdj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	e26311efb895ef0052e5a93f83e416a0fa1284bed47fb11f08affb7b93578c63.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	e26311efb895ef0052e5a93f83e416a0fa1284bed47fb11f08affb7b93578c63.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	e26311efb895ef0052e5a93f83e416a0fa1284bed47fb11f08affb7b93578c63.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	e26311efb895ef0052e5a93f83e416a0fa1284bed47fb11f08affb7b93578c63.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bilmcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bhfcpb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfkpqn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfkpqn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajpjcomh.dll"	Bilmcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ennlme32.dll"	Blkioa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnielm32.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2928 wrote to memory of 2820	2928	e26311efb895ef0052e5a93f83e416a0fa1284bed47fb11f08affb7b93578c63.exe	30
PID 2928 wrote to memory of 2820	2928	e26311efb895ef0052e5a93f83e416a0fa1284bed47fb11f08affb7b93578c63.exe	30
PID 2928 wrote to memory of 2820	2928	e26311efb895ef0052e5a93f83e416a0fa1284bed47fb11f08affb7b93578c63.exe	30
PID 2928 wrote to memory of 2820	2928	e26311efb895ef0052e5a93f83e416a0fa1284bed47fb11f08affb7b93578c63.exe	30
PID 2820 wrote to memory of 2956	2820	Bilmcf32.exe	31
PID 2820 wrote to memory of 2956	2820	Bilmcf32.exe	31
PID 2820 wrote to memory of 2956	2820	Bilmcf32.exe	31
PID 2820 wrote to memory of 2956	2820	Bilmcf32.exe	31
PID 2956 wrote to memory of 2724	2956	Blkioa32.exe	32
PID 2956 wrote to memory of 2724	2956	Blkioa32.exe	32
PID 2956 wrote to memory of 2724	2956	Blkioa32.exe	32
PID 2956 wrote to memory of 2724	2956	Blkioa32.exe	32
PID 2724 wrote to memory of 2192	2724	Bnielm32.exe	33
PID 2724 wrote to memory of 2192	2724	Bnielm32.exe	33
PID 2724 wrote to memory of 2192	2724	Bnielm32.exe	33
PID 2724 wrote to memory of 2192	2724	Bnielm32.exe	33
PID 2192 wrote to memory of 480	2192	Bhfcpb32.exe	34
PID 2192 wrote to memory of 480	2192	Bhfcpb32.exe	34
PID 2192 wrote to memory of 480	2192	Bhfcpb32.exe	34
PID 2192 wrote to memory of 480	2192	Bhfcpb32.exe	34
PID 480 wrote to memory of 268	480	Bfkpqn32.exe	35
PID 480 wrote to memory of 268	480	Bfkpqn32.exe	35
PID 480 wrote to memory of 268	480	Bfkpqn32.exe	35
PID 480 wrote to memory of 268	480	Bfkpqn32.exe	35
PID 268 wrote to memory of 2896	268	Bmeimhdj.exe	36
PID 268 wrote to memory of 2896	268	Bmeimhdj.exe	36
PID 268 wrote to memory of 2896	268	Bmeimhdj.exe	36
PID 268 wrote to memory of 2896	268	Bmeimhdj.exe	36
PID 2896 wrote to memory of 2220	2896	Cklfll32.exe	37
PID 2896 wrote to memory of 2220	2896	Cklfll32.exe	37
PID 2896 wrote to memory of 2220	2896	Cklfll32.exe	37
PID 2896 wrote to memory of 2220	2896	Cklfll32.exe	37
PID 2220 wrote to memory of 1384	2220	Ceegmj32.exe	38
PID 2220 wrote to memory of 1384	2220	Ceegmj32.exe	38
PID 2220 wrote to memory of 1384	2220	Ceegmj32.exe	38
PID 2220 wrote to memory of 1384	2220	Ceegmj32.exe	38

C:\Users\Admin\AppData\Local\Temp\e26311efb895ef0052e5a93f83e416a0fa1284bed47fb11f08affb7b93578c63.exe
"C:\Users\Admin\AppData\Local\Temp\e26311efb895ef0052e5a93f83e416a0fa1284bed47fb11f08affb7b93578c63.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2928
- C:\Windows\SysWOW64\Bilmcf32.exe
  C:\Windows\system32\Bilmcf32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2820
- - C:\Windows\SysWOW64\Blkioa32.exe
    C:\Windows\system32\Blkioa32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2956
  - - C:\Windows\SysWOW64\Bnielm32.exe
      C:\Windows\system32\Bnielm32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2724
    - - C:\Windows\SysWOW64\Bhfcpb32.exe
        
        C:\Windows\system32\Bhfcpb32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2192
      - C:\Windows\SysWOW64\Bfkpqn32.exe
        
        C:\Windows\system32\Bfkpqn32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:480
        
        C:\Windows\SysWOW64\Bmeimhdj.exe
        
        C:\Windows\system32\Bmeimhdj.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:268
        
        C:\Windows\SysWOW64\Cklfll32.exe
        
        C:\Windows\system32\Cklfll32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2896
        
        C:\Windows\SysWOW64\Ceegmj32.exe
        
        C:\Windows\system32\Ceegmj32.exe
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2220
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2220 -s 140
        10⤵
        Loads dropped DLL
        Program crash
        
        PID:1384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bilmcf32.exe

Filesize
259KB

MD5
0884d5d8ee2b225668ff8ad3ea7a9782

SHA1
254bbe196a8bb63fdea3a154b85c9d27bf4623e1

SHA256
0635c228b7aba6cf31adfd5e7304eaede2b65128556f5d714102c79ac667ac71

SHA512
8ad962a62287dd03df4b98ce0efde16af809cc8f813692c9de69bf0735af988f8f3f26c62cd75c1358a40950498223789a9da5e112ef75372d3301c7011f97bd

Download Submit
C:\Windows\SysWOW64\Bmeimhdj.exe

Filesize
259KB

MD5
f1861e35d3ebb463a1670775da7ed658

SHA1
ab7ef2fd06a73d4d75f3014fe71a097559391934

SHA256
3036f728cfd2376c5a25c9910be39410c272aff89e2a8a20cd39d7f8fc17523f

SHA512
b7498655389a77be5576e1934fbb4e65f6f74e847d904aa7aabae8d35f41aab6e1d61b803bb250784cfe4ec416a0cbac62483e4d2825fe49ea3bc0f5e78d5c3e

Download Submit
\Windows\SysWOW64\Bfkpqn32.exe

Filesize
259KB

MD5
f88a7fe9b91f7bdce34ce31e42a501ab

SHA1
a8d09cdec316df82593f6ecb8bbdd5bed445c432

SHA256
9b61a11e04798e71c62415dd8360497ee33ee18a6560f716f68f0472bb18df59

SHA512
88a517d32b0fd4ded78afcf7f85c919e8f290be4ed4607b4eaee78062377d64107ab4474fa2741c83cb75b588670837e6ee93358cebecd84e0d0ffa4616b59ed

Download Submit
\Windows\SysWOW64\Bhfcpb32.exe

Filesize
259KB

MD5
48609998d7d64fe2726f7f4aefb90a39

SHA1
42c2622bebcdb12f1dc3953660625f0ba5a3b492

SHA256
a534006e346cae33d1952408155e4be905a98db54fbb7a02cde044a6bd9aec3d

SHA512
281f508d49b76fcfadea96febf37390fbb4dd60e540523519cc1e1c88042a13a626f7e9045c4b9315f27ce8a07f87fbd2e119f05aa1e4327d6d5f10fdb4a186b

Download Submit
\Windows\SysWOW64\Blkioa32.exe

Filesize
259KB

MD5
8c2a66c36912eda0e4ba197ef27c890b

SHA1
f8f2154c0b9c6ce514e8228cefa0c371f7aeb1b4

SHA256
b10061feeffd8b839ba545ab6535cd4b9d9fa9b6c7993d6669393a85fc0ecccd

SHA512
591d270ea13bdc61ae11608fab7c323816bb07d6a5ecad477fbfd483a8fdd71189c195035df67a081ddbdd095636cbf912c234929a0260a4d159c55c42969582

Download Submit
\Windows\SysWOW64\Bnielm32.exe

Filesize
259KB

MD5
0ab0b1748b70be657043fdc8354a55c1

SHA1
950306bf2ed575af549aa427bf5702a5a82a29ae

SHA256
cace5cb8a0f43098e5a9d0dbdba043c6a66873a056ebc603d59cbc86634182e2

SHA512
af666786cf34735270ad52267373211e0935e2636c56e31d20e03b1deb6cd4f6aac119668346289aedc634f739feadbbb8974965f6666e73d3ebc4dd76d192a8

Download Submit
\Windows\SysWOW64\Ceegmj32.exe

Filesize
259KB

MD5
dc17e0e42a8d770b82f8f62e04c0d7b2

SHA1
95bac1fbd50ce2b4118c9b110e77dfd55c34db08

SHA256
eb5f1f0a5e4bf2d97860dd48cdd1549e9ed4d2e656b58f103aae11258cdfd17d

SHA512
2fa540c7d84ec284396e497febd652f3fcf05ef433f8ab36e20c34e1b9b5414900ea5ff1cbd21774a1df25772b4b5ce1c0317da3f388d14c762087ee437068bf

Download Submit
\Windows\SysWOW64\Cklfll32.exe

Filesize
259KB

MD5
298a2c0d760997b2212bf09122f6175c

SHA1
695858226bdcc0757dbcd75c16f2d11ea0f6c737

SHA256
5896459ffa91612543a32024f3ec68ee7ed02fc8e9e2ec16c2df3600c69a4129

SHA512
20a82db7136ee94132033f2facf95cd0af708c4643b14decdaeabd37adce6cf0d43985964c268262149abc2c6c0944fe6222143e7b5c62c304502a2fc407bba9

Download Submit
memory/268-116-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/268-92-0x0000000000270000-0x00000000002B0000-memory.dmp

Filesize
256KB

Download
memory/268-84-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/480-82-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/480-117-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/480-71-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2192-118-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2192-55-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2192-68-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2192-67-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2220-111-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2220-123-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2724-53-0x0000000000300000-0x0000000000340000-memory.dmp

Filesize
256KB

Download
memory/2724-119-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2820-26-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2896-109-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2896-122-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2928-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2928-121-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2928-24-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2928-25-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2956-41-0x0000000000270000-0x00000000002B0000-memory.dmp

Filesize
256KB

Download
memory/2956-120-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2956-35-0x0000000000270000-0x00000000002B0000-memory.dmp

Filesize
256KB

Download
memory/2956-27-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads