berbew | 1e5fa01c8cb1ff584c5d76319ef8064180784ff14022fb3424481c5c9a30e43c

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
06/03/2025, 22:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1e5fa01c8cb1ff584c5d76319ef8064180784ff14022fb3424481c5c9a30e43c.exe
Size

208KB
MD5

287db9475f35361a4314acacef65fbb1
SHA1

879b289585d31e0f07e122af08813bda46470ef1
SHA256

1e5fa01c8cb1ff584c5d76319ef8064180784ff14022fb3424481c5c9a30e43c
SHA512

759404e5eafad079f90fc7384829f27856c19db448b24330ada0bd261b92cea2f360364963229bf0ccd348f74840a4586c0ebc7c86429e80afe4482706558ab8
SSDEEP

3072:BTI8C5gD2/QHZpRJBmrg6+oXO56hKpi9poF5aY6+oocpGHHQnNJuIb:1HZ9BQh+Eu6QnFw5+0pU8b

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 20 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	1e5fa01c8cb1ff584c5d76319ef8064180784ff14022fb3424481c5c9a30e43c.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckjamgmk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caifjn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnmfdb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmpkqklh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Boogmgkl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cocphf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ckjamgmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Caifjn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	1e5fa01c8cb1ff584c5d76319ef8064180784ff14022fb3424481c5c9a30e43c.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bffbdadk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bffbdadk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmpkqklh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Boogmgkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cocphf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cinafkkd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djdgic32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cinafkkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnmfdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Djdgic32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 10 IoCs

pid	Process
936	Bffbdadk.exe
396	Bmpkqklh.exe
2836	Boogmgkl.exe
2764	Cocphf32.exe
2656	Ckjamgmk.exe
2676	Cinafkkd.exe
2704	Caifjn32.exe
2036	Cnmfdb32.exe
1872	Djdgic32.exe
3052	Dpapaj32.exe

Loads dropped DLL 23 IoCs

pid	Process
2560	1e5fa01c8cb1ff584c5d76319ef8064180784ff14022fb3424481c5c9a30e43c.exe
2560	1e5fa01c8cb1ff584c5d76319ef8064180784ff14022fb3424481c5c9a30e43c.exe
936	Bffbdadk.exe
936	Bffbdadk.exe
396	Bmpkqklh.exe
396	Bmpkqklh.exe
2836	Boogmgkl.exe
2836	Boogmgkl.exe
2764	Cocphf32.exe
2764	Cocphf32.exe
2656	Ckjamgmk.exe
2656	Ckjamgmk.exe
2676	Cinafkkd.exe
2676	Cinafkkd.exe
2704	Caifjn32.exe
2704	Caifjn32.exe
2036	Cnmfdb32.exe
2036	Cnmfdb32.exe
1872	Djdgic32.exe
1872	Djdgic32.exe
2888	WerFault.exe
2888	WerFault.exe
2888	WerFault.exe

Drops file in System32 directory 32 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Bffbdadk.exe	1e5fa01c8cb1ff584c5d76319ef8064180784ff14022fb3424481c5c9a30e43c.exe
File created	C:\Windows\SysWOW64\Alecllfh.dll	1e5fa01c8cb1ff584c5d76319ef8064180784ff14022fb3424481c5c9a30e43c.exe
File created	C:\Windows\SysWOW64\Ibcihh32.dll	Bmpkqklh.exe
File opened for modification	C:\Windows\SysWOW64\Ckjamgmk.exe	Cocphf32.exe
File created	C:\Windows\SysWOW64\Cinafkkd.exe	Ckjamgmk.exe
File created	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe
File created	C:\Windows\SysWOW64\Ckjamgmk.exe	Cocphf32.exe
File created	C:\Windows\SysWOW64\Caifjn32.exe	Cinafkkd.exe
File created	C:\Windows\SysWOW64\Onaiomjo.dll	Cinafkkd.exe
File created	C:\Windows\SysWOW64\Cnmfdb32.exe	Caifjn32.exe
File created	C:\Windows\SysWOW64\Pdkefp32.dll	Djdgic32.exe
File created	C:\Windows\SysWOW64\Bffbdadk.exe	1e5fa01c8cb1ff584c5d76319ef8064180784ff14022fb3424481c5c9a30e43c.exe
File created	C:\Windows\SysWOW64\Eepejpil.dll	Ckjamgmk.exe
File created	C:\Windows\SysWOW64\Djdgic32.exe	Cnmfdb32.exe
File created	C:\Windows\SysWOW64\Dpapaj32.exe	Djdgic32.exe
File opened for modification	C:\Windows\SysWOW64\Dpapaj32.exe	Djdgic32.exe
File opened for modification	C:\Windows\SysWOW64\Boogmgkl.exe	Bmpkqklh.exe
File created	C:\Windows\SysWOW64\Ccofjipn.dll	Cnmfdb32.exe
File opened for modification	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe
File created	C:\Windows\SysWOW64\Bmpkqklh.exe	Bffbdadk.exe
File opened for modification	C:\Windows\SysWOW64\Bmpkqklh.exe	Bffbdadk.exe
File created	C:\Windows\SysWOW64\Pijjilik.dll	Bffbdadk.exe
File created	C:\Windows\SysWOW64\Cocphf32.exe	Boogmgkl.exe
File opened for modification	C:\Windows\SysWOW64\Cocphf32.exe	Boogmgkl.exe
File created	C:\Windows\SysWOW64\Niebgj32.dll	Caifjn32.exe
File opened for modification	C:\Windows\SysWOW64\Cinafkkd.exe	Ckjamgmk.exe
File created	C:\Windows\SysWOW64\Boogmgkl.exe	Bmpkqklh.exe
File created	C:\Windows\SysWOW64\Aqpmpahd.dll	Boogmgkl.exe
File opened for modification	C:\Windows\SysWOW64\Cnmfdb32.exe	Caifjn32.exe
File opened for modification	C:\Windows\SysWOW64\Djdgic32.exe	Cnmfdb32.exe
File created	C:\Windows\SysWOW64\Fbnbckhg.dll	Cocphf32.exe
File opened for modification	C:\Windows\SysWOW64\Caifjn32.exe	Cinafkkd.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2888	3052	WerFault.exe	40

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpapaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bffbdadk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmpkqklh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cocphf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cinafkkd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnmfdb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdgic32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1e5fa01c8cb1ff584c5d76319ef8064180784ff14022fb3424481c5c9a30e43c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Boogmgkl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckjamgmk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caifjn32.exe

Modifies registry class 33 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ckjamgmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Boogmgkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ckjamgmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onaiomjo.dll"	Cinafkkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Caifjn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	1e5fa01c8cb1ff584c5d76319ef8064180784ff14022fb3424481c5c9a30e43c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibcihh32.dll"	Bmpkqklh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bmpkqklh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Caifjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccofjipn.dll"	Cnmfdb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cnmfdb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bffbdadk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cocphf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cocphf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Djdgic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	1e5fa01c8cb1ff584c5d76319ef8064180784ff14022fb3424481c5c9a30e43c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bmpkqklh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Niebgj32.dll"	Caifjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alecllfh.dll"	1e5fa01c8cb1ff584c5d76319ef8064180784ff14022fb3424481c5c9a30e43c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pijjilik.dll"	Bffbdadk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eepejpil.dll"	Ckjamgmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cnmfdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Djdgic32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	1e5fa01c8cb1ff584c5d76319ef8064180784ff14022fb3424481c5c9a30e43c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	1e5fa01c8cb1ff584c5d76319ef8064180784ff14022fb3424481c5c9a30e43c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Boogmgkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aqpmpahd.dll"	Boogmgkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbnbckhg.dll"	Cocphf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdkefp32.dll"	Djdgic32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	1e5fa01c8cb1ff584c5d76319ef8064180784ff14022fb3424481c5c9a30e43c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bffbdadk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cinafkkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cinafkkd.exe

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 2560 wrote to memory of 936	2560	1e5fa01c8cb1ff584c5d76319ef8064180784ff14022fb3424481c5c9a30e43c.exe	31
PID 2560 wrote to memory of 936	2560	1e5fa01c8cb1ff584c5d76319ef8064180784ff14022fb3424481c5c9a30e43c.exe	31
PID 2560 wrote to memory of 936	2560	1e5fa01c8cb1ff584c5d76319ef8064180784ff14022fb3424481c5c9a30e43c.exe	31
PID 2560 wrote to memory of 936	2560	1e5fa01c8cb1ff584c5d76319ef8064180784ff14022fb3424481c5c9a30e43c.exe	31
PID 936 wrote to memory of 396	936	Bffbdadk.exe	32
PID 936 wrote to memory of 396	936	Bffbdadk.exe	32
PID 936 wrote to memory of 396	936	Bffbdadk.exe	32
PID 936 wrote to memory of 396	936	Bffbdadk.exe	32
PID 396 wrote to memory of 2836	396	Bmpkqklh.exe	33
PID 396 wrote to memory of 2836	396	Bmpkqklh.exe	33
PID 396 wrote to memory of 2836	396	Bmpkqklh.exe	33
PID 396 wrote to memory of 2836	396	Bmpkqklh.exe	33
PID 2836 wrote to memory of 2764	2836	Boogmgkl.exe	34
PID 2836 wrote to memory of 2764	2836	Boogmgkl.exe	34
PID 2836 wrote to memory of 2764	2836	Boogmgkl.exe	34
PID 2836 wrote to memory of 2764	2836	Boogmgkl.exe	34
PID 2764 wrote to memory of 2656	2764	Cocphf32.exe	35
PID 2764 wrote to memory of 2656	2764	Cocphf32.exe	35
PID 2764 wrote to memory of 2656	2764	Cocphf32.exe	35
PID 2764 wrote to memory of 2656	2764	Cocphf32.exe	35
PID 2656 wrote to memory of 2676	2656	Ckjamgmk.exe	36
PID 2656 wrote to memory of 2676	2656	Ckjamgmk.exe	36
PID 2656 wrote to memory of 2676	2656	Ckjamgmk.exe	36
PID 2656 wrote to memory of 2676	2656	Ckjamgmk.exe	36
PID 2676 wrote to memory of 2704	2676	Cinafkkd.exe	37
PID 2676 wrote to memory of 2704	2676	Cinafkkd.exe	37
PID 2676 wrote to memory of 2704	2676	Cinafkkd.exe	37
PID 2676 wrote to memory of 2704	2676	Cinafkkd.exe	37
PID 2704 wrote to memory of 2036	2704	Caifjn32.exe	38
PID 2704 wrote to memory of 2036	2704	Caifjn32.exe	38
PID 2704 wrote to memory of 2036	2704	Caifjn32.exe	38
PID 2704 wrote to memory of 2036	2704	Caifjn32.exe	38
PID 2036 wrote to memory of 1872	2036	Cnmfdb32.exe	39
PID 2036 wrote to memory of 1872	2036	Cnmfdb32.exe	39
PID 2036 wrote to memory of 1872	2036	Cnmfdb32.exe	39
PID 2036 wrote to memory of 1872	2036	Cnmfdb32.exe	39
PID 1872 wrote to memory of 3052	1872	Djdgic32.exe	40
PID 1872 wrote to memory of 3052	1872	Djdgic32.exe	40
PID 1872 wrote to memory of 3052	1872	Djdgic32.exe	40
PID 1872 wrote to memory of 3052	1872	Djdgic32.exe	40
PID 3052 wrote to memory of 2888	3052	Dpapaj32.exe	41
PID 3052 wrote to memory of 2888	3052	Dpapaj32.exe	41
PID 3052 wrote to memory of 2888	3052	Dpapaj32.exe	41
PID 3052 wrote to memory of 2888	3052	Dpapaj32.exe	41

C:\Users\Admin\AppData\Local\Temp\1e5fa01c8cb1ff584c5d76319ef8064180784ff14022fb3424481c5c9a30e43c.exe
"C:\Users\Admin\AppData\Local\Temp\1e5fa01c8cb1ff584c5d76319ef8064180784ff14022fb3424481c5c9a30e43c.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2560
- C:\Windows\SysWOW64\Bffbdadk.exe
  C:\Windows\system32\Bffbdadk.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:936
- - C:\Windows\SysWOW64\Bmpkqklh.exe
    C:\Windows\system32\Bmpkqklh.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:396
  - - C:\Windows\SysWOW64\Boogmgkl.exe
      C:\Windows\system32\Boogmgkl.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2836
    - - C:\Windows\SysWOW64\Cocphf32.exe
        
        C:\Windows\system32\Cocphf32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2764
      - C:\Windows\SysWOW64\Ckjamgmk.exe
        
        C:\Windows\system32\Ckjamgmk.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2656
        
        C:\Windows\SysWOW64\Cinafkkd.exe
        
        C:\Windows\system32\Cinafkkd.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2676
        
        C:\Windows\SysWOW64\Caifjn32.exe
        
        C:\Windows\system32\Caifjn32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2704
        
        C:\Windows\SysWOW64\Cnmfdb32.exe
        
        C:\Windows\system32\Cnmfdb32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2036
        
        C:\Windows\SysWOW64\Djdgic32.exe
        
        C:\Windows\system32\Djdgic32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1872
        
        C:\Windows\SysWOW64\Dpapaj32.exe
        
        C:\Windows\system32\Dpapaj32.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3052
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3052 -s 144
        12⤵
        Loads dropped DLL
        Program crash
        
        PID:2888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bffbdadk.exe

Filesize
208KB

MD5
dc3e0180ca977e4740b2b9a02e3d216d

SHA1
b7aa8bebfeca93950808d577e561a53c26db12d3

SHA256
ac0cc63d4efbfd6eb48532cb6cebef36d106e611bc5c186f12f03c9f54d136db

SHA512
fd671a2cc7da343d4919270e8e806e4b1f5a268d3a02e0c6e6c84f73e6c96608a5c9b2a84866d3475e9b56399700de24f5d3efc27ef217f490d74ae3cac77572

Download Submit
C:\Windows\SysWOW64\Fbnbckhg.dll

Filesize
7KB

MD5
bacc4695d34da49329818c11b67818a3

SHA1
0e42062f953c711f60c80df07f85fb71cc8c8bcd

SHA256
a8987cf37dd7be280a83128cbb7bcc08b848236f982910225998b343df0fdd79

SHA512
e5d8ea59c78aa81b00ce91b52518c02deee01a35cdd62ff5161f617978eee4381c85c0911b2b900e76b9340962afa1126abd71d35f9519242dd045af39bb0458

Download Submit
\Windows\SysWOW64\Bmpkqklh.exe

Filesize
208KB

MD5
fe0a4225c3a704f5b6cb809dc584ab62

SHA1
9bb908beb7365e9e07f2e17fc1a3ac7be436e99a

SHA256
6e95ac1438d1e7b098fd838f42868ca706d0e9a511b2395dff1b68262ccd5712

SHA512
41e3fe3ede93901d776ffcc008b5dafae549f3f3d06531ccaac6f66fb0e83c49d20ad6cdbf5859bad2bf60ab07c6824276f19f7e8c33217057a36c6e8f62d0a8

Download Submit
\Windows\SysWOW64\Boogmgkl.exe

Filesize
208KB

MD5
f700fbd6d038441445e1e64e2754cae8

SHA1
77b19885d9dedc612be3e693911f27d55329c3a5

SHA256
972a348d870245526e35dd41f78c5a1482a8befaf284d6383b11b217f1406005

SHA512
38d9e89756bca9a78593fc462fde9bc5c41b66be531472d24e3b97cb243cb1b193a1368cae3f4446e0d1f5f8440667a93104c28b6f045524e77cf708f800f0eb

Download Submit
\Windows\SysWOW64\Caifjn32.exe

Filesize
208KB

MD5
e08cbb36f1649dae021375c7c93d9cf9

SHA1
f388b87a00cb16e2944f7406dcf6aa39926dd7c0

SHA256
ed81adbe73d9dcbe0c6e4ca28d06888ac5b6555ac6f5e08387d6b65ba3058dbf

SHA512
615a24b2c5791ea708b50617f083e3f79d80efb0765c4f274f8ef78b7a085f676f918fca4144c128b3a86bd18cd009335fb9d4c9cd850221ebf279b0a787a703

Download Submit
\Windows\SysWOW64\Cinafkkd.exe

Filesize
208KB

MD5
310cf51d98bb618e52e12e6490d555b3

SHA1
ea921bcd9349ff6c1a4c794a08ba6a3ff1eada91

SHA256
565304aea0292826679b29a503e25a1ae2ed37182e7896e1e208e86da79e7489

SHA512
4fdca75af8c667b7b62421e3a535b5eec2c26c043d0030929c0562757a93bb28ad42d3653fb858cb626d4141c2c7772e9abef350cf5d227ab055d4075b428476

Download Submit
\Windows\SysWOW64\Ckjamgmk.exe

Filesize
208KB

MD5
42f593c66b1535d514c54244bdbb46b0

SHA1
3218ef50c88e25c8de0fdc144d591405baf687e6

SHA256
6f9126cc2b42e4a00c56e55e1535a771d88d74b32c28ab11c57a107cb548110c

SHA512
b20f023c1f0fadb937715ec27f005ce22424bf13b2015b0bd5c9c7b828eaf0c156a0b7ffac0962fff3d14695fa90bed87c79e588bcf01b33e4df0b2975803ba6

Download Submit
\Windows\SysWOW64\Cnmfdb32.exe

Filesize
208KB

MD5
862c487c6443190f9a8f755583aaf4e9

SHA1
f01131af41862af4596990a088ffb377e8d1eb75

SHA256
409278d3b33f95d23d79f125107129c27e7667f7e1cfaa167fbcda3d7258c974

SHA512
cb0912e91e361cd35c9c0b1e54c6bdacf2341d0dd697f49b6278dd0b8acddebbff91a3fe4d6da58cd2a535b3115f006efd579437fef2d2c802f1b276271d62ca

Download Submit
\Windows\SysWOW64\Cocphf32.exe

Filesize
208KB

MD5
b0d5c03697948f8f892e458dc5ac0cf3

SHA1
941629ffdd502268027e503298db35a0b4d47a82

SHA256
44cd140ef202e8f4025a12475f118c3a5318d5cedc38b5cf43187aef517e0ec0

SHA512
e8c6ededac1118242588e3e75958ce58fd4006bf6d140516173fa3f02ea35b007efcd7fd6dcc3f8719680e56a86aa1bf59a7c7da97e4861dfe83775c02dfdc21

Download Submit
\Windows\SysWOW64\Djdgic32.exe

Filesize
208KB

MD5
0a2e098c1d79ef33dc4ea28822ccf7dd

SHA1
9923fc748e0367d0b0d2048e8941916cae1c052f

SHA256
2df77f2e0f2834d22804a93e541a81ad9be4e7bea37ac5eb5836a8d8a36550ae

SHA512
1936432ea33f5460d09cce3aef33e6dafa6a8dfcea22d1b39b246b4af22e8bc5f337c687bf24e0d680d9d15b935cd036b9b14bc989f249abc8e51bf95f0f1445

Download Submit
\Windows\SysWOW64\Dpapaj32.exe

Filesize
208KB

MD5
16a6ba907fa2295563e867fc59e18aa1

SHA1
691cad1008cd8dc6d9a06d44c9271833e58c0245

SHA256
4a52742dc8e5dd2b261d2f5184d593dc4fdf219948cbcca1157bbf907d7ae4eb

SHA512
426e472bbf5b5948088a4c56fb676ad8052b3831cb01661399db607bdda1a07b352bac2339371bb27876bd8597431d63f8297df979b069891749289020f14324

Download Submit
memory/396-147-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/396-34-0x0000000000260000-0x0000000000295000-memory.dmp

Filesize
212KB

Download
memory/396-27-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/936-19-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1872-141-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1872-131-0x00000000002D0000-0x0000000000305000-memory.dmp

Filesize
212KB

Download
memory/2036-106-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2036-140-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2036-113-0x00000000002D0000-0x0000000000305000-memory.dmp

Filesize
212KB

Download
memory/2560-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2560-18-0x0000000000260000-0x0000000000295000-memory.dmp

Filesize
212KB

Download
memory/2560-17-0x0000000000260000-0x0000000000295000-memory.dmp

Filesize
212KB

Download
memory/2560-149-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2656-78-0x00000000002D0000-0x0000000000305000-memory.dmp

Filesize
212KB

Download
memory/2656-143-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2656-66-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2676-142-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2676-86-0x00000000002D0000-0x0000000000305000-memory.dmp

Filesize
212KB

Download
memory/2704-104-0x00000000002E0000-0x0000000000315000-memory.dmp

Filesize
212KB

Download
memory/2704-144-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2764-145-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2764-53-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2836-146-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3052-133-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3052-148-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads