7c70ab6bf0015e221166e74ded4a8135ce839d2a309d7c3e30de7bbc758d75c1

General

Target

NEAS.c58c6b433692a6ce0ffe2dc2a2961610.exe
Size

269KB
MD5

c58c6b433692a6ce0ffe2dc2a2961610
SHA1

6a28d255cc647039a409c9b78ede46da8e1fbcda
SHA256

7c70ab6bf0015e221166e74ded4a8135ce839d2a309d7c3e30de7bbc758d75c1
SHA512

b7794098dad22af35b98c1380cc146a72a8c14e42d83fa8ee55df7b97ceb90deef85c04d178ba6ae30fbf1664d04e1cee367be63ba77d1cada32220bdc0eac9d
SSDEEP

6144:uj7C7HCiooDX4EYtCwGtMtkiXOoloMr1JeSldqP7+x55Kmj50GXoCcmASBTw2AX4:uj7+QChtMtkM71r1MSXqPix55KI5fX/Z

Score

10^/10

dropper persistence trojan

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	NEAS.c58c6b433692a6ce0ffe2dc2a2961610.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	NEAS.c58c6b433692a6ce0ffe2dc2a2961610.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mmokpglb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mmokpglb.exe

Malware Backdoor - Berbew 4 IoCs

Berbew is a malware infection classified as a 'backdoor' Trojan. This malicious program's primary function is to cause chain infections - it can download/install additional malware such as other Trojans, ransomware, and cryptominers.

persistence dropper trojan

resource	yara_rule
behavioral2/files/0x0006000000022dee-7.dat	family_berbew
behavioral2/files/0x0006000000022dee-6.dat	family_berbew
behavioral2/files/0x0006000000022df0-14.dat	family_berbew
behavioral2/files/0x0006000000022df0-16.dat	family_berbew

Executes dropped EXE 2 IoCs

pid	Process
2784	Mmokpglb.exe
4544	Mbldhn32.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Mmokpglb.exe	NEAS.c58c6b433692a6ce0ffe2dc2a2961610.exe
File opened for modification	C:\Windows\SysWOW64\Mmokpglb.exe	NEAS.c58c6b433692a6ce0ffe2dc2a2961610.exe
File created	C:\Windows\SysWOW64\Ibgfkq32.dll	NEAS.c58c6b433692a6ce0ffe2dc2a2961610.exe
File created	C:\Windows\SysWOW64\Mbldhn32.exe	Mmokpglb.exe
File opened for modification	C:\Windows\SysWOW64\Mbldhn32.exe	Mmokpglb.exe
File created	C:\Windows\SysWOW64\Kigmon32.dll	Mmokpglb.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3476	4544	WerFault.exe	91

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	NEAS.c58c6b433692a6ce0ffe2dc2a2961610.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	NEAS.c58c6b433692a6ce0ffe2dc2a2961610.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibgfkq32.dll"	NEAS.c58c6b433692a6ce0ffe2dc2a2961610.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	NEAS.c58c6b433692a6ce0ffe2dc2a2961610.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mmokpglb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kigmon32.dll"	Mmokpglb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mmokpglb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	NEAS.c58c6b433692a6ce0ffe2dc2a2961610.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	NEAS.c58c6b433692a6ce0ffe2dc2a2961610.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1332 wrote to memory of 2784	1332	NEAS.c58c6b433692a6ce0ffe2dc2a2961610.exe	89
PID 1332 wrote to memory of 2784	1332	NEAS.c58c6b433692a6ce0ffe2dc2a2961610.exe	89
PID 1332 wrote to memory of 2784	1332	NEAS.c58c6b433692a6ce0ffe2dc2a2961610.exe	89
PID 2784 wrote to memory of 4544	2784	Mmokpglb.exe	91
PID 2784 wrote to memory of 4544	2784	Mmokpglb.exe	91
PID 2784 wrote to memory of 4544	2784	Mmokpglb.exe	91

C:\Users\Admin\AppData\Local\Temp\NEAS.c58c6b433692a6ce0ffe2dc2a2961610.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.c58c6b433692a6ce0ffe2dc2a2961610.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1332
- C:\Windows\SysWOW64\Mmokpglb.exe
  C:\Windows\system32\Mmokpglb.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2784
- - C:\Windows\SysWOW64\Mbldhn32.exe
    C:\Windows\system32\Mbldhn32.exe
    3⤵
    - Executes dropped EXE
    PID:4544
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4544 -s 412
      4⤵
      Program crash
      PID:3476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4544 -ip 4544
1⤵
PID:3232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Mbldhn32.exe

Filesize
269KB

MD5
ded612e08410b4d68030276a0b1b4abe

SHA1
d397b729e979e7c01ff188ed18bd57846e5a6f89

SHA256
9aaa265fd62d6ee72126a61f2c3ffedae9cfd379161790d1810b92e68c78de0c

SHA512
d3a87913e6707747c12bb93010329953e5400a44fdc69295aebe0a61ae5fa51b84a3d331e49e86036c5b27fa9bcf8aeb0789d4a930079b802dd2e442e44aa490

Download Submit
C:\Windows\SysWOW64\Mbldhn32.exe

Filesize
269KB

MD5
ded612e08410b4d68030276a0b1b4abe

SHA1
d397b729e979e7c01ff188ed18bd57846e5a6f89

SHA256
9aaa265fd62d6ee72126a61f2c3ffedae9cfd379161790d1810b92e68c78de0c

SHA512
d3a87913e6707747c12bb93010329953e5400a44fdc69295aebe0a61ae5fa51b84a3d331e49e86036c5b27fa9bcf8aeb0789d4a930079b802dd2e442e44aa490

Download Submit
C:\Windows\SysWOW64\Mmokpglb.exe

Filesize
269KB

MD5
12689014ba94bdc851e59558e9af9776

SHA1
e998e08064993a48a5c2d5861a6acb0d8dc29ca8

SHA256
1ed296d447dbf154648d3f58ad0b8c5d2bd377b1e09a015442f5f7663b84791c

SHA512
b7a912ec76bce042489618d83b8ae41fece9d0578539938d4effbd5c24d1205ba4d56bd14842f600bb6de9d2f745cba34977340647d1755c8f629f223aed0116

Download Submit
C:\Windows\SysWOW64\Mmokpglb.exe

Filesize
269KB

MD5
12689014ba94bdc851e59558e9af9776

SHA1
e998e08064993a48a5c2d5861a6acb0d8dc29ca8

SHA256
1ed296d447dbf154648d3f58ad0b8c5d2bd377b1e09a015442f5f7663b84791c

SHA512
b7a912ec76bce042489618d83b8ae41fece9d0578539938d4effbd5c24d1205ba4d56bd14842f600bb6de9d2f745cba34977340647d1755c8f629f223aed0116

Download Submit
memory/1332-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1332-19-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2784-8-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2784-18-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4544-15-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4544-17-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads