4ee19dee0a7a3abac981c8a0537c84821a7df4ea04601a95363e4e270092c48e

Analysis

max time kernel
138s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
02/11/2023, 16:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.f905c019ac841541722fded3bb57ecf0.exe
Size

398KB
MD5

f905c019ac841541722fded3bb57ecf0
SHA1

d59281bc5351a377c8968eca9521c0ec536be9e9
SHA256

4ee19dee0a7a3abac981c8a0537c84821a7df4ea04601a95363e4e270092c48e
SHA512

4294407bc9f83de4cfd6abd2353424d1d77ef390514990bacb2c6c4389089b7dd1671d17514f04cf05862ee7ed66e55374a0053bfd43a7209ff9df7a0394fcbb
SSDEEP

12288:2wW3zp6t3XGCByvNv54B9f01ZmHByvNv5imipWf0Aq:I3zp6t3XGpvr4B9f01ZmQvrimipWf0Aq

Score

10^/10

dropper persistence trojan

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddllkbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dahmfpap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	NEAS.f905c019ac841541722fded3bb57ecf0.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chkobkod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cgqlcg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dddllkbf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dahmfpap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	NEAS.f905c019ac841541722fded3bb57ecf0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Chkobkod.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgqlcg32.exe

Malware Backdoor - Berbew 10 IoCs

Berbew is a malware infection classified as a 'backdoor' Trojan. This malicious program's primary function is to cause chain infections - it can download/install additional malware such as other Trojans, ransomware, and cryptominers.

persistence dropper trojan

resource	yara_rule
behavioral2/files/0x0008000000022c9c-6.dat	family_berbew
behavioral2/files/0x0008000000022c9c-8.dat	family_berbew
behavioral2/files/0x0008000000022cc4-14.dat	family_berbew
behavioral2/files/0x0008000000022cc4-16.dat	family_berbew
behavioral2/files/0x0007000000022d82-22.dat	family_berbew
behavioral2/files/0x0007000000022d82-24.dat	family_berbew
behavioral2/files/0x0007000000022d84-30.dat	family_berbew
behavioral2/files/0x0007000000022d84-32.dat	family_berbew
behavioral2/files/0x0007000000022d86-38.dat	family_berbew
behavioral2/files/0x0007000000022d86-39.dat	family_berbew

Executes dropped EXE 5 IoCs

pid	Process
1084	Chkobkod.exe
3536	Cgqlcg32.exe
1424	Dddllkbf.exe
4584	Dahmfpap.exe
2284	Dkqaoe32.exe

Drops file in System32 directory 15 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Chkobkod.exe	NEAS.f905c019ac841541722fded3bb57ecf0.exe
File created	C:\Windows\SysWOW64\Jhijep32.dll	Chkobkod.exe
File opened for modification	C:\Windows\SysWOW64\Dddllkbf.exe	Cgqlcg32.exe
File opened for modification	C:\Windows\SysWOW64\Dahmfpap.exe	Dddllkbf.exe
File created	C:\Windows\SysWOW64\Ipjijkpg.dll	Dddllkbf.exe
File created	C:\Windows\SysWOW64\Mbkkam32.dll	NEAS.f905c019ac841541722fded3bb57ecf0.exe
File created	C:\Windows\SysWOW64\Cgqlcg32.exe	Chkobkod.exe
File created	C:\Windows\SysWOW64\Dddllkbf.exe	Cgqlcg32.exe
File created	C:\Windows\SysWOW64\Dkqaoe32.exe	Dahmfpap.exe
File created	C:\Windows\SysWOW64\Glfdiedd.dll	Dahmfpap.exe
File opened for modification	C:\Windows\SysWOW64\Chkobkod.exe	NEAS.f905c019ac841541722fded3bb57ecf0.exe
File opened for modification	C:\Windows\SysWOW64\Cgqlcg32.exe	Chkobkod.exe
File created	C:\Windows\SysWOW64\Nalhik32.dll	Cgqlcg32.exe
File created	C:\Windows\SysWOW64\Dahmfpap.exe	Dddllkbf.exe
File opened for modification	C:\Windows\SysWOW64\Dkqaoe32.exe	Dahmfpap.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
440	2284	WerFault.exe	90

Modifies registry class 18 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	NEAS.f905c019ac841541722fded3bb57ecf0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	NEAS.f905c019ac841541722fded3bb57ecf0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cgqlcg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cgqlcg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dddllkbf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dahmfpap.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Chkobkod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dahmfpap.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	NEAS.f905c019ac841541722fded3bb57ecf0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbkkam32.dll"	NEAS.f905c019ac841541722fded3bb57ecf0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	NEAS.f905c019ac841541722fded3bb57ecf0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhijep32.dll"	Chkobkod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Chkobkod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nalhik32.dll"	Cgqlcg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipjijkpg.dll"	Dddllkbf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	NEAS.f905c019ac841541722fded3bb57ecf0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dddllkbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glfdiedd.dll"	Dahmfpap.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 3252 wrote to memory of 1084	3252	NEAS.f905c019ac841541722fded3bb57ecf0.exe	86
PID 3252 wrote to memory of 1084	3252	NEAS.f905c019ac841541722fded3bb57ecf0.exe	86
PID 3252 wrote to memory of 1084	3252	NEAS.f905c019ac841541722fded3bb57ecf0.exe	86
PID 1084 wrote to memory of 3536	1084	Chkobkod.exe	87
PID 1084 wrote to memory of 3536	1084	Chkobkod.exe	87
PID 1084 wrote to memory of 3536	1084	Chkobkod.exe	87
PID 3536 wrote to memory of 1424	3536	Cgqlcg32.exe	88
PID 3536 wrote to memory of 1424	3536	Cgqlcg32.exe	88
PID 3536 wrote to memory of 1424	3536	Cgqlcg32.exe	88
PID 1424 wrote to memory of 4584	1424	Dddllkbf.exe	89
PID 1424 wrote to memory of 4584	1424	Dddllkbf.exe	89
PID 1424 wrote to memory of 4584	1424	Dddllkbf.exe	89
PID 4584 wrote to memory of 2284	4584	Dahmfpap.exe	90
PID 4584 wrote to memory of 2284	4584	Dahmfpap.exe	90
PID 4584 wrote to memory of 2284	4584	Dahmfpap.exe	90

C:\Users\Admin\AppData\Local\Temp\NEAS.f905c019ac841541722fded3bb57ecf0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.f905c019ac841541722fded3bb57ecf0.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3252
- C:\Windows\SysWOW64\Chkobkod.exe
  C:\Windows\system32\Chkobkod.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1084
- - C:\Windows\SysWOW64\Cgqlcg32.exe
    C:\Windows\system32\Cgqlcg32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3536
  - - C:\Windows\SysWOW64\Dddllkbf.exe
      C:\Windows\system32\Dddllkbf.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1424
    - - C:\Windows\SysWOW64\Dahmfpap.exe
        
        C:\Windows\system32\Dahmfpap.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4584
      - C:\Windows\SysWOW64\Dkqaoe32.exe
        
        C:\Windows\system32\Dkqaoe32.exe
        6⤵
        Executes dropped EXE
        
        PID:2284
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2284 -s 412
        7⤵
        Program crash
        
        PID:440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2284 -ip 2284
1⤵
PID:3132

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Cgqlcg32.exe

Filesize
398KB

MD5
c9177cf70b985bfa33926c085d9b39d4

SHA1
9c0967edd03b8b24f88ecde108a8d4fb84e98056

SHA256
53dde8ca22434c8e88b8c1698bf44c7a9a7ac06f3cb704884da6fec1225d3d48

SHA512
a1a97dbc053730ce9cbfdf9af37937838edc48412ec975fda8e549f22b1b344d51dcd0c5feebce7014e2d5a988a9729359e6a307b5618b9440e8e647f37efefe

Download Submit
C:\Windows\SysWOW64\Cgqlcg32.exe

Filesize
398KB

MD5
c9177cf70b985bfa33926c085d9b39d4

SHA1
9c0967edd03b8b24f88ecde108a8d4fb84e98056

SHA256
53dde8ca22434c8e88b8c1698bf44c7a9a7ac06f3cb704884da6fec1225d3d48

SHA512
a1a97dbc053730ce9cbfdf9af37937838edc48412ec975fda8e549f22b1b344d51dcd0c5feebce7014e2d5a988a9729359e6a307b5618b9440e8e647f37efefe

Download Submit
C:\Windows\SysWOW64\Chkobkod.exe

Filesize
398KB

MD5
bf025ea56d9322773cfd0cef2b1087ab

SHA1
b8f583f50c52c8a1fe8f42ff1940dc1374577fa4

SHA256
0e988a84c23df196671ce77ebc11da4935477b39626f4736b3e2c54a065ed7cf

SHA512
3bce8549f6bfbaa993cf125cf4ba1e9a5eb63951bf68505034d4f9fb7c4ebbd752337d901f75f826ca728ff5d066692cd72778b9edc12fd9cf60a06c7a4cea93

Download Submit
C:\Windows\SysWOW64\Chkobkod.exe

Filesize
398KB

MD5
bf025ea56d9322773cfd0cef2b1087ab

SHA1
b8f583f50c52c8a1fe8f42ff1940dc1374577fa4

SHA256
0e988a84c23df196671ce77ebc11da4935477b39626f4736b3e2c54a065ed7cf

SHA512
3bce8549f6bfbaa993cf125cf4ba1e9a5eb63951bf68505034d4f9fb7c4ebbd752337d901f75f826ca728ff5d066692cd72778b9edc12fd9cf60a06c7a4cea93

Download Submit
C:\Windows\SysWOW64\Dahmfpap.exe

Filesize
398KB

MD5
0916d4a2592b96f33f80937effdc20ec

SHA1
2bd5642e129587d75200ed65e487f287b6f92afd

SHA256
737dd5c7264f620b0d9f7ce0fbb626f8491e60fec4cffec4ab8a638a651b1aad

SHA512
1f96758fe49b963b44aa3cfbfa281db00228e5a04fd1246e4d02f39fe50084f083eaf718db6dc6fe64e00882a073b5d312fb197f48ed97ad9f12dd0581d8899f

Download Submit
C:\Windows\SysWOW64\Dahmfpap.exe

Filesize
398KB

MD5
0916d4a2592b96f33f80937effdc20ec

SHA1
2bd5642e129587d75200ed65e487f287b6f92afd

SHA256
737dd5c7264f620b0d9f7ce0fbb626f8491e60fec4cffec4ab8a638a651b1aad

SHA512
1f96758fe49b963b44aa3cfbfa281db00228e5a04fd1246e4d02f39fe50084f083eaf718db6dc6fe64e00882a073b5d312fb197f48ed97ad9f12dd0581d8899f

Download Submit
C:\Windows\SysWOW64\Dddllkbf.exe

Filesize
398KB

MD5
e36979ad7fa0149c80f01ad81c97add4

SHA1
af2184fb0c96426708f3d68df9d2e3546e9d4c57

SHA256
2075abccabbf05fafa3590014b70e997f9355f97ebfdb1056e54438e347c16b8

SHA512
0790255ad6835e80403b1662bd94d0322d4793fc7d8d401d0b96ce93a881f8ec864e803622e0dc0e9f4ad837fd850c25988d703ee7936df10d371bcc465cf986

Download Submit
C:\Windows\SysWOW64\Dddllkbf.exe

Filesize
398KB

MD5
e36979ad7fa0149c80f01ad81c97add4

SHA1
af2184fb0c96426708f3d68df9d2e3546e9d4c57

SHA256
2075abccabbf05fafa3590014b70e997f9355f97ebfdb1056e54438e347c16b8

SHA512
0790255ad6835e80403b1662bd94d0322d4793fc7d8d401d0b96ce93a881f8ec864e803622e0dc0e9f4ad837fd850c25988d703ee7936df10d371bcc465cf986

Download Submit
C:\Windows\SysWOW64\Dkqaoe32.exe

Filesize
398KB

MD5
fc15b9cd6fc1a5f76ef6170c8725793c

SHA1
5f5e9aac6e799d0ae39dda0fd415dd7feeb20c03

SHA256
24278ec300dc053af72d4bb3df1c88947567695ff66cc41705370e0a2431ff4a

SHA512
cdbee595a304612a43e2bfd4b27849c9939d7a8293beffafff55bcf8baf7db11d7decf3e42fd4d2fb731cdd309652f7eb8fe12e9c4b80af251e2efca2ec0023b

Download Submit
C:\Windows\SysWOW64\Dkqaoe32.exe

Filesize
398KB

MD5
fc15b9cd6fc1a5f76ef6170c8725793c

SHA1
5f5e9aac6e799d0ae39dda0fd415dd7feeb20c03

SHA256
24278ec300dc053af72d4bb3df1c88947567695ff66cc41705370e0a2431ff4a

SHA512
cdbee595a304612a43e2bfd4b27849c9939d7a8293beffafff55bcf8baf7db11d7decf3e42fd4d2fb731cdd309652f7eb8fe12e9c4b80af251e2efca2ec0023b

Download Submit
C:\Windows\SysWOW64\Glfdiedd.dll

Filesize
7KB

MD5
ce9d9bdc9a371081ab93b864b31e44a5

SHA1
5255b61f4e328d54ef8bb83274133a0df0761043

SHA256
5cfaab5dac577e8918e520149172af80b468d3c68a64dd6bd982384e57b20d66

SHA512
f675bf75fb56c54a1fa8e86204c1ab65cdb00b6b73aa74733e8b3c31697a9d7f002dffed4158f847320bd4eca22208fb428d4c6acb2a2e826e84f4530c9ab98a

Download Submit
memory/1084-7-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1084-45-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1424-43-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1424-23-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2284-40-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2284-41-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3252-0-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3252-46-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3536-44-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3536-15-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4584-42-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4584-31-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads