ebc9f734d7dcb88e3efffed7345c32e4367b521c30d4c8d7b3cd6c9841c3909a

Analysis

max time kernel
119s
max time network
122s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
27-11-2023 16:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c2bcba43afcc330e01ddc2c76bd9d857.exe
Size

143KB
MD5

c2bcba43afcc330e01ddc2c76bd9d857
SHA1

4ebaf623d209130effeb51f15c24b429f8c8a897
SHA256

ebc9f734d7dcb88e3efffed7345c32e4367b521c30d4c8d7b3cd6c9841c3909a
SHA512

09d15c66413dc13f739146d39b52d667f5226c226bad1750fdca7efc42405575473abf4459e9fa6afb7a2810b510c352494245c0b2b66908a5b9f8a4ee33196f
SSDEEP

3072:N0upez+bnBRNVrPqX3N93bsGfhv0vt3y:Lez+bnBRDPqX3vLsGZv0vti

Score

10^/10

dropper persistence trojan

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	c2bcba43afcc330e01ddc2c76bd9d857.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Idceea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Idceea32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	c2bcba43afcc330e01ddc2c76bd9d857.exe

Malware Backdoor - Berbew 17 IoCs

Berbew is a malware infection classified as a 'backdoor' Trojan. This malicious program's primary function is to cause chain infections - it can download/install additional malware such as other Trojans, ransomware, and cryptominers.

persistence dropper trojan

resource	yara_rule
behavioral1/memory/2516-0-0x0000000000400000-0x0000000000440000-memory.dmp	family_berbew
behavioral1/memory/2516-6-0x0000000000220000-0x0000000000260000-memory.dmp	family_berbew
behavioral1/files/0x0008000000012024-5.dat	family_berbew
behavioral1/files/0x0008000000012024-12.dat	family_berbew
behavioral1/files/0x0008000000012024-14.dat	family_berbew
behavioral1/files/0x0008000000012024-9.dat	family_berbew
behavioral1/files/0x00310000000142d1-25.dat	family_berbew
behavioral1/files/0x00310000000142d1-22.dat	family_berbew
behavioral1/files/0x00310000000142d1-21.dat	family_berbew
behavioral1/files/0x00310000000142d1-19.dat	family_berbew
behavioral1/files/0x0008000000012024-8.dat	family_berbew
behavioral1/files/0x00310000000142d1-28.dat	family_berbew
behavioral1/files/0x00310000000142d1-27.dat	family_berbew
behavioral1/files/0x00310000000142d1-26.dat	family_berbew
behavioral1/files/0x00310000000142d1-29.dat	family_berbew
behavioral1/memory/2516-30-0x0000000000400000-0x0000000000440000-memory.dmp	family_berbew
behavioral1/memory/2352-31-0x0000000000400000-0x0000000000440000-memory.dmp	family_berbew

Executes dropped EXE 2 IoCs

pid	Process
2352	Idceea32.exe
2788	Iagfoe32.exe

Loads dropped DLL 8 IoCs

pid	Process
2516	c2bcba43afcc330e01ddc2c76bd9d857.exe
2516	c2bcba43afcc330e01ddc2c76bd9d857.exe
2352	Idceea32.exe
2352	Idceea32.exe
3016	WerFault.exe
3016	WerFault.exe
3016	WerFault.exe
3016	WerFault.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Idceea32.exe	c2bcba43afcc330e01ddc2c76bd9d857.exe
File opened for modification	C:\Windows\SysWOW64\Idceea32.exe	c2bcba43afcc330e01ddc2c76bd9d857.exe
File created	C:\Windows\SysWOW64\Pqiqnfej.dll	c2bcba43afcc330e01ddc2c76bd9d857.exe
File created	C:\Windows\SysWOW64\Iagfoe32.exe	Idceea32.exe
File opened for modification	C:\Windows\SysWOW64\Iagfoe32.exe	Idceea32.exe
File created	C:\Windows\SysWOW64\Gjenmobn.dll	Idceea32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3016	2788	WerFault.exe	29

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	c2bcba43afcc330e01ddc2c76bd9d857.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	c2bcba43afcc330e01ddc2c76bd9d857.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjenmobn.dll"	Idceea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Idceea32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	c2bcba43afcc330e01ddc2c76bd9d857.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	c2bcba43afcc330e01ddc2c76bd9d857.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pqiqnfej.dll"	c2bcba43afcc330e01ddc2c76bd9d857.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	c2bcba43afcc330e01ddc2c76bd9d857.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Idceea32.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2516 wrote to memory of 2352	2516	c2bcba43afcc330e01ddc2c76bd9d857.exe	28
PID 2516 wrote to memory of 2352	2516	c2bcba43afcc330e01ddc2c76bd9d857.exe	28
PID 2516 wrote to memory of 2352	2516	c2bcba43afcc330e01ddc2c76bd9d857.exe	28
PID 2516 wrote to memory of 2352	2516	c2bcba43afcc330e01ddc2c76bd9d857.exe	28
PID 2352 wrote to memory of 2788	2352	Idceea32.exe	29
PID 2352 wrote to memory of 2788	2352	Idceea32.exe	29
PID 2352 wrote to memory of 2788	2352	Idceea32.exe	29
PID 2352 wrote to memory of 2788	2352	Idceea32.exe	29
PID 2788 wrote to memory of 3016	2788	Iagfoe32.exe	30
PID 2788 wrote to memory of 3016	2788	Iagfoe32.exe	30
PID 2788 wrote to memory of 3016	2788	Iagfoe32.exe	30
PID 2788 wrote to memory of 3016	2788	Iagfoe32.exe	30

C:\Users\Admin\AppData\Local\Temp\c2bcba43afcc330e01ddc2c76bd9d857.exe
"C:\Users\Admin\AppData\Local\Temp\c2bcba43afcc330e01ddc2c76bd9d857.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2516
- C:\Windows\SysWOW64\Idceea32.exe
  C:\Windows\system32\Idceea32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2352
- - C:\Windows\SysWOW64\Iagfoe32.exe
    C:\Windows\system32\Iagfoe32.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2788
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2788 -s 140
      4⤵
      Loads dropped DLL
      Program crash
      PID:3016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Iagfoe32.exe

Filesize
143KB

MD5
dc2dd885883759df1ba2aec9ad278946

SHA1
2aa792d9606c6af6b8f535677c56b226c73cc7c3

SHA256
9fc0987845c2cf5a5054379aafa7dd22199cca5e79fb9065ba5d76ac1fb18c86

SHA512
9667781aa02ce1381ccadedca25d8a07d6d66fb685c69d7e50dd330afa7a51f00bc288dd70b98e0f55cfb1bd23f558299c603a663bdd3e3c40b050d8b3107a30

Download Submit
C:\Windows\SysWOW64\Iagfoe32.exe

Filesize
143KB

MD5
dc2dd885883759df1ba2aec9ad278946

SHA1
2aa792d9606c6af6b8f535677c56b226c73cc7c3

SHA256
9fc0987845c2cf5a5054379aafa7dd22199cca5e79fb9065ba5d76ac1fb18c86

SHA512
9667781aa02ce1381ccadedca25d8a07d6d66fb685c69d7e50dd330afa7a51f00bc288dd70b98e0f55cfb1bd23f558299c603a663bdd3e3c40b050d8b3107a30

Download Submit
C:\Windows\SysWOW64\Idceea32.exe

Filesize
143KB

MD5
a6c65808c54d96a8151692c46f5bbea8

SHA1
b066a991278de615075e45be25bf0890d1826490

SHA256
254a6df95d0062f0391f0afdd4d015b69dd875e924c48fe939c33ec9209a1dd8

SHA512
ac9f398fc6de5582c1586e402b2576a84fbd833a1b575248840f54195417fd807d3e94ba11a253552431de6cbde2c094690e1691c4a4f19db3d5279caa7013ad

Download Submit
C:\Windows\SysWOW64\Idceea32.exe

Filesize
143KB

MD5
a6c65808c54d96a8151692c46f5bbea8

SHA1
b066a991278de615075e45be25bf0890d1826490

SHA256
254a6df95d0062f0391f0afdd4d015b69dd875e924c48fe939c33ec9209a1dd8

SHA512
ac9f398fc6de5582c1586e402b2576a84fbd833a1b575248840f54195417fd807d3e94ba11a253552431de6cbde2c094690e1691c4a4f19db3d5279caa7013ad

Download Submit
C:\Windows\SysWOW64\Idceea32.exe

Filesize
143KB

MD5
a6c65808c54d96a8151692c46f5bbea8

SHA1
b066a991278de615075e45be25bf0890d1826490

SHA256
254a6df95d0062f0391f0afdd4d015b69dd875e924c48fe939c33ec9209a1dd8

SHA512
ac9f398fc6de5582c1586e402b2576a84fbd833a1b575248840f54195417fd807d3e94ba11a253552431de6cbde2c094690e1691c4a4f19db3d5279caa7013ad

Download Submit
\Windows\SysWOW64\Iagfoe32.exe

Filesize
143KB

MD5
dc2dd885883759df1ba2aec9ad278946

SHA1
2aa792d9606c6af6b8f535677c56b226c73cc7c3

SHA256
9fc0987845c2cf5a5054379aafa7dd22199cca5e79fb9065ba5d76ac1fb18c86

SHA512
9667781aa02ce1381ccadedca25d8a07d6d66fb685c69d7e50dd330afa7a51f00bc288dd70b98e0f55cfb1bd23f558299c603a663bdd3e3c40b050d8b3107a30

Download Submit
\Windows\SysWOW64\Iagfoe32.exe

Filesize
143KB

MD5
dc2dd885883759df1ba2aec9ad278946

SHA1
2aa792d9606c6af6b8f535677c56b226c73cc7c3

SHA256
9fc0987845c2cf5a5054379aafa7dd22199cca5e79fb9065ba5d76ac1fb18c86

SHA512
9667781aa02ce1381ccadedca25d8a07d6d66fb685c69d7e50dd330afa7a51f00bc288dd70b98e0f55cfb1bd23f558299c603a663bdd3e3c40b050d8b3107a30

Download Submit
\Windows\SysWOW64\Iagfoe32.exe

Filesize
143KB

MD5
dc2dd885883759df1ba2aec9ad278946

SHA1
2aa792d9606c6af6b8f535677c56b226c73cc7c3

SHA256
9fc0987845c2cf5a5054379aafa7dd22199cca5e79fb9065ba5d76ac1fb18c86

SHA512
9667781aa02ce1381ccadedca25d8a07d6d66fb685c69d7e50dd330afa7a51f00bc288dd70b98e0f55cfb1bd23f558299c603a663bdd3e3c40b050d8b3107a30

Download Submit
\Windows\SysWOW64\Iagfoe32.exe

Filesize
143KB

MD5
dc2dd885883759df1ba2aec9ad278946

SHA1
2aa792d9606c6af6b8f535677c56b226c73cc7c3

SHA256
9fc0987845c2cf5a5054379aafa7dd22199cca5e79fb9065ba5d76ac1fb18c86

SHA512
9667781aa02ce1381ccadedca25d8a07d6d66fb685c69d7e50dd330afa7a51f00bc288dd70b98e0f55cfb1bd23f558299c603a663bdd3e3c40b050d8b3107a30

Download Submit
\Windows\SysWOW64\Iagfoe32.exe

Filesize
143KB

MD5
dc2dd885883759df1ba2aec9ad278946

SHA1
2aa792d9606c6af6b8f535677c56b226c73cc7c3

SHA256
9fc0987845c2cf5a5054379aafa7dd22199cca5e79fb9065ba5d76ac1fb18c86

SHA512
9667781aa02ce1381ccadedca25d8a07d6d66fb685c69d7e50dd330afa7a51f00bc288dd70b98e0f55cfb1bd23f558299c603a663bdd3e3c40b050d8b3107a30

Download Submit
\Windows\SysWOW64\Iagfoe32.exe

Filesize
143KB

MD5
dc2dd885883759df1ba2aec9ad278946

SHA1
2aa792d9606c6af6b8f535677c56b226c73cc7c3

SHA256
9fc0987845c2cf5a5054379aafa7dd22199cca5e79fb9065ba5d76ac1fb18c86

SHA512
9667781aa02ce1381ccadedca25d8a07d6d66fb685c69d7e50dd330afa7a51f00bc288dd70b98e0f55cfb1bd23f558299c603a663bdd3e3c40b050d8b3107a30

Download Submit
\Windows\SysWOW64\Idceea32.exe

Filesize
143KB

MD5
a6c65808c54d96a8151692c46f5bbea8

SHA1
b066a991278de615075e45be25bf0890d1826490

SHA256
254a6df95d0062f0391f0afdd4d015b69dd875e924c48fe939c33ec9209a1dd8

SHA512
ac9f398fc6de5582c1586e402b2576a84fbd833a1b575248840f54195417fd807d3e94ba11a253552431de6cbde2c094690e1691c4a4f19db3d5279caa7013ad

Download Submit
\Windows\SysWOW64\Idceea32.exe

Filesize
143KB

MD5
a6c65808c54d96a8151692c46f5bbea8

SHA1
b066a991278de615075e45be25bf0890d1826490

SHA256
254a6df95d0062f0391f0afdd4d015b69dd875e924c48fe939c33ec9209a1dd8

SHA512
ac9f398fc6de5582c1586e402b2576a84fbd833a1b575248840f54195417fd807d3e94ba11a253552431de6cbde2c094690e1691c4a4f19db3d5279caa7013ad

Download Submit
memory/2352-31-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2516-6-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/2516-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2516-13-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/2516-30-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads