Analysis
max time kernel: 130s
max time network: 125s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21-05-2024 19:24
Behavioral task: behavioral1
Sample: 063f96b834e208e5c6c0d3c2cb425f837517dac56bd183eefe81991bfc1ae741.exe
Resource: win7-20231129-en
Behavioral task: behavioral2
Sample: 063f96b834e208e5c6c0d3c2cb425f837517dac56bd183eefe81991bfc1ae741.exe
Resource: win10v2004-20240426-en
General
Target: 063f96b834e208e5c6c0d3c2cb425f837517dac56bd183eefe81991bfc1ae741.exe
Size: 343KB
MD5: 126d70536cbb21f71eb2f0a8d7cd8b60
SHA1: a13c0c208551c48b0877e46f040a9398fd668553
SHA256: 063f96b834e208e5c6c0d3c2cb425f837517dac56bd183eefe81991bfc1ae741
SHA512: c0e664fddc69a2a635a1252754af34cd7d709febe94be17e107000be960d7cfbff52b851b43c8b97ecb3403232c6a26c7b69d333fb3fc177d311e811edcf9497
SSDEEP: 6144:4S7MzAFEhRTqO+uNk54t3haeTFLel6ZfoPPB2I5BjopZ7TngrVIeoKhyCjonootK:pPFECO+uNk54t3hJVKOfoHBfByZPgrVF
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 4 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | 063f96b834e208e5c6c0d3c2cb425f837517dac56bd183eefe81991bfc1ae741.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | 063f96b834e208e5c6c0d3c2cb425f837517dac56bd183eefe81991bfc1ae741.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Njcpee32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Njcpee32.exe
Malware Dropper & Backdoor - Berbew (2 IoCs)
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
resource | yara_rule
behavioral2/files/0x0006000000022fa8-6.dat | family_berbew
behavioral2/files/0x0007000000023467-15.dat | family_berbew
Executes dropped EXE (2 IoCs)
pid | Process
1428 | Njcpee32.exe
4452 | Nkcmohbg.exe
Drops file in System32 directory (6 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\Njcpee32.exe | 063f96b834e208e5c6c0d3c2cb425f837517dac56bd183eefe81991bfc1ae741.exe
File opened for modification | C:\Windows\SysWOW64\Njcpee32.exe | 063f96b834e208e5c6c0d3c2cb425f837517dac56bd183eefe81991bfc1ae741.exe
File created | C:\Windows\SysWOW64\Ddpfgd32.dll | 063f96b834e208e5c6c0d3c2cb425f837517dac56bd183eefe81991bfc1ae741.exe
File created | C:\Windows\SysWOW64\Nkcmohbg.exe | Njcpee32.exe
File opened for modification | C:\Windows\SysWOW64\Nkcmohbg.exe | Njcpee32.exe
File created | C:\Windows\SysWOW64\Hnibdpde.dll | Njcpee32.exe
Program crash (1 IoCs)
pid | pid_target | Process | procid_target
336 | 4452 | WerFault.exe | 83
Modifies registry class (9 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID | 063f96b834e208e5c6c0d3c2cb425f837517dac56bd183eefe81991bfc1ae741.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | 063f96b834e208e5c6c0d3c2cb425f837517dac56bd183eefe81991bfc1ae741.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Njcpee32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | 063f96b834e208e5c6c0d3c2cb425f837517dac56bd183eefe81991bfc1ae741.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node | 063f96b834e208e5c6c0d3c2cb425f837517dac56bd183eefe81991bfc1ae741.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll" | Njcpee32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Njcpee32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831} | 063f96b834e208e5c6c0d3c2cb425f837517dac56bd183eefe81991bfc1ae741.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddpfgd32.dll" | 063f96b834e208e5c6c0d3c2cb425f837517dac56bd183eefe81991bfc1ae741.exe
Suspicious use of WriteProcessMemory (6 IoCs)
description | pid | Process | procid_target
PID 116 wrote to memory of 1428 | 116 | 063f96b834e208e5c6c0d3c2cb425f837517dac56bd183eefe81991bfc1ae741.exe | 82
PID 116 wrote to memory of 1428 | 116 | 063f96b834e208e5c6c0d3c2cb425f837517dac56bd183eefe81991bfc1ae741.exe | 82
PID 116 wrote to memory of 1428 | 116 | 063f96b834e208e5c6c0d3c2cb425f837517dac56bd183eefe81991bfc1ae741.exe | 82
PID 1428 wrote to memory of 4452 | 1428 | Njcpee32.exe | 83
PID 1428 wrote to memory of 4452 | 1428 | Njcpee32.exe | 83
PID 1428 wrote to memory of 4452 | 1428 | Njcpee32.exe | 83
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\063f96b834e208e5c6c0d3c2cb425f837517dac56bd183eefe81991bfc1ae741.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\063f96b834e208e5c6c0d3c2cb425f837517dac56bd183eefe81991bfc1ae741.exe"
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID: 116
  Level 2: C:\Windows\SysWOW64\Njcpee32.exe
    Command line: C:\Windows\system32\Njcpee32.exe
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID: 1428
    Level 3: C:\Windows\SysWOW64\Nkcmohbg.exe
      Command line: C:\Windows\system32\Nkcmohbg.exe
      - Executes dropped EXE
      PID: 4452
      Level 4: C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4452 -s 412
        - Program crash
        PID: 336
Level 1: C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4452 -ip 4452
  PID: 3988
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 343KB
MD5: 57fad6c379eac5bf5c8d6938aa54e406
SHA1: 2d1e1e93b0726a3e5281e2220bdfd2ce8641e406
SHA256: 0eae331debf6a6c1e7ba394254a24b83fd2238ab418d3f9c7be7c6c8a9ec6e95
SHA512: b1d999bc5ea1a5c6f262394904d01a869960a36dba3e5e60ab0a5e73b7450cf1e247619add93c46cba13da2f0696d13c0a25226eadd4b81b39b95e9e46638e86

Filesize: 343KB
MD5: 6905949fb185f68dae7987004bd13752
SHA1: 0017a1710be96c14b6c04dd100f352803b0f8963
SHA256: 7817d58b9c97d756ec7ce112c1ab413bffc213733690b194caa58db4f5da672e
SHA512: 65dee0230bb2aed061d8e6cb85cf86d4176aa16727105af3190127d78d8bb8f6aab0ee8157777e46a61ed20ecf5960b9072bfbe6a75281776239bf7b3b55652e