Analysis

  • max time kernel
    130s
  • max time network
    125s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    21-05-2024 19:24

General

  • Target

    063f96b834e208e5c6c0d3c2cb425f837517dac56bd183eefe81991bfc1ae741.exe

  • Size

    343KB

  • MD5

    126d70536cbb21f71eb2f0a8d7cd8b60

  • SHA1

    a13c0c208551c48b0877e46f040a9398fd668553

  • SHA256

    063f96b834e208e5c6c0d3c2cb425f837517dac56bd183eefe81991bfc1ae741

  • SHA512

    c0e664fddc69a2a635a1252754af34cd7d709febe94be17e107000be960d7cfbff52b851b43c8b97ecb3403232c6a26c7b69d333fb3fc177d311e811edcf9497

  • SSDEEP

    6144:4S7MzAFEhRTqO+uNk54t3haeTFLel6ZfoPPB2I5BjopZ7TngrVIeoKhyCjonootK:pPFECO+uNk54t3hJVKOfoHBfByZPgrVF

Malware Config

Signatures

  • Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 4 IoCs
  • Malware Dropper & Backdoor - Berbew 2 IoCs

    Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.

  • Executes dropped EXE 2 IoCs
  • Drops file in System32 directory 6 IoCs
  • Program crash 1 IoCs
  • Modifies registry class 9 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\063f96b834e208e5c6c0d3c2cb425f837517dac56bd183eefe81991bfc1ae741.exe
    "C:\Users\Admin\AppData\Local\Temp\063f96b834e208e5c6c0d3c2cb425f837517dac56bd183eefe81991bfc1ae741.exe"
    1⤵
    • Adds autorun key to be loaded by Explorer.exe on startup
    • Drops file in System32 directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:116
    • C:\Windows\SysWOW64\Njcpee32.exe
      C:\Windows\system32\Njcpee32.exe
      2⤵
      • Adds autorun key to be loaded by Explorer.exe on startup
      • Executes dropped EXE
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:1428
      • C:\Windows\SysWOW64\Nkcmohbg.exe
        C:\Windows\system32\Nkcmohbg.exe
        3⤵
        • Executes dropped EXE
        PID:4452
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4452 -s 412
          4⤵
          • Program crash
          PID:336
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4452 -ip 4452
    1⤵
    PID:3988

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Windows\SysWOW64\Njcpee32.exe

      Filesize

      343KB

      MD5

      57fad6c379eac5bf5c8d6938aa54e406

      SHA1

      2d1e1e93b0726a3e5281e2220bdfd2ce8641e406

      SHA256

      0eae331debf6a6c1e7ba394254a24b83fd2238ab418d3f9c7be7c6c8a9ec6e95

      SHA512

      b1d999bc5ea1a5c6f262394904d01a869960a36dba3e5e60ab0a5e73b7450cf1e247619add93c46cba13da2f0696d13c0a25226eadd4b81b39b95e9e46638e86

    • C:\Windows\SysWOW64\Nkcmohbg.exe

      Filesize

      343KB

      MD5

      6905949fb185f68dae7987004bd13752

      SHA1

      0017a1710be96c14b6c04dd100f352803b0f8963

      SHA256

      7817d58b9c97d756ec7ce112c1ab413bffc213733690b194caa58db4f5da672e

      SHA512

      65dee0230bb2aed061d8e6cb85cf86d4176aa16727105af3190127d78d8bb8f6aab0ee8157777e46a61ed20ecf5960b9072bfbe6a75281776239bf7b3b55652e

    • memory/116-0-0x0000000000400000-0x000000000043F000-memory.dmp

      Filesize

      252KB

    • memory/116-19-0x0000000000400000-0x000000000043F000-memory.dmp

      Filesize

      252KB

    • memory/1428-7-0x0000000000400000-0x000000000043F000-memory.dmp

      Filesize

      252KB

    • memory/1428-18-0x0000000000400000-0x000000000043F000-memory.dmp

      Filesize

      252KB

    • memory/4452-16-0x0000000000400000-0x000000000043F000-memory.dmp

      Filesize

      252KB

    • memory/4452-17-0x0000000000400000-0x000000000043F000-memory.dmp

      Filesize

      252KB