Analysis
- max time kernel: 120s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20240220-en
- resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
- submitted: 21-05-2024 20:56
Behavioral task: behavioral1
- Sample: 0dfe3d8158f64c497e62344493f2f6ae5a87be1a4ed09b477cc66e28f3d68246.exe
- Resource: win7-20240220-en
General
- Target: 0dfe3d8158f64c497e62344493f2f6ae5a87be1a4ed09b477cc66e28f3d68246.exe
- Size: 282KB
- MD5: 1dddabcb33a8af52dbd5d14a31f8bfa0
- SHA1: af44bc450e24fa311d34cf1016396e4da3987509
- SHA256: 0dfe3d8158f64c497e62344493f2f6ae5a87be1a4ed09b477cc66e28f3d68246
- SHA512: f27c767a50c9629c4ef66e0a6a2e337a6b8d40503bd596ac4c1f83e4ae30774b23f00c5e4a57199c3b155d339b13caf8fcebe6cff469444600af84188b07cbf6
- SSDEEP: 6144:iXu/YXoz+PglGhhx9ebK7mOoS3C+kEjiPISUOgW9X+hOGzC/:GmYXoqPgl+9eaNv3C+kmZzcukG2/
Malware Config
Signatures

- Malware Dropper & Backdoor - Berbew (1 IoC)
  Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
  Processes:
    resource | yara_rule
    \Windows\SysWOW64\RIIND.exe | family_berbew

- Executes dropped EXE (1 IoC)
  Processes:
    pid | process
    2532 | RIIND.exe

- Loads dropped DLL (2 IoCs)
  Processes:
    pid | process
    1036 | cmd.exe
    1036 | cmd.exe

- Drops file in System32 directory (3 IoCs)
  Processes:
    description | ioc | process
    File created | C:\windows\SysWOW64\RIIND.exe | 0dfe3d8158f64c497e62344493f2f6ae5a87be1a4ed09b477cc66e28f3d68246.exe
    File opened for modification | C:\windows\SysWOW64\RIIND.exe | 0dfe3d8158f64c497e62344493f2f6ae5a87be1a4ed09b477cc66e28f3d68246.exe
    File created | C:\windows\SysWOW64\RIIND.exe.bat | 0dfe3d8158f64c497e62344493f2f6ae5a87be1a4ed09b477cc66e28f3d68246.exe

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
    pid | process
    2192 | 0dfe3d8158f64c497e62344493f2f6ae5a87be1a4ed09b477cc66e28f3d68246.exe
    2532 | RIIND.exe

- Suspicious use of SetWindowsHookEx (4 IoCs)
  Processes:
    pid | process
    2192 | 0dfe3d8158f64c497e62344493f2f6ae5a87be1a4ed09b477cc66e28f3d68246.exe
    2192 | 0dfe3d8158f64c497e62344493f2f6ae5a87be1a4ed09b477cc66e28f3d68246.exe
    2532 | RIIND.exe
    2532 | RIIND.exe

- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes:
    description | pid | process | target process
    PID 2192 wrote to memory of 1036 | 2192 | 0dfe3d8158f64c497e62344493f2f6ae5a87be1a4ed09b477cc66e28f3d68246.exe | cmd.exe
    PID 2192 wrote to memory of 1036 | 2192 | 0dfe3d8158f64c497e62344493f2f6ae5a87be1a4ed09b477cc66e28f3d68246.exe | cmd.exe
    PID 2192 wrote to memory of 1036 | 2192 | 0dfe3d8158f64c497e62344493f2f6ae5a87be1a4ed09b477cc66e28f3d68246.exe | cmd.exe
    PID 2192 wrote to memory of 1036 | 2192 | 0dfe3d8158f64c497e62344493f2f6ae5a87be1a4ed09b477cc66e28f3d68246.exe | cmd.exe
    PID 1036 wrote to memory of 2532 | 1036 | cmd.exe | RIIND.exe
    PID 1036 wrote to memory of 2532 | 1036 | cmd.exe | RIIND.exe
    PID 1036 wrote to memory of 2532 | 1036 | cmd.exe | RIIND.exe
    PID 1036 wrote to memory of 2532 | 1036 | cmd.exe | RIIND.exe
Processes (process tree; each numbered entry is a child of the one above it)

1. C:\Users\Admin\AppData\Local\Temp\0dfe3d8158f64c497e62344493f2f6ae5a87be1a4ed09b477cc66e28f3d68246.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\0dfe3d8158f64c497e62344493f2f6ae5a87be1a4ed09b477cc66e28f3d68246.exe"
   - Drops file in System32 directory
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c ""C:\windows\system32\RIIND.exe.bat" "
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory

      3. C:\windows\SysWOW64\RIIND.exe
         Command line: C:\windows\system32\RIIND.exe
         - Executes dropped EXE
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads

- C:\Windows\SysWOW64\RIIND.exe.bat
  Filesize: 74B
  MD5: bff55cdd2819120c3a49a4fa8d6581a8
  SHA1: 4e5a2787bae1b515bad285a717cd701da56e9f72
  SHA256: 96e6f0d0430ef4397a508c208a661494cf2d54cb70c3799f3919d5e622098b04
  SHA512: 691725ff5a311dd28822f2e3d707dc73939c85e5df45fdbcf09b987242db84428bc0735cccc2977c9693b4ed4005588dd562eb940cfb002f65fb3b936199813b

- \Windows\SysWOW64\RIIND.exe
  Filesize: 282KB
  MD5: d2ffe8c41c62b4d304f9de64cb3ee352
  SHA1: 7a6adf74addcd5a3151652efc8cb759cf70d58d8
  SHA256: b123465ae62c7e1ea36ab7a7f981273e4f8a2b3f2ee97ef11c81c041ad692ca3
  SHA512: 42a309ffc64ac484e9a26dc48bfb8f45b19832a1ce86100d2a80f3b84dcbf38548602c128b13878167821a83d08ac0029448ba21987d6385af115fbfee2c8b02

- memory/1036-17-0x0000000000170000-0x00000000001A9000-memory.dmp
  Filesize: 228KB

- memory/1036-18-0x0000000000170000-0x00000000001A9000-memory.dmp
  Filesize: 228KB

- memory/2192-0-0x0000000000400000-0x0000000000439000-memory.dmp
  Filesize: 228KB

- memory/2192-12-0x0000000000400000-0x0000000000439000-memory.dmp
  Filesize: 228KB

- memory/2532-20-0x0000000000400000-0x0000000000439000-memory.dmp
  Filesize: 228KB

- memory/2532-21-0x0000000000400000-0x0000000000439000-memory.dmp
  Filesize: 228KB