0dfe3d8158f64c497e62344493f2f6ae5a87be1a4ed09b477cc66e28f3d68246

General

Target

0dfe3d8158f64c497e62344493f2f6ae5a87be1a4ed09b477cc66e28f3d68246.exe
Size

282KB
MD5

1dddabcb33a8af52dbd5d14a31f8bfa0
SHA1

af44bc450e24fa311d34cf1016396e4da3987509
SHA256

0dfe3d8158f64c497e62344493f2f6ae5a87be1a4ed09b477cc66e28f3d68246
SHA512

f27c767a50c9629c4ef66e0a6a2e337a6b8d40503bd596ac4c1f83e4ae30774b23f00c5e4a57199c3b155d339b13caf8fcebe6cff469444600af84188b07cbf6
SSDEEP

6144:iXu/YXoz+PglGhhx9ebK7mOoS3C+kEjiPISUOgW9X+hOGzC/:GmYXoqPgl+9eaNv3C+kmZzcukG2/

Score

10^/10

Malware Config

Signatures

Malware Dropper & Backdoor - Berbew 1 IoCs

Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.

backdoor trojan dropper

Processes:

resource	yara_rule
\Windows\SysWOW64\RIIND.exe	family_berbew

Executes dropped EXE 1 IoCs

Processes:

RIIND.exe

pid process

2532 RIIND.exe
Loads dropped DLL 2 IoCs

Processes:

cmd.exe

pid process

1036 cmd.exe
1036 cmd.exe

pid	process
2532	RIIND.exe

pid	process
1036	cmd.exe
1036	cmd.exe

Drops file in System32 directory 3 IoCs

Processes:

0dfe3d8158f64c497e62344493f2f6ae5a87be1a4ed09b477cc66e28f3d68246.exe

description	ioc	process
File created	C:\windows\SysWOW64\RIIND.exe	0dfe3d8158f64c497e62344493f2f6ae5a87be1a4ed09b477cc66e28f3d68246.exe
File opened for modification	C:\windows\SysWOW64\RIIND.exe	0dfe3d8158f64c497e62344493f2f6ae5a87be1a4ed09b477cc66e28f3d68246.exe
File created	C:\windows\SysWOW64\RIIND.exe.bat	0dfe3d8158f64c497e62344493f2f6ae5a87be1a4ed09b477cc66e28f3d68246.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

0dfe3d8158f64c497e62344493f2f6ae5a87be1a4ed09b477cc66e28f3d68246.exeRIIND.exe

pid process

2192 0dfe3d8158f64c497e62344493f2f6ae5a87be1a4ed09b477cc66e28f3d68246.exe
2532 RIIND.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

0dfe3d8158f64c497e62344493f2f6ae5a87be1a4ed09b477cc66e28f3d68246.exeRIIND.exe

pid	process
2192	0dfe3d8158f64c497e62344493f2f6ae5a87be1a4ed09b477cc66e28f3d68246.exe
2192	0dfe3d8158f64c497e62344493f2f6ae5a87be1a4ed09b477cc66e28f3d68246.exe
2532	RIIND.exe
2532	RIIND.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

0dfe3d8158f64c497e62344493f2f6ae5a87be1a4ed09b477cc66e28f3d68246.execmd.exe

description	pid	process	target process
PID 2192 wrote to memory of 1036	2192	0dfe3d8158f64c497e62344493f2f6ae5a87be1a4ed09b477cc66e28f3d68246.exe	cmd.exe
PID 2192 wrote to memory of 1036	2192	0dfe3d8158f64c497e62344493f2f6ae5a87be1a4ed09b477cc66e28f3d68246.exe	cmd.exe
PID 2192 wrote to memory of 1036	2192	0dfe3d8158f64c497e62344493f2f6ae5a87be1a4ed09b477cc66e28f3d68246.exe	cmd.exe
PID 2192 wrote to memory of 1036	2192	0dfe3d8158f64c497e62344493f2f6ae5a87be1a4ed09b477cc66e28f3d68246.exe	cmd.exe
PID 1036 wrote to memory of 2532	1036	cmd.exe	RIIND.exe
PID 1036 wrote to memory of 2532	1036	cmd.exe	RIIND.exe
PID 1036 wrote to memory of 2532	1036	cmd.exe	RIIND.exe
PID 1036 wrote to memory of 2532	1036	cmd.exe	RIIND.exe

C:\Users\Admin\AppData\Local\Temp\0dfe3d8158f64c497e62344493f2f6ae5a87be1a4ed09b477cc66e28f3d68246.exe
"C:\Users\Admin\AppData\Local\Temp\0dfe3d8158f64c497e62344493f2f6ae5a87be1a4ed09b477cc66e28f3d68246.exe"
1⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2192

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\windows\system32\RIIND.exe.bat" "
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1036

C:\windows\SysWOW64\RIIND.exe
C:\windows\system32\RIIND.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2532

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\RIIND.exe.bat
Filesize
74B

MD5
bff55cdd2819120c3a49a4fa8d6581a8

SHA1
4e5a2787bae1b515bad285a717cd701da56e9f72

SHA256
96e6f0d0430ef4397a508c208a661494cf2d54cb70c3799f3919d5e622098b04

SHA512
691725ff5a311dd28822f2e3d707dc73939c85e5df45fdbcf09b987242db84428bc0735cccc2977c9693b4ed4005588dd562eb940cfb002f65fb3b936199813b

Download Submit
\Windows\SysWOW64\RIIND.exe
Filesize
282KB

MD5
d2ffe8c41c62b4d304f9de64cb3ee352

SHA1
7a6adf74addcd5a3151652efc8cb759cf70d58d8

SHA256
b123465ae62c7e1ea36ab7a7f981273e4f8a2b3f2ee97ef11c81c041ad692ca3

SHA512
42a309ffc64ac484e9a26dc48bfb8f45b19832a1ce86100d2a80f3b84dcbf38548602c128b13878167821a83d08ac0029448ba21987d6385af115fbfee2c8b02

Download Submit
memory/1036-17-0x0000000000170000-0x00000000001A9000-memory.dmp

Filesize
228KB

Download
memory/1036-18-0x0000000000170000-0x00000000001A9000-memory.dmp

Filesize
228KB

Download
memory/2192-0-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2192-12-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2532-20-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2532-21-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads