Analysis

  • max time kernel
    94s
  • max time network
    95s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    16-09-2024 10:36

General

  • Target

    Backdoor.Win32.Berbew.exe

  • Size

    94KB

  • MD5

    8df2899392b9d766c6b603398b137f30

  • SHA1

    c7a4808f609f5a30958011e8b3ebdae04351d7d4

  • SHA256

    ba04bfb3cb877388a1f3a8fe89d187270cdbba181fc005294e57c0b4abd03793

  • SHA512

    7a1ea6dca82ed63671d3967403fc42383bf875545e66a4da62ae463a22160533e20fe4161960b0c93e47db143fee5fc612c9d8160711c80a0decf2ce05ddc85d

  • SSDEEP

    1536:uVQ7q65UdZQ8kHGPSmLD8QGuomb2B2LHRMQ262AjCsQ2PCZZrqOlNfVSLUKkJr4:uouQ+hkrmfHRMQH2qC7ZQOlzSLUK64

Malware Config

Extracted

Family

berbew

C2

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

  • Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 26 IoCs
  • Berbew

    Berbew is a backdoor written in C++.

  • Executes dropped EXE 13 IoCs
  • Drops file in System32 directory 39 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 42 IoCs
  • Suspicious use of WriteProcessMemory 39 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe
    "C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe"
    1⤵
    • Adds autorun key to be loaded by Explorer.exe on startup
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:884
    • C:\Windows\SysWOW64\Dfiafg32.exe
      C:\Windows\system32\Dfiafg32.exe
      2⤵
      • Adds autorun key to be loaded by Explorer.exe on startup
      • Executes dropped EXE
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:460
      • C:\Windows\SysWOW64\Dopigd32.exe
        C:\Windows\system32\Dopigd32.exe
        3⤵
        • Adds autorun key to be loaded by Explorer.exe on startup
        • Executes dropped EXE
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:1748
        • C:\Windows\SysWOW64\Dejacond.exe
          C:\Windows\system32\Dejacond.exe
          4⤵
          • Adds autorun key to be loaded by Explorer.exe on startup
          • Executes dropped EXE
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          • Suspicious use of WriteProcessMemory
          PID:2280
          • C:\Windows\SysWOW64\Ddmaok32.exe
            C:\Windows\system32\Ddmaok32.exe
            5⤵
            • Adds autorun key to be loaded by Explorer.exe on startup
            • Executes dropped EXE
            • Drops file in System32 directory
            • System Location Discovery: System Language Discovery
            • Modifies registry class
            • Suspicious use of WriteProcessMemory
            PID:3172
            • C:\Windows\SysWOW64\Dobfld32.exe
              C:\Windows\system32\Dobfld32.exe
              6⤵
              • Adds autorun key to be loaded by Explorer.exe on startup
              • Executes dropped EXE
              • Drops file in System32 directory
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              • Suspicious use of WriteProcessMemory
              PID:1916
              • C:\Windows\SysWOW64\Delnin32.exe
                C:\Windows\system32\Delnin32.exe
                7⤵
                • Adds autorun key to be loaded by Explorer.exe on startup
                • Executes dropped EXE
                • Drops file in System32 directory
                • System Location Discovery: System Language Discovery
                • Modifies registry class
                • Suspicious use of WriteProcessMemory
                PID:4408
                • C:\Windows\SysWOW64\Dhkjej32.exe
                  C:\Windows\system32\Dhkjej32.exe
                  8⤵
                  • Adds autorun key to be loaded by Explorer.exe on startup
                  • Executes dropped EXE
                  • Drops file in System32 directory
                  • System Location Discovery: System Language Discovery
                  • Modifies registry class
                  • Suspicious use of WriteProcessMemory
                  PID:228
                  • C:\Windows\SysWOW64\Dmgbnq32.exe
                    C:\Windows\system32\Dmgbnq32.exe
                    9⤵
                    • Adds autorun key to be loaded by Explorer.exe on startup
                    • Executes dropped EXE
                    • Drops file in System32 directory
                    • System Location Discovery: System Language Discovery
                    • Modifies registry class
                    • Suspicious use of WriteProcessMemory
                    PID:4844
                    • C:\Windows\SysWOW64\Ddakjkqi.exe
                      C:\Windows\system32\Ddakjkqi.exe
                      10⤵
                      • Adds autorun key to be loaded by Explorer.exe on startup
                      • Executes dropped EXE
                      • Drops file in System32 directory
                      • System Location Discovery: System Language Discovery
                      • Modifies registry class
                      • Suspicious use of WriteProcessMemory
                      PID:436
                      • C:\Windows\SysWOW64\Dfpgffpm.exe
                        C:\Windows\system32\Dfpgffpm.exe
                        11⤵
                        • Adds autorun key to be loaded by Explorer.exe on startup
                        • Executes dropped EXE
                        • Drops file in System32 directory
                        • System Location Discovery: System Language Discovery
                        • Modifies registry class
                        • Suspicious use of WriteProcessMemory
                        PID:2864
                        • C:\Windows\SysWOW64\Dogogcpo.exe
                          C:\Windows\system32\Dogogcpo.exe
                          12⤵
                          • Adds autorun key to be loaded by Explorer.exe on startup
                          • Executes dropped EXE
                          • Drops file in System32 directory
                          • System Location Discovery: System Language Discovery
                          • Modifies registry class
                          • Suspicious use of WriteProcessMemory
                          PID:3208
                          • C:\Windows\SysWOW64\Dhocqigp.exe
                            C:\Windows\system32\Dhocqigp.exe
                            13⤵
                            • Adds autorun key to be loaded by Explorer.exe on startup
                            • Executes dropped EXE
                            • Drops file in System32 directory
                            • System Location Discovery: System Language Discovery
                            • Modifies registry class
                            • Suspicious use of WriteProcessMemory
                            PID:2700
                            • C:\Windows\SysWOW64\Dmllipeg.exe
                              C:\Windows\system32\Dmllipeg.exe
                              14⤵
                              • Executes dropped EXE
                              • System Location Discovery: System Language Discovery
                              PID:2704
                              • C:\Windows\SysWOW64\WerFault.exe
                                C:\Windows\SysWOW64\WerFault.exe -u -p 2704 -s 216
                                15⤵
                                • Program crash
                                PID:3356
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2704 -ip 2704
    1⤵
      PID:872

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Windows\SysWOW64\Ddakjkqi.exe

      Filesize

      94KB

      MD5

      a066b5ea886ca6f94ef8d0fbebff69ed

      SHA1

      2a6fa1bfb9ce8fb14193602b87ae5fa5a80f9138

      SHA256

      487a16269004e06c1c25ea3f4434f7df31de019a59c4093b29a35882512efe84

      SHA512

      0c4360bb43ff6ae05992ba41930c548b0de79067cebace2a8d74a114f2d8690f27295be3f8e9a24f351ec5762b64121364ffe4d43e265d634677738a166be8b2

    • C:\Windows\SysWOW64\Ddmaok32.exe

      Filesize

      94KB

      MD5

      a33620401695a154e7a227a10c9fe2bd

      SHA1

      c72af06a19da4380b8493557c6d93691b33fb554

      SHA256

      cc6d2ce94d296aae0641857aaa3fffb305a64cae8b954a5fe033971d31853663

      SHA512

      6d26a871b288bd6cb705cc06d4ffb7dc88090c397fe94953b37330c509d2a48a3b347c2bd65d0b005ecc3a673025bbc509734585dd4a44bb9d6c45d8ee75417c

    • C:\Windows\SysWOW64\Dejacond.exe

      Filesize

      94KB

      MD5

      763c718445665c9b24068c0bae0dc1cb

      SHA1

      aaf4a60f503dc1478665e361703f5e3891b3f7e6

      SHA256

      ee11d2d4cea6377c684082dcc42cb2a6faf2b87f7add4527a326c422132981b3

      SHA512

      a6f2dd094b22928d164d4e7cc77442b37a4b1cb1ee0ca831483f6bcc545d4926ec177939b0caf6acc6ab8b8d6545c8dafd0362c6fb9c262d3e1324971454b2ed

    • C:\Windows\SysWOW64\Delnin32.exe

      Filesize

      94KB

      MD5

      78a6d2bfb8502ed058713d6300385c86

      SHA1

      57bec98cb9bf10b761667ab46ebcc8c5004ee08e

      SHA256

      fe50b45264bca0d350218a0e96cdcaa3250fa1d2cab93e41880f58b62c12fc81

      SHA512

      f63101060915d7d84c2096f969fa45302c591149f402fed762140d9fd18dfc522bbe7dd920f9f7bec0fd6fa795d2acf3ed251a080dc8667952f2b35324ea8d5b

    • C:\Windows\SysWOW64\Dfiafg32.exe

      Filesize

      94KB

      MD5

      08b2e828baf32b14aeedcd998944d732

      SHA1

      c4067a16313f14fcbb2f4185e8b852d5b50d04a8

      SHA256

      0baaf8fd74219aca591475d2b1b454abde29fcf16e1e9aff8e33ce6978a1739f

      SHA512

      252e1d3af6d30ec124e161fb4353ab37206594fb6512de0da098fb8bfbbefdb9c3c55d9c9d1996402de687a1422a0aca21fef41c925f72cb869e81875742d5d0

    • C:\Windows\SysWOW64\Dfpgffpm.exe

      Filesize

      94KB

      MD5

      f1e696b2a789d4713106d47777b0afc2

      SHA1

      e48b0e0f2126e8423cbcfa356bd3926e85f6fe01

      SHA256

      8fc5585ae3df9f0a16caeda6d67b28c10d2c550aa3b5939a731cc1c9049b6eea

      SHA512

      540b80ffebcce18990b3dc5e15a85b80f7e817375e9bcf92b08c651e58a644f4203d944c73e08b50f0d03ed47fca853ddee33f0bc661b0c87b67e3858e16c49c

    • C:\Windows\SysWOW64\Dhkjej32.exe

      Filesize

      94KB

      MD5

      e7c7b3cc29afd3fc8d22528d4a04e4d9

      SHA1

      58243b9a7f54eceb4f4f1ba90eb4a84d9a01549a

      SHA256

      5351172fa70ad49e6a2c15158a165df3f9c4d29c7418928f05c1d608b215eea3

      SHA512

      511bb274acf92b641204711c188e32cb28caa4593ad524e8488beadb6ae76f73386d9bdef03f814c165be1af70e9b11f5956820b402e23c806144b38e52a3861

    • C:\Windows\SysWOW64\Dhocqigp.exe

      Filesize

      94KB

      MD5

      f3a40027be1987a9822c78a23a81a6d7

      SHA1

      6e0bc88765b6d0074416b2be16dbfed6e343e929

      SHA256

      c8af088a2ec1311309db836f83c8035fed5648f3c21c64b64d9ae95279fad135

      SHA512

      4b1a755e122ac01eacf23189ce8aedb377a6f24b03ad0ca896b906dbab4bbfc4ae4b22d57a38287965b513e98c463aac495a34008eae317ce6e07fa99361e1e1

    • C:\Windows\SysWOW64\Dmgbnq32.exe

      Filesize

      94KB

      MD5

      13f5d4e970c11dbcea4a31e660bf0e0d

      SHA1

      d70de24392421cb3fe1248a1f5a3a19a8dbdcb54

      SHA256

      2005b07b2dcc274fb833df686892797c93d76b4fe3b0583e2cba05af8b48a059

      SHA512

      00a37524ce0bb81e32005ad47b46839a415f3db6d48d29aaac627f0260a5dd287163ab045259fbcee2f5ec18ce7cae18765740068c2dd0814c02121e92dad50d

    • C:\Windows\SysWOW64\Dmllipeg.exe

      Filesize

      94KB

      MD5

      7b50bf34d1d33b9fcd3c1f4727bd1fa6

      SHA1

      986a2f31c78a915d3f31a3987b25a45c011b0f85

      SHA256

      ad645a9ee797163552ed5dd7508ddf2360ec9fce731a1cf6aac7c324d2c512ef

      SHA512

      7cc05664eb7d68dd1979499f01e6831fee4150045cdc521c534618770a9588d9190016794f312107ce5718b8a734ff1050832d2f58ce352c3d86561073decbcc

    • C:\Windows\SysWOW64\Dobfld32.exe

      Filesize

      94KB

      MD5

      e5b179c49b096168bb5172ab3f09fa2f

      SHA1

      268a03d781260264b6ae9ebe7e29bbb0dc5822b4

      SHA256

      24e47f69c87f6a733a8c20fb516bc85375378902f91e6596cae4930fa685a8a3

      SHA512

      2572c1a567f4a3554bd380e72fbdf0ed8dd95ebb291b975bb3c6e7f068d6b4e7206a7002595e206aed548493516430b6e571d738f09e9dd3290b841b60b77333

    • C:\Windows\SysWOW64\Dogogcpo.exe

      Filesize

      94KB

      MD5

      5ba89478726832dce0ce2965620ce3c4

      SHA1

      c15d5cb1c9540468fdc1ed039de810444cb64d2e

      SHA256

      03d88ad6316f7be8700ff67852d78cc52b0cc10f4eebe4c0b2d108386bf482c5

      SHA512

      288114790574d74ce1482a1270812a5f0f51c18fb812099735329967b224f19e230d4002b2591459e218f26e89255d72c4fb0c0c55578d1c45275757f6109231

    • C:\Windows\SysWOW64\Dopigd32.exe

      Filesize

      94KB

      MD5

      50a21d68a87afb102b22df4c4311bd8d

      SHA1

      b2953029beb5c1f9a2a0d6464758c74dd9d35de3

      SHA256

      178ee77e76c94270a65ccf61618da8b4e7e32803c6e1f04f3dfa7556f802752e

      SHA512

      e266ebec86245e29e51fc6274cb7eb2039a4d3ae3b53e8cd5fe603a02259635a766c1482cb23933cf3b1cd8880ff8269c957fa4dd8c60df45c2fc1841eab5d4c

    • memory/228-117-0x0000000000400000-0x0000000000441000-memory.dmp

      Filesize

      260KB

    • memory/228-56-0x0000000000400000-0x0000000000441000-memory.dmp

      Filesize

      260KB

    • memory/436-74-0x0000000000400000-0x0000000000441000-memory.dmp

      Filesize

      260KB

    • memory/436-115-0x0000000000400000-0x0000000000441000-memory.dmp

      Filesize

      260KB

    • memory/460-8-0x0000000000400000-0x0000000000441000-memory.dmp

      Filesize

      260KB

    • memory/460-90-0x0000000000400000-0x0000000000441000-memory.dmp

      Filesize

      260KB

    • memory/884-73-0x0000000000400000-0x0000000000441000-memory.dmp

      Filesize

      260KB

    • memory/884-0-0x0000000000400000-0x0000000000441000-memory.dmp

      Filesize

      260KB

    • memory/884-1-0x0000000000431000-0x0000000000432000-memory.dmp

      Filesize

      4KB

    • memory/1748-16-0x0000000000400000-0x0000000000441000-memory.dmp

      Filesize

      260KB

    • memory/1748-99-0x0000000000400000-0x0000000000441000-memory.dmp

      Filesize

      260KB

    • memory/1916-119-0x0000000000400000-0x0000000000441000-memory.dmp

      Filesize

      260KB

    • memory/1916-40-0x0000000000400000-0x0000000000441000-memory.dmp

      Filesize

      260KB

    • memory/2280-107-0x0000000000400000-0x0000000000441000-memory.dmp

      Filesize

      260KB

    • memory/2280-24-0x0000000000400000-0x0000000000441000-memory.dmp

      Filesize

      260KB

    • memory/2700-112-0x0000000000400000-0x0000000000441000-memory.dmp

      Filesize

      260KB

    • memory/2700-100-0x0000000000400000-0x0000000000441000-memory.dmp

      Filesize

      260KB

    • memory/2704-108-0x0000000000400000-0x0000000000441000-memory.dmp

      Filesize

      260KB

    • memory/2704-111-0x0000000000400000-0x0000000000441000-memory.dmp

      Filesize

      260KB

    • memory/2864-114-0x0000000000400000-0x0000000000441000-memory.dmp

      Filesize

      260KB

    • memory/2864-82-0x0000000000400000-0x0000000000441000-memory.dmp

      Filesize

      260KB

    • memory/3172-33-0x0000000000400000-0x0000000000441000-memory.dmp

      Filesize

      260KB

    • memory/3172-110-0x0000000000400000-0x0000000000441000-memory.dmp

      Filesize

      260KB

    • memory/3208-91-0x0000000000400000-0x0000000000441000-memory.dmp

      Filesize

      260KB

    • memory/3208-113-0x0000000000400000-0x0000000000441000-memory.dmp

      Filesize

      260KB

    • memory/4408-49-0x0000000000400000-0x0000000000441000-memory.dmp

      Filesize

      260KB

    • memory/4408-118-0x0000000000400000-0x0000000000441000-memory.dmp

      Filesize

      260KB

    • memory/4844-64-0x0000000000400000-0x0000000000441000-memory.dmp

      Filesize

      260KB

    • memory/4844-116-0x0000000000400000-0x0000000000441000-memory.dmp

      Filesize

      260KB