Analysis
-
max time kernel
94s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
16-09-2024 10:36
Static task
static1
Behavioral task
behavioral1
Sample
Backdoor.Win32.Berbew.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
Backdoor.Win32.Berbew.exe
Resource
win10v2004-20240802-en
General
-
Target
Backdoor.Win32.Berbew.exe
-
Size
94KB
-
MD5
8df2899392b9d766c6b603398b137f30
-
SHA1
c7a4808f609f5a30958011e8b3ebdae04351d7d4
-
SHA256
ba04bfb3cb877388a1f3a8fe89d187270cdbba181fc005294e57c0b4abd03793
-
SHA512
7a1ea6dca82ed63671d3967403fc42383bf875545e66a4da62ae463a22160533e20fe4161960b0c93e47db143fee5fc612c9d8160711c80a0decf2ce05ddc85d
-
SSDEEP
1536:uVQ7q65UdZQ8kHGPSmLD8QGuomb2B2LHRMQ262AjCsQ2PCZZrqOlNfVSLUKkJr4:uouQ+hkrmfHRMQH2qC7ZQOlzSLUK64
Malware Config
Extracted
berbew
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 26 IoCs
Processes:
Dopigd32.exeBackdoor.Win32.Berbew.exeDejacond.exeDobfld32.exeDhkjej32.exeDmgbnq32.exeDhocqigp.exeDdmaok32.exeDdakjkqi.exeDogogcpo.exeDfiafg32.exeDelnin32.exeDfpgffpm.exedescription ioc process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dopigd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Backdoor.Win32.Berbew.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dejacond.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dobfld32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhkjej32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmgbnq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhocqigp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ddmaok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dhkjej32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ddakjkqi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dogogcpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dfiafg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dopigd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dobfld32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Delnin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dmgbnq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dfpgffpm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ddakjkqi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dogogcpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dhocqigp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dejacond.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Delnin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Backdoor.Win32.Berbew.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dfpgffpm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dfiafg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ddmaok32.exe -
Executes dropped EXE 13 IoCs
Processes:
Dfiafg32.exeDopigd32.exeDejacond.exeDdmaok32.exeDobfld32.exeDelnin32.exeDhkjej32.exeDmgbnq32.exeDdakjkqi.exeDfpgffpm.exeDogogcpo.exeDhocqigp.exeDmllipeg.exepid process 460 Dfiafg32.exe 1748 Dopigd32.exe 2280 Dejacond.exe 3172 Ddmaok32.exe 1916 Dobfld32.exe 4408 Delnin32.exe 228 Dhkjej32.exe 4844 Dmgbnq32.exe 436 Ddakjkqi.exe 2864 Dfpgffpm.exe 3208 Dogogcpo.exe 2700 Dhocqigp.exe 2704 Dmllipeg.exe -
Drops file in System32 directory 39 IoCs
Processes:
Dopigd32.exeDejacond.exeDdmaok32.exeDfpgffpm.exeDogogcpo.exeDobfld32.exeDelnin32.exeDhkjej32.exeBackdoor.Win32.Berbew.exeDdakjkqi.exeDfiafg32.exeDmgbnq32.exeDhocqigp.exedescription ioc process File created C:\Windows\SysWOW64\Dejacond.exe Dopigd32.exe File created C:\Windows\SysWOW64\Ddmaok32.exe Dejacond.exe File opened for modification C:\Windows\SysWOW64\Ddmaok32.exe Dejacond.exe File created C:\Windows\SysWOW64\Jjjald32.dll Dejacond.exe File created C:\Windows\SysWOW64\Alcidkmm.dll Ddmaok32.exe File created C:\Windows\SysWOW64\Lbabpnmn.dll Dfpgffpm.exe File created C:\Windows\SysWOW64\Elkadb32.dll Dogogcpo.exe File created C:\Windows\SysWOW64\Gmcfdb32.dll Dobfld32.exe File created C:\Windows\SysWOW64\Jbpbca32.dll Delnin32.exe File created C:\Windows\SysWOW64\Dmgbnq32.exe Dhkjej32.exe File opened for modification C:\Windows\SysWOW64\Dogogcpo.exe Dfpgffpm.exe File opened for modification C:\Windows\SysWOW64\Dhocqigp.exe Dogogcpo.exe File opened for modification C:\Windows\SysWOW64\Dfiafg32.exe Backdoor.Win32.Berbew.exe File created C:\Windows\SysWOW64\Kkmjgool.dll Backdoor.Win32.Berbew.exe File created C:\Windows\SysWOW64\Dhkjej32.exe Delnin32.exe File created C:\Windows\SysWOW64\Ihidnp32.dll Dhkjej32.exe File created C:\Windows\SysWOW64\Dhocqigp.exe Dogogcpo.exe File opened for modification C:\Windows\SysWOW64\Dobfld32.exe Ddmaok32.exe File created C:\Windows\SysWOW64\Dfpgffpm.exe Ddakjkqi.exe File opened for modification C:\Windows\SysWOW64\Dfpgffpm.exe Ddakjkqi.exe File created C:\Windows\SysWOW64\Kmdjdl32.dll Ddakjkqi.exe File created C:\Windows\SysWOW64\Dopigd32.exe Dfiafg32.exe File created C:\Windows\SysWOW64\Dobfld32.exe Ddmaok32.exe File created C:\Windows\SysWOW64\Ddakjkqi.exe Dmgbnq32.exe File created C:\Windows\SysWOW64\Dogogcpo.exe Dfpgffpm.exe File created C:\Windows\SysWOW64\Hcjccj32.dll Dfiafg32.exe File opened for modification C:\Windows\SysWOW64\Dhkjej32.exe Delnin32.exe File opened for modification C:\Windows\SysWOW64\Dmgbnq32.exe Dhkjej32.exe File opened for modification C:\Windows\SysWOW64\Dopigd32.exe Dfiafg32.exe File opened for modification C:\Windows\SysWOW64\Dejacond.exe Dopigd32.exe File created C:\Windows\SysWOW64\Delnin32.exe Dobfld32.exe File opened for modification C:\Windows\SysWOW64\Ddakjkqi.exe Dmgbnq32.exe File created C:\Windows\SysWOW64\Gifhkeje.dll Dmgbnq32.exe File created C:\Windows\SysWOW64\Kngpec32.dll Dhocqigp.exe File created C:\Windows\SysWOW64\Dfiafg32.exe Backdoor.Win32.Berbew.exe File created C:\Windows\SysWOW64\Hpnkaj32.dll Dopigd32.exe File opened for modification C:\Windows\SysWOW64\Delnin32.exe Dobfld32.exe File created C:\Windows\SysWOW64\Dmllipeg.exe Dhocqigp.exe File opened for modification C:\Windows\SysWOW64\Dmllipeg.exe Dhocqigp.exe -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 3356 2704 WerFault.exe Dmllipeg.exe -
System Location Discovery: System Language Discovery 1 TTPs 14 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
Dfiafg32.exeDdmaok32.exeDhkjej32.exeDelnin32.exeDmgbnq32.exeDdakjkqi.exeBackdoor.Win32.Berbew.exeDopigd32.exeDobfld32.exeDmllipeg.exeDfpgffpm.exeDogogcpo.exeDhocqigp.exeDejacond.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfiafg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ddmaok32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhkjej32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Delnin32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmgbnq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ddakjkqi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Backdoor.Win32.Berbew.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dopigd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dobfld32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmllipeg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfpgffpm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dogogcpo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhocqigp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dejacond.exe -
Modifies registry class 42 IoCs
Processes:
Dejacond.exeDdmaok32.exeDhkjej32.exeDmgbnq32.exeBackdoor.Win32.Berbew.exeDfpgffpm.exeDogogcpo.exeDopigd32.exeDelnin32.exeDdakjkqi.exeDhocqigp.exeDobfld32.exeDfiafg32.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dejacond.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alcidkmm.dll" Ddmaok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ddmaok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihidnp32.dll" Dhkjej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dmgbnq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Backdoor.Win32.Berbew.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dfpgffpm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbabpnmn.dll" Dfpgffpm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dfpgffpm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dogogcpo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dopigd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Delnin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ddakjkqi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dhocqigp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dhocqigp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dopigd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738} Backdoor.Win32.Berbew.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpnkaj32.dll" Dopigd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjjald32.dll" Dejacond.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ddmaok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmcfdb32.dll" Dobfld32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbpbca32.dll" Delnin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Delnin32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID Backdoor.Win32.Berbew.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dhkjej32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ddakjkqi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdjdl32.dll" Ddakjkqi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dhkjej32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dmgbnq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll" Dhocqigp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dfiafg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dejacond.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dogogcpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elkadb32.dll" Dogogcpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Backdoor.Win32.Berbew.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcjccj32.dll" Dfiafg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dfiafg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkmjgool.dll" Backdoor.Win32.Berbew.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dobfld32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dobfld32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gifhkeje.dll" Dmgbnq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node Backdoor.Win32.Berbew.exe -
Suspicious use of WriteProcessMemory 39 IoCs
Processes:
Backdoor.Win32.Berbew.exeDfiafg32.exeDopigd32.exeDejacond.exeDdmaok32.exeDobfld32.exeDelnin32.exeDhkjej32.exeDmgbnq32.exeDdakjkqi.exeDfpgffpm.exeDogogcpo.exeDhocqigp.exedescription pid process target process PID 884 wrote to memory of 460 884 Backdoor.Win32.Berbew.exe Dfiafg32.exe PID 884 wrote to memory of 460 884 Backdoor.Win32.Berbew.exe Dfiafg32.exe PID 884 wrote to memory of 460 884 Backdoor.Win32.Berbew.exe Dfiafg32.exe PID 460 wrote to memory of 1748 460 Dfiafg32.exe Dopigd32.exe PID 460 wrote to memory of 1748 460 Dfiafg32.exe Dopigd32.exe PID 460 wrote to memory of 1748 460 Dfiafg32.exe Dopigd32.exe PID 1748 wrote to memory of 2280 1748 Dopigd32.exe Dejacond.exe PID 1748 wrote to memory of 2280 1748 Dopigd32.exe Dejacond.exe PID 1748 wrote to memory of 2280 1748 Dopigd32.exe Dejacond.exe PID 2280 wrote to memory of 3172 2280 Dejacond.exe Ddmaok32.exe PID 2280 wrote to memory of 3172 2280 Dejacond.exe Ddmaok32.exe PID 2280 wrote to memory of 3172 2280 Dejacond.exe Ddmaok32.exe PID 3172 wrote to memory of 1916 3172 Ddmaok32.exe Dobfld32.exe PID 3172 wrote to memory of 1916 3172 Ddmaok32.exe Dobfld32.exe PID 3172 wrote to memory of 1916 3172 Ddmaok32.exe Dobfld32.exe PID 1916 wrote to memory of 4408 1916 Dobfld32.exe Delnin32.exe PID 1916 wrote to memory of 4408 1916 Dobfld32.exe Delnin32.exe PID 1916 wrote to memory of 4408 1916 Dobfld32.exe Delnin32.exe PID 4408 wrote to memory of 228 4408 Delnin32.exe Dhkjej32.exe PID 4408 wrote to memory of 228 4408 Delnin32.exe Dhkjej32.exe PID 4408 wrote to memory of 228 4408 Delnin32.exe Dhkjej32.exe PID 228 wrote to memory of 4844 228 Dhkjej32.exe Dmgbnq32.exe PID 228 wrote to memory of 4844 228 Dhkjej32.exe Dmgbnq32.exe PID 228 wrote to memory of 4844 228 Dhkjej32.exe Dmgbnq32.exe PID 4844 wrote to memory of 436 4844 Dmgbnq32.exe Ddakjkqi.exe PID 4844 wrote to memory of 436 4844 Dmgbnq32.exe Ddakjkqi.exe PID 4844 wrote to memory of 436 4844 Dmgbnq32.exe Ddakjkqi.exe PID 436 wrote to memory of 2864 436 Ddakjkqi.exe Dfpgffpm.exe PID 436 wrote to memory of 2864 436 Ddakjkqi.exe Dfpgffpm.exe PID 436 wrote to memory of 2864 436 Ddakjkqi.exe Dfpgffpm.exe PID 2864 wrote to memory of 3208 2864 Dfpgffpm.exe Dogogcpo.exe PID 2864 wrote to memory of 3208 2864 Dfpgffpm.exe Dogogcpo.exe PID 2864 wrote to memory of 3208 2864 Dfpgffpm.exe Dogogcpo.exe PID 3208 wrote to memory of 2700 3208 Dogogcpo.exe Dhocqigp.exe PID 3208 wrote to memory of 2700 3208 Dogogcpo.exe Dhocqigp.exe PID 3208 wrote to memory of 2700 3208 Dogogcpo.exe Dhocqigp.exe PID 2700 wrote to memory of 2704 2700 Dhocqigp.exe Dmllipeg.exe PID 2700 wrote to memory of 2704 2700 Dhocqigp.exe Dmllipeg.exe PID 2700 wrote to memory of 2704 2700 Dhocqigp.exe Dmllipeg.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe"C:\Users\Admin\AppData\Local\Temp\Backdoor.Win32.Berbew.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:884 -
C:\Windows\SysWOW64\Dfiafg32.exeC:\Windows\system32\Dfiafg32.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:460 -
C:\Windows\SysWOW64\Dopigd32.exeC:\Windows\system32\Dopigd32.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1748 -
C:\Windows\SysWOW64\Dejacond.exeC:\Windows\system32\Dejacond.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2280 -
C:\Windows\SysWOW64\Ddmaok32.exeC:\Windows\system32\Ddmaok32.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3172 -
C:\Windows\SysWOW64\Dobfld32.exeC:\Windows\system32\Dobfld32.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1916 -
C:\Windows\SysWOW64\Delnin32.exeC:\Windows\system32\Delnin32.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4408 -
C:\Windows\SysWOW64\Dhkjej32.exeC:\Windows\system32\Dhkjej32.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:228 -
C:\Windows\SysWOW64\Dmgbnq32.exeC:\Windows\system32\Dmgbnq32.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4844 -
C:\Windows\SysWOW64\Ddakjkqi.exeC:\Windows\system32\Ddakjkqi.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:436 -
C:\Windows\SysWOW64\Dfpgffpm.exeC:\Windows\system32\Dfpgffpm.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2864 -
C:\Windows\SysWOW64\Dogogcpo.exeC:\Windows\system32\Dogogcpo.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3208 -
C:\Windows\SysWOW64\Dhocqigp.exeC:\Windows\system32\Dhocqigp.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2700 -
C:\Windows\SysWOW64\Dmllipeg.exeC:\Windows\system32\Dmllipeg.exe14⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2704 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2704 -s 21615⤵
- Program crash
PID:3356
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2704 -ip 27041⤵PID:872
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
94KB
MD5a066b5ea886ca6f94ef8d0fbebff69ed
SHA12a6fa1bfb9ce8fb14193602b87ae5fa5a80f9138
SHA256487a16269004e06c1c25ea3f4434f7df31de019a59c4093b29a35882512efe84
SHA5120c4360bb43ff6ae05992ba41930c548b0de79067cebace2a8d74a114f2d8690f27295be3f8e9a24f351ec5762b64121364ffe4d43e265d634677738a166be8b2
-
Filesize
94KB
MD5a33620401695a154e7a227a10c9fe2bd
SHA1c72af06a19da4380b8493557c6d93691b33fb554
SHA256cc6d2ce94d296aae0641857aaa3fffb305a64cae8b954a5fe033971d31853663
SHA5126d26a871b288bd6cb705cc06d4ffb7dc88090c397fe94953b37330c509d2a48a3b347c2bd65d0b005ecc3a673025bbc509734585dd4a44bb9d6c45d8ee75417c
-
Filesize
94KB
MD5763c718445665c9b24068c0bae0dc1cb
SHA1aaf4a60f503dc1478665e361703f5e3891b3f7e6
SHA256ee11d2d4cea6377c684082dcc42cb2a6faf2b87f7add4527a326c422132981b3
SHA512a6f2dd094b22928d164d4e7cc77442b37a4b1cb1ee0ca831483f6bcc545d4926ec177939b0caf6acc6ab8b8d6545c8dafd0362c6fb9c262d3e1324971454b2ed
-
Filesize
94KB
MD578a6d2bfb8502ed058713d6300385c86
SHA157bec98cb9bf10b761667ab46ebcc8c5004ee08e
SHA256fe50b45264bca0d350218a0e96cdcaa3250fa1d2cab93e41880f58b62c12fc81
SHA512f63101060915d7d84c2096f969fa45302c591149f402fed762140d9fd18dfc522bbe7dd920f9f7bec0fd6fa795d2acf3ed251a080dc8667952f2b35324ea8d5b
-
Filesize
94KB
MD508b2e828baf32b14aeedcd998944d732
SHA1c4067a16313f14fcbb2f4185e8b852d5b50d04a8
SHA2560baaf8fd74219aca591475d2b1b454abde29fcf16e1e9aff8e33ce6978a1739f
SHA512252e1d3af6d30ec124e161fb4353ab37206594fb6512de0da098fb8bfbbefdb9c3c55d9c9d1996402de687a1422a0aca21fef41c925f72cb869e81875742d5d0
-
Filesize
94KB
MD5f1e696b2a789d4713106d47777b0afc2
SHA1e48b0e0f2126e8423cbcfa356bd3926e85f6fe01
SHA2568fc5585ae3df9f0a16caeda6d67b28c10d2c550aa3b5939a731cc1c9049b6eea
SHA512540b80ffebcce18990b3dc5e15a85b80f7e817375e9bcf92b08c651e58a644f4203d944c73e08b50f0d03ed47fca853ddee33f0bc661b0c87b67e3858e16c49c
-
Filesize
94KB
MD5e7c7b3cc29afd3fc8d22528d4a04e4d9
SHA158243b9a7f54eceb4f4f1ba90eb4a84d9a01549a
SHA2565351172fa70ad49e6a2c15158a165df3f9c4d29c7418928f05c1d608b215eea3
SHA512511bb274acf92b641204711c188e32cb28caa4593ad524e8488beadb6ae76f73386d9bdef03f814c165be1af70e9b11f5956820b402e23c806144b38e52a3861
-
Filesize
94KB
MD5f3a40027be1987a9822c78a23a81a6d7
SHA16e0bc88765b6d0074416b2be16dbfed6e343e929
SHA256c8af088a2ec1311309db836f83c8035fed5648f3c21c64b64d9ae95279fad135
SHA5124b1a755e122ac01eacf23189ce8aedb377a6f24b03ad0ca896b906dbab4bbfc4ae4b22d57a38287965b513e98c463aac495a34008eae317ce6e07fa99361e1e1
-
Filesize
94KB
MD513f5d4e970c11dbcea4a31e660bf0e0d
SHA1d70de24392421cb3fe1248a1f5a3a19a8dbdcb54
SHA2562005b07b2dcc274fb833df686892797c93d76b4fe3b0583e2cba05af8b48a059
SHA51200a37524ce0bb81e32005ad47b46839a415f3db6d48d29aaac627f0260a5dd287163ab045259fbcee2f5ec18ce7cae18765740068c2dd0814c02121e92dad50d
-
Filesize
94KB
MD57b50bf34d1d33b9fcd3c1f4727bd1fa6
SHA1986a2f31c78a915d3f31a3987b25a45c011b0f85
SHA256ad645a9ee797163552ed5dd7508ddf2360ec9fce731a1cf6aac7c324d2c512ef
SHA5127cc05664eb7d68dd1979499f01e6831fee4150045cdc521c534618770a9588d9190016794f312107ce5718b8a734ff1050832d2f58ce352c3d86561073decbcc
-
Filesize
94KB
MD5e5b179c49b096168bb5172ab3f09fa2f
SHA1268a03d781260264b6ae9ebe7e29bbb0dc5822b4
SHA25624e47f69c87f6a733a8c20fb516bc85375378902f91e6596cae4930fa685a8a3
SHA5122572c1a567f4a3554bd380e72fbdf0ed8dd95ebb291b975bb3c6e7f068d6b4e7206a7002595e206aed548493516430b6e571d738f09e9dd3290b841b60b77333
-
Filesize
94KB
MD55ba89478726832dce0ce2965620ce3c4
SHA1c15d5cb1c9540468fdc1ed039de810444cb64d2e
SHA25603d88ad6316f7be8700ff67852d78cc52b0cc10f4eebe4c0b2d108386bf482c5
SHA512288114790574d74ce1482a1270812a5f0f51c18fb812099735329967b224f19e230d4002b2591459e218f26e89255d72c4fb0c0c55578d1c45275757f6109231
-
Filesize
94KB
MD550a21d68a87afb102b22df4c4311bd8d
SHA1b2953029beb5c1f9a2a0d6464758c74dd9d35de3
SHA256178ee77e76c94270a65ccf61618da8b4e7e32803c6e1f04f3dfa7556f802752e
SHA512e266ebec86245e29e51fc6274cb7eb2039a4d3ae3b53e8cd5fe603a02259635a766c1482cb23933cf3b1cd8880ff8269c957fa4dd8c60df45c2fc1841eab5d4c