Analysis

  • max time kernel: 118s
  • max time network: 118s
  • platform: windows7_x64
  • resource: win7-20240903-en
  • resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted: 16-09-2024 14:48

General

  • Target: TrojanDownloader.Win32.Berbew.exe
  • Size: 64KB
  • MD5: cccdf86e63e00b3fde66914adbbb2a10
  • SHA1: a7a05109891f2d74edf0b4a50e41a6f7cce9b660
  • SHA256: 9aeb72328f6bf79156c5886dde8b93c4316e0401883e21fd5a58fba9cd8f0398
  • SHA512: 5aa16914b219e40ca627ab34012ada4891e06bd277fa84e930636b3ab292dc4d9e9cf8925d4e3a70f4786a7064520b128a5eb4e9564cf607d75a41888b99c4da
  • SSDEEP: 1536:nfDbH2f2S1IK93IaAY+puMdEWy6rPFW2iwTbW:nf3Q2S2K93IDYMuMdEXuFW2VTbW

Malware Config

Extracted

  • Family: berbew
  • C2:
    http://tat-neftbank.ru/kkq.php
    http://tat-neftbank.ru/wcmd.htm

Signatures

  • Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 28 IoCs)
  • Berbew

    Berbew is a backdoor written in C++.

  • Executes dropped EXE (14 IoCs)
  • Loads dropped DLL (32 IoCs)
  • Drops file in System32 directory (42 IoCs)
  • Program crash (1 IoC)
  • System Location Discovery: System Language Discovery (1 TTP, 15 IoCs)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class (45 IoCs)
  • Suspicious use of WriteProcessMemory (60 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\TrojanDownloader.Win32.Berbew.exe
    "C:\Users\Admin\AppData\Local\Temp\TrojanDownloader.Win32.Berbew.exe"
    1⤵
    • Adds autorun key to be loaded by Explorer.exe on startup
    • Loads dropped DLL
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2080
    • C:\Windows\SysWOW64\Klecfkff.exe
      C:\Windows\system32\Klecfkff.exe
      2⤵
      • Adds autorun key to be loaded by Explorer.exe on startup
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:2692
      • C:\Windows\SysWOW64\Kmfpmc32.exe
        C:\Windows\system32\Kmfpmc32.exe
        3⤵
        • Adds autorun key to be loaded by Explorer.exe on startup
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:2968
        • C:\Windows\SysWOW64\Kdphjm32.exe
          C:\Windows\system32\Kdphjm32.exe
          4⤵
          • Adds autorun key to be loaded by Explorer.exe on startup
          • Executes dropped EXE
          • Loads dropped DLL
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          • Suspicious use of WriteProcessMemory
          PID:2588
          • C:\Windows\SysWOW64\Kfodfh32.exe
            C:\Windows\system32\Kfodfh32.exe
            5⤵
            • Adds autorun key to be loaded by Explorer.exe on startup
            • Executes dropped EXE
            • Loads dropped DLL
            • Drops file in System32 directory
            • System Location Discovery: System Language Discovery
            • Modifies registry class
            • Suspicious use of WriteProcessMemory
            PID:2616
            • C:\Windows\SysWOW64\Kmimcbja.exe
              C:\Windows\system32\Kmimcbja.exe
              6⤵
              • Adds autorun key to be loaded by Explorer.exe on startup
              • Executes dropped EXE
              • Loads dropped DLL
              • Drops file in System32 directory
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              • Suspicious use of WriteProcessMemory
              PID:796
              • C:\Windows\SysWOW64\Kpgionie.exe
                C:\Windows\system32\Kpgionie.exe
                7⤵
                • Adds autorun key to be loaded by Explorer.exe on startup
                • Executes dropped EXE
                • Loads dropped DLL
                • Drops file in System32 directory
                • System Location Discovery: System Language Discovery
                • Modifies registry class
                • Suspicious use of WriteProcessMemory
                PID:316
                • C:\Windows\SysWOW64\Kdbepm32.exe
                  C:\Windows\system32\Kdbepm32.exe
                  8⤵
                  • Adds autorun key to be loaded by Explorer.exe on startup
                  • Executes dropped EXE
                  • Loads dropped DLL
                  • Drops file in System32 directory
                  • System Location Discovery: System Language Discovery
                  • Modifies registry class
                  • Suspicious use of WriteProcessMemory
                  PID:1972
                  • C:\Windows\SysWOW64\Kfaalh32.exe
                    C:\Windows\system32\Kfaalh32.exe
                    9⤵
                    • Adds autorun key to be loaded by Explorer.exe on startup
                    • Executes dropped EXE
                    • Loads dropped DLL
                    • Drops file in System32 directory
                    • System Location Discovery: System Language Discovery
                    • Modifies registry class
                    • Suspicious use of WriteProcessMemory
                    PID:1804
                    • C:\Windows\SysWOW64\Kageia32.exe
                      C:\Windows\system32\Kageia32.exe
                      10⤵
                      • Adds autorun key to be loaded by Explorer.exe on startup
                      • Executes dropped EXE
                      • Loads dropped DLL
                      • Drops file in System32 directory
                      • System Location Discovery: System Language Discovery
                      • Modifies registry class
                      • Suspicious use of WriteProcessMemory
                      PID:2256
                      • C:\Windows\SysWOW64\Kbhbai32.exe
                        C:\Windows\system32\Kbhbai32.exe
                        11⤵
                        • Adds autorun key to be loaded by Explorer.exe on startup
                        • Executes dropped EXE
                        • Loads dropped DLL
                        • Drops file in System32 directory
                        • System Location Discovery: System Language Discovery
                        • Modifies registry class
                        • Suspicious use of WriteProcessMemory
                        PID:2648
                        • C:\Windows\SysWOW64\Kgcnahoo.exe
                          C:\Windows\system32\Kgcnahoo.exe
                          12⤵
                          • Adds autorun key to be loaded by Explorer.exe on startup
                          • Executes dropped EXE
                          • Loads dropped DLL
                          • Drops file in System32 directory
                          • System Location Discovery: System Language Discovery
                          • Modifies registry class
                          • Suspicious use of WriteProcessMemory
                          PID:2116
                          • C:\Windows\SysWOW64\Lmmfnb32.exe
                            C:\Windows\system32\Lmmfnb32.exe
                            13⤵
                            • Adds autorun key to be loaded by Explorer.exe on startup
                            • Executes dropped EXE
                            • Loads dropped DLL
                            • Drops file in System32 directory
                            • System Location Discovery: System Language Discovery
                            • Modifies registry class
                            • Suspicious use of WriteProcessMemory
                            PID:568
                            • C:\Windows\SysWOW64\Lplbjm32.exe
                              C:\Windows\system32\Lplbjm32.exe
                              14⤵
                              • Adds autorun key to be loaded by Explorer.exe on startup
                              • Executes dropped EXE
                              • Loads dropped DLL
                              • Drops file in System32 directory
                              • System Location Discovery: System Language Discovery
                              • Modifies registry class
                              • Suspicious use of WriteProcessMemory
                              PID:2380
                              • C:\Windows\SysWOW64\Lbjofi32.exe
                                C:\Windows\system32\Lbjofi32.exe
                                15⤵
                                • Executes dropped EXE
                                • System Location Discovery: System Language Discovery
                                • Suspicious use of WriteProcessMemory
                                PID:2084
                                • C:\Windows\SysWOW64\WerFault.exe
                                  C:\Windows\SysWOW64\WerFault.exe -u -p 2084 -s 140
                                  16⤵
                                  • Loads dropped DLL
                                  • Program crash
                                  PID:2088

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\SysWOW64\Kageia32.exe
    Filesize: 64KB
    MD5: 2e80d3671f0fb42a2b5a9788b580eef7
    SHA1: 4ac28b0615f96c547f26aa3f18f424b2700b27ef
    SHA256: 45882413f7982c57b6203d31953711aa319e3df8a2e1a484ade69d3babfe7191
    SHA512: 70087969bea3c754da1f0b911f969b08c3c5e686d17a9875a2849ce2fdace53696daad297d8ce948e75e7a223464704fb7ac4d7a9a577f4c8a301d80a13dd480

  • C:\Windows\SysWOW64\Kbhbai32.exe
    Filesize: 64KB
    MD5: 312782883d20ccc65c6532255730733e
    SHA1: 3e838b9a2b46769773904b3c179cbd6824f795b0
    SHA256: 8a5969d54d64e537d20feaff97223a88b64c19a2f51cf8a7ac91d1b4a0b8a377
    SHA512: 9493e9d6e9ae18ce56cb5c5dbf7206d1f15c3216bfe2d68fbe11691fb53cb49469bc2ba3ee1b4e42488173c71758136342ba00a675a6c23045b216117c8e6e81

  • C:\Windows\SysWOW64\Kdbepm32.exe
    Filesize: 64KB
    MD5: 325dfede2b16070a7efd81a2685bddc1
    SHA1: ba0e043d325c5df2c202974b17c64bdf4c1ba974
    SHA256: 81e6c9cf2e535b069126f1ad976dd331538c671e33fd34b9b1ce752bab98b7eb
    SHA512: 3fa98a6045f0a6d2112d66527d961ea2ca07f773f0efe47614aa0489307c72e02f1296f0a3ac80167fd7812649cae5eaf0ca5211c7c9f495323afc8ed5af868f

  • C:\Windows\SysWOW64\Kdphjm32.exe
    Filesize: 64KB
    MD5: 9dfa1e154c857eef86969906130a479e
    SHA1: 863b542c253523953e7909b8a6b662f582f9609c
    SHA256: 62dced18b5a17cfb9f72620728bffd9cdaa777047d8e619328c366108c236659
    SHA512: 7baf46ae5385240b4fb1802e5dae024e42d3ee6a80cafebe9d220d59411890927dba58e1ca77da3a94e27a8082045301e6f7afcf7486b04e546f6e1311c4d8e9

  • C:\Windows\SysWOW64\Kfaalh32.exe
    Filesize: 64KB
    MD5: d8da1ed37e200279f601978fefa41a84
    SHA1: 180cfb72e487694a4af2b529498b1594508740d5
    SHA256: a66e785392c835cdc7bc7f2c6ffd91bd92f294a23045359e5faa7a65bc0fcff1
    SHA512: 3de14e92c92d6f400d4f0644b9e67a71adfd2ad0780da924b66b929fb963b0249be408c5e97d064202855c48898b47148d059a665306c6847c7ec82b973335d3

  • C:\Windows\SysWOW64\Kfodfh32.exe
    Filesize: 64KB
    MD5: 535e53dcb59b296a5ee3e9c8911e24bb
    SHA1: b549c468d27125cf69e16d1bcff38603c1c8b1e8
    SHA256: fbc364079323578611c6540a8b61471528e2ea9a1fb44227bb361c1197f866cb
    SHA512: 37c3e75cd1265dc158ee5664c759c51f1f0a61cebaf7a7b04e5982863b2fb09cd166f61042e794e207510ad694d670ab2e5c4da8a2d5fb9c68a788530d71b76b

  • C:\Windows\SysWOW64\Kmfpmc32.exe
    Filesize: 64KB
    MD5: 3dc21ba35f6ddda038221f9cb78b123c
    SHA1: 23e79e77b735dffafc4eaf861f58d5533d3563a4
    SHA256: cea101525106add3f95c3cbf0220f2a524bcee74f1d4acb6b8d6d542a604c755
    SHA512: f170c72a48304be5c05967d9447f384ab9b85dc66272db3e45bf6c9ceff7e8455aca5271f2832fd3a81b7f7bbcaa1dd992b3520765a06b27dfdec5db12a818a6

  • C:\Windows\SysWOW64\Kmimcbja.exe
    Filesize: 64KB
    MD5: 422c968e2a8674b943abb42cdaf0f5a1
    SHA1: c3cd012fff7834b5124c7ee11733a228747c25a0
    SHA256: 6aa166d500631ff2c79b386b3b0fa6f9d2ce2760b5bbf7a05cf645f98b4c5d45
    SHA512: 01903d2526da76615848a87f46bbdddde43df0075e26d55f4c2b2b038df982dced4e60961c9d42f1a976056e8ab23bc5333db02abfd0979f3951846f8d31a6e7

  • C:\Windows\SysWOW64\Kpgionie.exe
    Filesize: 64KB
    MD5: f69557fd3964ef90aa90e2c7a81e7095
    SHA1: 04cf25d3da14e8e319e5dc4d8c06a3e1b350f843
    SHA256: 8dc3e6ad80b2f7ffc0e8c5ade24990dab309e0b03cddb090d48770d06643186a
    SHA512: eae431e65159d275a1fb6836ba63237e12070da82b8c71faf29b61d9bdb8f9ef4d7f0b00d3355b5b0c4585adc2ea1a754b266fcb3d8579600ce5e55011c28aec

  • C:\Windows\SysWOW64\Lplbjm32.exe
    Filesize: 64KB
    MD5: c47cf66c62cd99a96c49d27434f9832c
    SHA1: 11864a078070592e63b2852b9ec409160c323b95
    SHA256: e7c3327b2d0613f8698d7f38178ca276d42257ceadb0169304f775aae35d6266
    SHA512: 9fd7bdaedbf7322beba72196623db7b923fbbd194a1bc17ec092e9afac82d36372f962b601c69c95f1c020e654a71795c37f7511a89d8c8143e3dd4026ca9024

  • \Windows\SysWOW64\Kgcnahoo.exe
    Filesize: 64KB
    MD5: 23e3ebecd8744a91295f9ca379776476
    SHA1: 0b07bd9feea5d6f27a878fb1db21df0ff84b44bc
    SHA256: 2dbaa3b67e98380a793ebd62a11d6e3be3d9d2eb2c9814f041b071f73e8f3f88
    SHA512: 36c2ecb2a67145595822d8f98fe765f97af411d7658d792e97d1fa4b2a981805861f2c3f434deffaed85023b4920e329ae507a6eddbba5586de08a10591ce9f6

  • \Windows\SysWOW64\Klecfkff.exe
    Filesize: 64KB
    MD5: e8d4288b0d9a110fba656811c72b0884
    SHA1: aab64a1e5d00625eb49c12736069c8f096d02162
    SHA256: ab4ae7a5eb15b413585cc93141d70d68475f87f0b4bdbf30a122518a573d1673
    SHA512: f4f072140dd8f4d2941323e910f2fd8ced8467aa2d73d5d3e5270464b1d0c378722677ae1caab749f5447dfd1634f681cc97191101aeed1ea7c75d8c78fdc448

  • \Windows\SysWOW64\Lbjofi32.exe
    Filesize: 64KB
    MD5: 607dc370a7422d5c847c9ff6933aac1b
    SHA1: ce9a1157164b99b949bc42ab49f2da4b3fdf623b
    SHA256: 93af9adba5d9e4019735b5a167df861d8b01022810ea82bca21de4f60f8bbf69
    SHA512: 93f3c55cc5076a2ee46773ae1b615fb6869cb6663a2c555cccb420c6d708c40f016a53b656c89f4b2d562c8d5d866ab2e3b0947f0792ba5e5dd168504d82da7a

  • \Windows\SysWOW64\Lmmfnb32.exe
    Filesize: 64KB
    MD5: a34b72f62e5de40bb075b3f2930116d5
    SHA1: c70acb91b199fcdcf79e26c521fdf4f65bbcbe6d
    SHA256: 3832b432b15be2648a0f41a2f6c37d307d0a94dbe80205072c204ed30388c909
    SHA512: f9181c094f68129ec46f855b9ffb6f30972f44be62d295d2207ba772f5dedaee750e76ae11ebf00fe63dfdb98a13619552f9f6de8b70cebcf7ce354285fb45e3

  • memory/316-86-0x0000000000400000-0x000000000043B000-memory.dmp (Filesize: 236KB)
  • memory/316-143-0x0000000000250000-0x000000000028B000-memory.dmp (Filesize: 236KB)
  • memory/316-98-0x0000000000250000-0x000000000028B000-memory.dmp (Filesize: 236KB)
  • memory/316-142-0x0000000000400000-0x000000000043B000-memory.dmp (Filesize: 236KB)
  • memory/568-211-0x0000000000400000-0x000000000043B000-memory.dmp (Filesize: 236KB)
  • memory/796-84-0x0000000000250000-0x000000000028B000-memory.dmp (Filesize: 236KB)
  • memory/796-127-0x0000000000400000-0x000000000043B000-memory.dmp (Filesize: 236KB)
  • memory/1804-168-0x0000000000400000-0x000000000043B000-memory.dmp (Filesize: 236KB)
  • memory/1804-126-0x0000000001F30000-0x0000000001F6B000-memory.dmp (Filesize: 236KB)
  • memory/1972-145-0x0000000000400000-0x000000000043B000-memory.dmp (Filesize: 236KB)
  • memory/1972-113-0x0000000000310000-0x000000000034B000-memory.dmp (Filesize: 236KB)
  • memory/1972-106-0x0000000000310000-0x000000000034B000-memory.dmp (Filesize: 236KB)
  • memory/1972-161-0x0000000000310000-0x000000000034B000-memory.dmp (Filesize: 236KB)
  • memory/2080-18-0x00000000002D0000-0x000000000030B000-memory.dmp (Filesize: 236KB)
  • memory/2080-17-0x00000000002D0000-0x000000000030B000-memory.dmp (Filesize: 236KB)
  • memory/2080-76-0x00000000002D0000-0x000000000030B000-memory.dmp (Filesize: 236KB)
  • memory/2080-0-0x0000000000400000-0x000000000043B000-memory.dmp (Filesize: 236KB)
  • memory/2080-69-0x0000000000400000-0x000000000043B000-memory.dmp (Filesize: 236KB)
  • memory/2080-78-0x00000000002D0000-0x000000000030B000-memory.dmp (Filesize: 236KB)
  • memory/2084-213-0x0000000000400000-0x000000000043B000-memory.dmp (Filesize: 236KB)
  • memory/2084-204-0x0000000000400000-0x000000000043B000-memory.dmp (Filesize: 236KB)
  • memory/2116-210-0x0000000000400000-0x000000000043B000-memory.dmp (Filesize: 236KB)
  • memory/2116-160-0x0000000000400000-0x000000000043B000-memory.dmp (Filesize: 236KB)
  • memory/2116-170-0x0000000000440000-0x000000000047B000-memory.dmp (Filesize: 236KB)
  • memory/2256-137-0x0000000000250000-0x000000000028B000-memory.dmp (Filesize: 236KB)
  • memory/2256-189-0x0000000000250000-0x000000000028B000-memory.dmp (Filesize: 236KB)
  • memory/2256-129-0x0000000000400000-0x000000000043B000-memory.dmp (Filesize: 236KB)
  • memory/2256-183-0x0000000000400000-0x000000000043B000-memory.dmp (Filesize: 236KB)
  • memory/2380-203-0x0000000000290000-0x00000000002CB000-memory.dmp (Filesize: 236KB)
  • memory/2380-190-0x0000000000400000-0x000000000043B000-memory.dmp (Filesize: 236KB)
  • memory/2380-212-0x0000000000400000-0x000000000043B000-memory.dmp (Filesize: 236KB)
  • memory/2588-53-0x0000000000400000-0x000000000043B000-memory.dmp (Filesize: 236KB)
  • memory/2616-112-0x0000000000400000-0x000000000043B000-memory.dmp (Filesize: 236KB)
  • memory/2616-67-0x0000000000280000-0x00000000002BB000-memory.dmp (Filesize: 236KB)
  • memory/2616-55-0x0000000000400000-0x000000000043B000-memory.dmp (Filesize: 236KB)
  • memory/2648-205-0x0000000000400000-0x000000000043B000-memory.dmp (Filesize: 236KB)
  • memory/2648-153-0x0000000000250000-0x000000000028B000-memory.dmp (Filesize: 236KB)
  • memory/2648-159-0x0000000000250000-0x000000000028B000-memory.dmp (Filesize: 236KB)
  • memory/2692-19-0x0000000000400000-0x000000000043B000-memory.dmp (Filesize: 236KB)
  • memory/2692-27-0x0000000000250000-0x000000000028B000-memory.dmp (Filesize: 236KB)
  • memory/2968-85-0x0000000000400000-0x000000000043B000-memory.dmp (Filesize: 236KB)
  • memory/2968-46-0x00000000002F0000-0x000000000032B000-memory.dmp (Filesize: 236KB)
  • memory/2968-28-0x0000000000400000-0x000000000043B000-memory.dmp (Filesize: 236KB)