berbew | 6e1fe431a13dfd68e98997d3b0586dd3cc96f3ab870fcbaab17dd5a81996f9bf

General

Target

6e1fe431a13dfd68e98997d3b0586dd3cc96f3ab870fcbaab17dd5a81996f9bf.exe
Size

128KB
MD5

a86367a258bb28cfe17edd9258663258
SHA1

2c4aee944cbe09f8bc9619327bfa8b44ad757e87
SHA256

6e1fe431a13dfd68e98997d3b0586dd3cc96f3ab870fcbaab17dd5a81996f9bf
SHA512

94695408f8e78bc36c6dcc63b00ed0fd340fb56fbcaa3317d725f2dfaa70e902f4c925bc8f92c303df1ee66a38e1c0d7b0dfb6041aae53476cbeeec4dfc55dfc
SSDEEP

3072:bayUZwQNxPXO7o4m3TRXimW2wS7IrHrYj:2yU/NxPXcmRSmHwMOHm

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

C2

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	6e1fe431a13dfd68e98997d3b0586dd3cc96f3ab870fcbaab17dd5a81996f9bf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	6e1fe431a13dfd68e98997d3b0586dd3cc96f3ab870fcbaab17dd5a81996f9bf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmbcen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dmbcen32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 2 IoCs

pid	Process
2848	Dmbcen32.exe
1040	Dpapaj32.exe

Loads dropped DLL 7 IoCs

pid	Process
2688	6e1fe431a13dfd68e98997d3b0586dd3cc96f3ab870fcbaab17dd5a81996f9bf.exe
2688	6e1fe431a13dfd68e98997d3b0586dd3cc96f3ab870fcbaab17dd5a81996f9bf.exe
2848	Dmbcen32.exe
2848	Dmbcen32.exe
3060	WerFault.exe
3060	WerFault.exe
3060	WerFault.exe

Drops file in System32 directory 8 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe
File opened for modification	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe
File created	C:\Windows\SysWOW64\Dmbcen32.exe	6e1fe431a13dfd68e98997d3b0586dd3cc96f3ab870fcbaab17dd5a81996f9bf.exe
File opened for modification	C:\Windows\SysWOW64\Dmbcen32.exe	6e1fe431a13dfd68e98997d3b0586dd3cc96f3ab870fcbaab17dd5a81996f9bf.exe
File created	C:\Windows\SysWOW64\Fikbiheg.dll	6e1fe431a13dfd68e98997d3b0586dd3cc96f3ab870fcbaab17dd5a81996f9bf.exe
File created	C:\Windows\SysWOW64\Dpapaj32.exe	Dmbcen32.exe
File opened for modification	C:\Windows\SysWOW64\Dpapaj32.exe	Dmbcen32.exe
File created	C:\Windows\SysWOW64\Pdkefp32.dll	Dmbcen32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3060	1040	WerFault.exe	32

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6e1fe431a13dfd68e98997d3b0586dd3cc96f3ab870fcbaab17dd5a81996f9bf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmbcen32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpapaj32.exe

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	6e1fe431a13dfd68e98997d3b0586dd3cc96f3ab870fcbaab17dd5a81996f9bf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	6e1fe431a13dfd68e98997d3b0586dd3cc96f3ab870fcbaab17dd5a81996f9bf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dmbcen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fikbiheg.dll"	6e1fe431a13dfd68e98997d3b0586dd3cc96f3ab870fcbaab17dd5a81996f9bf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dmbcen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdkefp32.dll"	Dmbcen32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	6e1fe431a13dfd68e98997d3b0586dd3cc96f3ab870fcbaab17dd5a81996f9bf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	6e1fe431a13dfd68e98997d3b0586dd3cc96f3ab870fcbaab17dd5a81996f9bf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	6e1fe431a13dfd68e98997d3b0586dd3cc96f3ab870fcbaab17dd5a81996f9bf.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2688 wrote to memory of 2848	2688	6e1fe431a13dfd68e98997d3b0586dd3cc96f3ab870fcbaab17dd5a81996f9bf.exe	31
PID 2688 wrote to memory of 2848	2688	6e1fe431a13dfd68e98997d3b0586dd3cc96f3ab870fcbaab17dd5a81996f9bf.exe	31
PID 2688 wrote to memory of 2848	2688	6e1fe431a13dfd68e98997d3b0586dd3cc96f3ab870fcbaab17dd5a81996f9bf.exe	31
PID 2688 wrote to memory of 2848	2688	6e1fe431a13dfd68e98997d3b0586dd3cc96f3ab870fcbaab17dd5a81996f9bf.exe	31
PID 2848 wrote to memory of 1040	2848	Dmbcen32.exe	32
PID 2848 wrote to memory of 1040	2848	Dmbcen32.exe	32
PID 2848 wrote to memory of 1040	2848	Dmbcen32.exe	32
PID 2848 wrote to memory of 1040	2848	Dmbcen32.exe	32
PID 1040 wrote to memory of 3060	1040	Dpapaj32.exe	33
PID 1040 wrote to memory of 3060	1040	Dpapaj32.exe	33
PID 1040 wrote to memory of 3060	1040	Dpapaj32.exe	33
PID 1040 wrote to memory of 3060	1040	Dpapaj32.exe	33

C:\Users\Admin\AppData\Local\Temp\6e1fe431a13dfd68e98997d3b0586dd3cc96f3ab870fcbaab17dd5a81996f9bf.exe
"C:\Users\Admin\AppData\Local\Temp\6e1fe431a13dfd68e98997d3b0586dd3cc96f3ab870fcbaab17dd5a81996f9bf.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2688
- C:\Windows\SysWOW64\Dmbcen32.exe
  C:\Windows\system32\Dmbcen32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2848
- - C:\Windows\SysWOW64\Dpapaj32.exe
    C:\Windows\system32\Dpapaj32.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1040
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1040 -s 144
      4⤵
      Loads dropped DLL
      Program crash
      PID:3060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Dmbcen32.exe

Filesize
128KB

MD5
3b1e993288067e7b8c3aa5eca1b13ac0

SHA1
a45eb113d75175769bd47695e1c8469eb6ca2dae

SHA256
9d476a0711c71231357152bab9b37d328437b6bf3e74c432a7d142d967f8a202

SHA512
f612ec5297547992f6eaa743e6f07ab32157584a1bf2984a7b49ca295b6719f800af39dfe9d9ff43eba8565a3b74157859792ad70c6c781e133efa7a9d8e2b4a

Download Submit
\Windows\SysWOW64\Dpapaj32.exe

Filesize
128KB

MD5
868a0687a401169d31f064b1790be2bc

SHA1
084e6bdac0d300c3c8bbe3e8e03bc1c064addaf3

SHA256
0438b3aef2b4111e088d484ffebef017c50790e768852f0e78f39d8f323d4610

SHA512
707d31359eee346a49f368f9a67f6f46c7981bd1aa5617ccb2266970a941a3f7e3706421ac322fabe4101a515e5201cf52f3f50b56ba963ab55bf6e69cb565c6

Download Submit
memory/1040-28-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1040-37-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2688-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2688-12-0x0000000000440000-0x0000000000480000-memory.dmp

Filesize
256KB

Download
memory/2688-35-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2848-13-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2848-27-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2848-26-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2848-36-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads