berbew | 9aa8cd9832d4df2112ab821b4265ebef836e3e3b51e7cf3ec1130d4b716ccd42

General

Target

9aa8cd9832d4df2112ab821b4265ebef836e3e3b51e7cf3ec1130d4b716ccd42N.exe
Size

347KB
MD5

8a4386dc5aaf8c91c98e57ab58c57ab0
SHA1

fc87b894e5c62bb41f098d5aa07826a3eb315627
SHA256

9aa8cd9832d4df2112ab821b4265ebef836e3e3b51e7cf3ec1130d4b716ccd42
SHA512

71a6c44de8369aa30750039fe29125e4ff38a682e97d6578f73515afab5b38d3eceaa3e0caf081a2f09e37bf55420229801fbf478a31247d761240d394ab8923
SSDEEP

6144:wvX51zqth7G5vx4brq2Ah1FM6234lKm3mo8Yvi4KsLTFM6234lKm3qk9:wv51zGh7Ax4brRGFB24lwR45FB24lEk

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oegdcj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Oegdcj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Opmhqc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Opmhqc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	9aa8cd9832d4df2112ab821b4265ebef836e3e3b51e7cf3ec1130d4b716ccd42N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	9aa8cd9832d4df2112ab821b4265ebef836e3e3b51e7cf3ec1130d4b716ccd42N.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 3 IoCs

pid	Process
1760	Oegdcj32.exe
2192	Opmhqc32.exe
2964	Ockdmn32.exe

Loads dropped DLL 10 IoCs

pid	Process
2296	9aa8cd9832d4df2112ab821b4265ebef836e3e3b51e7cf3ec1130d4b716ccd42N.exe
2296	9aa8cd9832d4df2112ab821b4265ebef836e3e3b51e7cf3ec1130d4b716ccd42N.exe
1760	Oegdcj32.exe
1760	Oegdcj32.exe
2192	Opmhqc32.exe
2192	Opmhqc32.exe
2660	WerFault.exe
2660	WerFault.exe
2660	WerFault.exe
2660	WerFault.exe

Drops file in System32 directory 9 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Oegdcj32.exe	9aa8cd9832d4df2112ab821b4265ebef836e3e3b51e7cf3ec1130d4b716ccd42N.exe
File opened for modification	C:\Windows\SysWOW64\Oegdcj32.exe	9aa8cd9832d4df2112ab821b4265ebef836e3e3b51e7cf3ec1130d4b716ccd42N.exe
File created	C:\Windows\SysWOW64\Khhaomjd.dll	Opmhqc32.exe
File created	C:\Windows\SysWOW64\Lncacf32.dll	9aa8cd9832d4df2112ab821b4265ebef836e3e3b51e7cf3ec1130d4b716ccd42N.exe
File created	C:\Windows\SysWOW64\Opmhqc32.exe	Oegdcj32.exe
File opened for modification	C:\Windows\SysWOW64\Opmhqc32.exe	Oegdcj32.exe
File created	C:\Windows\SysWOW64\Cdhbbpkh.dll	Oegdcj32.exe
File created	C:\Windows\SysWOW64\Ockdmn32.exe	Opmhqc32.exe
File opened for modification	C:\Windows\SysWOW64\Ockdmn32.exe	Opmhqc32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2660	2964	WerFault.exe	32

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opmhqc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ockdmn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9aa8cd9832d4df2112ab821b4265ebef836e3e3b51e7cf3ec1130d4b716ccd42N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oegdcj32.exe

Modifies registry class 12 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	9aa8cd9832d4df2112ab821b4265ebef836e3e3b51e7cf3ec1130d4b716ccd42N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Oegdcj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khhaomjd.dll"	Opmhqc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	9aa8cd9832d4df2112ab821b4265ebef836e3e3b51e7cf3ec1130d4b716ccd42N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	9aa8cd9832d4df2112ab821b4265ebef836e3e3b51e7cf3ec1130d4b716ccd42N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lncacf32.dll"	9aa8cd9832d4df2112ab821b4265ebef836e3e3b51e7cf3ec1130d4b716ccd42N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	9aa8cd9832d4df2112ab821b4265ebef836e3e3b51e7cf3ec1130d4b716ccd42N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Oegdcj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdhbbpkh.dll"	Oegdcj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Opmhqc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Opmhqc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	9aa8cd9832d4df2112ab821b4265ebef836e3e3b51e7cf3ec1130d4b716ccd42N.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2296 wrote to memory of 1760	2296	9aa8cd9832d4df2112ab821b4265ebef836e3e3b51e7cf3ec1130d4b716ccd42N.exe	30
PID 2296 wrote to memory of 1760	2296	9aa8cd9832d4df2112ab821b4265ebef836e3e3b51e7cf3ec1130d4b716ccd42N.exe	30
PID 2296 wrote to memory of 1760	2296	9aa8cd9832d4df2112ab821b4265ebef836e3e3b51e7cf3ec1130d4b716ccd42N.exe	30
PID 2296 wrote to memory of 1760	2296	9aa8cd9832d4df2112ab821b4265ebef836e3e3b51e7cf3ec1130d4b716ccd42N.exe	30
PID 1760 wrote to memory of 2192	1760	Oegdcj32.exe	31
PID 1760 wrote to memory of 2192	1760	Oegdcj32.exe	31
PID 1760 wrote to memory of 2192	1760	Oegdcj32.exe	31
PID 1760 wrote to memory of 2192	1760	Oegdcj32.exe	31
PID 2192 wrote to memory of 2964	2192	Opmhqc32.exe	32
PID 2192 wrote to memory of 2964	2192	Opmhqc32.exe	32
PID 2192 wrote to memory of 2964	2192	Opmhqc32.exe	32
PID 2192 wrote to memory of 2964	2192	Opmhqc32.exe	32
PID 2964 wrote to memory of 2660	2964	Ockdmn32.exe	33
PID 2964 wrote to memory of 2660	2964	Ockdmn32.exe	33
PID 2964 wrote to memory of 2660	2964	Ockdmn32.exe	33
PID 2964 wrote to memory of 2660	2964	Ockdmn32.exe	33

C:\Users\Admin\AppData\Local\Temp\9aa8cd9832d4df2112ab821b4265ebef836e3e3b51e7cf3ec1130d4b716ccd42N.exe
"C:\Users\Admin\AppData\Local\Temp\9aa8cd9832d4df2112ab821b4265ebef836e3e3b51e7cf3ec1130d4b716ccd42N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2296
- C:\Windows\SysWOW64\Oegdcj32.exe
  C:\Windows\system32\Oegdcj32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1760
- - C:\Windows\SysWOW64\Opmhqc32.exe
    C:\Windows\system32\Opmhqc32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2192
  - - C:\Windows\SysWOW64\Ockdmn32.exe
      C:\Windows\system32\Ockdmn32.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2964
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2964 -s 140
        5⤵
        Loads dropped DLL
        Program crash
        
        PID:2660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Oegdcj32.exe

Filesize
347KB

MD5
f90dc082cba41da12db653882133aba1

SHA1
462bd81b2e7fddf5b5fe864818f2344168c464e3

SHA256
d4e26948eb0191cd8c88ed93f74738c89e1061158dac56c884f9ff78ec9a5e49

SHA512
51818dc75b2f494d1e2ea6f7f269bcdc392be15c8b11b173fbaf39aa52dcd5f5f8394ffb95b5b83dd14de9c26b7d4d848b57c867e1eb9f16e5af0fbe4706395c

Download Submit
C:\Windows\SysWOW64\Opmhqc32.exe

Filesize
347KB

MD5
ce5a0c4c3c5a5a1f8bc9af8839394d9e

SHA1
9265f6722bc7b1350ffa6d3b6ead5254c3e6d8fd

SHA256
eb4040c969c24d3b0fe19ee6dc09ce2e8e5ca03061b11efcec89d3b58183322e

SHA512
d493b5d3f371c166a9c81951abe8cd641a0fc1099781970471eae923b574cf084667bd1842b3e7055527719320668182b3d1e181e2b29e48fc474d732e77bddf

Download Submit
\Windows\SysWOW64\Ockdmn32.exe

Filesize
347KB

MD5
145bea12e42d168b39f6dd9f83d357b4

SHA1
794e616f33d4d415c12572ff9761234212f50a04

SHA256
7b1920adcb48cd857b7a44136329153364feb83e245668dd2ca4da5afb7a576e

SHA512
f09b538268cfe01bd05d16f75cb2ea19b9fe309df24d9c68137b28ba47154d9b41a06421f89592d52dffe9df212037d2771414cb570066c3950acde0d4a08143

Download Submit
memory/1760-14-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1760-47-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2192-32-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2192-40-0x0000000000250000-0x0000000000293000-memory.dmp

Filesize
268KB

Download
memory/2296-11-0x0000000000460000-0x00000000004A3000-memory.dmp

Filesize
268KB

Download
memory/2296-0-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2296-12-0x0000000000460000-0x00000000004A3000-memory.dmp

Filesize
268KB

Download
memory/2296-46-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2964-41-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2964-48-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads