berbew | 41796b0baadeaa26cda10314357ae4ca272bcc7b71c48353d06c5e6a3b94fd1f

General

Target

41796b0baadeaa26cda10314357ae4ca272bcc7b71c48353d06c5e6a3b94fd1f.exe
Size

256KB
MD5

322936ac474786a36330c9b805e4554e
SHA1

c8ef3cff488d941fe0dd01a30d3b65465efb6971
SHA256

41796b0baadeaa26cda10314357ae4ca272bcc7b71c48353d06c5e6a3b94fd1f
SHA512

4d464311aa3d34ec62bc2fecaf338325de89a7e4cf4f3c2f02666a0df85ca73bc4da641c79faaa1eb9f1e366a3919557a7728a035cd180f514a4ab277369747c
SSDEEP

3072:esveZf4NYdSr/mceG7dDM1IRwMkUIunCaRdelrOyX6gu+tAcrbFAJc+RsUi1aVDw:eGy4evfNxunXe8yhrtMsQBvli+RQFdp

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

C2

http://viruslist.com/wcmd.txt

http://viruslist.com/ppslog.php

http://viruslist.com/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nigome32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncpcfkbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	41796b0baadeaa26cda10314357ae4ca272bcc7b71c48353d06c5e6a3b94fd1f.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Niebhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ngfflj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Niebhf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nigome32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ncpcfkbg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	41796b0baadeaa26cda10314357ae4ca272bcc7b71c48353d06c5e6a3b94fd1f.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngfflj32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 5 IoCs

pid	Process
2880	Ngfflj32.exe
3068	Niebhf32.exe
2624	Nigome32.exe
2204	Ncpcfkbg.exe
600	Nlhgoqhh.exe

Loads dropped DLL 14 IoCs

pid	Process
2856	41796b0baadeaa26cda10314357ae4ca272bcc7b71c48353d06c5e6a3b94fd1f.exe
2856	41796b0baadeaa26cda10314357ae4ca272bcc7b71c48353d06c5e6a3b94fd1f.exe
2880	Ngfflj32.exe
2880	Ngfflj32.exe
3068	Niebhf32.exe
3068	Niebhf32.exe
2624	Nigome32.exe
2624	Nigome32.exe
2204	Ncpcfkbg.exe
2204	Ncpcfkbg.exe
572	WerFault.exe
572	WerFault.exe
572	WerFault.exe
572	WerFault.exe

Drops file in System32 directory 15 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Hljdna32.dll	41796b0baadeaa26cda10314357ae4ca272bcc7b71c48353d06c5e6a3b94fd1f.exe
File created	C:\Windows\SysWOW64\Niebhf32.exe	Ngfflj32.exe
File opened for modification	C:\Windows\SysWOW64\Nigome32.exe	Niebhf32.exe
File created	C:\Windows\SysWOW64\Pfdmil32.dll	Nigome32.exe
File created	C:\Windows\SysWOW64\Nlhgoqhh.exe	Ncpcfkbg.exe
File created	C:\Windows\SysWOW64\Lamajm32.dll	Ncpcfkbg.exe
File created	C:\Windows\SysWOW64\Ngfflj32.exe	41796b0baadeaa26cda10314357ae4ca272bcc7b71c48353d06c5e6a3b94fd1f.exe
File created	C:\Windows\SysWOW64\Nigome32.exe	Niebhf32.exe
File created	C:\Windows\SysWOW64\Oqaedifk.dll	Niebhf32.exe
File created	C:\Windows\SysWOW64\Ncpcfkbg.exe	Nigome32.exe
File opened for modification	C:\Windows\SysWOW64\Ncpcfkbg.exe	Nigome32.exe
File opened for modification	C:\Windows\SysWOW64\Niebhf32.exe	Ngfflj32.exe
File opened for modification	C:\Windows\SysWOW64\Nlhgoqhh.exe	Ncpcfkbg.exe
File opened for modification	C:\Windows\SysWOW64\Ngfflj32.exe	41796b0baadeaa26cda10314357ae4ca272bcc7b71c48353d06c5e6a3b94fd1f.exe
File created	C:\Windows\SysWOW64\Fcihoc32.dll	Ngfflj32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
572	600	WerFault.exe	34

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngfflj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Niebhf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nigome32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncpcfkbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlhgoqhh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	41796b0baadeaa26cda10314357ae4ca272bcc7b71c48353d06c5e6a3b94fd1f.exe

Modifies registry class 18 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ncpcfkbg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	41796b0baadeaa26cda10314357ae4ca272bcc7b71c48353d06c5e6a3b94fd1f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	41796b0baadeaa26cda10314357ae4ca272bcc7b71c48353d06c5e6a3b94fd1f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ngfflj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oqaedifk.dll"	Niebhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Niebhf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nigome32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ncpcfkbg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	41796b0baadeaa26cda10314357ae4ca272bcc7b71c48353d06c5e6a3b94fd1f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	41796b0baadeaa26cda10314357ae4ca272bcc7b71c48353d06c5e6a3b94fd1f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ngfflj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Niebhf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	41796b0baadeaa26cda10314357ae4ca272bcc7b71c48353d06c5e6a3b94fd1f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nigome32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lamajm32.dll"	Ncpcfkbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hljdna32.dll"	41796b0baadeaa26cda10314357ae4ca272bcc7b71c48353d06c5e6a3b94fd1f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcihoc32.dll"	Ngfflj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfdmil32.dll"	Nigome32.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2856 wrote to memory of 2880	2856	41796b0baadeaa26cda10314357ae4ca272bcc7b71c48353d06c5e6a3b94fd1f.exe	30
PID 2856 wrote to memory of 2880	2856	41796b0baadeaa26cda10314357ae4ca272bcc7b71c48353d06c5e6a3b94fd1f.exe	30
PID 2856 wrote to memory of 2880	2856	41796b0baadeaa26cda10314357ae4ca272bcc7b71c48353d06c5e6a3b94fd1f.exe	30
PID 2856 wrote to memory of 2880	2856	41796b0baadeaa26cda10314357ae4ca272bcc7b71c48353d06c5e6a3b94fd1f.exe	30
PID 2880 wrote to memory of 3068	2880	Ngfflj32.exe	31
PID 2880 wrote to memory of 3068	2880	Ngfflj32.exe	31
PID 2880 wrote to memory of 3068	2880	Ngfflj32.exe	31
PID 2880 wrote to memory of 3068	2880	Ngfflj32.exe	31
PID 3068 wrote to memory of 2624	3068	Niebhf32.exe	32
PID 3068 wrote to memory of 2624	3068	Niebhf32.exe	32
PID 3068 wrote to memory of 2624	3068	Niebhf32.exe	32
PID 3068 wrote to memory of 2624	3068	Niebhf32.exe	32
PID 2624 wrote to memory of 2204	2624	Nigome32.exe	33
PID 2624 wrote to memory of 2204	2624	Nigome32.exe	33
PID 2624 wrote to memory of 2204	2624	Nigome32.exe	33
PID 2624 wrote to memory of 2204	2624	Nigome32.exe	33
PID 2204 wrote to memory of 600	2204	Ncpcfkbg.exe	34
PID 2204 wrote to memory of 600	2204	Ncpcfkbg.exe	34
PID 2204 wrote to memory of 600	2204	Ncpcfkbg.exe	34
PID 2204 wrote to memory of 600	2204	Ncpcfkbg.exe	34
PID 600 wrote to memory of 572	600	Nlhgoqhh.exe	35
PID 600 wrote to memory of 572	600	Nlhgoqhh.exe	35
PID 600 wrote to memory of 572	600	Nlhgoqhh.exe	35
PID 600 wrote to memory of 572	600	Nlhgoqhh.exe	35

C:\Users\Admin\AppData\Local\Temp\41796b0baadeaa26cda10314357ae4ca272bcc7b71c48353d06c5e6a3b94fd1f.exe
"C:\Users\Admin\AppData\Local\Temp\41796b0baadeaa26cda10314357ae4ca272bcc7b71c48353d06c5e6a3b94fd1f.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2856
- C:\Windows\SysWOW64\Ngfflj32.exe
  C:\Windows\system32\Ngfflj32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2880
- - C:\Windows\SysWOW64\Niebhf32.exe
    C:\Windows\system32\Niebhf32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3068
  - - C:\Windows\SysWOW64\Nigome32.exe
      C:\Windows\system32\Nigome32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2624
    - - C:\Windows\SysWOW64\Ncpcfkbg.exe
        
        C:\Windows\system32\Ncpcfkbg.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2204
      - C:\Windows\SysWOW64\Nlhgoqhh.exe
        
        C:\Windows\system32\Nlhgoqhh.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:600
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 600 -s 140
        7⤵
        Loads dropped DLL
        Program crash
        
        PID:572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Lamajm32.dll

Filesize
7KB

MD5
d6032cc3de11244a338061e9d458ad65

SHA1
33a33bcf4c502f6ae72b834637f6f01cbd0301d6

SHA256
d8a747d2868d018deacd525ed389746242e6bf3d131553841703bfda3d7184fa

SHA512
68313885658359f4f5bd50927d1ff1834d7c9fda74ebc636c8350ff6fcf0c914966c8efec8d01dd39b221b0569953f1678129dcdaec48154dd1c86476632cfce

Download Submit
C:\Windows\SysWOW64\Ngfflj32.exe

Filesize
256KB

MD5
e04bad936f1ef992892a4c11d2bac8a1

SHA1
7d3ccc4ba19425efed10cb4d5c357320bb6f501c

SHA256
0dc6c05724dc3b618b8483192168ccc651727101b39e7d5e6b9c3c72abacd6dc

SHA512
8fcdf432637d70dcb1d1071475eab21a85bad2850c74904d3df5dea3dfc1e0dae63221f628302c95256c9bc6a1ccf9cf7dd721c7e4f51499a66c68621b51f383

Download Submit
C:\Windows\SysWOW64\Niebhf32.exe

Filesize
256KB

MD5
2b1067ab20da1bc00efa276f4af9f1b1

SHA1
c3d832cbe00ad1129187dba31f1deb28ef641019

SHA256
9e6820689dafbf729e0b6682c6a7a0da1c15c9c7d246140f0e8b4fbd9ff45ef2

SHA512
a167e07ebdbbf2eaedaee249ca135c22b57a5745805649cff4af10d8b04515504e4c100805f6e5873ed2c0007a9c288b761d8262833620ff529e3cdcf4580403

Download Submit
\Windows\SysWOW64\Ncpcfkbg.exe

Filesize
256KB

MD5
781dda1ce116eb3dcfc8d771555c2cf4

SHA1
b576f12a623597bd860e8b2ee7110ae09a5c1c63

SHA256
081b05cafdd5ddfa09cc55eab5298b027a0cc790ecb2bcccc10df0573fabf205

SHA512
2b1cf7c0ef837e2965abf0381e6d37166451e7a83ebf2d0fb2f243eebc3c8191b66d8e8482b9cefeb8feafb52c381fba38e90d8c7b3115096fc6a9a9601b44e7

Download Submit
\Windows\SysWOW64\Nigome32.exe

Filesize
256KB

MD5
e0d122478f1ac040998aca0a85e2aacd

SHA1
32d8056550ef08403647dfa626f013bf0b1f9066

SHA256
559995f69a7db755760ab947f7da593468414452c073e96f0e52985cf877197c

SHA512
d53873ad94254a24bf8a2be6bc4cf654ba1e5e1438fff705a63841087791bce82eae868ae2901c3f7a6d984ee73662ba42d36529d04fc1ba7a8ef048b957b47f

Download Submit
\Windows\SysWOW64\Nlhgoqhh.exe

Filesize
256KB

MD5
83957bd7518f6a49e024c7fc5c349152

SHA1
273e28a32f5d1a1679bbc49de3fb9ddad869e3f6

SHA256
cff3028d8d837538dbd7709a0b1d188b2b39ece3d0f9536df3ff59630e3a555d

SHA512
9bf2f88cbf4443263b8493c4a2f4ca5818c49949379ccba4842f84d4abebfc689bfa90ef4e6974371da62e7af2d9547bc12bd469ae9bd3cdd05c846879aee8ac

Download Submit
memory/600-75-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2204-60-0x0000000000250000-0x0000000000293000-memory.dmp

Filesize
268KB

Download
memory/2204-52-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2204-74-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2624-73-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2856-0-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2856-70-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2856-12-0x0000000000290000-0x00000000002D3000-memory.dmp

Filesize
268KB

Download
memory/2880-13-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2880-71-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3068-34-0x00000000005E0000-0x0000000000623000-memory.dmp

Filesize
268KB

Download
memory/3068-26-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3068-72-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads