Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

4f7e5ad566...2N.exe

windows7-x64

10

4f7e5ad566...2N.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    92s
  • max time network
    94s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27/09/2024, 03:45

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4f7e5ad566c9096701f58a6c59d2b33c704a002151241a0d4418bda33e6ae0c2N.exe

  • Size

    136KB

  • MD5

    6bd742efe069b7307aee8cdedb07df10

  • SHA1

    b82c54954267280e4da57b2333e6065504e95e93

  • SHA256

    4f7e5ad566c9096701f58a6c59d2b33c704a002151241a0d4418bda33e6ae0c2

  • SHA512

    fa074eab297cc960711b29cf7939757eccb0037b52f989ed97d138f03e6ceb0db15ffecbb55937d871f710ca6f2dbf9f576d5ce64c3d500d518825cd15230f4a

  • SSDEEP

    3072:Rj8JZHnLOfBCgc1gsohLwdNbw+Y92xQuohLwdNbw5bxH0zVWccA:Rj+ZHnLOZxigsohxd2Quohdbd0zscj

Score
10/10
berbewbackdoordiscoverypersistence

Malware Config

Extracted

Family

berbew

C2

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

  • Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 14 IoCs
    persistence
  • Berbew

    Berbew is a backdoor written in C++.

    backdoorberbew
  • Executes dropped EXE 7 IoCs
  • Drops file in System32 directory 21 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 24 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4f7e5ad566c9096701f58a6c59d2b33c704a002151241a0d4418bda33e6ae0c2N.exe
    "C:\Users\Admin\AppData\Local\Temp\4f7e5ad566c9096701f58a6c59d2b33c704a002151241a0d4418bda33e6ae0c2N.exe"
    1⤵
    • Adds autorun key to be loaded by Explorer.exe on startup
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4412
    • C:\Windows\SysWOW64\Dmgbnq32.exe
      C:\Windows\system32\Dmgbnq32.exe
      2⤵
      • Adds autorun key to be loaded by Explorer.exe on startup
      • Executes dropped EXE
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:4116
      • C:\Windows\SysWOW64\Deokon32.exe
        C:\Windows\system32\Deokon32.exe
        3⤵
        • Adds autorun key to be loaded by Explorer.exe on startup
        • Executes dropped EXE
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:5068
        • C:\Windows\SysWOW64\Dkkcge32.exe
          C:\Windows\system32\Dkkcge32.exe
          4⤵
          • Adds autorun key to be loaded by Explorer.exe on startup
          • Executes dropped EXE
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          • Suspicious use of WriteProcessMemory
          PID:2848
          • C:\Windows\SysWOW64\Daekdooc.exe
            C:\Windows\system32\Daekdooc.exe
            5⤵
            • Adds autorun key to be loaded by Explorer.exe on startup
            • Executes dropped EXE
            • Drops file in System32 directory
            • System Location Discovery: System Language Discovery
            • Modifies registry class
            • Suspicious use of WriteProcessMemory
            PID:3972
            • C:\Windows\SysWOW64\Dhocqigp.exe
              C:\Windows\system32\Dhocqigp.exe
              6⤵
              • Adds autorun key to be loaded by Explorer.exe on startup
              • Executes dropped EXE
              • Drops file in System32 directory
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              • Suspicious use of WriteProcessMemory
              PID:3024
              • C:\Windows\SysWOW64\Dknpmdfc.exe
                C:\Windows\system32\Dknpmdfc.exe
                7⤵
                • Adds autorun key to be loaded by Explorer.exe on startup
                • Executes dropped EXE
                • Drops file in System32 directory
                • System Location Discovery: System Language Discovery
                • Modifies registry class
                • Suspicious use of WriteProcessMemory
                PID:1224
                • C:\Windows\SysWOW64\Dmllipeg.exe
                  C:\Windows\system32\Dmllipeg.exe
                  8⤵
                  • Executes dropped EXE
                  • System Location Discovery: System Language Discovery
                  PID:2856
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -u -p 2856 -s 396
                    9⤵
                    • Program crash
                    PID:440
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2856 -ip 2856
    1⤵
      PID:2688

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Windows\SysWOW64\Daekdooc.exe
      Filesize

      136KB

      MD5

      1834128e4461a8b35ccdc660556a60e3

      SHA1

      27c996deef1d78232ffe9af6a18a40bb014f6f82

      SHA256

      9f8c74218ce6573052f760499c5960318751a12ffb1305ef84b360c5f1076aa3

      SHA512

      1eed28bd3e9af26f67674f2ad862fe045242de7fda8f093dd2727932980ad81199e981cea47f89434f480117a3bc3e866edd13fc3837c056f63af382c18ca9aa

      Download Submit

    • C:\Windows\SysWOW64\Deokon32.exe
      Filesize

      136KB

      MD5

      7f2d3bcecf6a9b9e434303cc893d0455

      SHA1

      fbcf581b03ce56af85e4c81fd9ebdc5512ef4ba8

      SHA256

      8c36d3209e3440429c32bd7fd7fcb1cdbbfc88dace7db00e0f466893e14fa43f

      SHA512

      7fbf0210c6e31a9f2d194bee3b1d5d7403ea98d26b893a129701ead87f1ac631e43ccf0378830ef46fd143f0ac4a520e9062ac4091b4f2c810c2e43915cafc7a

      Download Submit

    • C:\Windows\SysWOW64\Dhocqigp.exe
      Filesize

      136KB

      MD5

      b3d25758f3e6a6477952559848bffc06

      SHA1

      4d00539e15c27b2a3ee40aa2000354c554a19600

      SHA256

      9641be103ae16399a8ea3fbf11ff5a23f2da675f96675c46b4c983c13e9dbfcf

      SHA512

      9e7718c4037a72e66c6f17edd718521c58af7bb9aacf08c4c4d8664f4661c4b25f7a9079dbe2ede720cb6f1d9e2cbbd60ede23dd6dc27a27f33c8686b756f717

      Download Submit

    • C:\Windows\SysWOW64\Dkkcge32.exe
      Filesize

      136KB

      MD5

      827e3a1dea841c849259eaa1a82fd673

      SHA1

      4c339eda4ee47cf668ffda59bceaea3ae3e481d8

      SHA256

      fb30de815f02f892b3558bf6112ecbe60a1a334bc5ccaf47f523e162d4971f16

      SHA512

      294a7f77c5023da9cf9d37dce0a7bb34a4c6c151b0869009ba335a9111523ecdf227715a0261ee4f15296910f1259d01baabbae4b2b740500b57248d1319ece2

      Download Submit

    • C:\Windows\SysWOW64\Dknpmdfc.exe
      Filesize

      136KB

      MD5

      16e9a5e2c5ba2ee57a95889a35c800bc

      SHA1

      006c7101b238301a7a6f24f6a449c83d3f7fa3c4

      SHA256

      694cda93337cd740500df9ed06ec5f9317399050de50fc15be383039b7fe636d

      SHA512

      d9400962b6ce00cdb282bc4f8ef5b01dee7e508f58b64dbacf6809dc3c24d1c3910ce7d7105875e1af6bc400a56a4e3b451ace78caec0d49bc7508e0866e7ef3

      Download Submit

    • C:\Windows\SysWOW64\Dmgbnq32.exe
      Filesize

      136KB

      MD5

      15e5e64269e9c0de1b67adc8f407924a

      SHA1

      bb68a55f1f6c18e780f3736ccb40053ecd32dd81

      SHA256

      a8e6bcb507efd8aa50912415b2ae8ed1d4f0f6da41382faddc26995a77d8c115

      SHA512

      5b407f661d9329e4bd0d6f01fade82e2b31f47cb1903e5016fd7b86a7ae98c9a36e2051557f3b4693ab650229092dfc4896bdee7ffffa0c81e7e4f854c7f8a3c

      Download Submit

    • C:\Windows\SysWOW64\Dmllipeg.exe
      Filesize

      136KB

      MD5

      eeefcad7f8f79b8d5e8b14a258f36db9

      SHA1

      2ef6ee468969ebef204ff78ac2c4c34de2ed52bd

      SHA256

      9df049c7eae3623059e08f413aab6b048ceca7b5a3e7b36cb170be2151f811ae

      SHA512

      2f4cc223a3e8ef663a1d2731de95ff5b05c216ccf81ac1c61115eb4d741b5b1249248cf3d6efecabd74c92cadd3630f3025787fca27413942a56bf570dc7302b

      Download Submit

    • memory/1224-62-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/1224-48-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/2848-24-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/2848-67-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/2856-56-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/2856-59-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/3024-63-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/3024-40-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/3972-32-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/3972-65-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/4116-9-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/4116-71-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/4412-0-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/4412-73-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/4412-1-0x0000000000431000-0x0000000000432000-memory.dmp

      Filesize

      4KB

      Download

    • memory/5068-69-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/5068-17-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download