berbew | 01dad189e578b258d4496500b273466384c1694d4856dc914b080be513598092

General

Target

01dad189e578b258d4496500b273466384c1694d4856dc914b080be513598092.exe
Size

305KB
MD5

49b050a937c84a64241269310f85324f
SHA1

0a27d77d22e66bd153e1ac5dd9d395c78ecf9632
SHA256

01dad189e578b258d4496500b273466384c1694d4856dc914b080be513598092
SHA512

3a56492926c5f902e57a45e229b6ce60fe436142e4ca13b2d496cc31c3037f8be8d8bc209ef181462386d6e0656b62adaa445cee21aec9499cd4dbbd317bed09
SSDEEP

6144:IdWoxM2YNxunXe8yhrtMsQBvli+RQFdq:JoxMfvAO8qRMsrOQF

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

C2

http://viruslist.com/wcmd.txt

http://viruslist.com/ppslog.php

http://viruslist.com/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ncpcfkbg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	01dad189e578b258d4496500b273466384c1694d4856dc914b080be513598092.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	01dad189e578b258d4496500b273466384c1694d4856dc914b080be513598092.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npagjpcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Npagjpcd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncpcfkbg.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 3 IoCs

pid	Process
2936	Npagjpcd.exe
2596	Ncpcfkbg.exe
2584	Nlhgoqhh.exe

Loads dropped DLL 10 IoCs

pid	Process
2724	01dad189e578b258d4496500b273466384c1694d4856dc914b080be513598092.exe
2724	01dad189e578b258d4496500b273466384c1694d4856dc914b080be513598092.exe
2936	Npagjpcd.exe
2936	Npagjpcd.exe
2596	Ncpcfkbg.exe
2596	Ncpcfkbg.exe
3012	WerFault.exe
3012	WerFault.exe
3012	WerFault.exe
3012	WerFault.exe

Drops file in System32 directory 9 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Npagjpcd.exe	01dad189e578b258d4496500b273466384c1694d4856dc914b080be513598092.exe
File created	C:\Windows\SysWOW64\Mahqjm32.dll	01dad189e578b258d4496500b273466384c1694d4856dc914b080be513598092.exe
File created	C:\Windows\SysWOW64\Pfdmil32.dll	Npagjpcd.exe
File created	C:\Windows\SysWOW64\Nlhgoqhh.exe	Ncpcfkbg.exe
File opened for modification	C:\Windows\SysWOW64\Npagjpcd.exe	01dad189e578b258d4496500b273466384c1694d4856dc914b080be513598092.exe
File created	C:\Windows\SysWOW64\Ncpcfkbg.exe	Npagjpcd.exe
File opened for modification	C:\Windows\SysWOW64\Ncpcfkbg.exe	Npagjpcd.exe
File opened for modification	C:\Windows\SysWOW64\Nlhgoqhh.exe	Ncpcfkbg.exe
File created	C:\Windows\SysWOW64\Lamajm32.dll	Ncpcfkbg.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3012	2584	WerFault.exe	32

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlhgoqhh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	01dad189e578b258d4496500b273466384c1694d4856dc914b080be513598092.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npagjpcd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncpcfkbg.exe

Modifies registry class 12 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lamajm32.dll"	Ncpcfkbg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	01dad189e578b258d4496500b273466384c1694d4856dc914b080be513598092.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	01dad189e578b258d4496500b273466384c1694d4856dc914b080be513598092.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Npagjpcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfdmil32.dll"	Npagjpcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ncpcfkbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ncpcfkbg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	01dad189e578b258d4496500b273466384c1694d4856dc914b080be513598092.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	01dad189e578b258d4496500b273466384c1694d4856dc914b080be513598092.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mahqjm32.dll"	01dad189e578b258d4496500b273466384c1694d4856dc914b080be513598092.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	01dad189e578b258d4496500b273466384c1694d4856dc914b080be513598092.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Npagjpcd.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2724 wrote to memory of 2936	2724	01dad189e578b258d4496500b273466384c1694d4856dc914b080be513598092.exe	30
PID 2724 wrote to memory of 2936	2724	01dad189e578b258d4496500b273466384c1694d4856dc914b080be513598092.exe	30
PID 2724 wrote to memory of 2936	2724	01dad189e578b258d4496500b273466384c1694d4856dc914b080be513598092.exe	30
PID 2724 wrote to memory of 2936	2724	01dad189e578b258d4496500b273466384c1694d4856dc914b080be513598092.exe	30
PID 2936 wrote to memory of 2596	2936	Npagjpcd.exe	31
PID 2936 wrote to memory of 2596	2936	Npagjpcd.exe	31
PID 2936 wrote to memory of 2596	2936	Npagjpcd.exe	31
PID 2936 wrote to memory of 2596	2936	Npagjpcd.exe	31
PID 2596 wrote to memory of 2584	2596	Ncpcfkbg.exe	32
PID 2596 wrote to memory of 2584	2596	Ncpcfkbg.exe	32
PID 2596 wrote to memory of 2584	2596	Ncpcfkbg.exe	32
PID 2596 wrote to memory of 2584	2596	Ncpcfkbg.exe	32
PID 2584 wrote to memory of 3012	2584	Nlhgoqhh.exe	33
PID 2584 wrote to memory of 3012	2584	Nlhgoqhh.exe	33
PID 2584 wrote to memory of 3012	2584	Nlhgoqhh.exe	33
PID 2584 wrote to memory of 3012	2584	Nlhgoqhh.exe	33

C:\Users\Admin\AppData\Local\Temp\01dad189e578b258d4496500b273466384c1694d4856dc914b080be513598092.exe
"C:\Users\Admin\AppData\Local\Temp\01dad189e578b258d4496500b273466384c1694d4856dc914b080be513598092.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2724
- C:\Windows\SysWOW64\Npagjpcd.exe
  C:\Windows\system32\Npagjpcd.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2936
- - C:\Windows\SysWOW64\Ncpcfkbg.exe
    C:\Windows\system32\Ncpcfkbg.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2596
  - - C:\Windows\SysWOW64\Nlhgoqhh.exe
      C:\Windows\system32\Nlhgoqhh.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2584
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2584 -s 140
        5⤵
        Loads dropped DLL
        Program crash
        
        PID:3012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Npagjpcd.exe

Filesize
305KB

MD5
fe64329e7df4a5a478b102bfd20df5a5

SHA1
e02d59bf0e8d12ed2f92378f922668f3354483dc

SHA256
652dd0a07dcf3d3d4a4f355606ef9775ac32a59630c6904f998d3d3aee41e113

SHA512
de34df8cd8ce651c90fc0f59c397a2ae1dcf2e9ddd3e1f26bf9378ae0c157d2f09b9b4521d3c1d317e076fb5771159af4fb098592e7331385c2a65c05d92984d

Download Submit
\Windows\SysWOW64\Ncpcfkbg.exe

Filesize
305KB

MD5
3e5670771958d76f9ba579140f47d9f8

SHA1
a38a3747b912b64052436083a210d8ac0422dda1

SHA256
ad4a0f18e9c30b60b47b99926994ffbb2f1f22600d72ae8be86373a789ca62e6

SHA512
7f42a90ee48abba36024aa09215856445dfcba4d67591a1b511143c2cd7052b0ec6ca2064130f2ab0f2da14fd543a568e90c868e52e0057bf7f1599beb2b591a

Download Submit
\Windows\SysWOW64\Nlhgoqhh.exe

Filesize
305KB

MD5
20e2a10394bd0c2b4e8adff0f0e5762d

SHA1
fc7df834b24e11db995453135262d4df56639a07

SHA256
9ece995bc1d059e8f2a73a369e3561b01f83fd5eaa774f505850e1ac5a297047

SHA512
a644ad67525e69c30105f54c89f4d1618857153bb6a788b08286b35cd8bae5f5ff3b42a7fa2458d5583d52f54ac9787f891206e08a743e1f520959d3fc40ad9e

Download Submit
memory/2584-48-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2596-28-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2596-35-0x0000000001FD0000-0x0000000002013000-memory.dmp

Filesize
268KB

Download
memory/2596-47-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2724-17-0x0000000000250000-0x0000000000293000-memory.dmp

Filesize
268KB

Download
memory/2724-12-0x0000000000250000-0x0000000000293000-memory.dmp

Filesize
268KB

Download
memory/2724-0-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2724-46-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2936-19-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2936-22-0x0000000000250000-0x0000000000293000-memory.dmp

Filesize
268KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads