berbew | 5c36123ba64d0da237b6dc207613f1997dea23260746945cfddb26f9cf01b7d5

General

Target

5c36123ba64d0da237b6dc207613f1997dea23260746945cfddb26f9cf01b7d5.exe
Size

96KB
MD5

f6af899858cc960551e9995bc7b630bc
SHA1

1c4d2e3930df683f5246a6a7b784858af158d030
SHA256

5c36123ba64d0da237b6dc207613f1997dea23260746945cfddb26f9cf01b7d5
SHA512

820d325b1cb65a5ecd4a5694206704969be80b4acf5ce0bed9c636c5cdea9481d718e8b226e1106193f6ea350197a89473e5e1a6b2cac567e435bb7c1922a7e5
SSDEEP

1536:ZiHQSinmxLxd2xLq7106AlYIG5/jp34FOgJduV9jojTIvjr:ZsXxltI+Lp8Jd69jc0v

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

C2

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgfkmgnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cgfkmgnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Djdgic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dnpciaef.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegoqlof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	5c36123ba64d0da237b6dc207613f1997dea23260746945cfddb26f9cf01b7d5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cegoqlof.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djdgic32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dnpciaef.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	5c36123ba64d0da237b6dc207613f1997dea23260746945cfddb26f9cf01b7d5.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 5 IoCs

pid	Process
1376	Cegoqlof.exe
1732	Cgfkmgnj.exe
2804	Djdgic32.exe
2592	Dnpciaef.exe
2612	Dpapaj32.exe

Loads dropped DLL 13 IoCs

pid	Process
2088	5c36123ba64d0da237b6dc207613f1997dea23260746945cfddb26f9cf01b7d5.exe
2088	5c36123ba64d0da237b6dc207613f1997dea23260746945cfddb26f9cf01b7d5.exe
1376	Cegoqlof.exe
1376	Cegoqlof.exe
1732	Cgfkmgnj.exe
1732	Cgfkmgnj.exe
2804	Djdgic32.exe
2804	Djdgic32.exe
2592	Dnpciaef.exe
2592	Dnpciaef.exe
2864	WerFault.exe
2864	WerFault.exe
2864	WerFault.exe

Drops file in System32 directory 17 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe
File opened for modification	C:\Windows\SysWOW64\Cgfkmgnj.exe	Cegoqlof.exe
File opened for modification	C:\Windows\SysWOW64\Dnpciaef.exe	Djdgic32.exe
File created	C:\Windows\SysWOW64\Dpapaj32.exe	Dnpciaef.exe
File opened for modification	C:\Windows\SysWOW64\Djdgic32.exe	Cgfkmgnj.exe
File opened for modification	C:\Windows\SysWOW64\Dpapaj32.exe	Dnpciaef.exe
File created	C:\Windows\SysWOW64\Djdgic32.exe	Cgfkmgnj.exe
File created	C:\Windows\SysWOW64\Ccofjipn.dll	Cgfkmgnj.exe
File created	C:\Windows\SysWOW64\Dnpciaef.exe	Djdgic32.exe
File opened for modification	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe
File created	C:\Windows\SysWOW64\Cegoqlof.exe	5c36123ba64d0da237b6dc207613f1997dea23260746945cfddb26f9cf01b7d5.exe
File opened for modification	C:\Windows\SysWOW64\Cegoqlof.exe	5c36123ba64d0da237b6dc207613f1997dea23260746945cfddb26f9cf01b7d5.exe
File created	C:\Windows\SysWOW64\Cpmahlfd.dll	Cegoqlof.exe
File created	C:\Windows\SysWOW64\Pdkefp32.dll	Dnpciaef.exe
File created	C:\Windows\SysWOW64\Nloone32.dll	5c36123ba64d0da237b6dc207613f1997dea23260746945cfddb26f9cf01b7d5.exe
File created	C:\Windows\SysWOW64\Cgfkmgnj.exe	Cegoqlof.exe
File created	C:\Windows\SysWOW64\Pmiljc32.dll	Djdgic32.exe

Program crash 1 IoCs

pid	pid_target	Process
2864	2612	WerFault.exe

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5c36123ba64d0da237b6dc207613f1997dea23260746945cfddb26f9cf01b7d5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegoqlof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgfkmgnj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdgic32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dnpciaef.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpapaj32.exe

Modifies registry class 18 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpmahlfd.dll"	Cegoqlof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cgfkmgnj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Djdgic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdkefp32.dll"	Dnpciaef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nloone32.dll"	5c36123ba64d0da237b6dc207613f1997dea23260746945cfddb26f9cf01b7d5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	5c36123ba64d0da237b6dc207613f1997dea23260746945cfddb26f9cf01b7d5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	5c36123ba64d0da237b6dc207613f1997dea23260746945cfddb26f9cf01b7d5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cegoqlof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cgfkmgnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccofjipn.dll"	Cgfkmgnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmiljc32.dll"	Djdgic32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	5c36123ba64d0da237b6dc207613f1997dea23260746945cfddb26f9cf01b7d5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	5c36123ba64d0da237b6dc207613f1997dea23260746945cfddb26f9cf01b7d5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cegoqlof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Djdgic32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dnpciaef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dnpciaef.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	5c36123ba64d0da237b6dc207613f1997dea23260746945cfddb26f9cf01b7d5.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2088 wrote to memory of 1376	2088	5c36123ba64d0da237b6dc207613f1997dea23260746945cfddb26f9cf01b7d5.exe	31
PID 2088 wrote to memory of 1376	2088	5c36123ba64d0da237b6dc207613f1997dea23260746945cfddb26f9cf01b7d5.exe	31
PID 2088 wrote to memory of 1376	2088	5c36123ba64d0da237b6dc207613f1997dea23260746945cfddb26f9cf01b7d5.exe	31
PID 2088 wrote to memory of 1376	2088	5c36123ba64d0da237b6dc207613f1997dea23260746945cfddb26f9cf01b7d5.exe	31
PID 1376 wrote to memory of 1732	1376	Cegoqlof.exe	32
PID 1376 wrote to memory of 1732	1376	Cegoqlof.exe	32
PID 1376 wrote to memory of 1732	1376	Cegoqlof.exe	32
PID 1376 wrote to memory of 1732	1376	Cegoqlof.exe	32
PID 1732 wrote to memory of 2804	1732	Cgfkmgnj.exe	33
PID 1732 wrote to memory of 2804	1732	Cgfkmgnj.exe	33
PID 1732 wrote to memory of 2804	1732	Cgfkmgnj.exe	33
PID 1732 wrote to memory of 2804	1732	Cgfkmgnj.exe	33
PID 2804 wrote to memory of 2592	2804	Djdgic32.exe	34
PID 2804 wrote to memory of 2592	2804	Djdgic32.exe	34
PID 2804 wrote to memory of 2592	2804	Djdgic32.exe	34
PID 2804 wrote to memory of 2592	2804	Djdgic32.exe	34
PID 2592 wrote to memory of 2612	2592	Dnpciaef.exe	35
PID 2592 wrote to memory of 2612	2592	Dnpciaef.exe	35
PID 2592 wrote to memory of 2612	2592	Dnpciaef.exe	35
PID 2592 wrote to memory of 2612	2592	Dnpciaef.exe	35
PID 2612 wrote to memory of 2864	2612	Dpapaj32.exe	36
PID 2612 wrote to memory of 2864	2612	Dpapaj32.exe	36
PID 2612 wrote to memory of 2864	2612	Dpapaj32.exe	36
PID 2612 wrote to memory of 2864	2612	Dpapaj32.exe	36

C:\Users\Admin\AppData\Local\Temp\5c36123ba64d0da237b6dc207613f1997dea23260746945cfddb26f9cf01b7d5.exe
"C:\Users\Admin\AppData\Local\Temp\5c36123ba64d0da237b6dc207613f1997dea23260746945cfddb26f9cf01b7d5.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2088
- C:\Windows\SysWOW64\Cegoqlof.exe
  C:\Windows\system32\Cegoqlof.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1376
- - C:\Windows\SysWOW64\Cgfkmgnj.exe
    C:\Windows\system32\Cgfkmgnj.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1732
  - - C:\Windows\SysWOW64\Djdgic32.exe
      C:\Windows\system32\Djdgic32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2804
    - - C:\Windows\SysWOW64\Dnpciaef.exe
        
        C:\Windows\system32\Dnpciaef.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2592
      - C:\Windows\SysWOW64\Dpapaj32.exe
        
        C:\Windows\system32\Dpapaj32.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2612
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2612 -s 144
        7⤵
        Loads dropped DLL
        Program crash
        
        PID:2864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Cgfkmgnj.exe

Filesize
96KB

MD5
8d0f7a51d3ea9dcc968f45fbf6fd108e

SHA1
07d6d79923c00a3c53259ab7d244b24b6c076907

SHA256
d88296ada8d581c57db4384e9c1db7b9029f78415b0a1927d2ae928df9fad2f7

SHA512
94a2e5d6b105a98087b849f4e72cd7b9063a43cae3a53bfb78ad850273000abaef7704ee57f002a67a3b0d34dcab8458b55cd1b849c047f3cbe202b82bd6726b

Download Submit
C:\Windows\SysWOW64\Dnpciaef.exe

Filesize
96KB

MD5
8b756e2ce98881b5bbc42df390f2eaeb

SHA1
9f9ae3d9aa77662b612d74e4379ed91035789d14

SHA256
ac9131e0cbf7d94c77b1f1551ee5b9e0d7bad5cfc1afcb4c8899c0b3fdc13151

SHA512
45b24475d7ceb0c98a6bcb7136071cc6cb85b8ad7ac0afbfaacdc69867a26c862c34aa312a7fc0be71b907e3e45a0235e2c9c3e3cb5976376bbfdaa81b4206d1

Download Submit
C:\Windows\SysWOW64\Pdkefp32.dll

Filesize
7KB

MD5
71dd60db071c86e07af5d054dfc05c92

SHA1
bf0fd30585ca8cece58d71c85073ea84b9bde0df

SHA256
079a646d0f5ea406dce332e1cb2915956e4f0799e944839525b75ccf2149374a

SHA512
b2f3bd296201b5189745fb106005db2eb7d3c649d0243942b749085d1483c709180a15d945f2e4f27b11ed300753cc3be759cbc3e0712654802155c732e87617

Download Submit
\Windows\SysWOW64\Cegoqlof.exe

Filesize
96KB

MD5
fc4b8e93bb81b683509ec2f3e6f4e133

SHA1
bef766fa4b7ed50a395ec2b65bd2a73e2807d4db

SHA256
f3382521fc88ebc84bee554fe3386d7b033a4fe41963304964b370bc5b782843

SHA512
d207aec783150847e9e3086f0e322ec5932d5e728e0d4dca9f6427debcc1e8e71f88a8e33d4de65df0b132d0bd47e5d97f3de2b058c508477545b1ef831d9e75

Download Submit
\Windows\SysWOW64\Djdgic32.exe

Filesize
96KB

MD5
30d957b2f0a55afb9ae2bafec9d6f604

SHA1
8fedfba7e145bcc2181e9981b6be76b61015e1e6

SHA256
8652e389c17cc36c3b3755a3ed4a9a277f1816d5aefc8c3d6570c0dfa0cc9b46

SHA512
f18b1f79fcbb29f68edf5fdfb2e2e6839cfd36e5e49abeceee5111cc9228575eeb0c02e1159072270af84af6a32017271e2142340eda381c69107102583c8ebf

Download Submit
\Windows\SysWOW64\Dpapaj32.exe

Filesize
96KB

MD5
0925f767c79fa218e2468939ed6fa534

SHA1
b5d5cf31a98be2f440bf15ec2dcdfa147eb39648

SHA256
2bbd7dd136fa18b0bb46dd64c8d3d0ba5bcc41d9435ce70c83e355c8754fad91

SHA512
30407a9da4ae267211cf3381763b6e18c82a74b0fd96f2101295494e3cc2ba617e5e3188c2dc81a080e9cc0f56a4077a48815f366c7778e22473b4f8ad8d64cc

Download Submit
memory/1376-14-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1376-77-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1732-27-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1732-34-0x0000000000620000-0x0000000000662000-memory.dmp

Filesize
264KB

Download
memory/1732-76-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2088-79-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2088-13-0x0000000000290000-0x00000000002D2000-memory.dmp

Filesize
264KB

Download
memory/2088-12-0x0000000000290000-0x00000000002D2000-memory.dmp

Filesize
264KB

Download
memory/2088-0-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2592-75-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2592-65-0x0000000000340000-0x0000000000382000-memory.dmp

Filesize
264KB

Download
memory/2612-74-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2612-67-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2804-78-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2804-48-0x0000000000250000-0x0000000000292000-memory.dmp

Filesize
264KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads