berbew | a79e7f993e43a34ea719f086fbf689d1976c4bda22a173bf01a80a243ea59a3f

General

Target

a79e7f993e43a34ea719f086fbf689d1976c4bda22a173bf01a80a243ea59a3f.exe
Size

148KB
MD5

b71d9c898514c981d1b631582e7274ad
SHA1

f7cffd34b51fa72f94d2f243472e6448ec653429
SHA256

a79e7f993e43a34ea719f086fbf689d1976c4bda22a173bf01a80a243ea59a3f
SHA512

f5d640ecb83990c34ea59c087c5813626800bbb3af0f53b00ca2ef34636da698d03ce4515cdf482e24ca1733c713483da01f3a915c48a31f25352ef86be6230c
SSDEEP

3072:USXFRj8IBsV+SVnY5OdzOdjKtlDoNQQ9wlHOdj+UCRQKOdj+U:US7vwnKOdzOdkOdezOd

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

C2

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	a79e7f993e43a34ea719f086fbf689d1976c4bda22a173bf01a80a243ea59a3f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	a79e7f993e43a34ea719f086fbf689d1976c4bda22a173bf01a80a243ea59a3f.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dknpmdfc.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 3 IoCs

pid	Process
980	Dhocqigp.exe
2200	Dknpmdfc.exe
4020	Dmllipeg.exe

Drops file in System32 directory 9 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Dhocqigp.exe	a79e7f993e43a34ea719f086fbf689d1976c4bda22a173bf01a80a243ea59a3f.exe
File opened for modification	C:\Windows\SysWOW64\Dhocqigp.exe	a79e7f993e43a34ea719f086fbf689d1976c4bda22a173bf01a80a243ea59a3f.exe
File created	C:\Windows\SysWOW64\Elkadb32.dll	a79e7f993e43a34ea719f086fbf689d1976c4bda22a173bf01a80a243ea59a3f.exe
File opened for modification	C:\Windows\SysWOW64\Dknpmdfc.exe	Dhocqigp.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Dknpmdfc.exe	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Nokpao32.dll	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dknpmdfc.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4536	4020	WerFault.exe	86

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a79e7f993e43a34ea719f086fbf689d1976c4bda22a173bf01a80a243ea59a3f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe

Modifies registry class 12 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	a79e7f993e43a34ea719f086fbf689d1976c4bda22a173bf01a80a243ea59a3f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	a79e7f993e43a34ea719f086fbf689d1976c4bda22a173bf01a80a243ea59a3f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokpao32.dll"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	a79e7f993e43a34ea719f086fbf689d1976c4bda22a173bf01a80a243ea59a3f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	a79e7f993e43a34ea719f086fbf689d1976c4bda22a173bf01a80a243ea59a3f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elkadb32.dll"	a79e7f993e43a34ea719f086fbf689d1976c4bda22a173bf01a80a243ea59a3f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	a79e7f993e43a34ea719f086fbf689d1976c4bda22a173bf01a80a243ea59a3f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dknpmdfc.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3108 wrote to memory of 980	3108	a79e7f993e43a34ea719f086fbf689d1976c4bda22a173bf01a80a243ea59a3f.exe	83
PID 3108 wrote to memory of 980	3108	a79e7f993e43a34ea719f086fbf689d1976c4bda22a173bf01a80a243ea59a3f.exe	83
PID 3108 wrote to memory of 980	3108	a79e7f993e43a34ea719f086fbf689d1976c4bda22a173bf01a80a243ea59a3f.exe	83
PID 980 wrote to memory of 2200	980	Dhocqigp.exe	85
PID 980 wrote to memory of 2200	980	Dhocqigp.exe	85
PID 980 wrote to memory of 2200	980	Dhocqigp.exe	85
PID 2200 wrote to memory of 4020	2200	Dknpmdfc.exe	86
PID 2200 wrote to memory of 4020	2200	Dknpmdfc.exe	86
PID 2200 wrote to memory of 4020	2200	Dknpmdfc.exe	86

C:\Users\Admin\AppData\Local\Temp\a79e7f993e43a34ea719f086fbf689d1976c4bda22a173bf01a80a243ea59a3f.exe
"C:\Users\Admin\AppData\Local\Temp\a79e7f993e43a34ea719f086fbf689d1976c4bda22a173bf01a80a243ea59a3f.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3108
- C:\Windows\SysWOW64\Dhocqigp.exe
  C:\Windows\system32\Dhocqigp.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:980
- - C:\Windows\SysWOW64\Dknpmdfc.exe
    C:\Windows\system32\Dknpmdfc.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2200
  - - C:\Windows\SysWOW64\Dmllipeg.exe
      C:\Windows\system32\Dmllipeg.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4020
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4020 -s 396
        5⤵
        Program crash
        
        PID:4536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4020 -ip 4020
1⤵
PID:4504

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Dhocqigp.exe

Filesize
148KB

MD5
c334343d7109a4a8c98f729f0c2a940b

SHA1
9113a4223c4e9a7453470c5fcd3915991cb866cb

SHA256
d2f1b5df04581af801fd6339fbc49861b74a10fee66bbc78425f2a684314f03d

SHA512
7dcd108b1501eae7c9d185bc359e560289c0b4aef1965435488d337fd1a2bbca45557816a5b378176158bdf9765791ff00fc2952a2108ce7e45cc8859e843752

Download Submit
C:\Windows\SysWOW64\Dknpmdfc.exe

Filesize
148KB

MD5
e1aa990d0c3c2d49b754a83be5c0f302

SHA1
dcdefe197405cf665548c1ca9f4f6ae842192f0d

SHA256
841bc1d668d3b7afd44875b3d1e7c9771dcd926640fb239d5b9dca9ac8c97395

SHA512
57aef30299ef625e59ec0c0a700ecaf47526e924736968ed46c1fb55d34c85ec2912106ae77fb3fee0613c30792c7df7a35f0c642286b6be5b1d386d3ddcf4ce

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
148KB

MD5
cf711d648779bb6d92fe312a7e964013

SHA1
830a280459880dd3da86f3f6e633f47660762e82

SHA256
d66de91c112c0279726b827766692525c05c758cfde8805020856ad5116063e1

SHA512
3a2bf05963e9af5f963c81aeb0f7339e6ad2a0adfec44e0929af5e81070319ef6a10fcd259ee3663cc3f7479a8a6fd88f5cf9d55d039cd03d67f80cab46ae08c

Download Submit
memory/980-9-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/980-32-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2200-18-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2200-29-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/3108-0-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/3108-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/3108-33-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4020-25-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4020-28-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads