Overview

overview

10

Static

static

3

6fddd08fb6...63.exe

windows7-x64

10

6fddd08fb6...63.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13/10/2024, 23:29

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    6fddd08fb6867db8ee3519a48544f90c7776bf9df60612e651997b8e35d22163.exe

  • Size

    391KB

  • MD5

    ae8d748d66b0870dce99ffd5a227fc6a

  • SHA1

    e9f1fbb8692973135188256ebaac8bc28efb2595

  • SHA256

    6fddd08fb6867db8ee3519a48544f90c7776bf9df60612e651997b8e35d22163

  • SHA512

    4e059aede450a2997bcfa669cbdd5c8599a22797a6d8a601749d4f19d5fc9aa8e28a33bea6801e6b4b3216b4969a85d1dd7eaabd835f415b77ea44cde30bb467

  • SSDEEP

    12288:KF8myxZvT9XvEhdfJkKSkU3kHyuaRB5t6k0IJogZ+SZE:KF8myX79XvEhdfJkKSkU3kHyuaRB5t6f

Score
10/10
berbewbackdoordiscoverypersistence

Malware Config

Extracted

Family

berbew

C2

http://viruslist.com/wcmd.txt

http://viruslist.com/ppslog.php

http://viruslist.com/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

  • Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 14 IoCs
    persistence
  • Berbew

    Berbew is a backdoor written in C++.

    backdoorberbew
  • Executes dropped EXE 7 IoCs
  • Drops file in System32 directory 21 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 24 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6fddd08fb6867db8ee3519a48544f90c7776bf9df60612e651997b8e35d22163.exe
    "C:\Users\Admin\AppData\Local\Temp\6fddd08fb6867db8ee3519a48544f90c7776bf9df60612e651997b8e35d22163.exe"
    1⤵
    • Adds autorun key to be loaded by Explorer.exe on startup
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4568
    • C:\Windows\SysWOW64\Djgjlelk.exe
      C:\Windows\system32\Djgjlelk.exe
      2⤵
      • Adds autorun key to be loaded by Explorer.exe on startup
      • Executes dropped EXE
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:4980
      • C:\Windows\SysWOW64\Delnin32.exe
        C:\Windows\system32\Delnin32.exe
        3⤵
        • Adds autorun key to be loaded by Explorer.exe on startup
        • Executes dropped EXE
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:3572
        • C:\Windows\SysWOW64\Dkifae32.exe
          C:\Windows\system32\Dkifae32.exe
          4⤵
          • Adds autorun key to be loaded by Explorer.exe on startup
          • Executes dropped EXE
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          • Suspicious use of WriteProcessMemory
          PID:5032
          • C:\Windows\SysWOW64\Ddakjkqi.exe
            C:\Windows\system32\Ddakjkqi.exe
            5⤵
            • Adds autorun key to be loaded by Explorer.exe on startup
            • Executes dropped EXE
            • Drops file in System32 directory
            • System Location Discovery: System Language Discovery
            • Modifies registry class
            • Suspicious use of WriteProcessMemory
            PID:4052
            • C:\Windows\SysWOW64\Dkkcge32.exe
              C:\Windows\system32\Dkkcge32.exe
              6⤵
              • Adds autorun key to be loaded by Explorer.exe on startup
              • Executes dropped EXE
              • Drops file in System32 directory
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              • Suspicious use of WriteProcessMemory
              PID:4800
              • C:\Windows\SysWOW64\Dddhpjof.exe
                C:\Windows\system32\Dddhpjof.exe
                7⤵
                • Adds autorun key to be loaded by Explorer.exe on startup
                • Executes dropped EXE
                • Drops file in System32 directory
                • System Location Discovery: System Language Discovery
                • Modifies registry class
                • Suspicious use of WriteProcessMemory
                PID:1744
                • C:\Windows\SysWOW64\Dmllipeg.exe
                  C:\Windows\system32\Dmllipeg.exe
                  8⤵
                  • Executes dropped EXE
                  • System Location Discovery: System Language Discovery
                  PID:628
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -u -p 628 -s 408
                    9⤵
                    • Program crash
                    PID:4204
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 628 -ip 628
    1⤵
      PID:4020

    Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Windows\SysWOW64\Ddakjkqi.exe
            Filesize

            391KB

            MD5

            8056ca14e6d465f82042fa8e127c02f9

            SHA1

            2685793460f6f00516dbc388aaa3495979f14169

            SHA256

            c9aeb8deff481f1c13bc4a43726e0660710ad1e581e4c0a4192a416f3723d325

            SHA512

            143712400d14b5739f2d7ea1f80c832c1b31ba6fdcb94c7c635b27e7af6768334fe5b2b1b6d2bf3ff6240fa00151252f55d93aaade81b087c3a57648aaaee8c5

            Download Submit

          • C:\Windows\SysWOW64\Ddakjkqi.exe
            Filesize

            391KB

            MD5

            6fc0f9ed9bed8934033fae1b82738be7

            SHA1

            a19a6f0e1d69e1599216e2f4402c611baf442992

            SHA256

            458cf9ab4ca2ecd57638b52a3ad79e1347b395dc6e66cbacbcfc7f571c52822f

            SHA512

            e561f75be87604578452fcee02f8de9b8a3e63296dfc559e138b5e787738be3e9d3c165aabf5cd2423bfd2fa46460c0d615f4348b104a4fb833f03e3b57caf67

            Download Submit

          • C:\Windows\SysWOW64\Dddhpjof.exe
            Filesize

            192KB

            MD5

            7bc12d402622f8ee2f3d5a37fe760593

            SHA1

            02831827fb9450a44858908017e960fb17321296

            SHA256

            dbbb9a5477bc9b9db0009dcbf1c18e6b35c666ebef7967caea6a7f2c8e483199

            SHA512

            338120eeb9e93292be36577cda5c753ce47313e2a02e64e76d40e005b558d125ca0670ef70ee77829a998d25bfb0d1f5a27dde8ce7044963fb117399c72d81f5

            Download Submit

          • C:\Windows\SysWOW64\Dddhpjof.exe
            Filesize

            391KB

            MD5

            d52555295083f06f4a11656d32072da2

            SHA1

            a93d905e52fa4d1caafe7a5f178fe6c794e8170e

            SHA256

            8d9028c96e01296c1f8d0880a49898f916f5313b0edcc8ffe086920019f82c5e

            SHA512

            a6c33a8c586570a60b27ad4c42c442caed3203d7556abe533c5ea680a8dbcc886a59886408413d55bcf4570e0821a757d6e9447f3dd9a82bc0e5147bfbde6416

            Download Submit

          • C:\Windows\SysWOW64\Delnin32.exe
            Filesize

            391KB

            MD5

            3993b7a64c34e4ecfa60a1f432e50afe

            SHA1

            b4140005d260cb0d1d06dea0ed37a844eba3b4f1

            SHA256

            57a7ad111a6cdf8f9516b3d79fdc4be6df88fdd3aaf6578afdf1ef9f3b041b2e

            SHA512

            ada5449093a022835776f0a8b988f05851d2ad25f34c61b70ac89f40b7001be19d90d6777fab1089bbe4c0af2bf9242d534f34a564ba650391160f6c229f613a

            Download Submit

          • C:\Windows\SysWOW64\Djgjlelk.exe
            Filesize

            391KB

            MD5

            915da34e187204feb60a31c3f6e23fec

            SHA1

            77677687ba78114f16f19369ec5cf39cd4e6abb7

            SHA256

            7c1308d1b61ac9a8643f36ac01237cde89bf2f65f205a39fb8830bee3a0cd1a7

            SHA512

            384fd4228862236691d715b08f5f4830965b9c8f49fac1effd25acff605a12f4ae1dd7f1bd1175c8290591308aa508a4e54f58092b6b285b944aaf8fee68b753

            Download Submit

          • C:\Windows\SysWOW64\Dkifae32.exe
            Filesize

            391KB

            MD5

            8762b166bc9a15225b3011e69e67900b

            SHA1

            128488163cb68809a09cecde937f27b3ea26de4e

            SHA256

            814302cce186cd1a7a2959a2b1cf6fc19c64d27972b6ec07ee8c19d7bc73a9cb

            SHA512

            e647df3015c8abf91369cc5696397143ba7c95c8d1f11f671fa092c886b9ec2fd7fb15d3c0c95bc838070b9e65fd2a8fe1bcaed4f18d2940fc4c41c88bdf0047

            Download Submit

          • C:\Windows\SysWOW64\Dkkcge32.exe
            Filesize

            391KB

            MD5

            a739491ff0e104c9358fd0477b966a67

            SHA1

            d6329c979b42399976704cf5be1f7175d1c7cf47

            SHA256

            1dd89afb5a5ff5d31fb64bcef4ca8ab74f86163fd3bfbe3e598b529b7e212074

            SHA512

            57114e57153fba1fe5c8f178d90b21a0f57abb7e5f0e39c187a7faad818b3a3de76aaab4666a111cd1ccfc3f5a911febad0596ecb62b20e543cfe6633580994b

            Download Submit

          • C:\Windows\SysWOW64\Dmllipeg.exe
            Filesize

            391KB

            MD5

            9d7f1f0fd11aa21729a7072effd57598

            SHA1

            8e84dd3d5cbd98614fb29447c253f197b95ad364

            SHA256

            6d53f1a749f4ab230c2da0791f23637c1ed2761a69c97608ac23dae3997f3d99

            SHA512

            2da94f8d32e191faf97947afd98209b6a8d589b77dbe2af53f13b7bbacbea5723002829f0da1ad0b778ec5bd1b1aa845fcf647eeceb30fb9b326f7bda5ad01c1

            Download Submit

          • C:\Windows\SysWOW64\Jcbdhp32.dll
            Filesize

            7KB

            MD5

            ea653277c7fcf80820eeab446fd685a6

            SHA1

            a7bc4116dec01a7e1357c25e18db46b025cf5001

            SHA256

            502d101d7bd85a62587f9e1d68b1e7833e93ca15d1586686ba08d4eee7c1868c

            SHA512

            10f987862d9d669b770f3a507bfda8012d5f3ebe25aaebb15c9b7d0f50ce4a61d4f3895c35cdda2736200564605076aa0c44d834420e214abe0570f126d9234a

            Download Submit

          • memory/628-56-0x0000000000400000-0x0000000000434000-memory.dmp

            Filesize

            208KB

            Download

          • memory/628-57-0x0000000000400000-0x0000000000434000-memory.dmp

            Filesize

            208KB

            Download

          • memory/1744-58-0x0000000000400000-0x0000000000434000-memory.dmp

            Filesize

            208KB

            Download

          • memory/1744-47-0x0000000000400000-0x0000000000434000-memory.dmp

            Filesize

            208KB

            Download

          • memory/3572-63-0x0000000000400000-0x0000000000434000-memory.dmp

            Filesize

            208KB

            Download

          • memory/3572-16-0x0000000000400000-0x0000000000434000-memory.dmp

            Filesize

            208KB

            Download

          • memory/4052-31-0x0000000000400000-0x0000000000434000-memory.dmp

            Filesize

            208KB

            Download

          • memory/4052-61-0x0000000000400000-0x0000000000434000-memory.dmp

            Filesize

            208KB

            Download

          • memory/4568-0-0x0000000000400000-0x0000000000434000-memory.dmp

            Filesize

            208KB

            Download

          • memory/4568-64-0x0000000000400000-0x0000000000434000-memory.dmp

            Filesize

            208KB

            Download

          • memory/4800-39-0x0000000000400000-0x0000000000434000-memory.dmp

            Filesize

            208KB

            Download

          • memory/4800-59-0x0000000000400000-0x0000000000434000-memory.dmp

            Filesize

            208KB

            Download

          • memory/4980-62-0x0000000000400000-0x0000000000434000-memory.dmp

            Filesize

            208KB

            Download

          • memory/4980-7-0x0000000000400000-0x0000000000434000-memory.dmp

            Filesize

            208KB

            Download

          • memory/5032-60-0x0000000000400000-0x0000000000434000-memory.dmp

            Filesize

            208KB

            Download

          • memory/5032-23-0x0000000000400000-0x0000000000434000-memory.dmp

            Filesize

            208KB

            Download