berbew | 5dba93aeb810e2519eee8e111e6edf5e07f6dbdfd4e74a59f97379934fe92f70

General

Target

5dba93aeb810e2519eee8e111e6edf5e07f6dbdfd4e74a59f97379934fe92f70N.exe
Size

59KB
MD5

620b7d75fc1a0f2071369a44dc1cb7c0
SHA1

f7e70312ed796671e25083ef7c41b5b7ac7acafe
SHA256

5dba93aeb810e2519eee8e111e6edf5e07f6dbdfd4e74a59f97379934fe92f70
SHA512

138685e5786054fabcf586cd814c242335b599daadfea079b20eccb706510d5a8bb67158c6a3b548e957448f3ba32d6d23cda40d8ab6cbd9b42ac089e6319a91
SSDEEP

1536:Gr6sMzqQSqCDkl/OiWq8r4UJ7YnR5NCyVs:u6hz9OS/OiEr4TKes

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

C2

http://tat-neftbank.ru/kkq.php

http://tat-neftbank.ru/wcmd.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	5dba93aeb810e2519eee8e111e6edf5e07f6dbdfd4e74a59f97379934fe92f70N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	5dba93aeb810e2519eee8e111e6edf5e07f6dbdfd4e74a59f97379934fe92f70N.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oheppe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oheppe32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 2 IoCs

pid	Process
1760	Oheppe32.exe
2192	Ockdmn32.exe

Loads dropped DLL 8 IoCs

pid	Process
2296	5dba93aeb810e2519eee8e111e6edf5e07f6dbdfd4e74a59f97379934fe92f70N.exe
2296	5dba93aeb810e2519eee8e111e6edf5e07f6dbdfd4e74a59f97379934fe92f70N.exe
1760	Oheppe32.exe
1760	Oheppe32.exe
2948	WerFault.exe
2948	WerFault.exe
2948	WerFault.exe
2948	WerFault.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Oheppe32.exe	5dba93aeb810e2519eee8e111e6edf5e07f6dbdfd4e74a59f97379934fe92f70N.exe
File opened for modification	C:\Windows\SysWOW64\Oheppe32.exe	5dba93aeb810e2519eee8e111e6edf5e07f6dbdfd4e74a59f97379934fe92f70N.exe
File created	C:\Windows\SysWOW64\Fapapi32.dll	5dba93aeb810e2519eee8e111e6edf5e07f6dbdfd4e74a59f97379934fe92f70N.exe
File created	C:\Windows\SysWOW64\Ockdmn32.exe	Oheppe32.exe
File opened for modification	C:\Windows\SysWOW64\Ockdmn32.exe	Oheppe32.exe
File created	C:\Windows\SysWOW64\Khhaomjd.dll	Oheppe32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2948	2192	WerFault.exe	31

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5dba93aeb810e2519eee8e111e6edf5e07f6dbdfd4e74a59f97379934fe92f70N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oheppe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ockdmn32.exe

Modifies registry class 9 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	5dba93aeb810e2519eee8e111e6edf5e07f6dbdfd4e74a59f97379934fe92f70N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oheppe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	5dba93aeb810e2519eee8e111e6edf5e07f6dbdfd4e74a59f97379934fe92f70N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	5dba93aeb810e2519eee8e111e6edf5e07f6dbdfd4e74a59f97379934fe92f70N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fapapi32.dll"	5dba93aeb810e2519eee8e111e6edf5e07f6dbdfd4e74a59f97379934fe92f70N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khhaomjd.dll"	Oheppe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oheppe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	5dba93aeb810e2519eee8e111e6edf5e07f6dbdfd4e74a59f97379934fe92f70N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	5dba93aeb810e2519eee8e111e6edf5e07f6dbdfd4e74a59f97379934fe92f70N.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2296 wrote to memory of 1760	2296	5dba93aeb810e2519eee8e111e6edf5e07f6dbdfd4e74a59f97379934fe92f70N.exe	30
PID 2296 wrote to memory of 1760	2296	5dba93aeb810e2519eee8e111e6edf5e07f6dbdfd4e74a59f97379934fe92f70N.exe	30
PID 2296 wrote to memory of 1760	2296	5dba93aeb810e2519eee8e111e6edf5e07f6dbdfd4e74a59f97379934fe92f70N.exe	30
PID 2296 wrote to memory of 1760	2296	5dba93aeb810e2519eee8e111e6edf5e07f6dbdfd4e74a59f97379934fe92f70N.exe	30
PID 1760 wrote to memory of 2192	1760	Oheppe32.exe	31
PID 1760 wrote to memory of 2192	1760	Oheppe32.exe	31
PID 1760 wrote to memory of 2192	1760	Oheppe32.exe	31
PID 1760 wrote to memory of 2192	1760	Oheppe32.exe	31
PID 2192 wrote to memory of 2948	2192	Ockdmn32.exe	32
PID 2192 wrote to memory of 2948	2192	Ockdmn32.exe	32
PID 2192 wrote to memory of 2948	2192	Ockdmn32.exe	32
PID 2192 wrote to memory of 2948	2192	Ockdmn32.exe	32

C:\Users\Admin\AppData\Local\Temp\5dba93aeb810e2519eee8e111e6edf5e07f6dbdfd4e74a59f97379934fe92f70N.exe
"C:\Users\Admin\AppData\Local\Temp\5dba93aeb810e2519eee8e111e6edf5e07f6dbdfd4e74a59f97379934fe92f70N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2296
- C:\Windows\SysWOW64\Oheppe32.exe
  C:\Windows\system32\Oheppe32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1760
- - C:\Windows\SysWOW64\Ockdmn32.exe
    C:\Windows\system32\Ockdmn32.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2192
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2192 -s 140
      4⤵
      Loads dropped DLL
      Program crash
      PID:2948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\Ockdmn32.exe

Filesize
59KB

MD5
d51979c7ba838d6940ea25164de14dd8

SHA1
6c7dddff7d1e93fded50f992aba64b609981e052

SHA256
b0d7104dfaa69ca2673ad9a745736ff73428193e5d7f000e847178c73603d158

SHA512
9ee10f67acefc7667517f8a5cb390d8f5500115d5699635a07e1c18e1d0214339e26556c188723aa465b8fd32bd08464ea634970ddbd7f80b5647102cbbe5427

Download Submit
\Windows\SysWOW64\Oheppe32.exe

Filesize
59KB

MD5
95b29b5b6ba6ec9a4cd61fcccb51ea46

SHA1
95565ae5a6dd0b7cccf76d4eb07f5b1f06be3377

SHA256
71c1bdb170a2c9f34892351b2c167213436a8e3ba1920730782166fc05fbd52b

SHA512
144f219b113c76d5f9ca63d63c19b0e6baf5f359bee470594da5e3aa26c1d9988c0e5bd997fd04945cc415c0a10daad90377c6485de934d98034b6f810522adf

Download Submit
memory/1760-14-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1760-27-0x0000000000270000-0x00000000002AA000-memory.dmp

Filesize
232KB

Download
memory/1760-34-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2192-28-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2192-35-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2296-0-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2296-13-0x00000000002D0000-0x000000000030A000-memory.dmp

Filesize
232KB

Download
memory/2296-12-0x00000000002D0000-0x000000000030A000-memory.dmp

Filesize
232KB

Download
memory/2296-33-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads