Analysis

  • max time kernel
    32s
  • max time network
    17s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64 arch:x86 image:win7-20240708-en locale:en-us os:windows7-x64 system
  • submitted
    07/11/2024, 03:32

General

  • Target

    604fab64dff393d0d546e64ca044f12479d27a5bf87e0a1687ff67df8e4c2df2N.exe

  • Size

    55KB

  • MD5

    d8c5f007acdf22c2eac98e64bddc63a0

  • SHA1

    6942d8e420bf4d6e9d36cfd07584da844c984b78

  • SHA256

    604fab64dff393d0d546e64ca044f12479d27a5bf87e0a1687ff67df8e4c2df2

  • SHA512

    a74152ef006af4f20bb83589734c78bf2c6e59f9ac9546b0fa8a582e312936f1642bf449958e4fc2a10c39c5e837c7fa4edc7499faf305a251b97f97ef509bbb

  • SSDEEP

    768:k3XUbn311+UTzfmJ8mmwkMbPv4haXfeUBzY45gpZFKDhAsdwkwYIH2p/1H5GXdnh:iELWemJkfMbfnE8Lhlwlz2LO

Malware Config

Extracted

Family

berbew

C2

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm
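The extracted configuration above is the part of this report most directly usable for detection. The following is an added example, not part of the sandbox report or of the sample: it lifts the hostnames out of the listed C2 URLs, builds a blocklist from them, and runs it over a few constructed Squid-style proxy log lines (the log lines are made up for the demonstration; the URL list is the one shown above). It matches a request host when it equals an indicator or sits below it, and deliberately never matches upward, so a near-miss such as notcrutop.nu is not flagged.

```python
"""Turn the extracted C2 URLs into a host blocklist and run it over proxy logs.

Added example, not part of the sandbox report. The URL list is the one shown
under "Malware Config" above; the Squid native access.log lines are constructed
for the demonstration and were not captured from any real environment.
"""
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

C2_URLS = [
    "http://crutop.nu/index.php",
    "http://crutop.ru/index.php",
    "http://mazafaka.ru/index.php",
    "http://color-bank.ru/index.php",
    "http://asechka.ru/index.php",
    "http://trojan.ru/index.php",
    "http://fuck.ru/index.php",
    "http://goldensand.ru/index.php",
    "http://filesearch.ru/index.php",
    "http://devx.nm.ru/index.php",
    "http://ros-neftbank.ru/index.php",
    "http://lovingod.host.sk/index.php",
    "http://www.redline.ru/index.php",
    "http://cvv.ru/index.php",
    "http://hackers.lv/index.php",
    "http://fethard.biz/index.php",
    "http://ldark.nm.ru/index.htm",
    "http://gaz-prom.ru/index.htm",
    "http://promo.ru/index.htm",
    "http://potleaf.chat.ru/index.htm",
]

# Constructed Squid native access.log lines:
# time elapsed client code/status bytes method URL rfc931 peerstatus/peerhost type
SAMPLE_PROXY_LOG = """\
1720000001.101 120 10.0.0.15 TCP_MISS/200 512 GET http://crutop.nu/index.php - HIER_DIRECT/203.0.113.5 text/html
1720000002.202 95 10.0.0.15 TCP_MISS/200 310 GET http://www.example.com/ - HIER_DIRECT/203.0.113.9 text/html
1720000003.303 88 10.0.0.22 TCP_MISS/404 120 GET http://notcrutop.nu/index.php - HIER_DIRECT/203.0.113.7 text/html
1720000004.404 140 10.0.0.22 TCP_MISS/200 512 GET http://cdn.color-bank.ru/index.php - HIER_DIRECT/203.0.113.8 text/html
1720000005.505 30 10.0.0.31 TCP_TUNNEL/200 0 CONNECT fethard.biz:443 - HIER_DIRECT/203.0.113.6 -
"""


def host_of(url: str) -> Optional[str]:
    """Hostname from an absolute URL or from a bare host:port (CONNECT requests)."""
    if "://" not in url:
        url = "//" + url  # make urlsplit treat host:port as a netloc, not a scheme
    return urlsplit(url).hostname


def indicator_hosts(urls: List[str]) -> List[str]:
    """Lower-cased hostnames from the C2 URLs, de-duplicated, order preserved."""
    hosts: List[str] = []
    for u in urls:
        h = host_of(u)
        if h and h not in hosts:
            hosts.append(h)
    return hosts


def matching_indicator(host: str, indicators: List[str]) -> Optional[str]:
    """Return the indicator that `host` equals or is a subdomain of, else None.

    The suffix check is label-aligned: 'cdn.color-bank.ru' matches
    'color-bank.ru', but 'notcrutop.nu' does not match 'crutop.nu'.
    """
    host = host.lower().rstrip(".")
    for ind in indicators:
        if host == ind or host.endswith("." + ind):
            return ind
    return None


def scan_proxy_log(log_text: str, indicators: List[str]) -> List[Tuple[str, str, str]]:
    """(client, url, indicator) for every log line whose request host matches."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue
        client, url = fields[2], fields[6]
        host = host_of(url)
        ind = matching_indicator(host, indicators) if host else None
        if ind:
            hits.append((client, url, ind))
    return hits


if __name__ == "__main__":
    blocklist = indicator_hosts(C2_URLS)
    for client, url, ind in scan_proxy_log(SAMPLE_PROXY_LOG, blocklist):
        print(f"{client} -> {url}  (matches {ind})")
```

Two caveats worth keeping in mind when turning this list into a block rule. Several entries are subdomains of a shared parent (devx.nm.ru and ldark.nm.ru, lovingod.host.sk, potleaf.chat.ru), which is why the matcher only walks down from an indicator and never up: blocking nm.ru outright would hit everything hosted there. And www.redline.ru is listed as the full host, so a request to redline.ru without the prefix will not match; decide per indicator whether that is what you want.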

Signatures

  • Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 12 IoCs
  • Berbew

    Berbew is a backdoor written in C++.

  • Berbew family
  • Executes dropped EXE 6 IoCs
  • Loads dropped DLL 16 IoCs
  • Drops file in System32 directory 18 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 21 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\604fab64dff393d0d546e64ca044f12479d27a5bf87e0a1687ff67df8e4c2df2N.exe
    "C:\Users\Admin\AppData\Local\Temp\604fab64dff393d0d546e64ca044f12479d27a5bf87e0a1687ff67df8e4c2df2N.exe"
    1⤵
    • Adds autorun key to be loaded by Explorer.exe on startup
    • Loads dropped DLL
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2432
    • C:\Windows\SysWOW64\Eqgnokip.exe
      C:\Windows\system32\Eqgnokip.exe
      2⤵
      • Adds autorun key to be loaded by Explorer.exe on startup
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:2680
      • C:\Windows\SysWOW64\Ecejkf32.exe
        C:\Windows\system32\Ecejkf32.exe
        3⤵
        • Adds autorun key to be loaded by Explorer.exe on startup
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:2692
        • C:\Windows\SysWOW64\Emnndlod.exe
          C:\Windows\system32\Emnndlod.exe
          4⤵
          • Adds autorun key to be loaded by Explorer.exe on startup
          • Executes dropped EXE
          • Loads dropped DLL
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          • Suspicious use of WriteProcessMemory
          PID:2712
          • C:\Windows\SysWOW64\Ebjglbml.exe
            C:\Windows\system32\Ebjglbml.exe
            5⤵
            • Adds autorun key to be loaded by Explorer.exe on startup
            • Executes dropped EXE
            • Loads dropped DLL
            • Drops file in System32 directory
            • System Location Discovery: System Language Discovery
            • Modifies registry class
            • Suspicious use of WriteProcessMemory
            PID:2688
            • C:\Windows\SysWOW64\Fidoim32.exe
              C:\Windows\system32\Fidoim32.exe
              6⤵
              • Adds autorun key to be loaded by Explorer.exe on startup
              • Executes dropped EXE
              • Loads dropped DLL
              • Drops file in System32 directory
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              • Suspicious use of WriteProcessMemory
              PID:2616
              • C:\Windows\SysWOW64\Fkckeh32.exe
                C:\Windows\system32\Fkckeh32.exe
                7⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:3000
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 3000 -s 140
                  8⤵
                  • Loads dropped DLL
                  • Program crash
                  PID:772
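The tree above is a seven-stage drop-and-execute chain: each stage writes a new 55KB executable into SysWOW64 and launches it, and the Downloads section shows that every stage carries a different MD5 and SHA256 despite the identical size, so hash-based blocking of the dropped files will not hold across runs. The behavioural relationship does hold: the parent of each process is the process that wrote its image. The following is an added example, not part of the sandbox report: it replays constructed Sysmon-style FileCreate and ProcessCreate events that mirror the PIDs and image names shown above (PID 0 is a placeholder for the first process's parent, which the report does not give, and a notepad.exe launch is added as a benign control), flags every process whose executable was dropped into System32 or SysWOW64 by its own parent, rebuilds the chain, and picks out the WerFault invocation that records the crash of PID 3000.

```python
"""Flag a drop-and-execute chain like the one in the process tree above.

Added example, not part of the sandbox report or of the Berbew sample. It
replays constructed Sysmon-style events (FileCreate / ProcessCreate) that
mirror the PIDs and image names in the report, flags every process whose
executable was written into System32 or SysWOW64 by its own parent before it
was launched, reconstructs the chain, and picks out the WerFault crash report.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SYSTEM_DIRS = ("c:\\windows\\syswow64\\", "c:\\windows\\system32\\")
# WerFault.exe -u -p <pid> -s <event>: user-mode crash report for <pid>.
WERFAULT_RE = re.compile(r"werfault\.exe\b.*?-p\s+(\d+)", re.IGNORECASE)


@dataclass
class Event:
    kind: str            # "file_create" or "proc_create"
    pid: int             # writer of the file, or the newly created process
    ppid: Optional[int]  # parent PID for proc_create, None for file_create
    image: str           # path written, or image path of the new process
    cmdline: str         # command line for proc_create, empty otherwise


# Constructed event log (kind|pid|ppid|image|cmdline) mirroring the report's
# tree. PID 0 stands in for the unknown parent of the first process; the
# notepad.exe line is a benign control that must not be flagged.
SAMPLE_EVENTS = r"""
proc_create|2432|0|C:\Users\Admin\AppData\Local\Temp\604fab64dff393d0d546e64ca044f12479d27a5bf87e0a1687ff67df8e4c2df2N.exe|
file_create|2432||C:\Windows\SysWOW64\Eqgnokip.exe|
proc_create|2680|2432|C:\Windows\SysWOW64\Eqgnokip.exe|
proc_create|1800|2432|C:\Windows\SysWOW64\notepad.exe|
file_create|2680||C:\Windows\SysWOW64\Ecejkf32.exe|
proc_create|2692|2680|C:\Windows\SysWOW64\Ecejkf32.exe|
file_create|2692||C:\Windows\SysWOW64\Emnndlod.exe|
proc_create|2712|2692|C:\Windows\SysWOW64\Emnndlod.exe|
file_create|2712||C:\Windows\SysWOW64\Ebjglbml.exe|
proc_create|2688|2712|C:\Windows\SysWOW64\Ebjglbml.exe|
file_create|2688||C:\Windows\SysWOW64\Fidoim32.exe|
proc_create|2616|2688|C:\Windows\SysWOW64\Fidoim32.exe|
file_create|2616||C:\Windows\SysWOW64\Fkckeh32.exe|
proc_create|3000|2616|C:\Windows\SysWOW64\Fkckeh32.exe|
proc_create|772|3000|C:\Windows\SysWOW64\WerFault.exe|C:\Windows\SysWOW64\WerFault.exe -u -p 3000 -s 140
"""


def parse_events(text: str) -> List[Event]:
    """Parse the pipe-delimited constructed log into Event records."""
    events = []
    for line in text.strip().splitlines():
        kind, pid, ppid, image, cmdline = line.split("|", 4)
        events.append(Event(kind, int(pid), int(ppid) if ppid else None, image, cmdline))
    return events


def analyse(text: str) -> Dict[str, list]:
    """Return dropped-EXE executions, the reconstructed chain and crashed PIDs."""
    events = parse_events(text)
    dropped_by: Dict[str, int] = {}          # lower-cased path -> pid that wrote it
    parent_of: Dict[int, Optional[int]] = {}
    image_of: Dict[int, str] = {}
    dropped_exec: List[int] = []             # "Executes dropped EXE" hits, in order
    crashed: List[int] = []                  # PIDs WerFault was invoked for
    for ev in events:
        path = ev.image.lower()
        if ev.kind == "file_create":
            if path.startswith(SYSTEM_DIRS) and path.endswith(".exe"):
                dropped_by[path] = ev.pid
        elif ev.kind == "proc_create":
            parent_of[ev.pid] = ev.ppid
            image_of[ev.pid] = ev.image
            # The check: the parent itself wrote this image before launching it.
            if ev.ppid is not None and dropped_by.get(path) == ev.ppid:
                dropped_exec.append(ev.pid)
            m = WERFAULT_RE.search(ev.cmdline)
            if m:
                crashed.append(int(m.group(1)))
    # Walk from the deepest hit back to the root to reconstruct the chain.
    chain: List[Tuple[int, str]] = []
    pid = dropped_exec[-1] if dropped_exec else None
    while pid in image_of:
        chain.append((pid, image_of[pid].rsplit("\\", 1)[-1]))
        pid = parent_of[pid]
    chain.reverse()
    return {"dropped_exec": dropped_exec, "chain": chain, "crashed": crashed}


if __name__ == "__main__":
    result = analyse(SAMPLE_EVENTS)
    print(" -> ".join(f"{name}({pid})" for pid, name in result["chain"]))
    print("crashed:", result["crashed"])
```

The same logic maps onto real Sysmon data by feeding Event ID 11 (FileCreate) and Event ID 1 (ProcessCreate) records into the two branches; the correlation key is simply "image path of the new process equals a path the parent PID wrote earlier", which is what the report's "Executes dropped EXE" and "Drops file in System32 directory" signatures are jointly describing. In the real tree the Fkckeh32.exe stage is the one that crashes, and the `-p 3000` argument on WerFault.exe is what ties the crash report back to that process.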

Network

        MITRE ATT&CK Enterprise v15


        Downloads

        • C:\Windows\SysWOW64\Ecejkf32.exe

          Filesize

          55KB

          MD5

          107dde67e9cc1d5a2ec0ed2e5d6e3f31

          SHA1

          7cbbc3f1c334e7eebad454124a4fca0aaf97e406

          SHA256

          d8e164305c9cf63402c1d45c6202a8f1059e0e2a09be8959cc26bcb2adf4c1f0

          SHA512

          fe678e3eb8283e777d4a163d3dd59c3365d400b1b139f62450e96cf25068a5f347b6e3b02e892a6c0d42884e293ce58de9ed31b073885dec7ec56e44b64179ab

        • C:\Windows\SysWOW64\Eqgnokip.exe

          Filesize

          55KB

          MD5

          5ccedd12b0a5c9f62615fba9e91cf458

          SHA1

          867d7cfaa54bf225fc8ab9ed4a1e61a55db67fd1

          SHA256

          6480c738adfb961310422a86ae28b23d50d288850495f056140821443e497448

          SHA512

          8d9c143a78156931a9da7575601b210914e8d5b509f8f39d3d33c152084381b194266ee50f1b13e52653f0686acdeb5f8b3014edaf8e721be1cd37278441802d

        • \Windows\SysWOW64\Ebjglbml.exe

          Filesize

          55KB

          MD5

          9303f7d5f05f0555c2c4616ee6516fb8

          SHA1

          230adb3aa3ad29e77cc684b1160fb891c82adc27

          SHA256

          82dd9aaeea21b1094bce466964d8c05dfbbb53ccbbf263e0bb298690b789cbec

          SHA512

          bb948450bd047f5b1734beebd11d0d7e291dd385b26673c2f94023fe762bee1f61eca380c35e94a8432aff9d4004bf093d75fcafbd33fc4656a05e935371ec38

        • \Windows\SysWOW64\Emnndlod.exe

          Filesize

          55KB

          MD5

          88292c9b827886bf8806145b330821a2

          SHA1

          77691830304f51346d2aae70828d4859262aa965

          SHA256

          74d6d9a7ba43c42b3aae7ac7e2ae3080d93423aa615ed7fc5e99b68cc3e7c260

          SHA512

          8d0860de501f2e356eed3261a7613b1e251c25db5cbfeffc797563610213446cc9b56deacae0b3b05561283cb92880eb801a87014e83f01ae9eb69a931727de3

        • \Windows\SysWOW64\Fidoim32.exe

          Filesize

          55KB

          MD5

          35adf687e9bb886ca92158647e8a9d64

          SHA1

          ad36f93ba478e23f51fc1ee5ed0f96fef5f06ad2

          SHA256

          5a052b88e13ea833b04e3bd7a03bd54b3399cd46a54aa27c8663105ea2e21fd0

          SHA512

          d66f22f6f12d6d2b2ac263f7c2bab6c4df86433826a7199223235e6ff207c8816d3f66a4656f969955a111dce331410771a001a4dde0f8c7a1ae56b1f289e1cb

        • \Windows\SysWOW64\Fkckeh32.exe

          Filesize

          55KB

          MD5

          14e1cb49f90c76068a156416530f617d

          SHA1

          0c5177b105bacf8f212bd9c1edd3ff79f359fe76

          SHA256

          99c9bedf91ded7d3e221a9827d032af279c66906bee4350df8656c7fe762f0fd

          SHA512

          7e7400aa2d91462d0add150ed6bc91a7430a958b634f038336e4553cd1f193986ca2ba26c61a96fd6cb3b2ca9f636abf1050d50ac0d2ecb4c40211d816332d54

        • memory/2432-12-0x0000000000270000-0x00000000002A3000-memory.dmp (Filesize 204KB)
        • memory/2432-92-0x0000000000400000-0x0000000000433000-memory.dmp (Filesize 204KB)
        • memory/2432-0-0x0000000000400000-0x0000000000433000-memory.dmp (Filesize 204KB)
        • memory/2616-86-0x0000000000400000-0x0000000000433000-memory.dmp (Filesize 204KB)
        • memory/2680-26-0x0000000000250000-0x0000000000283000-memory.dmp (Filesize 204KB)
        • memory/2680-13-0x0000000000400000-0x0000000000433000-memory.dmp (Filesize 204KB)
        • memory/2680-91-0x0000000000400000-0x0000000000433000-memory.dmp (Filesize 204KB)
        • memory/2688-60-0x0000000000270000-0x00000000002A3000-memory.dmp (Filesize 204KB)
        • memory/2688-87-0x0000000000400000-0x0000000000433000-memory.dmp (Filesize 204KB)
        • memory/2692-34-0x0000000000250000-0x0000000000283000-memory.dmp (Filesize 204KB)
        • memory/2692-88-0x0000000000400000-0x0000000000433000-memory.dmp (Filesize 204KB)
        • memory/2692-27-0x0000000000400000-0x0000000000433000-memory.dmp (Filesize 204KB)
        • memory/2712-52-0x0000000000250000-0x0000000000283000-memory.dmp (Filesize 204KB)
        • memory/2712-95-0x0000000000400000-0x0000000000433000-memory.dmp (Filesize 204KB)
        • memory/3000-96-0x0000000000400000-0x0000000000433000-memory.dmp (Filesize 204KB)
        • memory/3000-79-0x0000000000400000-0x0000000000433000-memory.dmp (Filesize 204KB)