Analysis

  • max time kernel
    16s
  • max time network
    17s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
  • submitted
    07/11/2024, 04:04

General

  • Target

    39268f8d9095cfca545ed2d2e9d55dabfba4a5eca2e12867840ee3523b285fe5N.exe

  • Size

    145KB

  • MD5

    e79110365ed2b9a4726a221a04aa9070

  • SHA1

    1c91f94f29ea552122a59ab4877ee73a492b7455

  • SHA256

    39268f8d9095cfca545ed2d2e9d55dabfba4a5eca2e12867840ee3523b285fe5

  • SHA512

    1844b40ca5421220851812c6771c1501641bbe2c3949d16a10f68a5db2e2bdc822c1acd60726fa295a9a00cf5113b2e61152c2782e495d45f9b3bbffc563fb65

  • SSDEEP

    3072:4dAZics2UvSmNhXAKRGKk6o4hfi12CIeoimEzRWbNmog:4iMxhXJRG/6o4eTRMg

Malware Config

Extracted

Family

berbew

C2

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

  • Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 6 IoCs
  • Berbew

    Berbew is a backdoor written in C++.

  • Berbew family
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 10 IoCs
  • Drops file in System32 directory 9 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 12 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\39268f8d9095cfca545ed2d2e9d55dabfba4a5eca2e12867840ee3523b285fe5N.exe
    "C:\Users\Admin\AppData\Local\Temp\39268f8d9095cfca545ed2d2e9d55dabfba4a5eca2e12867840ee3523b285fe5N.exe"
    1⤵
    • Adds autorun key to be loaded by Explorer.exe on startup
    • Loads dropped DLL
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2300
    • C:\Windows\SysWOW64\Oomlfpdi.exe
      C:\Windows\system32\Oomlfpdi.exe
      2⤵
      • Adds autorun key to be loaded by Explorer.exe on startup
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:1724
      • C:\Windows\SysWOW64\Opmhqc32.exe
        C:\Windows\system32\Opmhqc32.exe
        3⤵
        • Adds autorun key to be loaded by Explorer.exe on startup
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:2348
        • C:\Windows\SysWOW64\Ockdmn32.exe
          C:\Windows\system32\Ockdmn32.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2964
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 2964 -s 140
            5⤵
            • Loads dropped DLL
            • Program crash
            PID:580

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Windows\SysWOW64\Ockdmn32.exe

          Filesize

          145KB

          MD5

          8fcfc24a1da9dbf0d4b58d6578dcf748

          SHA1

          a31d2f3c6d9d8410f18bd3808cfdc5732c514a4d

          SHA256

          ce30308a39d8e573fc7af9cd6f0ec45c9795d5a95dce28436424c7b5a6b0a457

          SHA512

          70d200d55fa464238a42c7925b27da643a6a14ac489c4965eec53cf78468f0b9511f8a58c63d3f8c0d6b829042c867a51e6945d6f7e272a273a9ac76ddf47df7

        • C:\Windows\SysWOW64\Oomlfpdi.exe

          Filesize

          145KB

          MD5

          c5eea070c5e2f015d04ad76395d2a8db

          SHA1

          fcbc8fdb789b085a1ba94a17b0a3c976b2ec2813

          SHA256

          2a66c44e6cbc52b1a8a4f366a700659cf79061f94dc0b07df637525701076503

          SHA512

          7361e9fe756d8e44a16b159e590822f09d64440dbbd0e23a43e24051b18412f7ac3da5ebd0ddbdf7e97ca4f27857314db3c729c4f43e798dac5b4b7863243ab8

        • C:\Windows\SysWOW64\Opmhqc32.exe

          Filesize

          145KB

          MD5

          8a348f0fa15b6511833f6f42a66a1a4e

          SHA1

          c62369abb9a8ba366fc09eb9aeb89fcd54231c97

          SHA256

          5bf475e69ee26405e0c4167e941a1060d74d99f9fd847ebef54907c69096b65f

          SHA512

          b840dc9f6495fc5394134fcc33db9fb0488aeaac0175dd806bc6221802bc03c7e1ee524a1c0ebea023f919e9839b4696289080a2526cb74a0a3cd8694346c9ba

        • memory/1724-38-0x0000000000280000-0x00000000002B4000-memory.dmp

          Filesize

          208KB

        • memory/1724-14-0x0000000000400000-0x0000000000434000-memory.dmp

          Filesize

          208KB

        • memory/1724-48-0x0000000000400000-0x0000000000434000-memory.dmp

          Filesize

          208KB

        • memory/2300-12-0x0000000000290000-0x00000000002C4000-memory.dmp

          Filesize

          208KB

        • memory/2300-13-0x0000000000290000-0x00000000002C4000-memory.dmp

          Filesize

          208KB

        • memory/2300-0-0x0000000000400000-0x0000000000434000-memory.dmp

          Filesize

          208KB

        • memory/2300-50-0x0000000000400000-0x0000000000434000-memory.dmp

          Filesize

          208KB

        • memory/2348-40-0x0000000000400000-0x0000000000434000-memory.dmp

          Filesize

          208KB

        • memory/2964-41-0x0000000000400000-0x0000000000434000-memory.dmp

          Filesize

          208KB

        • memory/2964-52-0x0000000000400000-0x0000000000434000-memory.dmp

          Filesize

          208KB