Analysis
- max time kernel: 148s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 07/11/2024, 04:10
Behavioral task: behavioral1
- Sample: c5d280853b04b270c2b38dee4d1f3f9fa88f60cbce07b03b2794ac8a5307a774.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: c5d280853b04b270c2b38dee4d1f3f9fa88f60cbce07b03b2794ac8a5307a774.exe
- Resource: win10v2004-20241007-en
General
- Target: c5d280853b04b270c2b38dee4d1f3f9fa88f60cbce07b03b2794ac8a5307a774.exe
- Size: 192KB
- MD5: fa25e3687e0857faeb8e353edbae3385
- SHA1: a88940ed7ec2cdc0e4d382c2e5e2441c2e54098d
- SHA256: c5d280853b04b270c2b38dee4d1f3f9fa88f60cbce07b03b2794ac8a5307a774
- SHA512: 0977c66b3cd495675475200f27a9ab8aa02c0413a72720cd25b7d7fc9241c8d781ab7b720dd8b1ea309268b0125ba423972af5aa4dc6bb8783c40f75c82cfd2d
- SSDEEP: 3072:11lr4huqkXEVKMuUop4PmebD5Vo3gLJbGFE22VasiZoR6sCtACou3ZfO:1154huHUVKXZoHbD5W3glbGFIasUDsIq
Malware Config (extracted)
- Family: berbew
- URLs:
  - http://f/wcmd.htm
  - http://f/ppslog.php
  - http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
- Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 8 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Dfpgffpm.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dogogcpo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Dogogcpo.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dknpmdfc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Dknpmdfc.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | c5d280853b04b270c2b38dee4d1f3f9fa88f60cbce07b03b2794ac8a5307a774.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | c5d280853b04b270c2b38dee4d1f3f9fa88f60cbce07b03b2794ac8a5307a774.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dfpgffpm.exe
- Berbew family
- Executes dropped EXE (4 IoCs)
pid | Process
4344 | Dfpgffpm.exe
3508 | Dogogcpo.exe
3628 | Dknpmdfc.exe
3460 | Dmllipeg.exe
- Drops file in System32 directory (12 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\Dfpgffpm.exe | c5d280853b04b270c2b38dee4d1f3f9fa88f60cbce07b03b2794ac8a5307a774.exe
File opened for modification | C:\Windows\SysWOW64\Dfpgffpm.exe | c5d280853b04b270c2b38dee4d1f3f9fa88f60cbce07b03b2794ac8a5307a774.exe
File opened for modification | C:\Windows\SysWOW64\Dknpmdfc.exe | Dogogcpo.exe
File created | C:\Windows\SysWOW64\Nokpao32.dll | Dogogcpo.exe
File created | C:\Windows\SysWOW64\Dmllipeg.exe | Dknpmdfc.exe
File created | C:\Windows\SysWOW64\Kngpec32.dll | Dknpmdfc.exe
File created | C:\Windows\SysWOW64\Kmdjdl32.dll | c5d280853b04b270c2b38dee4d1f3f9fa88f60cbce07b03b2794ac8a5307a774.exe
File created | C:\Windows\SysWOW64\Dogogcpo.exe | Dfpgffpm.exe
File opened for modification | C:\Windows\SysWOW64\Dogogcpo.exe | Dfpgffpm.exe
File created | C:\Windows\SysWOW64\Lbabpnmn.dll | Dfpgffpm.exe
File created | C:\Windows\SysWOW64\Dknpmdfc.exe | Dogogcpo.exe
File opened for modification | C:\Windows\SysWOW64\Dmllipeg.exe | Dknpmdfc.exe
- Program crash (1 IoC)
pid | pid_target | Process | procid_target
1816 | 3460 | WerFault.exe | 88
- System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | c5d280853b04b270c2b38dee4d1f3f9fa88f60cbce07b03b2794ac8a5307a774.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dfpgffpm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dogogcpo.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dknpmdfc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dmllipeg.exe
- Modifies registry class (15 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node | c5d280853b04b270c2b38dee4d1f3f9fa88f60cbce07b03b2794ac8a5307a774.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID | c5d280853b04b270c2b38dee4d1f3f9fa88f60cbce07b03b2794ac8a5307a774.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717} | c5d280853b04b270c2b38dee4d1f3f9fa88f60cbce07b03b2794ac8a5307a774.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Dfpgffpm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Dogogcpo.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | c5d280853b04b270c2b38dee4d1f3f9fa88f60cbce07b03b2794ac8a5307a774.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokpao32.dll" | Dogogcpo.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Dknpmdfc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Dknpmdfc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | c5d280853b04b270c2b38dee4d1f3f9fa88f60cbce07b03b2794ac8a5307a774.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Dfpgffpm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll" | Dknpmdfc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdjdl32.dll" | c5d280853b04b270c2b38dee4d1f3f9fa88f60cbce07b03b2794ac8a5307a774.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbabpnmn.dll" | Dfpgffpm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Dogogcpo.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
description | pid | Process | procid_target
PID 2876 wrote to memory of 4344 | 2876 | c5d280853b04b270c2b38dee4d1f3f9fa88f60cbce07b03b2794ac8a5307a774.exe | 85
PID 2876 wrote to memory of 4344 | 2876 | c5d280853b04b270c2b38dee4d1f3f9fa88f60cbce07b03b2794ac8a5307a774.exe | 85
PID 2876 wrote to memory of 4344 | 2876 | c5d280853b04b270c2b38dee4d1f3f9fa88f60cbce07b03b2794ac8a5307a774.exe | 85
PID 4344 wrote to memory of 3508 | 4344 | Dfpgffpm.exe | 86
PID 4344 wrote to memory of 3508 | 4344 | Dfpgffpm.exe | 86
PID 4344 wrote to memory of 3508 | 4344 | Dfpgffpm.exe | 86
PID 3508 wrote to memory of 3628 | 3508 | Dogogcpo.exe | 87
PID 3508 wrote to memory of 3628 | 3508 | Dogogcpo.exe | 87
PID 3508 wrote to memory of 3628 | 3508 | Dogogcpo.exe | 87
PID 3628 wrote to memory of 3460 | 3628 | Dknpmdfc.exe | 88
PID 3628 wrote to memory of 3460 | 3628 | Dknpmdfc.exe | 88
PID 3628 wrote to memory of 3460 | 3628 | Dknpmdfc.exe | 88
Processes
C:\Users\Admin\AppData\Local\Temp\c5d280853b04b270c2b38dee4d1f3f9fa88f60cbce07b03b2794ac8a5307a774.exe (depth 1, PID 2876)
  Command line: "C:\Users\Admin\AppData\Local\Temp\c5d280853b04b270c2b38dee4d1f3f9fa88f60cbce07b03b2794ac8a5307a774.exe"
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\Dfpgffpm.exe (depth 2, PID 4344)
    Command line: C:\Windows\system32\Dfpgffpm.exe
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\Dogogcpo.exe (depth 3, PID 3508)
      Command line: C:\Windows\system32\Dogogcpo.exe
      - Adds autorun key to be loaded by Explorer.exe on startup
      - Executes dropped EXE
      - Drops file in System32 directory
      - System Location Discovery: System Language Discovery
      - Modifies registry class
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\Dknpmdfc.exe (depth 4, PID 3628)
        Command line: C:\Windows\system32\Dknpmdfc.exe
        - Adds autorun key to be loaded by Explorer.exe on startup
        - Executes dropped EXE
        - Drops file in System32 directory
        - System Location Discovery: System Language Discovery
        - Modifies registry class
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\Dmllipeg.exe (depth 5, PID 3460)
          Command line: C:\Windows\system32\Dmllipeg.exe
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          C:\Windows\SysWOW64\WerFault.exe (depth 6, PID 1816)
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3460 -s 408
            - Program crash
C:\Windows\SysWOW64\WerFault.exe (depth 1, PID 4524)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3460 -ip 3460
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 192KB
  MD5: e898a4489f8b5085e0012ba1ab22c464
  SHA1: a479908726421698ab93ddd787165d6f2188d42d
  SHA256: f3823a0dd8543e6c2b853f4b43d9e28a1a8a67da043eacba020f84bddfcd1e23
  SHA512: a07f73bb35461d4c351e55eed84fcf5c02870e7e355745a146c97bdfbbddcd858518f4a61cf1ebbda062d3e90e3b62a1861a7fcc59b535347d2ab8eba69b86d0
- Filesize: 192KB
  MD5: d7bec3b8ab3a9400b2073ec552972550
  SHA1: a8f5e09e1ec5b166aac68a4080c3c57198f80684
  SHA256: eae38e8ec08de210e0ee110603e5aca81a2c7ddaa6be043284bc4212b7caba4e
  SHA512: 8996b80ac456004b647ec16b7d7c42da46853e46be85418ef69ffd34fc20b4944417b3e3c9afc3d54ba8746e9e3cd5b81c56330ee0436bb22dc15c950d0e3f66
- Filesize: 192KB
  MD5: c844ea8a784bb532c6fc06417984a8db
  SHA1: 29b5a96ca4986204fdc528f32b8afa5c016f19a1
  SHA256: 0330995cd17e94c83a1124d87d391880b91ad77960593277096ffa984d5262c3
  SHA512: e974ad671fed6a9668089712a1729a8a91d384380eba3afc5d3a4e5e266eff594c01b887dfca3f80b010c6c482aa87c36b44fc6d641c466eb863c522591b6a67
- Filesize: 192KB
  MD5: 7aacab53d1fb1452b27431f205dd052e
  SHA1: 3e9c3ce1f744b401180a0ceb491689451191dca3
  SHA256: 42b9f3468f6648d675dd3c9abd4197a0ce08f7f27d2ada8e79918880dd99659d
  SHA512: 18e49e4e2ca6828e466a13e5cac193872ee4e8bfe16061478903fadb015464aae0a459af570620163d0aaa0e4413b7b870ccc09f2b91ccb36a7ad149682651c8