Analysis

  • max time kernel
    148s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    07/11/2024, 04:10

General

  • Target

    c5d280853b04b270c2b38dee4d1f3f9fa88f60cbce07b03b2794ac8a5307a774.exe

  • Size

    192KB

  • MD5

    fa25e3687e0857faeb8e353edbae3385

  • SHA1

    a88940ed7ec2cdc0e4d382c2e5e2441c2e54098d

  • SHA256

    c5d280853b04b270c2b38dee4d1f3f9fa88f60cbce07b03b2794ac8a5307a774

  • SHA512

    0977c66b3cd495675475200f27a9ab8aa02c0413a72720cd25b7d7fc9241c8d781ab7b720dd8b1ea309268b0125ba423972af5aa4dc6bb8783c40f75c82cfd2d

  • SSDEEP

    3072:11lr4huqkXEVKMuUop4PmebD5Vo3gLJbGFE22VasiZoR6sCtACou3ZfO:1154huHUVKXZoHbD5W3glbGFIasUDsIq

Malware Config

Extracted

Family

berbew

C2

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

  • Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 8 IoCs
  • Berbew

    Berbew is a backdoor written in C++.

  • Berbew family
  • Executes dropped EXE 4 IoCs
  • Drops file in System32 directory 12 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt to gather information about the system language of a victim host in order to infer the geographical location of that host.

  • Modifies registry class 15 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c5d280853b04b270c2b38dee4d1f3f9fa88f60cbce07b03b2794ac8a5307a774.exe
    "C:\Users\Admin\AppData\Local\Temp\c5d280853b04b270c2b38dee4d1f3f9fa88f60cbce07b03b2794ac8a5307a774.exe"
    1⤵
    • Adds autorun key to be loaded by Explorer.exe on startup
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2876
    • C:\Windows\SysWOW64\Dfpgffpm.exe
      C:\Windows\system32\Dfpgffpm.exe
      2⤵
      • Adds autorun key to be loaded by Explorer.exe on startup
      • Executes dropped EXE
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:4344
      • C:\Windows\SysWOW64\Dogogcpo.exe
        C:\Windows\system32\Dogogcpo.exe
        3⤵
        • Adds autorun key to be loaded by Explorer.exe on startup
        • Executes dropped EXE
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:3508
        • C:\Windows\SysWOW64\Dknpmdfc.exe
          C:\Windows\system32\Dknpmdfc.exe
          4⤵
          • Adds autorun key to be loaded by Explorer.exe on startup
          • Executes dropped EXE
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          • Suspicious use of WriteProcessMemory
          PID:3628
          • C:\Windows\SysWOW64\Dmllipeg.exe
            C:\Windows\system32\Dmllipeg.exe
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            PID:3460
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 3460 -s 408
              6⤵
              • Program crash
              PID:1816
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3460 -ip 3460
    1⤵
      PID:4524

    Network

          MITRE ATT&CK Enterprise v15

          Downloads

          • C:\Windows\SysWOW64\Dfpgffpm.exe

            Filesize

            192KB

            MD5

            e898a4489f8b5085e0012ba1ab22c464

            SHA1

            a479908726421698ab93ddd787165d6f2188d42d

            SHA256

            f3823a0dd8543e6c2b853f4b43d9e28a1a8a67da043eacba020f84bddfcd1e23

            SHA512

            a07f73bb35461d4c351e55eed84fcf5c02870e7e355745a146c97bdfbbddcd858518f4a61cf1ebbda062d3e90e3b62a1861a7fcc59b535347d2ab8eba69b86d0

          • C:\Windows\SysWOW64\Dknpmdfc.exe

            Filesize

            192KB

            MD5

            d7bec3b8ab3a9400b2073ec552972550

            SHA1

            a8f5e09e1ec5b166aac68a4080c3c57198f80684

            SHA256

            eae38e8ec08de210e0ee110603e5aca81a2c7ddaa6be043284bc4212b7caba4e

            SHA512

            8996b80ac456004b647ec16b7d7c42da46853e46be85418ef69ffd34fc20b4944417b3e3c9afc3d54ba8746e9e3cd5b81c56330ee0436bb22dc15c950d0e3f66

          • C:\Windows\SysWOW64\Dmllipeg.exe

            Filesize

            192KB

            MD5

            c844ea8a784bb532c6fc06417984a8db

            SHA1

            29b5a96ca4986204fdc528f32b8afa5c016f19a1

            SHA256

            0330995cd17e94c83a1124d87d391880b91ad77960593277096ffa984d5262c3

            SHA512

            e974ad671fed6a9668089712a1729a8a91d384380eba3afc5d3a4e5e266eff594c01b887dfca3f80b010c6c482aa87c36b44fc6d641c466eb863c522591b6a67

          • C:\Windows\SysWOW64\Dogogcpo.exe

            Filesize

            192KB

            MD5

            7aacab53d1fb1452b27431f205dd052e

            SHA1

            3e9c3ce1f744b401180a0ceb491689451191dca3

            SHA256

            42b9f3468f6648d675dd3c9abd4197a0ce08f7f27d2ada8e79918880dd99659d

            SHA512

            18e49e4e2ca6828e466a13e5cac193872ee4e8bfe16061478903fadb015464aae0a459af570620163d0aaa0e4413b7b870ccc09f2b91ccb36a7ad149682651c8

          • memory/2876-36-0x0000000000400000-0x0000000000443000-memory.dmp

            Filesize

            268KB

          • memory/2876-0-0x0000000000400000-0x0000000000443000-memory.dmp

            Filesize

            268KB

          • memory/3460-31-0x0000000000400000-0x0000000000443000-memory.dmp

            Filesize

            268KB

          • memory/3460-33-0x0000000000400000-0x0000000000443000-memory.dmp

            Filesize

            268KB

          • memory/3508-35-0x0000000000400000-0x0000000000443000-memory.dmp

            Filesize

            268KB

          • memory/3508-15-0x0000000000400000-0x0000000000443000-memory.dmp

            Filesize

            268KB

          • memory/3628-23-0x0000000000400000-0x0000000000443000-memory.dmp

            Filesize

            268KB

          • memory/3628-34-0x0000000000400000-0x0000000000443000-memory.dmp

            Filesize

            268KB

          • memory/4344-8-0x0000000000400000-0x0000000000443000-memory.dmp

            Filesize

            268KB

          • memory/4344-37-0x0000000000400000-0x0000000000443000-memory.dmp

            Filesize

            268KB