Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    07/11/2024, 04:13

General

  • Target

    894b7925596453122639ec7fe6eb57e5948ca6c92f314eb4dbc62153e8b565fbN.exe

  • Size

    74KB

  • MD5

    a7ee6165f7cb793b1226f9f27a24c0f0

  • SHA1

    420b7c28aab5466eddc1f1b462a4e5942cf1c7bb

  • SHA256

    894b7925596453122639ec7fe6eb57e5948ca6c92f314eb4dbc62153e8b565fb

  • SHA512

    d2a8a1d7cab1ae2a44bcc6b6306485d737d24c2bebe8f3b8e25a395101c06be0f59266c1ab400c25d12cf8eb66ccdf55a8f45d127b2aa27f51c6498d3fbcf950

  • SSDEEP

    1536:38oW484sGOWyMYtnrCIq3iYiWzzVD6iqdX:38JusPWyRn27Sgz4iqt

Malware Config

Extracted

Family

berbew

C2

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

  • Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 20 IoCs
  • Berbew

    Berbew is a backdoor written in C++.

  • Berbew family
  • Executes dropped EXE 10 IoCs
  • Loads dropped DLL 24 IoCs
  • Drops file in System32 directory 29 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 33 IoCs
  • Suspicious use of WriteProcessMemory 44 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\894b7925596453122639ec7fe6eb57e5948ca6c92f314eb4dbc62153e8b565fbN.exe
    "C:\Users\Admin\AppData\Local\Temp\894b7925596453122639ec7fe6eb57e5948ca6c92f314eb4dbc62153e8b565fbN.exe"
    1⤵
    • Adds autorun key to be loaded by Explorer.exe on startup
    • Loads dropped DLL
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2852
    • C:\Windows\SysWOW64\Ndhipoob.exe
      C:\Windows\system32\Ndhipoob.exe
      2⤵
      • Adds autorun key to be loaded by Explorer.exe on startup
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:2772
      • C:\Windows\SysWOW64\Ngfflj32.exe
        C:\Windows\system32\Ngfflj32.exe
        3⤵
        • Adds autorun key to be loaded by Explorer.exe on startup
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:2328
        • C:\Windows\SysWOW64\Ngfflj32.exe
          C:\Windows\system32\Ngfflj32.exe
          4⤵
          • Adds autorun key to be loaded by Explorer.exe on startup
          • Executes dropped EXE
          • Loads dropped DLL
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          • Suspicious use of WriteProcessMemory
          PID:2668
          • C:\Windows\SysWOW64\Nkbalifo.exe
            C:\Windows\system32\Nkbalifo.exe
            5⤵
            • Adds autorun key to be loaded by Explorer.exe on startup
            • Executes dropped EXE
            • Loads dropped DLL
            • Drops file in System32 directory
            • System Location Discovery: System Language Discovery
            • Modifies registry class
            • Suspicious use of WriteProcessMemory
            PID:2684
            • C:\Windows\SysWOW64\Nekbmgcn.exe
              C:\Windows\system32\Nekbmgcn.exe
              6⤵
              • Adds autorun key to be loaded by Explorer.exe on startup
              • Executes dropped EXE
              • Loads dropped DLL
              • Drops file in System32 directory
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              • Suspicious use of WriteProcessMemory
              PID:2000
              • C:\Windows\SysWOW64\Nmbknddp.exe
                C:\Windows\system32\Nmbknddp.exe
                7⤵
                • Adds autorun key to be loaded by Explorer.exe on startup
                • Executes dropped EXE
                • Loads dropped DLL
                • Drops file in System32 directory
                • System Location Discovery: System Language Discovery
                • Modifies registry class
                • Suspicious use of WriteProcessMemory
                PID:292
                • C:\Windows\SysWOW64\Nodgel32.exe
                  C:\Windows\system32\Nodgel32.exe
                  8⤵
                  • Adds autorun key to be loaded by Explorer.exe on startup
                  • Executes dropped EXE
                  • Loads dropped DLL
                  • Drops file in System32 directory
                  • System Location Discovery: System Language Discovery
                  • Modifies registry class
                  • Suspicious use of WriteProcessMemory
                  PID:528
                  • C:\Windows\SysWOW64\Ngkogj32.exe
                    C:\Windows\system32\Ngkogj32.exe
                    9⤵
                    • Adds autorun key to be loaded by Explorer.exe on startup
                    • Executes dropped EXE
                    • Loads dropped DLL
                    • Drops file in System32 directory
                    • System Location Discovery: System Language Discovery
                    • Modifies registry class
                    • Suspicious use of WriteProcessMemory
                    PID:2560
                    • C:\Windows\SysWOW64\Niikceid.exe
                      C:\Windows\system32\Niikceid.exe
                      10⤵
                      • Adds autorun key to be loaded by Explorer.exe on startup
                      • Executes dropped EXE
                      • Loads dropped DLL
                      • Drops file in System32 directory
                      • System Location Discovery: System Language Discovery
                      • Modifies registry class
                      • Suspicious use of WriteProcessMemory
                      PID:2860
                      • C:\Windows\SysWOW64\Nlhgoqhh.exe
                        C:\Windows\system32\Nlhgoqhh.exe
                        11⤵
                        • Executes dropped EXE
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of WriteProcessMemory
                        PID:2864
                        • C:\Windows\SysWOW64\WerFault.exe
                          C:\Windows\SysWOW64\WerFault.exe -u -p 2864 -s 140
                          12⤵
                          • Loads dropped DLL
                          • Program crash
                          PID:856

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Windows\SysWOW64\Hljdna32.dll

          Filesize

          7KB

          MD5

          82da3253d66b7d445f57e548c2386423

          SHA1

          abc7d3ed05c6b09078aba7f2cab0e1880c460b17

          SHA256

          23c2af27c3e28df0732faf148b5d67e9dd3ed1ca2c3f47c58932772de5baccdf

          SHA512

          160bbe047140d9808af93acbed2f72baa4be13ecdbc6ce108733bb9fa5a5def1d001f6fc47b00c5ce1c6ec2ddfada090673f0982d343bffc1126eaa57d1c1605

        • C:\Windows\SysWOW64\Ngfflj32.exe

          Filesize

          74KB

          MD5

          2a72158b9e3e3a00bf980b6799ff7db7

          SHA1

          cd9953556779810042f1195b3fb12452b8108268

          SHA256

          e3bcee96641de012cbe591f1ae37732bdf1f5bd42b4b23743b7d7111efb6a55a

          SHA512

          7ce9f2a99fa71e9db437d940f4beb4c20dc0ae22110aac0e30d3cdaab018b6276e61c77c621be0ec9e9ca6b483c0ab31750d994bf880d15518669c529e014a82

        • C:\Windows\SysWOW64\Nkbalifo.exe

          Filesize

          74KB

          MD5

          d75406a0c58db0bda6bc86dcf3db547c

          SHA1

          229057b07ad559847655b6e666814140386a4868

          SHA256

          e3705d0ab3a06430510b029bdb16f9c16016cd99a55c5138de4fb4194b6a26c9

          SHA512

          ae0f1e88091c054b35ab9c942623a0daf398a437a5889ea29ee1b8a7f7a7099395992428f89cdd168c9282b95229aee7139e64a6837ebac81470a225fa5ca31f

        • C:\Windows\SysWOW64\Nlhgoqhh.exe

          Filesize

          74KB

          MD5

          7dcb361cb59b56d420d407bc136bc73e

          SHA1

          0456f4dd7aaf213bddf49154560d21c8903c8981

          SHA256

          4245ea3bb588a4791ac765f108a7ad6865d37ec2b856967d6bf3f4307b20166e

          SHA512

          a377f610aafd13fa553930e34779e1916f498c89c68912ec5673aedcdc4e42816cf633204904db8ae75be7037fd576a8bdc3c4730695eef5509aa80cbb65c2a8

        • C:\Windows\SysWOW64\Pjclpeak.dll

          Filesize

          7KB

          MD5

          7e4268c7997482cbf802736bcef85509

          SHA1

          54f3aaf64ea9e2bf6f2715228511ecd9e9456578

          SHA256

          07e128654c908b70987b46e06cb37929f4aa221a95fc025c5bcaebd19e4e77f4

          SHA512

          1298f247a62efdbd777dd1329d2e83fbcada5d2099fea33564f7eff575c4f24fe46a686b2e14959df01ea185ff9af253fb34c00354318437b9c91597fe028388

        • \Windows\SysWOW64\Ndhipoob.exe

          Filesize

          74KB

          MD5

          1d4fd494eb8d5fff8d140b4dcc89bb0c

          SHA1

          796511862f8652e331456a2e2991e1329038e87b

          SHA256

          496a419355efb4a701aaba6ad5550437d3c7605464ee3e528e82046c64e70919

          SHA512

          b3b6cf79d8f2f0408bd34d777e6cb497d9a8b31877c7cfd3e2ded0e72fd893fbccadbdd9b27e5974be4a52b929a2e89f8390f9f053988360dac803c36957fa90

        • \Windows\SysWOW64\Nekbmgcn.exe

          Filesize

          74KB

          MD5

          2a5b4cdfe5dbc9df64f9c93a455c99bd

          SHA1

          4adb1559eecb525cc79934fa80be7ef4c67bfb84

          SHA256

          b61557fa92c1ea85a80bfa0af82594645a477f9007c1311e15877e50dc26fe15

          SHA512

          d1942ddd56d55775909338e1076e107e04cd8104b5877924d97d14da445e98279ba4836d354de79996b61cc4e6a48f2426707b1d85e9ad7dd2a136860a780801

        • \Windows\SysWOW64\Ngkogj32.exe

          Filesize

          74KB

          MD5

          2abf0da6ab106ac9f43d5861f5a13dbc

          SHA1

          af28eb51a4bf61fab7689f68b3d569567934a3cd

          SHA256

          edd67c34e3c4d6c68f7e188e178b8c39cd8cbdc129ecab980b1488f7542c1a11

          SHA512

          de6058b10ac00f5c86c9d1e8b588e60e4f077fb0c969efa09cba9c7457be7ced41886759f37cbf7d7fa09da3859265eb9f387d52c8afd2ef622d8274b51686ec

        • \Windows\SysWOW64\Niikceid.exe

          Filesize

          74KB

          MD5

          cc9382b099ef5a204aeb18a813ea9581

          SHA1

          84fcb9d2b3a1074812f559476b0e538a48e95365

          SHA256

          a89a5dd2c10028902442828f5d7079c3b87ad0939517a7dc25ab5f481e7c675b

          SHA512

          d347b39b1ba86f7620810de648f4551c109fc01bdb6ef22f7b53aa0d65f693236e85a0223fb802511e1b0ba3080be630211eba28c89e17fd6d2b21d9d2e2011d

        • \Windows\SysWOW64\Nmbknddp.exe

          Filesize

          74KB

          MD5

          7b4232c367b85e94dde86ba1cfc1f405

          SHA1

          543b090c90c6c6d8744ab56b244ed8f7ad2bd730

          SHA256

          98ef517dade27988e2958c74a7707e877e37ddeb846f84bff07b29a70d74a275

          SHA512

          0d5c74fe64dcb8b47626d3cba4d893d4717035c8d8de98a0119f01d665fe9642b90b92b30e657880d5b3fee8f72c3940367f1fda6f321c7c463e3522c67ab176

        • \Windows\SysWOW64\Nodgel32.exe

          Filesize

          74KB

          MD5

          62c43d8685c239aa67361d53f1e871f6

          SHA1

          a706b5c3621b1d3039cd3409a74b270d4cb057c8

          SHA256

          4b9e4fc918dc1559592cef03312c6a976811a13a7189e0b37a742107266cde63

          SHA512

          92cfd0c0e09df97dbc65d663be70abad426ae55a2e6aa51eaf96011f37591a43a0550e5fc0d27fe83b38605aa23c94d73c0c845d7f2990303b61fb15834e587d

        • memory/292-134-0x0000000000400000-0x0000000000437000-memory.dmp

          Filesize

          220KB

        • memory/292-75-0x0000000000400000-0x0000000000437000-memory.dmp

          Filesize

          220KB

        • memory/292-82-0x0000000000290000-0x00000000002C7000-memory.dmp

          Filesize

          220KB

        • memory/528-135-0x0000000000400000-0x0000000000437000-memory.dmp

          Filesize

          220KB

        • memory/528-98-0x0000000000250000-0x0000000000287000-memory.dmp

          Filesize

          220KB

        • memory/2000-73-0x0000000000300000-0x0000000000337000-memory.dmp

          Filesize

          220KB

        • memory/2000-138-0x0000000000400000-0x0000000000437000-memory.dmp

          Filesize

          220KB

        • memory/2000-61-0x0000000000400000-0x0000000000437000-memory.dmp

          Filesize

          220KB

        • memory/2328-32-0x0000000000400000-0x0000000000437000-memory.dmp

          Filesize

          220KB

        • memory/2560-140-0x0000000000400000-0x0000000000437000-memory.dmp

          Filesize

          220KB

        • memory/2560-109-0x0000000001FA0000-0x0000000001FD7000-memory.dmp

          Filesize

          220KB

        • memory/2668-34-0x0000000000400000-0x0000000000437000-memory.dmp

          Filesize

          220KB

        • memory/2668-45-0x0000000000320000-0x0000000000357000-memory.dmp

          Filesize

          220KB

        • memory/2668-137-0x0000000000400000-0x0000000000437000-memory.dmp

          Filesize

          220KB

        • memory/2684-55-0x0000000000250000-0x0000000000287000-memory.dmp

          Filesize

          220KB

        • memory/2684-47-0x0000000000400000-0x0000000000437000-memory.dmp

          Filesize

          220KB

        • memory/2684-136-0x0000000000400000-0x0000000000437000-memory.dmp

          Filesize

          220KB

        • memory/2772-30-0x0000000000400000-0x0000000000437000-memory.dmp

          Filesize

          220KB

        • memory/2852-29-0x0000000000440000-0x0000000000477000-memory.dmp

          Filesize

          220KB

        • memory/2852-139-0x0000000000400000-0x0000000000437000-memory.dmp

          Filesize

          220KB

        • memory/2852-27-0x0000000000440000-0x0000000000477000-memory.dmp

          Filesize

          220KB

        • memory/2852-0-0x0000000000400000-0x0000000000437000-memory.dmp

          Filesize

          220KB

        • memory/2860-133-0x0000000000400000-0x0000000000437000-memory.dmp

          Filesize

          220KB

        • memory/2864-132-0x0000000000400000-0x0000000000437000-memory.dmp

          Filesize

          220KB

        • memory/2864-127-0x0000000000400000-0x0000000000437000-memory.dmp

          Filesize

          220KB