Analysis
max time kernel: 148s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07/11/2024, 04:18

Static task: static1

Behavioral task: behavioral1
Sample: c86206081cfe1674c740ec2850e2ce7a01147f0789862abb625ab5dd623d9d95.exe
Resource: win7-20240903-en

Behavioral task: behavioral2
Sample: c86206081cfe1674c740ec2850e2ce7a01147f0789862abb625ab5dd623d9d95.exe
Resource: win10v2004-20241007-en
General
Target: c86206081cfe1674c740ec2850e2ce7a01147f0789862abb625ab5dd623d9d95.exe
Size: 79KB
MD5: 81cdbe40258a796ab8bd965115bb5361
SHA1: 13af7814b281c3f9d7e8c3a698a6c34f1504b5f9
SHA256: c86206081cfe1674c740ec2850e2ce7a01147f0789862abb625ab5dd623d9d95
SHA512: 61591462adb963aa411a58ce7d8f8de0bf61f0c7faa0ec6dbb9d9c8191b2709f947e93fe9cef3e57907902e905fa4fa76ae36ace07a5b0f4b8b6c4f73ab99a35
SSDEEP: 1536:DeKIaoOGVhf4QI2xUVrVfERPk9jjWb9tXY7zZrI1jHJZrR:KKIj3VhfB+VrVfyEjO9toPu1jHJ9R
Malware Config
Extracted family: berbew
Signatures

Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 12 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Daekdooc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dddhpjof.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dknpmdfc.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dhmgki32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dhmgki32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dmjocp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dmjocp32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Daekdooc.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dddhpjof.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dknpmdfc.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | c86206081cfe1674c740ec2850e2ce7a01147f0789862abb625ab5dd623d9d95.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | c86206081cfe1674c740ec2850e2ce7a01147f0789862abb625ab5dd623d9d95.exe
Berbew family
Executes dropped EXE (6 IoCs)
pid | Process
4960 | Dhmgki32.exe
2656 | Dmjocp32.exe
2256 | Daekdooc.exe
2592 | Dddhpjof.exe
4236 | Dknpmdfc.exe
4884 | Dmllipeg.exe
Drops file in System32 directory (18 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\Dmllipeg.exe | Dknpmdfc.exe
File created | C:\Windows\SysWOW64\Dhmgki32.exe | c86206081cfe1674c740ec2850e2ce7a01147f0789862abb625ab5dd623d9d95.exe
File created | C:\Windows\SysWOW64\Dddhpjof.exe | Daekdooc.exe
File created | C:\Windows\SysWOW64\Amjknl32.dll | Daekdooc.exe
File created | C:\Windows\SysWOW64\Dknpmdfc.exe | Dddhpjof.exe
File created | C:\Windows\SysWOW64\Dmjocp32.exe | Dhmgki32.exe
File opened for modification | C:\Windows\SysWOW64\Dmjocp32.exe | Dhmgki32.exe
File opened for modification | C:\Windows\SysWOW64\Daekdooc.exe | Dmjocp32.exe
File opened for modification | C:\Windows\SysWOW64\Dmllipeg.exe | Dknpmdfc.exe
File opened for modification | C:\Windows\SysWOW64\Dddhpjof.exe | Daekdooc.exe
File opened for modification | C:\Windows\SysWOW64\Dknpmdfc.exe | Dddhpjof.exe
File created | C:\Windows\SysWOW64\Kngpec32.dll | Dknpmdfc.exe
File created | C:\Windows\SysWOW64\Ohmoom32.dll | Dmjocp32.exe
File created | C:\Windows\SysWOW64\Nokpao32.dll | Dddhpjof.exe
File opened for modification | C:\Windows\SysWOW64\Dhmgki32.exe | c86206081cfe1674c740ec2850e2ce7a01147f0789862abb625ab5dd623d9d95.exe
File created | C:\Windows\SysWOW64\Fpdaoioe.dll | c86206081cfe1674c740ec2850e2ce7a01147f0789862abb625ab5dd623d9d95.exe
File created | C:\Windows\SysWOW64\Bobiobnp.dll | Dhmgki32.exe
File created | C:\Windows\SysWOW64\Daekdooc.exe | Dmjocp32.exe
Program crash (1 IoCs)
pid | pid_target | Process | procid_target
3980 | 4884 | WerFault.exe | 88
System Location Discovery: System Language Discovery (1 TTPs, 7 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dddhpjof.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dknpmdfc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dmllipeg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | c86206081cfe1674c740ec2850e2ce7a01147f0789862abb625ab5dd623d9d95.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dhmgki32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dmjocp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Daekdooc.exe
Modifies registry class (21 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | c86206081cfe1674c740ec2850e2ce7a01147f0789862abb625ab5dd623d9d95.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Daekdooc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Dddhpjof.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Dddhpjof.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Dknpmdfc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID | c86206081cfe1674c740ec2850e2ce7a01147f0789862abb625ab5dd623d9d95.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Daekdooc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokpao32.dll" | Dddhpjof.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amjknl32.dll" | Daekdooc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Dknpmdfc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | c86206081cfe1674c740ec2850e2ce7a01147f0789862abb625ab5dd623d9d95.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpdaoioe.dll" | c86206081cfe1674c740ec2850e2ce7a01147f0789862abb625ab5dd623d9d95.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Dhmgki32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Dmjocp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohmoom32.dll" | Dmjocp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll" | Dknpmdfc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node | c86206081cfe1674c740ec2850e2ce7a01147f0789862abb625ab5dd623d9d95.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738} | c86206081cfe1674c740ec2850e2ce7a01147f0789862abb625ab5dd623d9d95.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bobiobnp.dll" | Dhmgki32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Dhmgki32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Dmjocp32.exe
Suspicious use of WriteProcessMemory (18 IoCs)
description | pid | Process | procid_target
PID 4020 wrote to memory of 4960 | 4020 | c86206081cfe1674c740ec2850e2ce7a01147f0789862abb625ab5dd623d9d95.exe | 83
PID 4020 wrote to memory of 4960 | 4020 | c86206081cfe1674c740ec2850e2ce7a01147f0789862abb625ab5dd623d9d95.exe | 83
PID 4020 wrote to memory of 4960 | 4020 | c86206081cfe1674c740ec2850e2ce7a01147f0789862abb625ab5dd623d9d95.exe | 83
PID 4960 wrote to memory of 2656 | 4960 | Dhmgki32.exe | 84
PID 4960 wrote to memory of 2656 | 4960 | Dhmgki32.exe | 84
PID 4960 wrote to memory of 2656 | 4960 | Dhmgki32.exe | 84
PID 2656 wrote to memory of 2256 | 2656 | Dmjocp32.exe | 85
PID 2656 wrote to memory of 2256 | 2656 | Dmjocp32.exe | 85
PID 2656 wrote to memory of 2256 | 2656 | Dmjocp32.exe | 85
PID 2256 wrote to memory of 2592 | 2256 | Daekdooc.exe | 86
PID 2256 wrote to memory of 2592 | 2256 | Daekdooc.exe | 86
PID 2256 wrote to memory of 2592 | 2256 | Daekdooc.exe | 86
PID 2592 wrote to memory of 4236 | 2592 | Dddhpjof.exe | 87
PID 2592 wrote to memory of 4236 | 2592 | Dddhpjof.exe | 87
PID 2592 wrote to memory of 4236 | 2592 | Dddhpjof.exe | 87
PID 4236 wrote to memory of 4884 | 4236 | Dknpmdfc.exe | 88
PID 4236 wrote to memory of 4884 | 4236 | Dknpmdfc.exe | 88
PID 4236 wrote to memory of 4884 | 4236 | Dknpmdfc.exe | 88
Processes

[1] C:\Users\Admin\AppData\Local\Temp\c86206081cfe1674c740ec2850e2ce7a01147f0789862abb625ab5dd623d9d95.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\c86206081cfe1674c740ec2850e2ce7a01147f0789862abb625ab5dd623d9d95.exe"
    PID: 4020
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory

  [2] C:\Windows\SysWOW64\Dhmgki32.exe
      Command line: C:\Windows\system32\Dhmgki32.exe
      PID: 4960
      - Adds autorun key to be loaded by Explorer.exe on startup
      - Executes dropped EXE
      - Drops file in System32 directory
      - System Location Discovery: System Language Discovery
      - Modifies registry class
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\SysWOW64\Dmjocp32.exe
        Command line: C:\Windows\system32\Dmjocp32.exe
        PID: 2656
        - Adds autorun key to be loaded by Explorer.exe on startup
        - Executes dropped EXE
        - Drops file in System32 directory
        - System Location Discovery: System Language Discovery
        - Modifies registry class
        - Suspicious use of WriteProcessMemory

      [4] C:\Windows\SysWOW64\Daekdooc.exe
          Command line: C:\Windows\system32\Daekdooc.exe
          PID: 2256
          - Adds autorun key to be loaded by Explorer.exe on startup
          - Executes dropped EXE
          - Drops file in System32 directory
          - System Location Discovery: System Language Discovery
          - Modifies registry class
          - Suspicious use of WriteProcessMemory

        [5] C:\Windows\SysWOW64\Dddhpjof.exe
            Command line: C:\Windows\system32\Dddhpjof.exe
            PID: 2592
            - Adds autorun key to be loaded by Explorer.exe on startup
            - Executes dropped EXE
            - Drops file in System32 directory
            - System Location Discovery: System Language Discovery
            - Modifies registry class
            - Suspicious use of WriteProcessMemory

          [6] C:\Windows\SysWOW64\Dknpmdfc.exe
              Command line: C:\Windows\system32\Dknpmdfc.exe
              PID: 4236
              - Adds autorun key to be loaded by Explorer.exe on startup
              - Executes dropped EXE
              - Drops file in System32 directory
              - System Location Discovery: System Language Discovery
              - Modifies registry class
              - Suspicious use of WriteProcessMemory

            [7] C:\Windows\SysWOW64\Dmllipeg.exe
                Command line: C:\Windows\system32\Dmllipeg.exe
                PID: 4884
                - Executes dropped EXE
                - System Location Discovery: System Language Discovery

              [8] C:\Windows\SysWOW64\WerFault.exe
                  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4884 -s 396
                  PID: 3980
                  - Program crash

[1] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4884 -ip 4884
    PID: 5064
Downloads