Analysis

  • max time kernel: 148s
  • max time network: 150s
  • platform: windows10-2004_x64
  • resource: win10v2004-20241007-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 07/11/2024, 04:18

General

  • Target: c86206081cfe1674c740ec2850e2ce7a01147f0789862abb625ab5dd623d9d95.exe
  • Size: 79KB
  • MD5: 81cdbe40258a796ab8bd965115bb5361
  • SHA1: 13af7814b281c3f9d7e8c3a698a6c34f1504b5f9
  • SHA256: c86206081cfe1674c740ec2850e2ce7a01147f0789862abb625ab5dd623d9d95
  • SHA512: 61591462adb963aa411a58ce7d8f8de0bf61f0c7faa0ec6dbb9d9c8191b2709f947e93fe9cef3e57907902e905fa4fa76ae36ace07a5b0f4b8b6c4f73ab99a35
  • SSDEEP: 1536:DeKIaoOGVhf4QI2xUVrVfERPk9jjWb9tXY7zZrI1jHJZrR:KKIj3VhfB+VrVfyEjO9toPu1jHJ9R

Malware Config

Extracted

  • Family: berbew
  • C2
Signatures

  • Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 12 IoCs
  • Berbew

    Berbew is a backdoor written in C++.

  • Berbew family
  • Executes dropped EXE 6 IoCs
  • Drops file in System32 directory 18 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 21 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c86206081cfe1674c740ec2850e2ce7a01147f0789862abb625ab5dd623d9d95.exe
    "C:\Users\Admin\AppData\Local\Temp\c86206081cfe1674c740ec2850e2ce7a01147f0789862abb625ab5dd623d9d95.exe"
    1⤵
    • Adds autorun key to be loaded by Explorer.exe on startup
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4020
    • C:\Windows\SysWOW64\Dhmgki32.exe
      C:\Windows\system32\Dhmgki32.exe
      2⤵
      • Adds autorun key to be loaded by Explorer.exe on startup
      • Executes dropped EXE
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:4960
      • C:\Windows\SysWOW64\Dmjocp32.exe
        C:\Windows\system32\Dmjocp32.exe
        3⤵
        • Adds autorun key to be loaded by Explorer.exe on startup
        • Executes dropped EXE
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:2656
        • C:\Windows\SysWOW64\Daekdooc.exe
          C:\Windows\system32\Daekdooc.exe
          4⤵
          • Adds autorun key to be loaded by Explorer.exe on startup
          • Executes dropped EXE
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          • Suspicious use of WriteProcessMemory
          PID:2256
          • C:\Windows\SysWOW64\Dddhpjof.exe
            C:\Windows\system32\Dddhpjof.exe
            5⤵
            • Adds autorun key to be loaded by Explorer.exe on startup
            • Executes dropped EXE
            • Drops file in System32 directory
            • System Location Discovery: System Language Discovery
            • Modifies registry class
            • Suspicious use of WriteProcessMemory
            PID:2592
            • C:\Windows\SysWOW64\Dknpmdfc.exe
              C:\Windows\system32\Dknpmdfc.exe
              6⤵
              • Adds autorun key to be loaded by Explorer.exe on startup
              • Executes dropped EXE
              • Drops file in System32 directory
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              • Suspicious use of WriteProcessMemory
              PID:4236
              • C:\Windows\SysWOW64\Dmllipeg.exe
                C:\Windows\system32\Dmllipeg.exe
                7⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                PID:4884
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 4884 -s 396
                  8⤵
                  • Program crash
                  PID:3980
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4884 -ip 4884
    1⤵
      PID:5064

Downloads

  • C:\Windows\SysWOW64\Daekdooc.exe (79KB)
    MD5: ba5878c18e0690e225b4f809e3433980
    SHA1: b1af78ef55b9af4542f3ea12ef584e6717638cd7
    SHA256: 5cd697f65bf7d77ddc9739c597c5aea34bc69caf07bd12bf9f8e6e8723acdac9
    SHA512: b732c829d18648d9dd9dd0c7bac3eaf30abed26ffe8617edcd5be70934d3aac0240d0796086015fafd124a3646a92148af42b891ce31abb83775736d9b3042cd

  • C:\Windows\SysWOW64\Dddhpjof.exe (79KB)
    MD5: ae26e0d4a7e147572fcb3ee4f9b200e8
    SHA1: 3c853f0d3bdb60fc82d82d800320dec54806bf66
    SHA256: 261dcb6f14dcc8c4e8930d55de86a630145f9f386d54e7804335813253180a6f
    SHA512: 0230ab9a44ddbeb501ca062dc5e1f641006598d566d58b334e68dfffe794b9ef3489c41b75a2be96f9e3b295b35671bcd12b0d4a41211ae2aacd88c843d50546

  • C:\Windows\SysWOW64\Dhmgki32.exe (79KB)
    MD5: 6f26b7a23f728bfbfb5b1c99d5a8782d
    SHA1: f4804273797491e99bc655e2a8558f216a62ac8e
    SHA256: 281ca71532700ca59cb47ee4f30a43e475937bec15d007419161dde80a269586
    SHA512: 1b4e1f5a36bd955db0ad34f2178ae8c638b65b780d2817ba4004f17bcba0c73b9aa5d6603f106bd409528a26ba8e50e70156c2399b1b7cd866379a366f78eebf

  • C:\Windows\SysWOW64\Dknpmdfc.exe (79KB)
    MD5: ab52df398c5ca19f7e01ceaaedfa4dcd
    SHA1: 4c724f30b48733c7e47eb7bb784904dd4de3e689
    SHA256: c057e35d20288b64c59b25752c13dcdd2dd539c9cd565fb8d8c795d20116d560
    SHA512: 6b8303896f787a39ba2c84bcbf961329c44b110ddc4edbae309a2fc06ebe8dee791d7f258982b51228231d9514659bcc986b22aabeded2df068b212562bff134

  • C:\Windows\SysWOW64\Dmjocp32.exe (79KB)
    MD5: 06c26d7f65e859c25051f119e135e310
    SHA1: b9a4a2415592476b06acf052189971234068aa94
    SHA256: 3e3c9e68a95e0517ac18ce2c81417b8771b0fb136873b5b5e0f2f4bfb4fafba7
    SHA512: 65861fbf058681fd82305c78aeb3b0dbd149ee5805a9f5389423a3f6bbc6c4fcf0192fe2412306d1762be05ca1cd0df54cf4191f91faee08b5b21429595f9f0e

  • C:\Windows\SysWOW64\Dmllipeg.exe (79KB)
    MD5: ed6f186927303c8096bbe8a14a9e5632
    SHA1: be41e5e5f3df57fb778647b37e9267a04c1d92d0
    SHA256: c5ddcc99924d390537194184dd74724675c3b071af4e35d7602371bb463dcfdd
    SHA512: 2b7e8171a60a852a950e2a1e8270634e1562833611ce491291d28fc8be53fda5954a1a965fc5d88c922bb6596e617965c26f4e5767644bcd4815922ba2197f70