Analysis
-
max time kernel: 119s
max time network: 124s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 07/11/2024, 07:10
Static task
static1
Behavioral task
behavioral1
Sample
1b145dd518b7fd782a2a1c408bd191244e8f136fd6ad442545f4c2d9fb7d59f2N.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
1b145dd518b7fd782a2a1c408bd191244e8f136fd6ad442545f4c2d9fb7d59f2N.exe
Resource
win10v2004-20241007-en
General
-
Target
1b145dd518b7fd782a2a1c408bd191244e8f136fd6ad442545f4c2d9fb7d59f2N.exe
-
Size
75KB
-
MD5
2a310f9426320785edf8f6a37bf69ab0
-
SHA1
be9f737563c7204250bd5bd3b9c163fbce7c2c6b
-
SHA256
1b145dd518b7fd782a2a1c408bd191244e8f136fd6ad442545f4c2d9fb7d59f2
-
SHA512
147556f624bb4ab101e4871112469cfee7b5df1a04de296081c7bc49b6d3911e509807f9338940ad0d35c15e33affce2107d1ccd8cd8b0c477decbb1fe47b383
-
SSDEEP
1536:n9gDbcyvQDnToFSfUruHouyb8hg+OZZjm1cgCe8uvQGYQzlV:9gDb1vQDn1HouyQhg9njmugCe8uvQa
Malware Config
Extracted
berbew
http://crutop.nu/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://master-x.com/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://crutop.ru/index.php
http://kaspersky.ru/index.php
http://color-bank.ru/index.php
http://adult-empire.com/index.php
http://virus-list.com/index.php
http://trojan.ru/index.php
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://fethard.biz/index.htm
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://kaspersky.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 10 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cileqlmg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cileqlmg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cchbgi32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | 1b145dd518b7fd782a2a1c408bd191244e8f136fd6ad442545f4c2d9fb7d59f2N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | 1b145dd518b7fd782a2a1c408bd191244e8f136fd6ad442545f4c2d9fb7d59f2N.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cchbgi32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cfhkhd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cfhkhd32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cnimiblo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cnimiblo.exe
Berbew family
-
Executes dropped EXE 5 IoCs
pid | Process
2556 | Cileqlmg.exe
524 | Cnimiblo.exe
2780 | Cchbgi32.exe
2380 | Cfhkhd32.exe
2828 | Dpapaj32.exe
Loads dropped DLL 13 IoCs
pid | Process
1832 | 1b145dd518b7fd782a2a1c408bd191244e8f136fd6ad442545f4c2d9fb7d59f2N.exe
1832 | 1b145dd518b7fd782a2a1c408bd191244e8f136fd6ad442545f4c2d9fb7d59f2N.exe
2556 | Cileqlmg.exe
2556 | Cileqlmg.exe
524 | Cnimiblo.exe
524 | Cnimiblo.exe
2780 | Cchbgi32.exe
2780 | Cchbgi32.exe
2380 | Cfhkhd32.exe
2380 | Cfhkhd32.exe
2796 | WerFault.exe
2796 | WerFault.exe
2796 | WerFault.exe
Drops file in System32 directory 17 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\Cnimiblo.exe | Cileqlmg.exe
File opened for modification | C:\Windows\SysWOW64\Cfhkhd32.exe | Cchbgi32.exe
File created | C:\Windows\SysWOW64\Dpapaj32.exe | Cfhkhd32.exe
File created | C:\Windows\SysWOW64\Pdkefp32.dll | Cfhkhd32.exe
File created | C:\Windows\SysWOW64\Cmbfdl32.dll | 1b145dd518b7fd782a2a1c408bd191244e8f136fd6ad442545f4c2d9fb7d59f2N.exe
File created | C:\Windows\SysWOW64\Cchbgi32.exe | Cnimiblo.exe
File created | C:\Windows\SysWOW64\Fkdqjn32.dll | Cchbgi32.exe
File created | C:\Windows\SysWOW64\ÿs.e¢e | Dpapaj32.exe
File created | C:\Windows\SysWOW64\Cileqlmg.exe | 1b145dd518b7fd782a2a1c408bd191244e8f136fd6ad442545f4c2d9fb7d59f2N.exe
File created | C:\Windows\SysWOW64\Pobghn32.dll | Cileqlmg.exe
File opened for modification | C:\Windows\SysWOW64\Cchbgi32.exe | Cnimiblo.exe
File opened for modification | C:\Windows\SysWOW64\Dpapaj32.exe | Cfhkhd32.exe
File opened for modification | C:\Windows\SysWOW64\ÿs.e¢e | Dpapaj32.exe
File opened for modification | C:\Windows\SysWOW64\Cileqlmg.exe | 1b145dd518b7fd782a2a1c408bd191244e8f136fd6ad442545f4c2d9fb7d59f2N.exe
File created | C:\Windows\SysWOW64\Cnimiblo.exe | Cileqlmg.exe
File created | C:\Windows\SysWOW64\Acnenl32.dll | Cnimiblo.exe
File created | C:\Windows\SysWOW64\Cfhkhd32.exe | Cchbgi32.exe
Program crash 1 IoCs
pid | pid_target | Process
2796 | 2828 | WerFault.exe
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cfhkhd32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dpapaj32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 1b145dd518b7fd782a2a1c408bd191244e8f136fd6ad442545f4c2d9fb7d59f2N.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cileqlmg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cnimiblo.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cchbgi32.exe
Modifies registry class 18 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738} | 1b145dd518b7fd782a2a1c408bd191244e8f136fd6ad442545f4c2d9fb7d59f2N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | 1b145dd518b7fd782a2a1c408bd191244e8f136fd6ad442545f4c2d9fb7d59f2N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pobghn32.dll" | Cileqlmg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkdqjn32.dll" | Cchbgi32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node | 1b145dd518b7fd782a2a1c408bd191244e8f136fd6ad442545f4c2d9fb7d59f2N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmbfdl32.dll" | 1b145dd518b7fd782a2a1c408bd191244e8f136fd6ad442545f4c2d9fb7d59f2N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdkefp32.dll" | Cfhkhd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Cchbgi32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID | 1b145dd518b7fd782a2a1c408bd191244e8f136fd6ad442545f4c2d9fb7d59f2N.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Cileqlmg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Cileqlmg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acnenl32.dll" | Cnimiblo.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Cchbgi32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | 1b145dd518b7fd782a2a1c408bd191244e8f136fd6ad442545f4c2d9fb7d59f2N.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Cnimiblo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Cnimiblo.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Cfhkhd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Cfhkhd32.exe
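The two registry signatures above ("Adds autorun key to be loaded by Explorer.exe on startup" and "Modifies registry class") are two halves of one persistence mechanism: each stage registers the CLSID {79FEACFF-FFCE-815E-A900-316290B5B738} with an InProcServer32 pointing at the DLL it just dropped into SysWOW64, then lists that CLSID under ShellServiceObjectDelayLoad so Explorer instantiates the COM object, and so loads the DLL, at logon. The script below is an added hunting example, not part of this sandbox report or of any tool the report mentions. It walks both the native and Wow6432Node ShellServiceObjectDelayLoad keys, resolves every CLSID to its InProcServer32 DLL, checks the DLL's Authenticode status, and flags the exact CLSID and value name recorded here. The variable names are the example's own; it assumes an elevated Windows PowerShell 5.1 or later session and only reads the registry.

```powershell
# Added example: audit ShellServiceObjectDelayLoad (SSODL) persistence.
# Not from the sandbox report; the IoC constants below are copied from it.

$KnownBadClsid     = '{79FEACFF-FFCE-815E-A900-316290B5B738}'   # CLSID seen in this report
$KnownBadValueName = 'Web Event Logger'                         # SSODL value name seen in this report

# 64-bit Explorer reads the native key; a 32-bit writer is redirected to Wow6432Node.
$SsodlPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad'
)

function Resolve-InProcServer32 {
    # Returns the DLL path registered for a CLSID in the requested registry view, or $null.
    param([string]$Clsid, [switch]$Wow64)
    $classes = if ($Wow64) { 'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID' } else { 'HKLM:\SOFTWARE\Classes\CLSID' }
    $key = Join-Path $classes "$Clsid\InProcServer32"
    if (-not (Test-Path $key)) { return $null }
    # The unnamed (default) value holds the server path; it may be REG_EXPAND_SZ.
    $raw = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'(default)'
    if (-not $raw) { return $null }
    return [Environment]::ExpandEnvironmentVariables($raw)
}

$findings = foreach ($path in $SsodlPaths) {
    if (-not (Test-Path $path)) { continue }
    $isWow64 = $path -like '*Wow6432Node*'
    $key = Get-Item -Path $path
    foreach ($name in $key.GetValueNames()) {
        if ($name -eq '') { continue }                 # the key's own default value is not an SSODL entry
        $clsid = [string]$key.GetValue($name)
        $dll   = Resolve-InProcServer32 -Clsid $clsid -Wow64:$isWow64
        $sig   = if ($dll -and (Test-Path $dll)) { (Get-AuthenticodeSignature -FilePath $dll).Status } else { 'FileMissing' }

        $flags = @()
        if ($clsid -ieq $KnownBadClsid)      { $flags += 'IoC:CLSID' }
        if ($name  -ieq $KnownBadValueName)  { $flags += 'IoC:ValueName' }
        if ($sig -ne 'Valid')                { $flags += "Signature:$sig" }
        # Berbew drops into SysWOW64, which this regex allows; the signature check is what catches it.
        if ($dll -and ($dll -notmatch '^[A-Za-z]:\\Windows\\(System32|SysWOW64)\\')) { $flags += 'NonSystemPath' }

        [pscustomobject]@{
            View      = if ($isWow64) { 'Wow6432Node' } else { 'Native' }
            ValueName = $name
            CLSID     = $clsid
            DllPath   = $dll
            Flags     = ($flags -join ',')
        }
    }
}

$findings | Format-Table -AutoSize
```

Any row with a non-empty Flags column deserves a look; stock entries such as WebCheck resolve to signed DLLs under System32. Two caveats when reading this report against a live host: the sample is 32-bit (everything lands in SysWOW64 and Wow6432Node), and 64-bit explorer.exe consults the native SSODL key, so on an x64 host like this sandbox the entry may never actually be loaded at logon, while on 32-bit Windows the same write hits the key Explorer reads. And because each stage overwrote the same CLSID's InProcServer32 with a different DLL (Cmbfdl32.dll, Pobghn32.dll, Acnenl32.dll, Fkdqjn32.dll, Pdkefp32.dll), only the last writer's path survives in the registry; the earlier DLLs are still on disk and worth collecting.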
Suspicious use of WriteProcessMemory 24 IoCs
description | pid | Process | procid_target
PID 1832 wrote to memory of 2556 | 1832 | 1b145dd518b7fd782a2a1c408bd191244e8f136fd6ad442545f4c2d9fb7d59f2N.exe | 31
PID 1832 wrote to memory of 2556 | 1832 | 1b145dd518b7fd782a2a1c408bd191244e8f136fd6ad442545f4c2d9fb7d59f2N.exe | 31
PID 1832 wrote to memory of 2556 | 1832 | 1b145dd518b7fd782a2a1c408bd191244e8f136fd6ad442545f4c2d9fb7d59f2N.exe | 31
PID 1832 wrote to memory of 2556 | 1832 | 1b145dd518b7fd782a2a1c408bd191244e8f136fd6ad442545f4c2d9fb7d59f2N.exe | 31
PID 2556 wrote to memory of 524 | 2556 | Cileqlmg.exe | 32
PID 2556 wrote to memory of 524 | 2556 | Cileqlmg.exe | 32
PID 2556 wrote to memory of 524 | 2556 | Cileqlmg.exe | 32
PID 2556 wrote to memory of 524 | 2556 | Cileqlmg.exe | 32
PID 524 wrote to memory of 2780 | 524 | Cnimiblo.exe | 33
PID 524 wrote to memory of 2780 | 524 | Cnimiblo.exe | 33
PID 524 wrote to memory of 2780 | 524 | Cnimiblo.exe | 33
PID 524 wrote to memory of 2780 | 524 | Cnimiblo.exe | 33
PID 2780 wrote to memory of 2380 | 2780 | Cchbgi32.exe | 34
PID 2780 wrote to memory of 2380 | 2780 | Cchbgi32.exe | 34
PID 2780 wrote to memory of 2380 | 2780 | Cchbgi32.exe | 34
PID 2780 wrote to memory of 2380 | 2780 | Cchbgi32.exe | 34
PID 2380 wrote to memory of 2828 | 2380 | Cfhkhd32.exe | 35
PID 2380 wrote to memory of 2828 | 2380 | Cfhkhd32.exe | 35
PID 2380 wrote to memory of 2828 | 2380 | Cfhkhd32.exe | 35
PID 2380 wrote to memory of 2828 | 2380 | Cfhkhd32.exe | 35
PID 2828 wrote to memory of 2796 | 2828 | Dpapaj32.exe | 36
PID 2828 wrote to memory of 2796 | 2828 | Dpapaj32.exe | 36
PID 2828 wrote to memory of 2796 | 2828 | Dpapaj32.exe | 36
PID 2828 wrote to memory of 2796 | 2828 | Dpapaj32.exe | 36
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\1b145dd518b7fd782a2a1c408bd191244e8f136fd6ad442545f4c2d9fb7d59f2N.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\1b145dd518b7fd782a2a1c408bd191244e8f136fd6ad442545f4c2d9fb7d59f2N.exe"
   PID: 1832
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Loads dropped DLL
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   - Modifies registry class
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\Cileqlmg.exe (child of PID 1832)
      Command line: C:\Windows\system32\Cileqlmg.exe
      PID: 2556
      - Adds autorun key to be loaded by Explorer.exe on startup
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in System32 directory
      - System Location Discovery: System Language Discovery
      - Modifies registry class
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\Cnimiblo.exe (child of PID 2556)
         Command line: C:\Windows\system32\Cnimiblo.exe
         PID: 524
         - Adds autorun key to be loaded by Explorer.exe on startup
         - Executes dropped EXE
         - Loads dropped DLL
         - Drops file in System32 directory
         - System Location Discovery: System Language Discovery
         - Modifies registry class
         - Suspicious use of WriteProcessMemory

         4. C:\Windows\SysWOW64\Cchbgi32.exe (child of PID 524)
            Command line: C:\Windows\system32\Cchbgi32.exe
            PID: 2780
            - Adds autorun key to be loaded by Explorer.exe on startup
            - Executes dropped EXE
            - Loads dropped DLL
            - Drops file in System32 directory
            - System Location Discovery: System Language Discovery
            - Modifies registry class
            - Suspicious use of WriteProcessMemory

            5. C:\Windows\SysWOW64\Cfhkhd32.exe (child of PID 2780)
               Command line: C:\Windows\system32\Cfhkhd32.exe
               PID: 2380
               - Adds autorun key to be loaded by Explorer.exe on startup
               - Executes dropped EXE
               - Loads dropped DLL
               - Drops file in System32 directory
               - System Location Discovery: System Language Discovery
               - Modifies registry class
               - Suspicious use of WriteProcessMemory

               6. C:\Windows\SysWOW64\Dpapaj32.exe (child of PID 2380)
                  Command line: C:\Windows\system32\Dpapaj32.exe
                  PID: 2828
                  - Executes dropped EXE
                  - Drops file in System32 directory
                  - System Location Discovery: System Language Discovery
                  - Suspicious use of WriteProcessMemory

                  7. C:\Windows\SysWOW64\WerFault.exe (child of PID 2828)
                     Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2828 -s 144
                     PID: 2796
                     - Loads dropped DLL
                     - Program crash
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 75KB
MD5: 6acef5715cd83bc6f2c85c339e968b6a
SHA1: cbfa06333ae21e4c4035b6829d16f40f22f328c7
SHA256: efb9429d9c5bcc52d53972fa38bd598347e9cca5c0b60723a7c3d2d2548e95fa
SHA512: b6e4fbd2e2668e1abd77d6d5ab89b9cc6bec04d9b24ad67299447da6c1d9a100ae1d0936095b7980de8519d2d155ecb88cd0e0cf7e235ef5294ea8ab96307124
-
Filesize: 75KB
MD5: 466f826c69c047f01870c4f6133a98fc
SHA1: b52c55ca4f7dac1f70fa2539084629ef4fe0562e
SHA256: f90d1120fa84744029d30224e278d26cc68baf3665f3ce5ba5828ae193439d8c
SHA512: 3d2444d6ab71a45afd7cccffbe87e68f29624523ae0381dd8e91b92642a6979e43afe6db67a17d7adf8c3833a338ce205659e70ecb27def00f92ee2a6adbc82a
-
Filesize: 75KB
MD5: 6a56979a9e4284ce9f4118c00a8e5306
SHA1: 8aeb25fdda0ac065243c3ec374a03bd04d42ba26
SHA256: deddffeca64caec623d0f134cac0418b27787c17c01b350bc906de33560b586e
SHA512: b77685948c71c9287560832e2d350df9e8dcfee6d9c19dade4bb94d3a11e5089ad809db882291f5807f5cae166a4f61553e170372ca65a07bed91c51744d1ac2
-
Filesize: 75KB
MD5: c8f1c8d30f7aa9715f7ba172836d9e3a
SHA1: b077d13a498aea94a81fe600e7abd7ca17435b59
SHA256: 0c7d5ad3d9e133dfe60b4f99e612d497977ee1b01b2fdd0cc7768d2976359f91
SHA512: f09a843f70d1d55f210c7d4aec59ad5327d340ea8a7e1bf8199fdcb2d40258bf05257587738e5e6552191c1c18c829bb389ef6696a89163b1e7a8870bf0fff9f
-
Filesize: 75KB
MD5: 39f0173cc8efa4c07889f42587015b21
SHA1: 6037ec6eb207e75705ecd056bb90fd54a4635176
SHA256: f8a4522e4032b2c706fed5a29535078706555fc066422d4d9209c9770e2ea15e
SHA512: 9e9baa3a91cffa4c8853be511395722f97348e539e1953e41968f456a1c8e185d6c2dc497b24c6f7411fe5a0ff58adf38f3b12b404f1fcc8f26cfa10bbd0340a