Analysis

  • max time kernel
    119s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    07/11/2024, 07:10

General

  • Target

    1b145dd518b7fd782a2a1c408bd191244e8f136fd6ad442545f4c2d9fb7d59f2N.exe

  • Size

    75KB

  • MD5

    2a310f9426320785edf8f6a37bf69ab0

  • SHA1

    be9f737563c7204250bd5bd3b9c163fbce7c2c6b

  • SHA256

    1b145dd518b7fd782a2a1c408bd191244e8f136fd6ad442545f4c2d9fb7d59f2

  • SHA512

    147556f624bb4ab101e4871112469cfee7b5df1a04de296081c7bc49b6d3911e509807f9338940ad0d35c15e33affce2107d1ccd8cd8b0c477decbb1fe47b383

  • SSDEEP

    1536:n9gDbcyvQDnToFSfUruHouyb8hg+OZZjm1cgCe8uvQGYQzlV:9gDb1vQDn1HouyQhg9njmugCe8uvQa

Malware Config

Extracted

Family

berbew

C2


Signatures

  • Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 10 IoCs
  • Berbew

    Berbew is a backdoor written in C++.

  • Berbew family
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 13 IoCs
  • Drops file in System32 directory 17 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 18 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1b145dd518b7fd782a2a1c408bd191244e8f136fd6ad442545f4c2d9fb7d59f2N.exe
    "C:\Users\Admin\AppData\Local\Temp\1b145dd518b7fd782a2a1c408bd191244e8f136fd6ad442545f4c2d9fb7d59f2N.exe"
    1⤵
    • Adds autorun key to be loaded by Explorer.exe on startup
    • Loads dropped DLL
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1832
    • C:\Windows\SysWOW64\Cileqlmg.exe
      C:\Windows\system32\Cileqlmg.exe
      2⤵
      • Adds autorun key to be loaded by Explorer.exe on startup
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:2556
      • C:\Windows\SysWOW64\Cnimiblo.exe
        C:\Windows\system32\Cnimiblo.exe
        3⤵
        • Adds autorun key to be loaded by Explorer.exe on startup
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:524
        • C:\Windows\SysWOW64\Cchbgi32.exe
          C:\Windows\system32\Cchbgi32.exe
          4⤵
          • Adds autorun key to be loaded by Explorer.exe on startup
          • Executes dropped EXE
          • Loads dropped DLL
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          • Suspicious use of WriteProcessMemory
          PID:2780
          • C:\Windows\SysWOW64\Cfhkhd32.exe
            C:\Windows\system32\Cfhkhd32.exe
            5⤵
            • Adds autorun key to be loaded by Explorer.exe on startup
            • Executes dropped EXE
            • Loads dropped DLL
            • Drops file in System32 directory
            • System Location Discovery: System Language Discovery
            • Modifies registry class
            • Suspicious use of WriteProcessMemory
            PID:2380
            • C:\Windows\SysWOW64\Dpapaj32.exe
              C:\Windows\system32\Dpapaj32.exe
              6⤵
              • Executes dropped EXE
              • Drops file in System32 directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:2828
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 2828 -s 144
                7⤵
                • Loads dropped DLL
                • Program crash
                PID:2796

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Windows\SysWOW64\Cchbgi32.exe

          Filesize

          75KB

          MD5

          6acef5715cd83bc6f2c85c339e968b6a

          SHA1

          cbfa06333ae21e4c4035b6829d16f40f22f328c7

          SHA256

          efb9429d9c5bcc52d53972fa38bd598347e9cca5c0b60723a7c3d2d2548e95fa

          SHA512

          b6e4fbd2e2668e1abd77d6d5ab89b9cc6bec04d9b24ad67299447da6c1d9a100ae1d0936095b7980de8519d2d155ecb88cd0e0cf7e235ef5294ea8ab96307124

        • C:\Windows\SysWOW64\Cfhkhd32.exe

          Filesize

          75KB

          MD5

          466f826c69c047f01870c4f6133a98fc

          SHA1

          b52c55ca4f7dac1f70fa2539084629ef4fe0562e

          SHA256

          f90d1120fa84744029d30224e278d26cc68baf3665f3ce5ba5828ae193439d8c

          SHA512

          3d2444d6ab71a45afd7cccffbe87e68f29624523ae0381dd8e91b92642a6979e43afe6db67a17d7adf8c3833a338ce205659e70ecb27def00f92ee2a6adbc82a

        • C:\Windows\SysWOW64\Cileqlmg.exe

          Filesize

          75KB

          MD5

          6a56979a9e4284ce9f4118c00a8e5306

          SHA1

          8aeb25fdda0ac065243c3ec374a03bd04d42ba26

          SHA256

          deddffeca64caec623d0f134cac0418b27787c17c01b350bc906de33560b586e

          SHA512

          b77685948c71c9287560832e2d350df9e8dcfee6d9c19dade4bb94d3a11e5089ad809db882291f5807f5cae166a4f61553e170372ca65a07bed91c51744d1ac2

        • C:\Windows\SysWOW64\Cnimiblo.exe

          Filesize

          75KB

          MD5

          c8f1c8d30f7aa9715f7ba172836d9e3a

          SHA1

          b077d13a498aea94a81fe600e7abd7ca17435b59

          SHA256

          0c7d5ad3d9e133dfe60b4f99e612d497977ee1b01b2fdd0cc7768d2976359f91

          SHA512

          f09a843f70d1d55f210c7d4aec59ad5327d340ea8a7e1bf8199fdcb2d40258bf05257587738e5e6552191c1c18c829bb389ef6696a89163b1e7a8870bf0fff9f

        • \Windows\SysWOW64\Dpapaj32.exe

          Filesize

          75KB

          MD5

          39f0173cc8efa4c07889f42587015b21

          SHA1

          6037ec6eb207e75705ecd056bb90fd54a4635176

          SHA256

          f8a4522e4032b2c706fed5a29535078706555fc066422d4d9209c9770e2ea15e

          SHA512

          9e9baa3a91cffa4c8853be511395722f97348e539e1953e41968f456a1c8e185d6c2dc497b24c6f7411fe5a0ff58adf38f3b12b404f1fcc8f26cfa10bbd0340a

        • memory/524-40-0x00000000002B0000-0x00000000002EC000-memory.dmp

          Filesize

          240KB

        • memory/524-82-0x0000000000400000-0x000000000043C000-memory.dmp

          Filesize

          240KB

        • memory/524-39-0x00000000002B0000-0x00000000002EC000-memory.dmp

          Filesize

          240KB

        • memory/1832-12-0x0000000000220000-0x000000000025C000-memory.dmp

          Filesize

          240KB

        • memory/1832-80-0x0000000000400000-0x000000000043C000-memory.dmp

          Filesize

          240KB

        • memory/1832-13-0x0000000000220000-0x000000000025C000-memory.dmp

          Filesize

          240KB

        • memory/1832-0-0x0000000000400000-0x000000000043C000-memory.dmp

          Filesize

          240KB

        • memory/2380-69-0x0000000000220000-0x000000000025C000-memory.dmp

          Filesize

          240KB

        • memory/2380-78-0x0000000000400000-0x000000000043C000-memory.dmp

          Filesize

          240KB

        • memory/2380-56-0x0000000000400000-0x000000000043C000-memory.dmp

          Filesize

          240KB

        • memory/2556-14-0x0000000000400000-0x000000000043C000-memory.dmp

          Filesize

          240KB

        • memory/2556-22-0x00000000003C0000-0x00000000003FC000-memory.dmp

          Filesize

          240KB

        • memory/2556-79-0x0000000000400000-0x000000000043C000-memory.dmp

          Filesize

          240KB

        • memory/2780-81-0x0000000000400000-0x000000000043C000-memory.dmp

          Filesize

          240KB

        • memory/2780-42-0x0000000000400000-0x000000000043C000-memory.dmp

          Filesize

          240KB

        • memory/2780-49-0x00000000003C0000-0x00000000003FC000-memory.dmp

          Filesize

          240KB

        • memory/2828-70-0x0000000000400000-0x000000000043C000-memory.dmp

          Filesize

          240KB

        • memory/2828-77-0x0000000000400000-0x000000000043C000-memory.dmp

          Filesize

          240KB