Analysis

max time kernel: 94s
max time network: 95s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07/11/2024, 07:30
Behavioral task: behavioral1
Sample: 039b488c19e819addc0eb9cf453a0b985d37cc18a0d1785a21fe0326612518b7N.exe
Resource: win7-20240903-en

Behavioral task: behavioral2
Sample: 039b488c19e819addc0eb9cf453a0b985d37cc18a0d1785a21fe0326612518b7N.exe
Resource: win10v2004-20241007-en
General

Target: 039b488c19e819addc0eb9cf453a0b985d37cc18a0d1785a21fe0326612518b7N.exe
Size: 128KB
MD5: d3b7b99109240b51b04dac5aa9bc0390
SHA1: 10ef2a63bcacfb9373d827974e0d1e18c149f651
SHA256: 039b488c19e819addc0eb9cf453a0b985d37cc18a0d1785a21fe0326612518b7
SHA512: c73725ee01b2b9edb5d09387c012eda12f811c4c5ae9c863085558ada7283eccb0c893817b22f95a37e7e4ea5a20437c88bee403c6a17f244edf8c415eb92729
SSDEEP: 3072:poktOXL4eGBCVKLUBpeQlj9pui6yYPaI7DehizrVtN:pS2lAB8Upui6yYPaIGc
Malware Config
Extracted
berbew
http://viruslist.com/wcmd.txt
http://viruslist.com/ppslog.php
http://viruslist.com/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures

Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 2 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | 039b488c19e819addc0eb9cf453a0b985d37cc18a0d1785a21fe0326612518b7N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | 039b488c19e819addc0eb9cf453a0b985d37cc18a0d1785a21fe0326612518b7N.exe

Berbew family

Executes dropped EXE (1 IoC)
pid | Process
1396 | Dmllipeg.exe

Drops file in System32 directory (3 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\Dmllipeg.exe | 039b488c19e819addc0eb9cf453a0b985d37cc18a0d1785a21fe0326612518b7N.exe
File opened for modification | C:\Windows\SysWOW64\Dmllipeg.exe | 039b488c19e819addc0eb9cf453a0b985d37cc18a0d1785a21fe0326612518b7N.exe
File created | C:\Windows\SysWOW64\Kngpec32.dll | 039b488c19e819addc0eb9cf453a0b985d37cc18a0d1785a21fe0326612518b7N.exe

Program crash (1 IoC)
pid | pid_target | Process | procid_target
3668 | 1396 | WerFault.exe | 83

System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 039b488c19e819addc0eb9cf453a0b985d37cc18a0d1785a21fe0326612518b7N.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dmllipeg.exe

Modifies registry class (6 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node | 039b488c19e819addc0eb9cf453a0b985d37cc18a0d1785a21fe0326612518b7N.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID | 039b488c19e819addc0eb9cf453a0b985d37cc18a0d1785a21fe0326612518b7N.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831} | 039b488c19e819addc0eb9cf453a0b985d37cc18a0d1785a21fe0326612518b7N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll" | 039b488c19e819addc0eb9cf453a0b985d37cc18a0d1785a21fe0326612518b7N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | 039b488c19e819addc0eb9cf453a0b985d37cc18a0d1785a21fe0326612518b7N.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | 039b488c19e819addc0eb9cf453a0b985d37cc18a0d1785a21fe0326612518b7N.exe

Suspicious use of WriteProcessMemory (3 IoCs)
description | pid | Process | procid_target
PID 3492 wrote to memory of 1396 | 3492 | 039b488c19e819addc0eb9cf453a0b985d37cc18a0d1785a21fe0326612518b7N.exe | 83
PID 3492 wrote to memory of 1396 | 3492 | 039b488c19e819addc0eb9cf453a0b985d37cc18a0d1785a21fe0326612518b7N.exe | 83
PID 3492 wrote to memory of 1396 | 3492 | 039b488c19e819addc0eb9cf453a0b985d37cc18a0d1785a21fe0326612518b7N.exe | 83
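The registry and file IoCs above fit together: the sample registers a CLSID under ShellServiceObjectDelayLoad (SSODL), points that CLSID's InProcServer32 at a DLL it has just written to SysWOW64, and launches the executable it dropped beside it. The Python below is an added example, not code from the report or from the sample: it correlates a trace of such events into those two findings. The event lines embedded in it are constructed from the IoCs listed above in a simple pid|op|target|value form (not the sandbox's native export), and the function names are this example's own.

```python
"""Correlate sandbox registry/file/process events into two detections that
match what the Berbew report shows: an SSODL autorun whose CLSID resolves to
a freshly dropped COM server DLL, and a dropped executable launched by the
process that wrote it.

Added example, not code from the report or the sample. The event format is
an assumption: pid|op|target[|value], one event per line, in trace order.
"""
import re
from collections import defaultdict

# Constructed events mirroring the report's IoCs (the sandbox's own export
# format differs; this flat form is an assumption of the example).
EVENTS = r"""
3492|Key created|\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
3492|Set value (str)|\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger|{79ECA078-17FF-726B-E811-213280E5C831}
3492|File created|C:\Windows\SysWOW64\Dmllipeg.exe
3492|File opened for modification|C:\Windows\SysWOW64\Dmllipeg.exe
3492|File created|C:\Windows\SysWOW64\Kngpec32.dll
3492|Key created|\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32
3492|Set value (str)|\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\|C:\Windows\SysWow64\Kngpec32.dll
3492|Set value (str)|\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel|Apartment
3492|Key opened|\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
3492|Process created|C:\Windows\SysWOW64\Dmllipeg.exe|1396
1396|Key opened|\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
"""

# Matched case-insensitively; covers the native and the WOW6432Node SSODL key.
SSODL = "\\currentversion\\shellserviceobjectdelayload\\"
GUID_RE = re.compile(r"\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}", re.IGNORECASE)


def parse(text):
    """Split the flat event lines into dicts; value is None when absent."""
    events = []
    for line in text.strip().splitlines():
        parts = line.split("|", 3)
        events.append({
            "pid": int(parts[0]),
            "op": parts[1],
            "target": parts[2],
            "value": parts[3] if len(parts) > 3 else None,
        })
    return events


def detect_ssodl_autorun(events):
    """Every SSODL value holding a CLSID, joined to the InProcServer32 path set
    for that CLSID in the same trace, plus whether that DLL was created in the
    trace. Paths are compared case-insensitively: the report writes SysWOW64
    in the file event but SysWow64 in the registry value."""
    created = {e["target"].lower() for e in events if e["op"] == "File created"}
    servers = {}
    for e in events:
        if e["op"].startswith("Set value") and e["target"].lower().endswith("\\inprocserver32\\"):
            m = GUID_RE.search(e["target"])
            if m:
                servers[m.group(0).upper()] = e["value"]
    hits = []
    for e in events:
        if not (e["op"].startswith("Set value") and SSODL in e["target"].lower()):
            continue
        if e["value"] is None or not GUID_RE.fullmatch(e["value"]):
            continue
        clsid = e["value"].upper()
        dll = servers.get(clsid)
        hits.append({
            "pid": e["pid"],
            "name": e["target"].rsplit("\\", 1)[1],
            "clsid": clsid,
            "dll": dll,
            "dll_dropped": dll is not None and dll.lower() in created,
        })
    return hits


def detect_dropped_and_executed(events):
    """Processes that create an .exe and later spawn it (the report's
    'Drops file in System32 directory' followed by 'Executes dropped EXE')."""
    dropped = defaultdict(set)
    hits = []
    for e in events:
        path = e["target"].lower()
        if e["op"] == "File created" and path.endswith(".exe"):
            dropped[e["pid"]].add(path)
        elif e["op"] == "Process created" and path in dropped[e["pid"]]:
            hits.append({"parent": e["pid"], "child": int(e["value"]), "image": e["target"]})
    return hits


if __name__ == "__main__":
    events = parse(EVENTS)
    for hit in detect_ssodl_autorun(events):
        print("SSODL autorun:", hit)
    for hit in detect_dropped_and_executed(events):
        print("dropped and executed:", hit)
```

Two normalisation points matter when turning this into a live hunt. The sample is a 32-bit image on x64 Windows, so its HKLM\Software writes land under WOW6432Node; a check that only reads the native ShellServiceObjectDelayLoad and CLSID keys misses this persistence entirely. Likewise the parent launches the child with a C:\Windows\system32\ path while the process image is under SysWOW64 (file-system redirection), so image paths and command-line paths must be compared after normalising the directory, not as raw strings.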
Processes

C:\Users\Admin\AppData\Local\Temp\039b488c19e819addc0eb9cf453a0b985d37cc18a0d1785a21fe0326612518b7N.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\039b488c19e819addc0eb9cf453a0b985d37cc18a0d1785a21fe0326612518b7N.exe"
  PID: 3492
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\Dmllipeg.exe
      command line: C:\Windows\system32\Dmllipeg.exe
      PID: 1396
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
        C:\Windows\SysWOW64\WerFault.exe
          command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1396 -s 408
          PID: 3668
          - Program crash

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 1396 -ip 1396
  PID: 2448
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 128KB
MD5: 011b721fdbd697c7955bf1cac99fd8db
SHA1: 8844831ad2d7bb4f293cafd84f92728df39857cd
SHA256: 9cf0650cc027ebd63c9df6fb732575c3fc90035aae6a5df84ecf4efc4d872229
SHA512: 5896ae274ef02894b2cc066c631089dcf60bfe7a0dcfc55791500264df19192b31da49e0dbb145f6bfd97b2614e09546a05857cb3f72289d02c6cf9958bfd3d7