Analysis

  • max time kernel
    94s
  • max time network
    95s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    07/11/2024, 07:30

General

  • Target

    039b488c19e819addc0eb9cf453a0b985d37cc18a0d1785a21fe0326612518b7N.exe

  • Size

    128KB

  • MD5

    d3b7b99109240b51b04dac5aa9bc0390

  • SHA1

    10ef2a63bcacfb9373d827974e0d1e18c149f651

  • SHA256

    039b488c19e819addc0eb9cf453a0b985d37cc18a0d1785a21fe0326612518b7

  • SHA512

    c73725ee01b2b9edb5d09387c012eda12f811c4c5ae9c863085558ada7283eccb0c893817b22f95a37e7e4ea5a20437c88bee403c6a17f244edf8c415eb92729

  • SSDEEP

    3072:poktOXL4eGBCVKLUBpeQlj9pui6yYPaI7DehizrVtN:pS2lAB8Upui6yYPaIGc

Malware Config

Extracted

Family

berbew

C2

http://viruslist.com/wcmd.txt

http://viruslist.com/ppslog.php

http://viruslist.com/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

  • Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 2 IoCs
  • Berbew

    Berbew is a backdoor written in C++.

  • Berbew family
  • Executes dropped EXE 1 IoCs
  • Drops file in System32 directory 3 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 6 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\039b488c19e819addc0eb9cf453a0b985d37cc18a0d1785a21fe0326612518b7N.exe
    "C:\Users\Admin\AppData\Local\Temp\039b488c19e819addc0eb9cf453a0b985d37cc18a0d1785a21fe0326612518b7N.exe"
    1⤵
    • Adds autorun key to be loaded by Explorer.exe on startup
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:3492
    • C:\Windows\SysWOW64\Dmllipeg.exe
      C:\Windows\system32\Dmllipeg.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:1396
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1396 -s 408
        3⤵
        • Program crash
        PID:3668
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 1396 -ip 1396
    1⤵
      PID:2448

    Network

          MITRE ATT&CK Enterprise v15


          Downloads

          • C:\Windows\SysWOW64\Dmllipeg.exe

            Filesize

            128KB

            MD5

            011b721fdbd697c7955bf1cac99fd8db

            SHA1

            8844831ad2d7bb4f293cafd84f92728df39857cd

            SHA256

            9cf0650cc027ebd63c9df6fb732575c3fc90035aae6a5df84ecf4efc4d872229

            SHA512

            5896ae274ef02894b2cc066c631089dcf60bfe7a0dcfc55791500264df19192b31da49e0dbb145f6bfd97b2614e09546a05857cb3f72289d02c6cf9958bfd3d7

          • memory/1396-7-0x0000000000400000-0x0000000000435000-memory.dmp

            Filesize

            212KB

          • memory/1396-9-0x0000000000400000-0x0000000000435000-memory.dmp

            Filesize

            212KB

          • memory/3492-0-0x0000000000400000-0x0000000000435000-memory.dmp

            Filesize

            212KB

          • memory/3492-10-0x0000000000400000-0x0000000000435000-memory.dmp

            Filesize

            212KB