Analysis

  • max time kernel
    14s
  • max time network
    18s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    07/11/2024, 07:34

General

  • Target

    321400ee022c4aae85adaad9973f9013867334988f0b158b529ad58039758c1dN.exe

  • Size

    112KB

  • MD5

    2d20707d0a0b48ea004047a9595b5f20

  • SHA1

    150d19d69e840ec87a50675edc18905c109e9151

  • SHA256

    321400ee022c4aae85adaad9973f9013867334988f0b158b529ad58039758c1d

  • SHA512

    89687349ff899d64702222e8ef46377d295e8a80b7f450be0f089e4921d71cfd3717960aa89dd845d9b13574c311e5fe9a2751f420e00feb07701dcd6e4215aa

  • SSDEEP

    3072:ji2remjbqU6pZ2IyZ3QNSLthr1RhAo+ie0TZ:jNr6DkLthr1R6xie8Z

Malware Config

Extracted

Family

berbew

C2

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

  • Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 24 IoCs
  • Berbew

    Berbew is a backdoor written in C++.

  • Berbew family
  • Executes dropped EXE 12 IoCs
  • Loads dropped DLL 28 IoCs
  • Drops file in System32 directory 36 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 39 IoCs
  • Suspicious use of WriteProcessMemory 52 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\321400ee022c4aae85adaad9973f9013867334988f0b158b529ad58039758c1dN.exe
    "C:\Users\Admin\AppData\Local\Temp\321400ee022c4aae85adaad9973f9013867334988f0b158b529ad58039758c1dN.exe"
    1⤵
    • Adds autorun key to be loaded by Explorer.exe on startup
    • Loads dropped DLL
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:576
    • C:\Windows\SysWOW64\Paekijkb.exe
      C:\Windows\system32\Paekijkb.exe
      2⤵
      • Adds autorun key to be loaded by Explorer.exe on startup
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:2480
      • C:\Windows\SysWOW64\Pkplgoop.exe
        C:\Windows\system32\Pkplgoop.exe
        3⤵
        • Adds autorun key to be loaded by Explorer.exe on startup
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:2972
        • C:\Windows\SysWOW64\Qjeihl32.exe
          C:\Windows\system32\Qjeihl32.exe
          4⤵
          • Adds autorun key to be loaded by Explorer.exe on startup
          • Executes dropped EXE
          • Loads dropped DLL
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          • Suspicious use of WriteProcessMemory
          PID:2948
          • C:\Windows\SysWOW64\Qgiibp32.exe
            C:\Windows\system32\Qgiibp32.exe
            5⤵
            • Adds autorun key to be loaded by Explorer.exe on startup
            • Executes dropped EXE
            • Loads dropped DLL
            • Drops file in System32 directory
            • System Location Discovery: System Language Discovery
            • Modifies registry class
            • Suspicious use of WriteProcessMemory
            PID:3020
            • C:\Windows\SysWOW64\Aodnfbpm.exe
              C:\Windows\system32\Aodnfbpm.exe
              6⤵
              • Adds autorun key to be loaded by Explorer.exe on startup
              • Executes dropped EXE
              • Loads dropped DLL
              • Drops file in System32 directory
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              • Suspicious use of WriteProcessMemory
              PID:2924
              • C:\Windows\SysWOW64\Amhopfof.exe
                C:\Windows\system32\Amhopfof.exe
                7⤵
                • Adds autorun key to be loaded by Explorer.exe on startup
                • Executes dropped EXE
                • Loads dropped DLL
                • Drops file in System32 directory
                • System Location Discovery: System Language Discovery
                • Modifies registry class
                • Suspicious use of WriteProcessMemory
                PID:640
                • C:\Windows\SysWOW64\Aeccdila.exe
                  C:\Windows\system32\Aeccdila.exe
                  8⤵
                  • Adds autorun key to be loaded by Explorer.exe on startup
                  • Executes dropped EXE
                  • Loads dropped DLL
                  • Drops file in System32 directory
                  • System Location Discovery: System Language Discovery
                  • Modifies registry class
                  • Suspicious use of WriteProcessMemory
                  PID:2724
                  • C:\Windows\SysWOW64\Ankhmncb.exe
                    C:\Windows\system32\Ankhmncb.exe
                    9⤵
                    • Adds autorun key to be loaded by Explorer.exe on startup
                    • Executes dropped EXE
                    • Loads dropped DLL
                    • Drops file in System32 directory
                    • System Location Discovery: System Language Discovery
                    • Modifies registry class
                    • Suspicious use of WriteProcessMemory
                    PID:2412
                    • C:\Windows\SysWOW64\Agdlfd32.exe
                      C:\Windows\system32\Agdlfd32.exe
                      10⤵
                      • Adds autorun key to be loaded by Explorer.exe on startup
                      • Executes dropped EXE
                      • Loads dropped DLL
                      • Drops file in System32 directory
                      • System Location Discovery: System Language Discovery
                      • Modifies registry class
                      • Suspicious use of WriteProcessMemory
                      PID:3016
                      • C:\Windows\SysWOW64\Aehmoh32.exe
                        C:\Windows\system32\Aehmoh32.exe
                        11⤵
                        • Adds autorun key to be loaded by Explorer.exe on startup
                        • Executes dropped EXE
                        • Loads dropped DLL
                        • Drops file in System32 directory
                        • System Location Discovery: System Language Discovery
                        • Modifies registry class
                        • Suspicious use of WriteProcessMemory
                        PID:2800
                        • C:\Windows\SysWOW64\Ablmilgf.exe
                          C:\Windows\system32\Ablmilgf.exe
                          12⤵
                          • Adds autorun key to be loaded by Explorer.exe on startup
                          • Executes dropped EXE
                          • Loads dropped DLL
                          • Drops file in System32 directory
                          • System Location Discovery: System Language Discovery
                          • Modifies registry class
                          • Suspicious use of WriteProcessMemory
                          PID:2568
                          • C:\Windows\SysWOW64\Bmenijcd.exe
                            C:\Windows\system32\Bmenijcd.exe
                            13⤵
                            • Executes dropped EXE
                            • System Location Discovery: System Language Discovery
                            • Suspicious use of WriteProcessMemory
                            PID:1248
                            • C:\Windows\SysWOW64\WerFault.exe
                              C:\Windows\SysWOW64\WerFault.exe -u -p 1248 -s 140
                              14⤵
                              • Loads dropped DLL
                              • Program crash
                              PID:2472

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Windows\SysWOW64\Aeccdila.exe

          Filesize

          112KB

          MD5

          85ed82b88c06a1545eb13b787352029c

          SHA1

          729271d1b81ebbba9dd8e400efbe94d72d142800

          SHA256

          5357d743efae8a50990639f0a5942e22eaf415ef336958cc4c2b80b63f03321d

          SHA512

          85d748d504e5b46cb3f261bc38a29a1d881bc04971a17eebc2d50d9196be5951529ce24e57e615ff12373530dea9e0638c359983bfd3c2edb78272106310dda2

        • C:\Windows\SysWOW64\Aehmoh32.exe

          Filesize

          112KB

          MD5

          93e9ff773b5773388d4d289dfdcb2a59

          SHA1

          52ba888be80e77ffdce456854a831a96bd6dccc9

          SHA256

          9e39c77f16c5cd79eac2f53a0c1ab368d345b941dc85500fc4ad4c420fac49ff

          SHA512

          8266bb50e8155ec84c05392d54fb1e09564cdfaea7d38e9a574d891ea4e5f1be406b452cb4d1818db53ffaacb4ec326e5ac01eb734f4e5b800c192687d0ecf82

        • C:\Windows\SysWOW64\Agdlfd32.exe

          Filesize

          112KB

          MD5

          71dff91c09f364fb8ccf55178277833f

          SHA1

          20420b073dadcd6d7d2edd30b099eab7d1ef7ba1

          SHA256

          d8a04b7a0fc818a55cf41baa94150ea6358d2d7c9c185e9304e386f90ff08fd6

          SHA512

          000aa4f36c5b9fbcb346026aa53837089db4eeec95b2f89ad9cb62f90fc18e35dbb3f5b18974b047c2917b9d70b87927bda8f189efd067699076b21feb81bc49

        • C:\Windows\SysWOW64\Amhopfof.exe

          Filesize

          112KB

          MD5

          b3d8e953c1047c3eaf30dcf628698898

          SHA1

          8197a6240ab1c86fa12c31789607240c7d264768

          SHA256

          022d119009c67643e9813dc4622d34586a519e903c18958030134d271f6b65f0

          SHA512

          e46759baf15664204938959fd2932427108e87a809328c168c9e340e42de62c7df9a2c92d2f62ab9369ae1fb4c55aad37633e05cc703352aaf11766c78856596

        • C:\Windows\SysWOW64\Ankhmncb.exe

          Filesize

          112KB

          MD5

          dd13d2f359b133b57a07668bfee34555

          SHA1

          30366e169fbac4a62b931fb51dedca0fcc5f0741

          SHA256

          189239ae4d4d98a4a15008c098ea628e262e7b930bef2b3aace8b5838b0dbd23

          SHA512

          49bbfcf04605e37adb755e2b718f78c4d8d16c35e66c3c0a8e8e9c4a79e8d75845c4357f9d7e6420568e9baa818486466829ac9c593fa820d062c53f73a4ba03

        • C:\Windows\SysWOW64\Bmenijcd.exe

          Filesize

          112KB

          MD5

          6e248107c53cd75aecd211d545afc9bc

          SHA1

          ae86bc53194540631889061fecfa6ef9937292bb

          SHA256

          27d574ddacc104c9166d4d6cbc9d12e37ac98f96c691845c28d4ea8e02cb5a96

          SHA512

          a37fa09658b76ce1562aa378ef4d7ce1a031c65a71ac6fe8f20cd00721b973347b33e382fab6ab97092cac79fcc3f7aca556452894a154a8bda4cab4072c694a

        • C:\Windows\SysWOW64\Mlfibh32.dll

          Filesize

          7KB

          MD5

          b8cb151acedfdfad1caca3f5c330f0e0

          SHA1

          1d80ae1f32e8052ac58e02cafef4d470cabf7548

          SHA256

          372823a88ca89cf1415b71aa0b5337edf01978855b86041eaa031dd8acf54610

          SHA512

          3ebfb87c70cb587f46585cd296a72f5a086b20c4932a0f929b11ff38c25bf8f3ae097ae2362ce253076354908b161a36bcf6862dace8748336c0fae87152865c

        • C:\Windows\SysWOW64\Qgiibp32.exe

          Filesize

          112KB

          MD5

          08e4d8fdd6f262ffaedb7848d1125733

          SHA1

          6c64765bc06dc999a37171402578bf063841409c

          SHA256

          df24a0b7038a34f0d5c91c16281174cf1ec4b2c885f996a9ca79ed22fa78a955

          SHA512

          46b6468001a955c9c8f3dffd90268e83fcd31c5f24818c802f8fe03e90c691c0ffd6d1d3ab85ad2b59ecc9fa597147c37484b14ed5978b7f00acc6fc974708e9

        • C:\Windows\SysWOW64\Qjeihl32.exe

          Filesize

          112KB

          MD5

          d89f3311a00dc3fbccc3abe3953d182a

          SHA1

          8f5798ea413ad4605d4507842942f747e6d8cc18

          SHA256

          289cddc03574726ab36e4ecd1a4337bfbb14f30a554a7f1ade887e788e413a61

          SHA512

          b6163f8bdf441635d85b51a02fe47f9e982fc9809c59532810e3fd202d5b0cf6b7095f8487059bde2ee31a96a1a283d6b77879a6b835eb17b0e4296bbb5e7f60

        • \Windows\SysWOW64\Ablmilgf.exe

          Filesize

          112KB

          MD5

          52c7bfc27d9b77176980dbd1262b06b1

          SHA1

          104b6d747254128d86805decf82132871a5716b7

          SHA256

          3424ba3b399e2ec1455ca06cb287f6d719a2a831d4859fbabad46dd253c547e7

          SHA512

          c45a3ab244bf06208accd5ae87fc7b1ad6275277b59aa1c3b983eb0e804c2a36bc80d40313519507dfe17f83efeb58dbc9609ee3167f0389806167d1c528977f

        • \Windows\SysWOW64\Aodnfbpm.exe

          Filesize

          112KB

          MD5

          ca825b6259f51b62b6321053e686892d

          SHA1

          facba291745c562eceb0b953ccb06e279b88f029

          SHA256

          c4c2e1990547aed2ff6073eee2b08c9f8dfbb320e108fb254dc26e4ee403947d

          SHA512

          1cba7eefc940a8071ea55a2a34f42eacbf83534e04892a3df4f98c011c2b1961db42eb996838870f236bc66c8d3a4606374db9514b5a141e0ee736ff9f7b3a08

        • \Windows\SysWOW64\Paekijkb.exe

          Filesize

          112KB

          MD5

          d10c0b3a2101719f91df96ab55ce42aa

          SHA1

          8d68567d2dd4bac928528472ade5de0634248b6b

          SHA256

          fbbb68b698479c54eb6eaaf18981b0c8a3eee5c7d2cb110da0dc7354349812e6

          SHA512

          4cc889d9dec127bb2016773b69b464f9f9e11a99646b63f65050d3127e0c15136d0cc0a3c6363c959595e47e6eb812fcf3405e04c9a10b077fe499816a1a84d9

        • \Windows\SysWOW64\Pkplgoop.exe

          Filesize

          112KB

          MD5

          775708c1e8e9b5a6cec149515a5386f1

          SHA1

          fceadf6ea77dcfb1375445f6f1e3297e6ea65544

          SHA256

          c72dc85409d27746a0a86262b65f292133e08f193a04fd5b0e9b73d1a303b8b0

          SHA512

          5ab3bb62edffa4e8d3c2ed50f17208901e4d2729770e1df5bc12f537d23b68a077115bafb9616f0ce4538efba5fad90ba180006ca1b3a74e21943a842c3cf73f

        • memory/576-0-0x0000000000400000-0x0000000000435000-memory.dmp

          Filesize

          212KB

        • memory/576-178-0x0000000000400000-0x0000000000435000-memory.dmp

          Filesize

          212KB

        • memory/576-13-0x0000000000220000-0x0000000000255000-memory.dmp

          Filesize

          212KB

        • memory/576-12-0x0000000000220000-0x0000000000255000-memory.dmp

          Filesize

          212KB

        • memory/640-90-0x0000000000220000-0x0000000000255000-memory.dmp

          Filesize

          212KB

        • memory/640-176-0x0000000000400000-0x0000000000435000-memory.dmp

          Filesize

          212KB

        • memory/1248-164-0x0000000000400000-0x0000000000435000-memory.dmp

          Filesize

          212KB

        • memory/1248-174-0x0000000000400000-0x0000000000435000-memory.dmp

          Filesize

          212KB

        • memory/2412-111-0x0000000000400000-0x0000000000435000-memory.dmp

          Filesize

          212KB

        • memory/2412-171-0x0000000000400000-0x0000000000435000-memory.dmp

          Filesize

          212KB

        • memory/2412-118-0x0000000000320000-0x0000000000355000-memory.dmp

          Filesize

          212KB

        • memory/2480-175-0x0000000000400000-0x0000000000435000-memory.dmp

          Filesize

          212KB

        • memory/2480-22-0x0000000000220000-0x0000000000255000-memory.dmp

          Filesize

          212KB

        • memory/2480-33-0x0000000000220000-0x0000000000255000-memory.dmp

          Filesize

          212KB

        • memory/2480-14-0x0000000000400000-0x0000000000435000-memory.dmp

          Filesize

          212KB

        • memory/2568-169-0x0000000000400000-0x0000000000435000-memory.dmp

          Filesize

          212KB

        • memory/2568-163-0x0000000000440000-0x0000000000475000-memory.dmp

          Filesize

          212KB

        • memory/2724-104-0x0000000000220000-0x0000000000255000-memory.dmp

          Filesize

          212KB

        • memory/2724-172-0x0000000000400000-0x0000000000435000-memory.dmp

          Filesize

          212KB

        • memory/2724-96-0x0000000000400000-0x0000000000435000-memory.dmp

          Filesize

          212KB

        • memory/2800-137-0x0000000000400000-0x0000000000435000-memory.dmp

          Filesize

          212KB

        • memory/2800-149-0x00000000001B0000-0x00000000001E5000-memory.dmp

          Filesize

          212KB

        • memory/2800-173-0x0000000000400000-0x0000000000435000-memory.dmp

          Filesize

          212KB

        • memory/2924-77-0x0000000000220000-0x0000000000255000-memory.dmp

          Filesize

          212KB

        • memory/2924-179-0x0000000000400000-0x0000000000435000-memory.dmp

          Filesize

          212KB

        • memory/2948-180-0x0000000000400000-0x0000000000435000-memory.dmp

          Filesize

          212KB

        • memory/2948-42-0x0000000000400000-0x0000000000435000-memory.dmp

          Filesize

          212KB

        • memory/2948-50-0x0000000000230000-0x0000000000265000-memory.dmp

          Filesize

          212KB

        • memory/2972-34-0x0000000000400000-0x0000000000435000-memory.dmp

          Filesize

          212KB

        • memory/3016-170-0x0000000000400000-0x0000000000435000-memory.dmp

          Filesize

          212KB

        • memory/3016-135-0x0000000000220000-0x0000000000255000-memory.dmp

          Filesize

          212KB

        • memory/3020-64-0x00000000002B0000-0x00000000002E5000-memory.dmp

          Filesize

          212KB

        • memory/3020-177-0x0000000000400000-0x0000000000435000-memory.dmp

          Filesize

          212KB

        • memory/3020-56-0x0000000000400000-0x0000000000435000-memory.dmp

          Filesize

          212KB