Analysis

  • max time kernel
    92s
  • max time network
    95s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    07/11/2024, 08:01

General

  • Target

    dc4cf104c8973b4183028d7cb6de5caeffa904635f187a2763d282e89648c327N.exe

  • Size

    92KB

  • MD5

    3ef54d9e28dcf7ed93875d7230f1cd70

  • SHA1

    4ce6574d4c945e8ed3af05e50235f85c31b855f5

  • SHA256

    dc4cf104c8973b4183028d7cb6de5caeffa904635f187a2763d282e89648c327

  • SHA512

    a6bef67082c6c69c8b4d80af53bc71bbc51d46d5b10eb256887e49229809fd94b639c12d304d90efafbbc4eb4394d214b3cb0f0a3659903bc5d15d5515e29a6c

  • SSDEEP

    1536:Gy4MaquZMnClx5000cLR8mr982LKcJ9VqDlzVxyh+CbxMQgn:GOaqSlx5000cL2m7hJ9IDlRxyhTbhgn

Malware Config

Extracted

Family

berbew

C2

Signatures

  • Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 28 IoCs
  • Berbew

    Berbew is a backdoor written in C++.

  • Berbew family
  • Executes dropped EXE 14 IoCs
  • Drops file in System32 directory 42 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 45 IoCs
  • Suspicious use of WriteProcessMemory 42 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\dc4cf104c8973b4183028d7cb6de5caeffa904635f187a2763d282e89648c327N.exe
    "C:\Users\Admin\AppData\Local\Temp\dc4cf104c8973b4183028d7cb6de5caeffa904635f187a2763d282e89648c327N.exe"
    1⤵
    • Adds autorun key to be loaded by Explorer.exe on startup
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1724
    • C:\Windows\SysWOW64\Dhfajjoj.exe
      C:\Windows\system32\Dhfajjoj.exe
      2⤵
      • Adds autorun key to be loaded by Explorer.exe on startup
      • Executes dropped EXE
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:2328
      • C:\Windows\SysWOW64\Dopigd32.exe
        C:\Windows\system32\Dopigd32.exe
        3⤵
        • Adds autorun key to be loaded by Explorer.exe on startup
        • Executes dropped EXE
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:4148
        • C:\Windows\SysWOW64\Danecp32.exe
          C:\Windows\system32\Danecp32.exe
          4⤵
          • Adds autorun key to be loaded by Explorer.exe on startup
          • Executes dropped EXE
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          • Suspicious use of WriteProcessMemory
          PID:3204
          • C:\Windows\SysWOW64\Dhhnpjmh.exe
            C:\Windows\system32\Dhhnpjmh.exe
            5⤵
            • Adds autorun key to be loaded by Explorer.exe on startup
            • Executes dropped EXE
            • Drops file in System32 directory
            • System Location Discovery: System Language Discovery
            • Modifies registry class
            • Suspicious use of WriteProcessMemory
            PID:3412
            • C:\Windows\SysWOW64\Dobfld32.exe
              C:\Windows\system32\Dobfld32.exe
              6⤵
              • Adds autorun key to be loaded by Explorer.exe on startup
              • Executes dropped EXE
              • Drops file in System32 directory
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              • Suspicious use of WriteProcessMemory
              PID:4500
              • C:\Windows\SysWOW64\Delnin32.exe
                C:\Windows\system32\Delnin32.exe
                7⤵
                • Adds autorun key to be loaded by Explorer.exe on startup
                • Executes dropped EXE
                • Drops file in System32 directory
                • System Location Discovery: System Language Discovery
                • Modifies registry class
                • Suspicious use of WriteProcessMemory
                PID:2468
                • C:\Windows\SysWOW64\Dfnjafap.exe
                  C:\Windows\system32\Dfnjafap.exe
                  8⤵
                  • Adds autorun key to be loaded by Explorer.exe on startup
                  • Executes dropped EXE
                  • Drops file in System32 directory
                  • System Location Discovery: System Language Discovery
                  • Modifies registry class
                  • Suspicious use of WriteProcessMemory
                  PID:3416
                  • C:\Windows\SysWOW64\Dkifae32.exe
                    C:\Windows\system32\Dkifae32.exe
                    9⤵
                    • Adds autorun key to be loaded by Explorer.exe on startup
                    • Executes dropped EXE
                    • Drops file in System32 directory
                    • System Location Discovery: System Language Discovery
                    • Modifies registry class
                    • Suspicious use of WriteProcessMemory
                    PID:3140
                    • C:\Windows\SysWOW64\Daconoae.exe
                      C:\Windows\system32\Daconoae.exe
                      10⤵
                      • Adds autorun key to be loaded by Explorer.exe on startup
                      • Executes dropped EXE
                      • Drops file in System32 directory
                      • System Location Discovery: System Language Discovery
                      • Modifies registry class
                      • Suspicious use of WriteProcessMemory
                      PID:976
                      • C:\Windows\SysWOW64\Dhmgki32.exe
                        C:\Windows\system32\Dhmgki32.exe
                        11⤵
                        • Adds autorun key to be loaded by Explorer.exe on startup
                        • Executes dropped EXE
                        • Drops file in System32 directory
                        • System Location Discovery: System Language Discovery
                        • Modifies registry class
                        • Suspicious use of WriteProcessMemory
                        PID:3116
                        • C:\Windows\SysWOW64\Dogogcpo.exe
                          C:\Windows\system32\Dogogcpo.exe
                          12⤵
                          • Adds autorun key to be loaded by Explorer.exe on startup
                          • Executes dropped EXE
                          • Drops file in System32 directory
                          • System Location Discovery: System Language Discovery
                          • Modifies registry class
                          • Suspicious use of WriteProcessMemory
                          PID:1576
                          • C:\Windows\SysWOW64\Deagdn32.exe
                            C:\Windows\system32\Deagdn32.exe
                            13⤵
                            • Adds autorun key to be loaded by Explorer.exe on startup
                            • Executes dropped EXE
                            • Drops file in System32 directory
                            • System Location Discovery: System Language Discovery
                            • Modifies registry class
                            • Suspicious use of WriteProcessMemory
                            PID:4044
                            • C:\Windows\SysWOW64\Dgbdlf32.exe
                              C:\Windows\system32\Dgbdlf32.exe
                              14⤵
                              • Adds autorun key to be loaded by Explorer.exe on startup
                              • Executes dropped EXE
                              • Drops file in System32 directory
                              • System Location Discovery: System Language Discovery
                              • Modifies registry class
                              • Suspicious use of WriteProcessMemory
                              PID:4396
                              • C:\Windows\SysWOW64\Dmllipeg.exe
                                C:\Windows\system32\Dmllipeg.exe
                                15⤵
                                • Executes dropped EXE
                                • System Location Discovery: System Language Discovery
                                PID:1852
                                • C:\Windows\SysWOW64\WerFault.exe
                                  C:\Windows\SysWOW64\WerFault.exe -u -p 1852 -s 404
                                  16⤵
                                  • Program crash
                                  PID:1748
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1852 -ip 1852
    1⤵
      PID:4256

Network

MITRE ATT&CK Enterprise v15


Downloads
