Analysis

  • max time kernel
    73s
  • max time network
    17s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    07/11/2024, 08:04

General

  • Target

    8a706b022890bc76a1c72cf563851c8306ab45c76a643767c061e69309b7535eN.exe

  • Size

    74KB

  • MD5

    7266318d2dac655f66c9db0cfdfa9740

  • SHA1

    1bb92e876037af47df92c29890d6b8b6bfe67ecc

  • SHA256

    8a706b022890bc76a1c72cf563851c8306ab45c76a643767c061e69309b7535e

  • SHA512

    86ed7e9ea2b24d376b3d491b93be8d430d77b0515bb2a6286d4336653687629b1a127736af2a837643d21d21766922bc2f3183b465d041f37b5cb050ef5b01a1

  • SSDEEP

    1536:dm16ZnoU07hVDfJ5mhVQe4tOAaDrKLXBUT198jy:KjfJoX4tOj64HV

Malware Config

Extracted

Family

berbew

C2

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

  • Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 14 IoCs
  • Berbew

    Berbew is a backdoor written in C++.

  • Berbew family
  • Executes dropped EXE 7 IoCs
  • Loads dropped DLL 17 IoCs
  • Drops file in System32 directory 23 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 24 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8a706b022890bc76a1c72cf563851c8306ab45c76a643767c061e69309b7535eN.exe
    "C:\Users\Admin\AppData\Local\Temp\8a706b022890bc76a1c72cf563851c8306ab45c76a643767c061e69309b7535eN.exe"
    1⤵
    • Adds autorun key to be loaded by Explorer.exe on startup
    • Loads dropped DLL
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2688
    • C:\Windows\SysWOW64\Cjakccop.exe
      C:\Windows\system32\Cjakccop.exe
      2⤵
      • Adds autorun key to be loaded by Explorer.exe on startup
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:2848
      • C:\Windows\SysWOW64\Calcpm32.exe
        C:\Windows\system32\Calcpm32.exe
        3⤵
        • Adds autorun key to be loaded by Explorer.exe on startup
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:1040
        • C:\Windows\SysWOW64\Cegoqlof.exe
          C:\Windows\system32\Cegoqlof.exe
          4⤵
          • Adds autorun key to be loaded by Explorer.exe on startup
          • Executes dropped EXE
          • Loads dropped DLL
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          • Suspicious use of WriteProcessMemory
          PID:3060
          • C:\Windows\SysWOW64\Cgfkmgnj.exe
            C:\Windows\system32\Cgfkmgnj.exe
            5⤵
            • Adds autorun key to be loaded by Explorer.exe on startup
            • Executes dropped EXE
            • Loads dropped DLL
            • Drops file in System32 directory
            • System Location Discovery: System Language Discovery
            • Modifies registry class
            • Suspicious use of WriteProcessMemory
            PID:2616
            • C:\Windows\SysWOW64\Djdgic32.exe
              C:\Windows\system32\Djdgic32.exe
              6⤵
              • Adds autorun key to be loaded by Explorer.exe on startup
              • Executes dropped EXE
              • Loads dropped DLL
              • Drops file in System32 directory
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              • Suspicious use of WriteProcessMemory
              PID:2728
              • C:\Windows\SysWOW64\Dmbcen32.exe
                C:\Windows\system32\Dmbcen32.exe
                7⤵
                • Adds autorun key to be loaded by Explorer.exe on startup
                • Executes dropped EXE
                • Loads dropped DLL
                • Drops file in System32 directory
                • System Location Discovery: System Language Discovery
                • Modifies registry class
                • Suspicious use of WriteProcessMemory
                PID:1808
                • C:\Windows\SysWOW64\Dpapaj32.exe
                  C:\Windows\system32\Dpapaj32.exe
                  8⤵
                  • Executes dropped EXE
                  • Drops file in System32 directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of WriteProcessMemory
                  PID:2376
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -u -p 2376 -s 144
                    9⤵
                    • Loads dropped DLL
                    • Program crash
                    PID:2196

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Windows\SysWOW64\Ccofjipn.dll

          Filesize

          7KB

          MD5

          a159f1d998dc814de5ac9bc58a9056dd

          SHA1

          bc73078d3810f340bb6f5c26928cbea8abd9e8ad

          SHA256

          344ee70ce922eeb166bde4c6f5ec13c0ff7f6de9133049b2873860124b14a6c8

          SHA512

          f8bc60c6d28890aef0b215f7a2ca99b57d2563a661d455ac603c13c9830a46d0546a0cdfd651d13bc671344e4933ab9f08535c500acb0f44474414a94592d8be

        • C:\Windows\SysWOW64\Cegoqlof.exe

          Filesize

          74KB

          MD5

          0d6d428ad445bf81d647bb9c9f52fbc6

          SHA1

          716c7fad8fdfb0c65dfadd5e3818398bbe55addc

          SHA256

          77816600589f3fb7d31617d465debc42b4b5446e6bcf05bc53a54dfc5e5356ec

          SHA512

          74e6589eafb9e66b2352449640698a49db60aacda0bb53c444dee3822d3fc5ff9117e7ff7333bf96e0a1bc49ca5fc3f640d1f5b6b56e2f8405464127a53b2b65

        • \Windows\SysWOW64\Calcpm32.exe

          Filesize

          74KB

          MD5

          d3e820f8b91387a6f5e3c3ad190048a7

          SHA1

          a954dfc98a272e110f8eb091a9432e88f2d8b724

          SHA256

          0924a966ab2254b35a87c171ce32b591e8c4db7746f4e01737d160a8d9362536

          SHA512

          2088bff4f939e5bb6b23c3956baadbf508fcc9ce33036e307da597fac6415c0fba0d154cd85ca430dd13f5b94d3b33e829141bfd9fc75ba218571f0aaf311c84

        • \Windows\SysWOW64\Cgfkmgnj.exe

          Filesize

          74KB

          MD5

          cef18793778c23a8d35bd1998947425f

          SHA1

          dde43e45fb8dfff9523ebe71d35a20279c0b2c66

          SHA256

          9f50daf5dec348f330cb908b67aaa6146c668d7033f1f655aaf360d4133c6e0c

          SHA512

          55fe7817dd8a5878b1bb45151c7c4754eaee4658c5df5de00543f41696066f3f6bea555ee76297556acad752122c9531a609f0e9593bbbcc1a0bb2608f86de58

        • \Windows\SysWOW64\Cjakccop.exe

          Filesize

          74KB

          MD5

          1519a5175985935c3e9cc0ba238230f4

          SHA1

          a4a0e6b35ec46d8133220eb784088bd2fd3e2020

          SHA256

          65321db9619e0ae6a286b2c6405bd7eabe1669a543823560335d4d1a4bdf3dda

          SHA512

          b9920d9b0b84bcf1ef94f9f76b4b69c20181057892822b93b598566867eb930bd76682ead9a395d96178e22221fe2bcc9ef6a1ad8baf1bf69fcd3e7c8e985f73

        • \Windows\SysWOW64\Djdgic32.exe

          Filesize

          74KB

          MD5

          9ba7b20ce3f8c5a488cbf8265a6f6ff5

          SHA1

          991cc5bc0c257b1aeba9b6c0e885443242f3b950

          SHA256

          f07d3c598754a20cf59266823bbafbfe493265ebe8ce6c63375a60d2baecb844

          SHA512

          fa4735b73618f6d5557353a891026c0e686bd85cce73e5863e0700dcee52005bdd8a762e2cf47df2b106bcb58534457a63a4d7417a17dc2862b3088cfe1d6cb2

        • \Windows\SysWOW64\Dmbcen32.exe

          Filesize

          74KB

          MD5

          178e54ea444fef0b1461d2421abcb9eb

          SHA1

          dea0c39b0ee39a32caf67b89cef67831564fc9bb

          SHA256

          e98adf74eb121741c8b03b1a2903e3cd41b67c30bf87d54e2a08946143569588

          SHA512

          460cce44027006e51f9ab59cb62d58ff1138a21f0d7e126fefb130da0bcad431d298d69f58e7b118bcc97e09f66bb8874bec8969a0861ad860f353ea1fdbc4e8

        • \Windows\SysWOW64\Dpapaj32.exe

          Filesize

          74KB

          MD5

          503cfedf8bb3c915f1cfb799af49918b

          SHA1

          29ff4312580f2d9cc800cfcc5c87858a40d0daf4

          SHA256

          5cfae96670537e66a5608cc6d57c2fe8ede4a4cd79746c747fd3ed317792d47d

          SHA512

          821a93cda2fe40cdf1800ae027ebf43903768fe8aaae63b5afb72db7ccbbf34f233d47ddbddab68a684b5c5452097f79c4791d1a789573e6d4ef6ef288f8800b

        • memory/1040-102-0x0000000000400000-0x0000000000437000-memory.dmp

          Filesize

          220KB

        • memory/1040-26-0x0000000000400000-0x0000000000437000-memory.dmp

          Filesize

          220KB

        • memory/1040-34-0x0000000000250000-0x0000000000287000-memory.dmp

          Filesize

          220KB

        • memory/1808-107-0x0000000000400000-0x0000000000437000-memory.dmp

          Filesize

          220KB

        • memory/1808-80-0x0000000000400000-0x0000000000437000-memory.dmp

          Filesize

          220KB

        • memory/2376-93-0x0000000000400000-0x0000000000437000-memory.dmp

          Filesize

          220KB

        • memory/2376-106-0x0000000000400000-0x0000000000437000-memory.dmp

          Filesize

          220KB

        • memory/2616-53-0x0000000000400000-0x0000000000437000-memory.dmp

          Filesize

          220KB

        • memory/2616-101-0x0000000000400000-0x0000000000437000-memory.dmp

          Filesize

          220KB

        • memory/2688-0-0x0000000000400000-0x0000000000437000-memory.dmp

          Filesize

          220KB

        • memory/2688-12-0x0000000000250000-0x0000000000287000-memory.dmp

          Filesize

          220KB

        • memory/2688-105-0x0000000000400000-0x0000000000437000-memory.dmp

          Filesize

          220KB

        • memory/2728-66-0x0000000000400000-0x0000000000437000-memory.dmp

          Filesize

          220KB

        • memory/2728-78-0x00000000002D0000-0x0000000000307000-memory.dmp

          Filesize

          220KB

        • memory/2728-100-0x0000000000400000-0x0000000000437000-memory.dmp

          Filesize

          220KB

        • memory/2848-103-0x0000000000400000-0x0000000000437000-memory.dmp

          Filesize

          220KB

        • memory/2848-13-0x0000000000400000-0x0000000000437000-memory.dmp

          Filesize

          220KB

        • memory/3060-51-0x0000000000440000-0x0000000000477000-memory.dmp

          Filesize

          220KB

        • memory/3060-104-0x0000000000400000-0x0000000000437000-memory.dmp

          Filesize

          220KB