Analysis

  • max time kernel
    118s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    07/11/2024, 08:06

General

  • Target

    ce85e5c2e193af4c2dd9a09771adfa916680d6ebd02c4263e9cd9f3ab5f9aae8N.exe

  • Size

    347KB

  • MD5

    b6cb419d72a573297ec3810c011bc1a0

  • SHA1

    51fa6be53a9bd15652423f6e764aa9fb0c735891

  • SHA256

    ce85e5c2e193af4c2dd9a09771adfa916680d6ebd02c4263e9cd9f3ab5f9aae8

  • SHA512

    0c88b77194bd2477f4254466066ffc2a5743a42f8ea4c65c16a31d1f9c84d4d3c655680ee90dd8ac7bf35d0fe7ca1813251091a090ed146378070e4ebbf4e65b

  • SSDEEP

    6144:Dp87yuVz45Rx4brq2Ah1FM6234lKm3mo8Yvi4KsLTFM6234lKm3qk9:DuXex4brRGFB24lwR45FB24lEk

Malware Config

Extracted

Family

berbew

C2

http://viruslist.com/wcmd.txt

http://viruslist.com/ppslog.php

http://viruslist.com/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
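
The third C2 entry is not a literal URL but a printf-style template: the sample fills the %s/%i/%09u/%02d conversions at run time, so a proxy or DNS hunt has to match the shape of the beacon rather than an exact string. The block below is an added example, not part of this report or of the sample's code: it translates a printf template into an anchored regular expression (%s is matched as anything up to the next ':' separator, %i/%d as signed decimals, %09u as at least nine digits, %02d as at least two digits or a negative value) and runs the result over constructed proxy-log lines. Only the three URLs come from the configuration above; the log format, client addresses and field values are assumptions.

```python
import re

# Templates recovered from the sample's configuration (see the C2 list above).
PIPLOG_TEMPLATE = "http://viruslist.com/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d"
C2_TEMPLATES = (
    "http://viruslist.com/wcmd.txt",
    "http://viruslist.com/ppslog.php",
    PIPLOG_TEMPLATE,
)

# printf conversions that occur in the templates (assumption: only %s, %d, %i and %u are needed).
_CONV = re.compile(r"%(?P<flags>[-+ 0#]*)(?P<width>\d*)(?P<conv>[sdiu])")


def printf_to_regex(template: str) -> re.Pattern:
    """Translate a printf-style template into an anchored regex.

    %s  -> any run of characters not containing ':' (the separator used by the template)
    %u  -> unsigned decimal; a '0' flag with a width means "at least <width> digits"
    %d/%i -> signed decimal; the '-' sign counts toward the padded width, so a
             negative value needs one fewer digit to satisfy the padding
    """
    out = []
    pos = 0
    for m in _CONV.finditer(template):
        out.append(re.escape(template[pos:m.start()]))
        conv, width, flags = m.group("conv"), m.group("width"), m.group("flags")
        if conv == "s":
            out.append(r"[^:]*")
        else:
            min_digits = int(width) if ("0" in flags and width) else 1
            if conv == "u":
                out.append(rf"\d{{{min_digits},}}")
            else:
                neg_digits = max(min_digits - 1, 1)
                out.append(rf"(?:-\d{{{neg_digits},}}|\d{{{min_digits},}})")
        pos = m.end()
    out.append(re.escape(template[pos:]))
    return re.compile("^" + "".join(out) + "$")


C2_PATTERNS = [printf_to_regex(t) for t in C2_TEMPLATES]

# Constructed proxy log (not from the sandbox run): "<epoch> <client> <method> <url>".
# Line 3 uses the right path on the wrong host; line 4 has an 8-digit field where %09u
# guarantees at least nine digits. Neither should match.
SAMPLE_PROXY_LOG = """\
1731312360 10.0.0.5 GET http://viruslist.com/wcmd.txt
1731312361 10.0.0.5 GET http://viruslist.com/piplog.php?WIN7-PC:5:1:Admin:000123456:2:08:06:12
1731312362 10.0.0.7 GET http://example.com/piplog.php?WIN7-PC:5:1:Admin:000123456:2:08:06:12
1731312363 10.0.0.5 GET http://viruslist.com/piplog.php?WIN7-PC:5:1:Admin:12345678:2:08:06:12
1731312364 10.0.0.9 POST http://viruslist.com/ppslog.php
"""


def find_berbew_beacons(log_text: str) -> list[tuple[str, str]]:
    """Return (client, url) for every log line whose URL matches one of the C2 templates."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        client, url = fields[1], fields[3]
        if any(p.match(url) for p in C2_PATTERNS):
            hits.append((client, url))
    return hits


if __name__ == "__main__":
    for client, url in find_berbew_beacons(SAMPLE_PROXY_LOG):
        print(f"{client} -> {url}")
```

The zero-padding rule is what keeps the piplog pattern tight: a %09u field that prints fewer than nine digits cannot come from this format string, so the eight-digit line is correctly rejected while a ten-digit value (which printf would emit unpadded) still matches.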

Signatures

  • Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 30 IoCs
  • Berbew

    Berbew is a backdoor written in C++.

  • Berbew family
  • Executes dropped EXE 15 IoCs
  • Loads dropped DLL 30 IoCs
  • Drops file in System32 directory 45 IoCs
  • Drops file in Windows directory 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 16 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 53 IoCs
  • Suspicious use of WriteProcessMemory 60 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ce85e5c2e193af4c2dd9a09771adfa916680d6ebd02c4263e9cd9f3ab5f9aae8N.exe
    "C:\Users\Admin\AppData\Local\Temp\ce85e5c2e193af4c2dd9a09771adfa916680d6ebd02c4263e9cd9f3ab5f9aae8N.exe"
    1⤵
    • Adds autorun key to be loaded by Explorer.exe on startup
    • Loads dropped DLL
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:956
    • C:\Windows\SysWOW64\Aqbdkk32.exe
      C:\Windows\system32\Aqbdkk32.exe
      2⤵
      • Adds autorun key to be loaded by Explorer.exe on startup
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:624
      • C:\Windows\SysWOW64\Bkhhhd32.exe
        C:\Windows\system32\Bkhhhd32.exe
        3⤵
        • Adds autorun key to be loaded by Explorer.exe on startup
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:1028
        • C:\Windows\SysWOW64\Bbbpenco.exe
          C:\Windows\system32\Bbbpenco.exe
          4⤵
          • Adds autorun key to be loaded by Explorer.exe on startup
          • Executes dropped EXE
          • Loads dropped DLL
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          • Suspicious use of WriteProcessMemory
          PID:2504
          • C:\Windows\SysWOW64\Bmnnkl32.exe
            C:\Windows\system32\Bmnnkl32.exe
            5⤵
            • Adds autorun key to be loaded by Explorer.exe on startup
            • Executes dropped EXE
            • Loads dropped DLL
            • Drops file in System32 directory
            • System Location Discovery: System Language Discovery
            • Modifies registry class
            • Suspicious use of WriteProcessMemory
            PID:3056
            • C:\Windows\SysWOW64\Ccmpce32.exe
              C:\Windows\system32\Ccmpce32.exe
              6⤵
              • Adds autorun key to be loaded by Explorer.exe on startup
              • Executes dropped EXE
              • Loads dropped DLL
              • Drops file in System32 directory
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              • Suspicious use of WriteProcessMemory
              PID:2220
              • C:\Windows\SysWOW64\Cbblda32.exe
                C:\Windows\system32\Cbblda32.exe
                7⤵
                • Adds autorun key to be loaded by Explorer.exe on startup
                • Executes dropped EXE
                • Loads dropped DLL
                • Drops file in System32 directory
                • System Location Discovery: System Language Discovery
                • Modifies registry class
                • Suspicious use of WriteProcessMemory
                PID:2924
                • C:\Windows\SysWOW64\Cebeem32.exe
                  C:\Windows\system32\Cebeem32.exe
                  8⤵
                  • Adds autorun key to be loaded by Explorer.exe on startup
                  • Executes dropped EXE
                  • Loads dropped DLL
                  • Drops file in System32 directory
                  • System Location Discovery: System Language Discovery
                  • Modifies registry class
                  • Suspicious use of WriteProcessMemory
                  PID:2664
                  • C:\Windows\SysWOW64\Cjonncab.exe
                    C:\Windows\system32\Cjonncab.exe
                    9⤵
                    • Adds autorun key to be loaded by Explorer.exe on startup
                    • Executes dropped EXE
                    • Loads dropped DLL
                    • Drops file in System32 directory
                    • System Location Discovery: System Language Discovery
                    • Modifies registry class
                    • Suspicious use of WriteProcessMemory
                    PID:536
                    • C:\Windows\SysWOW64\Ceebklai.exe
                      C:\Windows\system32\Ceebklai.exe
                      10⤵
                      • Adds autorun key to be loaded by Explorer.exe on startup
                      • Executes dropped EXE
                      • Loads dropped DLL
                      • Drops file in System32 directory
                      • System Location Discovery: System Language Discovery
                      • Modifies registry class
                      • Suspicious use of WriteProcessMemory
                      PID:1340
                      • C:\Windows\SysWOW64\Cgcnghpl.exe
                        C:\Windows\system32\Cgcnghpl.exe
                        11⤵
                        • Adds autorun key to be loaded by Explorer.exe on startup
                        • Executes dropped EXE
                        • Loads dropped DLL
                        • Drops file in System32 directory
                        • System Location Discovery: System Language Discovery
                        • Modifies registry class
                        • Suspicious use of WriteProcessMemory
                        PID:236
                        • C:\Windows\SysWOW64\Cjakccop.exe
                          C:\Windows\system32\Cjakccop.exe
                          12⤵
                          • Adds autorun key to be loaded by Explorer.exe on startup
                          • Executes dropped EXE
                          • Loads dropped DLL
                          • Drops file in System32 directory
                          • System Location Discovery: System Language Discovery
                          • Modifies registry class
                          • Suspicious use of WriteProcessMemory
                          PID:1048
                          • C:\Windows\SysWOW64\Cegoqlof.exe
                            C:\Windows\system32\Cegoqlof.exe
                            13⤵
                            • Adds autorun key to be loaded by Explorer.exe on startup
                            • Executes dropped EXE
                            • Loads dropped DLL
                            • Drops file in System32 directory
                            • System Location Discovery: System Language Discovery
                            • Modifies registry class
                            • Suspicious use of WriteProcessMemory
                            PID:1516
                            • C:\Windows\SysWOW64\Cgfkmgnj.exe
                              C:\Windows\system32\Cgfkmgnj.exe
                              14⤵
                              • Adds autorun key to be loaded by Explorer.exe on startup
                              • Executes dropped EXE
                              • Loads dropped DLL
                              • Drops file in System32 directory
                              • System Location Discovery: System Language Discovery
                              • Modifies registry class
                              • Suspicious use of WriteProcessMemory
                              PID:2952
                              • C:\Windows\SysWOW64\Dnpciaef.exe
                                C:\Windows\system32\Dnpciaef.exe
                                15⤵
                                • Adds autorun key to be loaded by Explorer.exe on startup
                                • Executes dropped EXE
                                • Loads dropped DLL
                                • Drops file in System32 directory
                                • System Location Discovery: System Language Discovery
                                • Modifies registry class
                                • Suspicious use of WriteProcessMemory
                                PID:2188
                                • C:\Windows\SysWOW64\Dpapaj32.exe
                                  C:\Windows\system32\Dpapaj32.exe
                                  16⤵
                                  • Executes dropped EXE
                                  • Drops file in Windows directory
                                  • System Location Discovery: System Language Discovery
                                  • Modifies registry class
                                  PID:3024

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Windows\SysWOW64\Bkhhhd32.exe

          Filesize

          347KB

          MD5

          c51a8fd27c689c08d6722266a238ff72

          SHA1

          03996a9085a01cf3619f6d39fc10f28065f090d9

          SHA256

          85209cebaaaad4618d2ddbe6e34ff04c93ecc8b028274a6d30cb536e00f47525

          SHA512

          2799e2e775eb6c8d603d5d0d23821c7416f47dd0eafc70adcd0573fbd972539696910ad700ce1d74850b10d9bcda2d24f6ab0f805884a78328a039bb43ae01cc

        • C:\Windows\SysWOW64\Ceebklai.exe

          Filesize

          347KB

          MD5

          8a721c3e8bbc4ebc69622a11772a3d15

          SHA1

          8a9466e082bbc02da642218d9c2e1ca5f673dc9f

          SHA256

          5e554ee1636f4892ea5a4bd61cdc05e9e95b4e0e9a574954409735e315f13f23

          SHA512

          25ed9f55c07d7a5d306e5a108a789736636747aa362df0ff0676242d04eadcdac67005e9b1fd83a67ebbce922c275378b8a809fb87f11d4ee801532038444b2a

        • C:\Windows\SysWOW64\Cegoqlof.exe

          Filesize

          347KB

          MD5

          8083c8e76530d8352924bdcdb08d85d6

          SHA1

          fd40d2a07daff3eb4e7ebbc9fa648d57e06da6ef

          SHA256

          a88ae4f886f4693843034db58b7fc3de3432c7d85e9f267a2540d9863a2796c3

          SHA512

          5f73d815bbcd531e1da70cb9da712b20593f6088c7491e8c54c8e04d204708216b222107159a3c4304f81618c6872d66843c2c1f6684857855c0bf115ac4add1

        • C:\Windows\SysWOW64\Cgcnghpl.exe

          Filesize

          347KB

          MD5

          4bc63afbf7c6640f5caf111f40b4d56e

          SHA1

          74eaec433a353f3f9fa09bf3f138dad2c4a7659d

          SHA256

          2ff2fa6dedb14eb956e11491aa8645588a33714484845a963b79fc7f1007e6d8

          SHA512

          4d1d2679b6def596c30867b3c44404b0d274850127728d584dd8bc5df49920d4f1afec774a69cb083741049f22e518e996b853b142e5a85f0f4395662413a164

        • C:\Windows\SysWOW64\Cjakccop.exe

          Filesize

          347KB

          MD5

          afa46531d4d3057fb541716c01b188a0

          SHA1

          610b4569bc8f05f1c7fff2e11ee368a5f4671f4f

          SHA256

          4fb7fafb192414f069dd8c7027ddf3442c7a9cee0d11636ad94c7812afc6cb36

          SHA512

          7787c6f58f94219f791194693b461ee403bdb4662c2a6cebe0fb9131698ae610e1173eb3da3bcf346f2a6505fda6c605d1227c2cb3c12c43d7627506fac70bce

        • C:\Windows\SysWOW64\Cjonncab.exe

          Filesize

          347KB

          MD5

          206774f849e6138eea46b98571db69ac

          SHA1

          83bff5f100af6386a60db87380c67e07bd7239f4

          SHA256

          c2fd6a30404dcf8736b0e7abc5171e0334d46203d542a59f6212ae60bd998a31

          SHA512

          1a37864e3c0ece5921ba0c31c2cbeb9de1dd24f249d272026bfd31a24fe7bc4dfe41535d2fa06c89a9a7cb6e1fe2949bd0357675def2793573225140d5fabfcc

        • C:\Windows\SysWOW64\Dnpciaef.exe

          Filesize

          347KB

          MD5

          d866dff0de660d66c6776e17aac293c0

          SHA1

          db2d88cad5fcb7aac2f05e15c2d244ec334aa9e2

          SHA256

          dbffc1048a2361fb3a70d260ae74e348eb899f1e80b14038e3ae7032de1a294d

          SHA512

          ae90b8d17dbb5b7f02728592ae8d7594a221a24a04d37e3ce3468c89f17fcb4a12479cf47286cc9fa36ac89a1d63bf04e31269c2a94141157790feb1ea7a9413

        • C:\Windows\SysWOW64\Dpapaj32.exe

          Filesize

          347KB

          MD5

          2865ae698c63cedf5340ac1833ff906e

          SHA1

          fea6352c6467f170a1e70b4e21e508327cf51935

          SHA256

          32d0377ad5429e8306163a38392eb837fbf2c1d44625361625b6f8afa50098b6

          SHA512

          ed5f569a85d355ed5f83837c81832ffa66e16e9aa571c58cd1f0acd15fd9953484bb12f4d9e4b0000233a35c8a2e1b4fe116d6794e8569bc244b7d5b1f49da5c

        • C:\Windows\SysWOW64\Fchook32.dll

          Filesize

          7KB

          MD5

          f3fb6b72acc3562d89c1ecf91f0dec68

          SHA1

          13b44816e5d29f94a86d24429a84cb0a27bd1eed

          SHA256

          bc7f1446c343f43eee5f01e660cf9a578f65312fed020bef724db613ee173968

          SHA512

          5c1f89ccd2f25c72dec373c21b5726a64a17c997ce5f85b7e18b9a2d5c3cac42d39f4e22e864e1a096cfbab83ff8ebec0299d5424686dea143fce235245688cc

        • \Windows\SysWOW64\Aqbdkk32.exe

          Filesize

          347KB

          MD5

          18792cab3bb4984e51c8af99c59dabb6

          SHA1

          1ca7bcf5e36c6b1f95e6fa71aea3b8423a0b5dbf

          SHA256

          67af4e21b6aa5db5462068970a51822420c7bf3ddd39b7def45f29f6a68c6261

          SHA512

          59e7d4a4d2de8816eee7e2df87537f0c6233255aa20697945f614a4b12c14e875f373000a29b2518a2b7c3a19487eef57dd5d4bfa35e8d2a29a867fbfe406d80

        • \Windows\SysWOW64\Bbbpenco.exe

          Filesize

          347KB

          MD5

          a616e9c2c3bd2576e2dc77f5867f5c29

          SHA1

          4fc095a4c88e22d17579032c7b3bf710902b9093

          SHA256

          a745bcf781f933183dd138aa38efbce4aa1b643ad540019449d35327da532787

          SHA512

          c4c566d93edb2229d720d89a74fb291443dec22ac40a8952ab6988fc3e2b01c28bede58d470b844c766d75dd95e0660a5dcb652b8192ddc69c43232c0b5705fc

        • \Windows\SysWOW64\Bmnnkl32.exe

          Filesize

          347KB

          MD5

          1ad8c9c95dc754c0b94344662949e3bc

          SHA1

          74feba75827fcdeba93ecd52668598b842aaa21c

          SHA256

          fbd3414dda72a5d5434a787149260d53939a69071e0a5f5c987841b5354a0105

          SHA512

          b94057b444ef898c9b5ee3e8adf7c0b09fb4d7d808414dab8e35aab44310f3dc024520cb0d9b6912ce2838aecef4e7d4799f8c7725a81a70d2b610c3029a09f2

        • \Windows\SysWOW64\Cbblda32.exe

          Filesize

          347KB

          MD5

          eff2ce11c26f8065a825c60ed1b10261

          SHA1

          2771e5e45f0dbd7e88256159e808f9b8cc99a1db

          SHA256

          7933da39df60e4ddddb40aef03b0c216264bcba211d3f0f28fe96144bb954cba

          SHA512

          b6a0899eaeecbf36085122156de3eb8bf0edb5e7c14f554a1f545c3ad079942227afb45e003e713def31bdf582ebf9da6e51a4a6943c914bb632dbfd8abce238

        • \Windows\SysWOW64\Ccmpce32.exe

          Filesize

          347KB

          MD5

          f2933585dc754ff60d7af1666356c6c8

          SHA1

          e36cb858e524d613f53ce8684989c0ef355c9adb

          SHA256

          bc4d53d635666d1c66ad5d14adf813b77db759ae3f81c7773c2896848ed14ce9

          SHA512

          03546f29c70a98f5a29e7237dd16eb6dddc0c353a6088785d813b5bc46ba4270bbf40589626a422672cdcb706cd1f94b671f77423318b467c72c1215dff1ba4e

        • \Windows\SysWOW64\Cebeem32.exe

          Filesize

          347KB

          MD5

          13b6229e464613d609579bd089ed5cab

          SHA1

          112a5132088fb803b3e9dd4f9900ee446aff5dd1

          SHA256

          011226a2932c58b87d65f4990e2b4945d59bc44f347383ffafea88144d0e5ee1

          SHA512

          6df5b849f106e090b089fd6994d2d6a01cdd20338d017c91b6f68d7e0a786d7b0e63e8104f63c1f47538035e1bb5d4ba184b5a2641958a9d4c7ef2d225e19ee8

        • \Windows\SysWOW64\Cgfkmgnj.exe

          Filesize

          347KB

          MD5

          cba20d46faff4a29dd242d180bba18e9

          SHA1

          b61490e712d7829451416c59fc1b9af508cf974c

          SHA256

          1c68b1517ed30f5cf53d2a81c3b4a27d43c529a99d0f885de07590ccad1aeb2e

          SHA512

          ae7f784f1f114df73f0ac063c0ec51dcc9e67cf23a4fd923509feaa6345aff3b49d35407ac556aa6ba76ce8aa8b2b84ff8204e686d17fc87fee5074d7481f662

        • memory/236-138-0x0000000000400000-0x0000000000443000-memory.dmp

          Filesize

          268KB

        • memory/236-213-0x0000000000400000-0x0000000000443000-memory.dmp

          Filesize

          268KB

        • memory/536-112-0x0000000000400000-0x0000000000443000-memory.dmp

          Filesize

          268KB

        • memory/536-215-0x0000000000400000-0x0000000000443000-memory.dmp

          Filesize

          268KB

        • memory/624-19-0x0000000000400000-0x0000000000443000-memory.dmp

          Filesize

          268KB

        • memory/956-0-0x0000000000400000-0x0000000000443000-memory.dmp

          Filesize

          268KB

        • memory/956-17-0x0000000000250000-0x0000000000293000-memory.dmp

          Filesize

          268KB

        • memory/956-18-0x0000000000250000-0x0000000000293000-memory.dmp

          Filesize

          268KB

        • memory/956-222-0x0000000000400000-0x0000000000443000-memory.dmp

          Filesize

          268KB

        • memory/1028-27-0x0000000000400000-0x0000000000443000-memory.dmp

          Filesize

          268KB

        • memory/1028-37-0x0000000000260000-0x00000000002A3000-memory.dmp

          Filesize

          268KB

        • memory/1028-221-0x0000000000400000-0x0000000000443000-memory.dmp

          Filesize

          268KB

        • memory/1048-212-0x0000000000400000-0x0000000000443000-memory.dmp

          Filesize

          268KB

        • memory/1048-152-0x0000000000400000-0x0000000000443000-memory.dmp

          Filesize

          268KB

        • memory/1340-125-0x0000000000400000-0x0000000000443000-memory.dmp

          Filesize

          268KB

        • memory/1340-214-0x0000000000400000-0x0000000000443000-memory.dmp

          Filesize

          268KB

        • memory/1516-164-0x0000000000400000-0x0000000000443000-memory.dmp

          Filesize

          268KB

        • memory/1516-211-0x0000000000400000-0x0000000000443000-memory.dmp

          Filesize

          268KB

        • memory/2188-209-0x0000000000400000-0x0000000000443000-memory.dmp

          Filesize

          268KB

        • memory/2188-190-0x0000000000400000-0x0000000000443000-memory.dmp

          Filesize

          268KB

        • memory/2188-198-0x00000000002F0000-0x0000000000333000-memory.dmp

          Filesize

          268KB

        • memory/2188-203-0x00000000002F0000-0x0000000000333000-memory.dmp

          Filesize

          268KB

        • memory/2220-68-0x0000000000400000-0x0000000000443000-memory.dmp

          Filesize

          268KB

        • memory/2220-80-0x0000000000300000-0x0000000000343000-memory.dmp

          Filesize

          268KB

        • memory/2220-218-0x0000000000400000-0x0000000000443000-memory.dmp

          Filesize

          268KB

        • memory/2504-220-0x0000000000400000-0x0000000000443000-memory.dmp

          Filesize

          268KB

        • memory/2504-49-0x0000000000280000-0x00000000002C3000-memory.dmp

          Filesize

          268KB

        • memory/2504-41-0x0000000000400000-0x0000000000443000-memory.dmp

          Filesize

          268KB

        • memory/2664-98-0x0000000000400000-0x0000000000443000-memory.dmp

          Filesize

          268KB

        • memory/2664-105-0x0000000000260000-0x00000000002A3000-memory.dmp

          Filesize

          268KB

        • memory/2664-110-0x0000000000260000-0x00000000002A3000-memory.dmp

          Filesize

          268KB

        • memory/2664-216-0x0000000000400000-0x0000000000443000-memory.dmp

          Filesize

          268KB

        • memory/2924-95-0x00000000002D0000-0x0000000000313000-memory.dmp

          Filesize

          268KB

        • memory/2924-82-0x0000000000400000-0x0000000000443000-memory.dmp

          Filesize

          268KB

        • memory/2924-90-0x00000000002D0000-0x0000000000313000-memory.dmp

          Filesize

          268KB

        • memory/2924-217-0x0000000000400000-0x0000000000443000-memory.dmp

          Filesize

          268KB

        • memory/2952-177-0x0000000000400000-0x0000000000443000-memory.dmp

          Filesize

          268KB

        • memory/2952-210-0x0000000000400000-0x0000000000443000-memory.dmp

          Filesize

          268KB

        • memory/3024-205-0x0000000000400000-0x0000000000443000-memory.dmp

          Filesize

          268KB

        • memory/3024-208-0x0000000000400000-0x0000000000443000-memory.dmp

          Filesize

          268KB

        • memory/3056-62-0x0000000000250000-0x0000000000293000-memory.dmp

          Filesize

          268KB

        • memory/3056-219-0x0000000000400000-0x0000000000443000-memory.dmp

          Filesize

          268KB