Analysis

  • max time kernel
    24s
  • max time network
    16s
  • platform
    windows7_x64
  • resource
    win7-20241023-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
  • submitted
    09/11/2024, 09:08

General

  • Target

    6e2b1c22fe1e19943bfcba89df3a263fc68ce82f957512a1897274d026a7c5daN.exe

  • Size

    85KB

  • MD5

    f84df5a646849c075fc3c1beea495800

  • SHA1

    42cdd5414c08f2c12b294c074a58f48338b4b194

  • SHA256

    6e2b1c22fe1e19943bfcba89df3a263fc68ce82f957512a1897274d026a7c5da

  • SHA512

    910d7ab8f844329c461728c755af7d54188a40ac89dafeaab058940946f70e126a0b9f9ff1e219513e67dabb96c327f6cc2d779b2c640dbec45686c43b2041ad

  • SSDEEP

    1536:yG8htpniMSxSDxDAk0zGCjQ6+EBsZje5dL2LHaMQ262AjCsQ2PCZZrqOlNfVSLUN:yGeiMSxSDxMzka2HaMQH2qC7ZQOlzSLA

Malware Config

Extracted

Family

berbew

C2

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

  • Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 16 IoCs)
  • Berbew

    Berbew is a backdoor written in C++.

  • Berbew family
  • Executes dropped EXE (8 IoCs)
  • Loads dropped DLL (20 IoCs)
  • Drops file in System32 directory (24 IoCs)
  • Program crash (1 IoC)
  • System Location Discovery: System Language Discovery (1 TTP, 9 IoCs)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class (27 IoCs)
  • Suspicious use of WriteProcessMemory (36 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\6e2b1c22fe1e19943bfcba89df3a263fc68ce82f957512a1897274d026a7c5daN.exe
    "C:\Users\Admin\AppData\Local\Temp\6e2b1c22fe1e19943bfcba89df3a263fc68ce82f957512a1897274d026a7c5daN.exe"
    1⤵
    • Adds autorun key to be loaded by Explorer.exe on startup
    • Loads dropped DLL
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:3012
    • C:\Windows\SysWOW64\Blkioa32.exe
      C:\Windows\system32\Blkioa32.exe
      2⤵
      • Adds autorun key to be loaded by Explorer.exe on startup
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:2944
      • C:\Windows\SysWOW64\Bnielm32.exe
        C:\Windows\system32\Bnielm32.exe
        3⤵
        • Adds autorun key to be loaded by Explorer.exe on startup
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:2964
        • C:\Windows\SysWOW64\Bnkbam32.exe
          C:\Windows\system32\Bnkbam32.exe
          4⤵
          • Adds autorun key to be loaded by Explorer.exe on startup
          • Executes dropped EXE
          • Loads dropped DLL
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          • Suspicious use of WriteProcessMemory
          PID:2832
          • C:\Windows\SysWOW64\Bhdgjb32.exe
            C:\Windows\system32\Bhdgjb32.exe
            5⤵
            • Adds autorun key to be loaded by Explorer.exe on startup
            • Executes dropped EXE
            • Loads dropped DLL
            • Drops file in System32 directory
            • System Location Discovery: System Language Discovery
            • Modifies registry class
            • Suspicious use of WriteProcessMemory
            PID:2700
            • C:\Windows\SysWOW64\Blaopqpo.exe
              C:\Windows\system32\Blaopqpo.exe
              6⤵
              • Adds autorun key to be loaded by Explorer.exe on startup
              • Executes dropped EXE
              • Loads dropped DLL
              • Drops file in System32 directory
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              • Suspicious use of WriteProcessMemory
              PID:320
              • C:\Windows\SysWOW64\Baohhgnf.exe
                C:\Windows\system32\Baohhgnf.exe
                7⤵
                • Adds autorun key to be loaded by Explorer.exe on startup
                • Executes dropped EXE
                • Loads dropped DLL
                • Drops file in System32 directory
                • System Location Discovery: System Language Discovery
                • Modifies registry class
                • Suspicious use of WriteProcessMemory
                PID:584
                • C:\Windows\SysWOW64\Baadng32.exe
                  C:\Windows\system32\Baadng32.exe
                  8⤵
                  • Adds autorun key to be loaded by Explorer.exe on startup
                  • Executes dropped EXE
                  • Loads dropped DLL
                  • Drops file in System32 directory
                  • System Location Discovery: System Language Discovery
                  • Modifies registry class
                  • Suspicious use of WriteProcessMemory
                  PID:2864
                  • C:\Windows\SysWOW64\Cacacg32.exe
                    C:\Windows\system32\Cacacg32.exe
                    9⤵
                    • Executes dropped EXE
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of WriteProcessMemory
                    PID:2220
                    • C:\Windows\SysWOW64\WerFault.exe
                      C:\Windows\SysWOW64\WerFault.exe -u -p 2220 -s 140
                      10⤵
                      • Loads dropped DLL
                      • Program crash
                      PID:2020

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Windows\SysWOW64\Baadng32.exe
          Filesize: 85KB
          MD5: 4e02ea3da6f8e14f33cdcbdc83d6072a
          SHA1: fa3f52e56e13a0750d8ed8c0fe0dff69b69d9368
          SHA256: 88a8e10a34bcd1235d46995548475a28097891e06122550d1247840fa87c7ba7
          SHA512: 02b3723206dcf51978bcec1a98cd865f95d1a35374f131809ded1575734a66eec0578c1a0554479f4410280ac5ec39f7bde50ac731eda0adb7daa9b15ed2f8ca

        • C:\Windows\SysWOW64\Bhdgjb32.exe
          Filesize: 85KB
          MD5: d2552f15e5fc8ca1ee204f8c2b875cc5
          SHA1: 882f67c66d2ff2adfdacfb2c0383fb4ad52761a3
          SHA256: f5c8c7961601f1055c2b099535b0d10a3e0332fff54d978d3694eaf2ec597ea2
          SHA512: cd2c9b44de234c9460aa801f41979ca6a82f8189354ade03c2f396c91aa38f0159fa7262001681ceefafd1d1ffb6cef186513fb270b28c3a0272367cf3ecbab8

        • C:\Windows\SysWOW64\Blkioa32.exe
          Filesize: 85KB
          MD5: 3a83dc929d2202a711d68cb9cfa0206e
          SHA1: c58549e65813d89b442ccf860230ca910a7b2140
          SHA256: fe839823ef27d583594ce444d61418003f422b8f71c289f41f729ff4ba12d653
          SHA512: 7c1937ca3c208bd68fa6b1788a6b382a68a6f43481415b753421759ea1caec6511011ab51b3cbc3a35b01f119e0008cabc75787c39aa9d768172efc12e1a0fc0

        • C:\Windows\SysWOW64\Bnielm32.exe
          Filesize: 85KB
          MD5: 76c4457859690be246bf845cebb9ac87
          SHA1: 1af2c4dc3c77cd607ab266e7b4cd629194971155
          SHA256: fa323bd7e86eb2ae03bd951beb09c7bd8295716a86d6011e18c8d9ec8d3ec079
          SHA512: 67e6d97054522c2c7df924e5d540506518abfa76b7786fff405343eb51e174ed497a66285762376a25004c8091bf19aee62c8f4a7fb93473fe9ca72b8351fa6d

        • \Windows\SysWOW64\Baohhgnf.exe
          Filesize: 85KB
          MD5: 0369cb650ec79015579a213e9bd28787
          SHA1: 2d02157206a7dcdf3ce6aba49ec2201a97b60a5b
          SHA256: 28265d953fc2513265b8db47d4b32571c0d10c78092a768254d8f1cc8f3837ab
          SHA512: 0b14f74f4c21e02b7ee42d501c4ef60f92790a3cf02bd3ed328a0f17baf3f065e49cc8cab82b0ac29fa84481bb397c0ef5648275ec594777d62e5d5cc46720be

        • \Windows\SysWOW64\Blaopqpo.exe
          Filesize: 85KB
          MD5: 251dd1fcb5b2924893aee97290d2f6d0
          SHA1: 528f2e4eccd4a0423e0986ab1ef67915e5b8f2bb
          SHA256: 58694bb9a8b684fcd4d2b75eeaab997f706dac46434f13068bc0e3725eb193f4
          SHA512: df101ac5d896347d1cf9d571bf9f41bd4b88619b30c3862c872d414cd695e9611e2f13fad3f4dca5467ce6f93827e5a20c5eb02cc284e952aabbb30a407dbfc6

        • \Windows\SysWOW64\Bnkbam32.exe
          Filesize: 85KB
          MD5: 87f5ae7f2970477ca17989799e537ac5
          SHA1: 4624c8403bc00890a7b5014f72f04b2c426c0310
          SHA256: e74149614c5f0f552a9ac834b4e6c8ef697af7ea785e3bf07e965362725e9af7
          SHA512: e4a30b859fdb43956a39e72139e87058cf7b40a473b9c703833e9aaca48061a3ba96530c1a2568e4f7b0722f36871947134eb931413ddecb3341e01d27186671

        • \Windows\SysWOW64\Cacacg32.exe
          Filesize: 85KB
          MD5: 63c86ab7fc508f72029ba2a302cdd461
          SHA1: b94b08241a4b3b0ad109e16e1a8498c0d0adb9d0
          SHA256: 285486cd1ba6aad2510aef9ab5a2bfc7950b6e42a740fa0ec9350868dbf62f52
          SHA512: 65d056b60e45c36346e85d1a89f220e63d2fbb46639c95b6314207614d0a20e077cd829d6afd96d6a7ecf8ce719400099aa9bdfe127ef938d0d7fd462e60356b

        • memory/320-124-0x0000000000250000-0x0000000000291000-memory.dmp
          Filesize: 260KB
        • memory/320-123-0x0000000000400000-0x0000000000441000-memory.dmp
          Filesize: 260KB
        • memory/320-83-0x0000000000250000-0x0000000000291000-memory.dmp
          Filesize: 260KB
        • memory/584-126-0x0000000000250000-0x0000000000291000-memory.dmp
          Filesize: 260KB
        • memory/584-125-0x0000000000400000-0x0000000000441000-memory.dmp
          Filesize: 260KB
        • memory/584-101-0x0000000000250000-0x0000000000291000-memory.dmp
          Filesize: 260KB
        • memory/584-86-0x0000000000400000-0x0000000000441000-memory.dmp
          Filesize: 260KB
        • memory/584-98-0x0000000000250000-0x0000000000291000-memory.dmp
          Filesize: 260KB
        • memory/2220-118-0x0000000000400000-0x0000000000441000-memory.dmp
          Filesize: 260KB
        • memory/2220-128-0x0000000000400000-0x0000000000441000-memory.dmp
          Filesize: 260KB
        • memory/2700-117-0x0000000000450000-0x0000000000491000-memory.dmp
          Filesize: 260KB
        • memory/2700-57-0x0000000000400000-0x0000000000441000-memory.dmp
          Filesize: 260KB
        • memory/2700-64-0x0000000000450000-0x0000000000491000-memory.dmp
          Filesize: 260KB
        • memory/2700-115-0x0000000000400000-0x0000000000441000-memory.dmp
          Filesize: 260KB
        • memory/2832-93-0x0000000000400000-0x0000000000441000-memory.dmp
          Filesize: 260KB
        • memory/2832-95-0x0000000000300000-0x0000000000341000-memory.dmp
          Filesize: 260KB
        • memory/2832-52-0x0000000000300000-0x0000000000341000-memory.dmp
          Filesize: 260KB
        • memory/2864-103-0x0000000000400000-0x0000000000441000-memory.dmp
          Filesize: 260KB
        • memory/2864-127-0x0000000000400000-0x0000000000441000-memory.dmp
          Filesize: 260KB
        • memory/2944-56-0x0000000000400000-0x0000000000441000-memory.dmp
          Filesize: 260KB
        • memory/2944-14-0x0000000000400000-0x0000000000441000-memory.dmp
          Filesize: 260KB
        • memory/2964-34-0x0000000000300000-0x0000000000341000-memory.dmp
          Filesize: 260KB
        • memory/2964-84-0x0000000000300000-0x0000000000341000-memory.dmp
          Filesize: 260KB
        • memory/2964-27-0x0000000000400000-0x0000000000441000-memory.dmp
          Filesize: 260KB
        • memory/2964-82-0x0000000000400000-0x0000000000441000-memory.dmp
          Filesize: 260KB
        • memory/3012-55-0x0000000000260000-0x00000000002A1000-memory.dmp
          Filesize: 260KB
        • memory/3012-53-0x0000000000400000-0x0000000000441000-memory.dmp
          Filesize: 260KB
        • memory/3012-12-0x0000000000260000-0x00000000002A1000-memory.dmp
          Filesize: 260KB
        • memory/3012-13-0x0000000000260000-0x00000000002A1000-memory.dmp
          Filesize: 260KB
        • memory/3012-0-0x0000000000400000-0x0000000000441000-memory.dmp
          Filesize: 260KB