Analysis

  • max time kernel
    24s
  • max time network
    16s
  • platform
    windows7_x64
  • resource
    win7-20241023-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
  • submitted
    09/11/2024, 09:15

General

  • Target

    5cf1b8907603d2ac776fbedf0aff22372aaa5480514d866aa0b469ba7982aaf4N.exe

  • Size

    97KB

  • MD5

    ceb0c7f83ecc49b2bdfb6df1cb8c0650

  • SHA1

    fe9a95a2e8435171b783bd25d5de57e2fdd1080f

  • SHA256

    5cf1b8907603d2ac776fbedf0aff22372aaa5480514d866aa0b469ba7982aaf4

  • SHA512

    9ae89204edbd442968459947c0ddd6ceb505675a71654878af09a35d098dde93c24f5e28a0f8b7b297e125315be4901e3eb6518cb1bc12f2dafdda9a5461d774

  • SSDEEP

    1536:AInrUTbBc0XOVhOqXQiQtDdLLXUwXfzwE57pvJXeYZ6:tnrIBSVhciQNdLfPzwm7pJXeK6

Malware Config

Extracted

Family

berbew

C2

http://tat-neftbank.ru/kkq.php

http://tat-neftbank.ru/wcmd.htm

Signatures

  • Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 26 IoCs
  • Berbew

    Berbew is a backdoor written in C++.

  • Berbew family
  • Executes dropped EXE 13 IoCs
  • Loads dropped DLL 30 IoCs
  • Drops file in System32 directory 39 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 42 IoCs
  • Suspicious use of WriteProcessMemory 56 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5cf1b8907603d2ac776fbedf0aff22372aaa5480514d866aa0b469ba7982aaf4N.exe
    "C:\Users\Admin\AppData\Local\Temp\5cf1b8907603d2ac776fbedf0aff22372aaa5480514d866aa0b469ba7982aaf4N.exe"
    1⤵
    • Adds autorun key to be loaded by Explorer.exe on startup
    • Loads dropped DLL
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2816
    • C:\Windows\SysWOW64\Amelne32.exe
      C:\Windows\system32\Amelne32.exe
      2⤵
      • Adds autorun key to be loaded by Explorer.exe on startup
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:2948
      • C:\Windows\SysWOW64\Afnagk32.exe
        C:\Windows\system32\Afnagk32.exe
        3⤵
        • Adds autorun key to be loaded by Explorer.exe on startup
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:2956
        • C:\Windows\SysWOW64\Bpfeppop.exe
          C:\Windows\system32\Bpfeppop.exe
          4⤵
          • Adds autorun key to be loaded by Explorer.exe on startup
          • Executes dropped EXE
          • Loads dropped DLL
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          • Suspicious use of WriteProcessMemory
          PID:2840
          • C:\Windows\SysWOW64\Biojif32.exe
            C:\Windows\system32\Biojif32.exe
            5⤵
            • Adds autorun key to be loaded by Explorer.exe on startup
            • Executes dropped EXE
            • Loads dropped DLL
            • Drops file in System32 directory
            • System Location Discovery: System Language Discovery
            • Modifies registry class
            • Suspicious use of WriteProcessMemory
            PID:2732
            • C:\Windows\SysWOW64\Bnkbam32.exe
              C:\Windows\system32\Bnkbam32.exe
              6⤵
              • Adds autorun key to be loaded by Explorer.exe on startup
              • Executes dropped EXE
              • Loads dropped DLL
              • Drops file in System32 directory
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              • Suspicious use of WriteProcessMemory
              PID:2164
              • C:\Windows\SysWOW64\Biafnecn.exe
                C:\Windows\system32\Biafnecn.exe
                7⤵
                • Adds autorun key to be loaded by Explorer.exe on startup
                • Executes dropped EXE
                • Loads dropped DLL
                • Drops file in System32 directory
                • System Location Discovery: System Language Discovery
                • Modifies registry class
                • Suspicious use of WriteProcessMemory
                PID:644
                • C:\Windows\SysWOW64\Bbikgk32.exe
                  C:\Windows\system32\Bbikgk32.exe
                  8⤵
                  • Adds autorun key to be loaded by Explorer.exe on startup
                  • Executes dropped EXE
                  • Loads dropped DLL
                  • Drops file in System32 directory
                  • System Location Discovery: System Language Discovery
                  • Modifies registry class
                  • Suspicious use of WriteProcessMemory
                  PID:836
                  • C:\Windows\SysWOW64\Bhfcpb32.exe
                    C:\Windows\system32\Bhfcpb32.exe
                    9⤵
                    • Adds autorun key to be loaded by Explorer.exe on startup
                    • Executes dropped EXE
                    • Loads dropped DLL
                    • Drops file in System32 directory
                    • System Location Discovery: System Language Discovery
                    • Modifies registry class
                    • Suspicious use of WriteProcessMemory
                    PID:2260
                    • C:\Windows\SysWOW64\Bmclhi32.exe
                      C:\Windows\system32\Bmclhi32.exe
                      10⤵
                      • Adds autorun key to be loaded by Explorer.exe on startup
                      • Executes dropped EXE
                      • Loads dropped DLL
                      • Drops file in System32 directory
                      • System Location Discovery: System Language Discovery
                      • Modifies registry class
                      • Suspicious use of WriteProcessMemory
                      PID:760
                      • C:\Windows\SysWOW64\Bhhpeafc.exe
                        C:\Windows\system32\Bhhpeafc.exe
                        11⤵
                        • Adds autorun key to be loaded by Explorer.exe on startup
                        • Executes dropped EXE
                        • Loads dropped DLL
                        • Drops file in System32 directory
                        • System Location Discovery: System Language Discovery
                        • Modifies registry class
                        • Suspicious use of WriteProcessMemory
                        PID:848
                        • C:\Windows\SysWOW64\Bmeimhdj.exe
                          C:\Windows\system32\Bmeimhdj.exe
                          12⤵
                          • Adds autorun key to be loaded by Explorer.exe on startup
                          • Executes dropped EXE
                          • Loads dropped DLL
                          • Drops file in System32 directory
                          • System Location Discovery: System Language Discovery
                          • Modifies registry class
                          • Suspicious use of WriteProcessMemory
                          PID:2032
                          • C:\Windows\SysWOW64\Cdoajb32.exe
                            C:\Windows\system32\Cdoajb32.exe
                            13⤵
                            • Adds autorun key to be loaded by Explorer.exe on startup
                            • Executes dropped EXE
                            • Loads dropped DLL
                            • Drops file in System32 directory
                            • System Location Discovery: System Language Discovery
                            • Modifies registry class
                            • Suspicious use of WriteProcessMemory
                            PID:2736
                            • C:\Windows\SysWOW64\Cacacg32.exe
                              C:\Windows\system32\Cacacg32.exe
                              14⤵
                              • Executes dropped EXE
                              • System Location Discovery: System Language Discovery
                              • Suspicious use of WriteProcessMemory
                              PID:1816
                              • C:\Windows\SysWOW64\WerFault.exe
                                C:\Windows\SysWOW64\WerFault.exe -u -p 1816 -s 140
                                15⤵
                                • Loads dropped DLL
                                • Program crash
                                PID:1428

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Windows\SysWOW64\Amelne32.exe

          Filesize

          97KB

          MD5

          52c55934a218a49ed38bf79e9666e7e5

          SHA1

          991ad1764d0c4446c904419ba05b7b77251b6895

          SHA256

          8fcf319423f8d79f10d6d856fbdfb10fbeecfcf28e5801037623e822cc3e5abc

          SHA512

          ed5eaa8ef6f99ea4e1ee2b9767ce7c1854ced2958ab0baaa16a5763590a9bb7bfb66bef4984cfcea79650d2bafced1cb3fcc55d6d195261da3f6537f5786e35a

        • C:\Windows\SysWOW64\Biojif32.exe

          Filesize

          97KB

          MD5

          571e3626ff91ada341a2c9ef45a39382

          SHA1

          7242f25086e47d7ed187e5cfd067889dcd72349d

          SHA256

          9bc82e4dc31a248c3b0a13543c562f79c2717b152f88e6e4fd14667a375ff984

          SHA512

          36ca9086d95a4142f70cccf44c0bc8bff95be2b98400c65be91a9ce479fcb30feb1f4e0aff09460ec3a44f58c5b8705c99c748d4f6fd64d0fd3bf1bac7584da6

        • \Windows\SysWOW64\Afnagk32.exe

          Filesize

          97KB

          MD5

          f8a07caa3bbb7774b55645dead15ab06

          SHA1

          ef8aa8d721f932243a639219fd37fda59baace4e

          SHA256

          a26a5967dc1a8dfdfe832ee215cb8aa6b4fbb0788e4a50f5435317854955f95b

          SHA512

          8b7e657d54b7cfafd21491da3fc2add662d43b42d34ced5f68e9599881c78cfa1befe79c20b505f0e2a6672711ed865c2d1571c9831e9565f24eafd0a356c84a

        • \Windows\SysWOW64\Bbikgk32.exe

          Filesize

          97KB

          MD5

          9ec6d8d5c2737f910d91c74abc13b931

          SHA1

          6a39d01d48af4eb1d1c4da5470a78fa75fe04396

          SHA256

          1a326ba0aaa1a1efc92a5c709b5f87c7133e0481658682bd0f56d6e9e2006f2b

          SHA512

          85a44c9ff55853f5d3aad80656c20084bb3a972f7a803d6114c6275222e77b9171207ee3f0761c8168f20df6831b47f88c7d296c27961b7081c3b432e4614cbb

        • \Windows\SysWOW64\Bhfcpb32.exe

          Filesize

          97KB

          MD5

          f40206903b4ee9baa9d273d370b88ba3

          SHA1

          c08247d14c102cd2cc89cba8d19c6654183921ba

          SHA256

          0111162a2a977cf8b260078884812117f134af497f73bf361dc5cdbd9827111a

          SHA512

          2759ce55d2ccf9572afda8d9e8dd9f5ef41ade738e46d76807f54cd94b24ec5b0477187903494b37b489011470071318fdfbab590344c83d94659060740aa868

        • \Windows\SysWOW64\Bhhpeafc.exe

          Filesize

          97KB

          MD5

          80cfcf195ba21e293a72d80ab7d4126c

          SHA1

          7d1e9113dc62fc66890c82d77391a5ab2239070c

          SHA256

          9b27502e7db4758d6ac784254351984dbb88021277d2b86442720c07774c090c

          SHA512

          b0332ea98649652252ae8efa7e27558af4ec7bf3c9fca662529e405803e3fecc71ce90c7594044c4a722786f9dc0adce2a55fa994b36ea1e0b3cb3dba636d572

        • \Windows\SysWOW64\Biafnecn.exe

          Filesize

          97KB

          MD5

          af13cc603cb3919543f9e732fa3df5d6

          SHA1

          f55622fbe243f6e30634f0ddef473a6b852e2c9d

          SHA256

          2ecad7346e922c3373ce116d18f384ea40a874cf9fa2e3f280846a847d6e132e

          SHA512

          5e0e44722989adbce8df1bcbe69d26b7b73d3b68ca3bba21040c704cabe8a0bd1a7a919a931aa93a639de0e5f892215a163e947395bbbfbace8e72e90da227a9

        • \Windows\SysWOW64\Bmclhi32.exe

          Filesize

          97KB

          MD5

          b7d1f3d574938f69640e8a0dea654610

          SHA1

          7718f529e6882e7bbaeb028e3da57008ac163f88

          SHA256

          6b5a3ec08fa464ed74b66215ad073d1b70fe734e357ea2d0ba99454443e1cfcf

          SHA512

          f12a31564ba11f2c21435ca083aa8b21ba858005d19c6455446d3041fe7098b91788ab260086c0d7ee18b3fb5734fc8b0f848fb5f5219e45b1bed3f8a8a4deaf

        • \Windows\SysWOW64\Bmeimhdj.exe

          Filesize

          97KB

          MD5

          06d9a3bce1098151d66878ed01657490

          SHA1

          2a8a514702fc6e25d15daa4837f82b6f89f434f2

          SHA256

          8af88469620a87081ca781c1091fef7838626a7805e261e0b8e250b0ea30b6da

          SHA512

          a04d53bbec2974ad4d31d92cabcf2e1cb84eabcf80152bf0ee463608bdac2cb96078751fae45f995258db1d213044c91406a420f29b40556b2ece3962471d78f

        • \Windows\SysWOW64\Bnkbam32.exe

          Filesize

          97KB

          MD5

          b03334750daf9a8169c0a9d6de5a919a

          SHA1

          4ec9c29134c909ab6c8a44bdbbc41445a7b880cd

          SHA256

          081dd152a43aee7c67e70e47b5322079a65be18e8b14a777b9a7fbbd6c6ffac0

          SHA512

          731efc1c4af293edd406b1dc464bef352bf3952de08cf0e3f84fe0cc323edbf9d1f59b92ebd2564d95e08b6f3d5901972301cb1daed94f29623e77cd82c93f8b

        • \Windows\SysWOW64\Bpfeppop.exe

          Filesize

          97KB

          MD5

          077af42d7f01bf32fbd6a21cd390b028

          SHA1

          3f745370b3c67b5730c8a25a1cf9e25633666e95

          SHA256

          eaaa9e9194098f07b85d57965cffc1605fea0a068ce589fa25c87c631b834474

          SHA512

          0c62a48d9fbdeb77e581979e94fec150132271dc8f1807680298076c889dbd547788ff454a36e89bc309c32167bf77c1c7b8c8d0bcf069f1dec328b28b153ca5

        • \Windows\SysWOW64\Cacacg32.exe

          Filesize

          97KB

          MD5

          5a2cba0a57ac84e5e2376059a50978b2

          SHA1

          af6401d8b36b43c047112744065a9ee0a6a09d84

          SHA256

          4f0f28d980897fede5110ec956c6850d0a3d5715db345c3ae0a7dac1987c82d6

          SHA512

          f24a9bdfd65518c24e43da3b647f6469f0c8b7b5072680b4cebf7806efecb947885936f4d9886636070d17f31a6107e758b412b97e60e894521d05945f58013d

        • \Windows\SysWOW64\Cdoajb32.exe

          Filesize

          97KB

          MD5

          2e52d029bb02456d5ec1368d7bb7cca7

          SHA1

          14eeb00131f46e5325e8a33656152faddb1dfaad

          SHA256

          3f71a2fcbe34f6c399896a717c7131f7d6bd59deca96ee2af119650f603c7e1f

          SHA512

          b64719e9261fc16d5aa6718473839e4d561e2f7d364aab1129b9d4530f6aeb4aee30b67fea0688ae8702adec576996d7561fa5ea453f9066d428804453c136b9

        • memory/644-87-0x0000000000260000-0x000000000028F000-memory.dmp

          Filesize

          188KB

        • memory/644-190-0x0000000000400000-0x000000000042F000-memory.dmp

          Filesize

          188KB

        • memory/644-79-0x0000000000400000-0x000000000042F000-memory.dmp

          Filesize

          188KB

        • memory/760-184-0x0000000000400000-0x000000000042F000-memory.dmp

          Filesize

          188KB

        • memory/836-93-0x0000000000400000-0x000000000042F000-memory.dmp

          Filesize

          188KB

        • memory/836-189-0x0000000000400000-0x000000000042F000-memory.dmp

          Filesize

          188KB

        • memory/848-185-0x0000000000400000-0x000000000042F000-memory.dmp

          Filesize

          188KB

        • memory/848-132-0x0000000000400000-0x000000000042F000-memory.dmp

          Filesize

          188KB

        • memory/848-139-0x0000000000250000-0x000000000027F000-memory.dmp

          Filesize

          188KB

        • memory/1816-172-0x0000000000400000-0x000000000042F000-memory.dmp

          Filesize

          188KB

        • memory/1816-177-0x0000000000400000-0x000000000042F000-memory.dmp

          Filesize

          188KB

        • memory/2032-181-0x0000000000400000-0x000000000042F000-memory.dmp

          Filesize

          188KB

        • memory/2164-193-0x0000000000400000-0x000000000042F000-memory.dmp

          Filesize

          188KB

        • memory/2260-192-0x0000000000400000-0x000000000042F000-memory.dmp

          Filesize

          188KB

        • memory/2260-114-0x0000000000250000-0x000000000027F000-memory.dmp

          Filesize

          188KB

        • memory/2260-106-0x0000000000400000-0x000000000042F000-memory.dmp

          Filesize

          188KB

        • memory/2732-60-0x00000000005C0000-0x00000000005EF000-memory.dmp

          Filesize

          188KB

        • memory/2732-196-0x0000000000400000-0x000000000042F000-memory.dmp

          Filesize

          188KB

        • memory/2732-53-0x0000000000400000-0x000000000042F000-memory.dmp

          Filesize

          188KB

        • memory/2736-158-0x0000000000400000-0x000000000042F000-memory.dmp

          Filesize

          188KB

        • memory/2736-179-0x0000000000400000-0x000000000042F000-memory.dmp

          Filesize

          188KB

        • memory/2736-166-0x0000000000250000-0x000000000027F000-memory.dmp

          Filesize

          188KB

        • memory/2816-203-0x0000000000400000-0x000000000042F000-memory.dmp

          Filesize

          188KB

        • memory/2816-13-0x0000000000250000-0x000000000027F000-memory.dmp

          Filesize

          188KB

        • memory/2816-12-0x0000000000250000-0x000000000027F000-memory.dmp

          Filesize

          188KB

        • memory/2816-0-0x0000000000400000-0x000000000042F000-memory.dmp

          Filesize

          188KB

        • memory/2840-197-0x0000000000400000-0x000000000042F000-memory.dmp

          Filesize

          188KB

        • memory/2948-201-0x0000000000400000-0x000000000042F000-memory.dmp

          Filesize

          188KB

        • memory/2948-14-0x0000000000400000-0x000000000042F000-memory.dmp

          Filesize

          188KB

        • memory/2956-200-0x0000000000400000-0x000000000042F000-memory.dmp

          Filesize

          188KB

        • memory/2956-27-0x0000000000400000-0x000000000042F000-memory.dmp

          Filesize

          188KB

        • memory/2956-34-0x0000000000250000-0x000000000027F000-memory.dmp

          Filesize

          188KB