Analysis

  • max time kernel
    117s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    09/11/2024, 15:35

General

  • Target

    5a4bac030ca5530722622657a9e0abb2aa1127f3aabb0855caf9324fa74c9783N.exe

  • Size

    71KB

  • MD5

    7614c91ea0b836b8291d9b6872604530

  • SHA1

    ec2912cdde5e086304ea32cf369586f2c19f2ae4

  • SHA256

    5a4bac030ca5530722622657a9e0abb2aa1127f3aabb0855caf9324fa74c9783

  • SHA512

    a244b0dce0b6b074895545facde6094c8970908a404b1752f60c3474f2b0fb66f94abfbfe0fbd07575d8993e5c558bdbf44e307b790ba72250d8c4ebf22144dd

  • SSDEEP

    1536:Qwfup/j+j4yEUZ8tGIkKxvFS1mrVKzYjkgUDDXrRQoDbEyRCRRRoR4Rk:QwWtjsElxvFlx4lXXre+Ey032ya

Malware Config

Extracted

Family

berbew

C2

http://viruslist.com/wcmd.txt

http://viruslist.com/ppslog.php

http://viruslist.com/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
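The extracted config gives three endpoints on one host and, for piplog.php, the printf-style template the sample fills in at runtime. Because the host is a long-lived real domain, the path and the query shape are the useful discriminators, not the hostname on its own. As an added example (not part of this report or of the sandbox's own tooling), the Python below converts that template into an anchored regex and classifies URLs taken from constructed proxy log lines. The log layout, the beacon values in the sample lines and the assumption that a %s field never contains the ':' separator are mine; the report does not say what the string fields carry.

```python
"""Match proxy-log URLs against the C2 endpoints and beacon template extracted above."""
import re
from urllib.parse import urlsplit

C2_HOST = "viruslist.com"
C2_PATHS = {"/wcmd.txt", "/ppslog.php", "/piplog.php"}
BEACON_FMT = "%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d"   # piplog.php query template, as extracted

# printf conversions the template uses; width and the zero flag decide how many digits to require.
_SPEC = re.compile(r"%(?P<flags>[-+ #0]*)(?P<width>\d+)?(?P<conv>[sdiu])")


def fmt_to_regex(fmt):
    """Turn a printf-style template into an anchored regex.

    Assumption: a %s field never contains ':' (the template's own separator), '&' or
    whitespace. The report does not say what the string fields carry.
    """
    parts, pos = [], 0
    for m in _SPEC.finditer(fmt):
        parts.append(re.escape(fmt[pos:m.start()]))
        conv, width, flags = m["conv"], m["width"], m["flags"]
        digits = r"\d{%s,}" % width if (width and "0" in flags) else r"\d+"
        if conv == "s":
            parts.append(r"[^:&\s]*")
        elif conv == "u":
            parts.append(digits)
        else:  # %d / %i may carry a sign
            parts.append("-?" + digits)
        pos = m.end()
    parts.append(re.escape(fmt[pos:]))
    return "^" + "".join(parts) + "$"


BEACON_RE = re.compile(fmt_to_regex(BEACON_FMT))


def beacon_matches(query):
    return BEACON_RE.match(query) is not None


def classify(url):
    """Label a URL that hits one of the report's C2 endpoints; None for anything else."""
    u = urlsplit(url)
    if (u.hostname or "").lower() != C2_HOST or u.path not in C2_PATHS:
        return None
    if u.path == "/piplog.php" and not beacon_matches(u.query):
        return "c2-endpoint-unexpected-query"   # right host and path, query does not fit the template
    return "c2-" + u.path.lstrip("/")


def scan(lines):
    """Return (line number, label) for every hit. Lines are 'time client method url status'."""
    hits = []
    for n, line in enumerate(lines):
        fields = line.split()
        if len(fields) < 4:
            continue
        label = classify(fields[3])
        if label:
            hits.append((n, label))
    return hits


# Constructed proxy log lines; the beacon query values are made up to fit the template.
LOG_LINES = [
    "15:35:02 10.0.0.7 GET http://viruslist.com/wcmd.txt 404",
    "15:35:03 10.0.0.7 GET http://viruslist.com/piplog.php?WIN7-PC:1:0:Admin:000002288:6:15:35:03 404",
    "15:35:04 10.0.0.7 GET http://viruslist.com/ppslog.php 404",
    "15:35:05 10.0.0.9 GET http://viruslist.com/index.html 200",
    "15:35:06 10.0.0.9 GET http://example.com/piplog.php?x 200",
    "15:35:07 10.0.0.7 GET http://viruslist.com/piplog.php?garbage 404",
]

if __name__ == "__main__":
    print(BEACON_RE.pattern)
    for n, label in scan(LOG_LINES):
        print(n, label, LOG_LINES[n])
```

The Network section of this report is empty, so the page does not show whether the sandbox run actually reached the host; the matcher is meant for proxy or DNS logs collected elsewhere. A hit on the host and path alone is worth a look, but only a query that fits the template is a confident beacon match.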

Signatures

  • Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 6 IoCs
  • Berbew

    Berbew is a backdoor written in C++.

  • Berbew family
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 10 IoCs
  • Drops file in System32 directory 9 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 12 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5a4bac030ca5530722622657a9e0abb2aa1127f3aabb0855caf9324fa74c9783N.exe
    "C:\Users\Admin\AppData\Local\Temp\5a4bac030ca5530722622657a9e0abb2aa1127f3aabb0855caf9324fa74c9783N.exe"
    1⤵
    • Adds autorun key to be loaded by Explorer.exe on startup
    • Loads dropped DLL
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2288
    • C:\Windows\SysWOW64\Cphndc32.exe
      C:\Windows\system32\Cphndc32.exe
      2⤵
      • Adds autorun key to be loaded by Explorer.exe on startup
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:2908
      • C:\Windows\SysWOW64\Cbgjqo32.exe
        C:\Windows\system32\Cbgjqo32.exe
        3⤵
        • Adds autorun key to be loaded by Explorer.exe on startup
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:2844
        • C:\Windows\SysWOW64\Ceegmj32.exe
          C:\Windows\system32\Ceegmj32.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2160
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 2160 -s 140
            5⤵
            • Loads dropped DLL
            • Program crash
            PID:2860
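The tree above shows each stage executing the next from SysWOW64 under a name of the form six letters plus 32.exe, with the last stage crashing into WerFault.exe. As an added example (not from the report or the sandbox), the Python below rebuilds that tree from constructed process-creation events and flags a process when its hash is in the report's IoC set (the submitted sample plus the three dropped files under Downloads below) or when a stage-shaped binary in a system directory is spawned from Temp or from another such stage. The event layout, the parent PID of the root, the two control rows, the placeholder hashes on rows the report gives no hash for, and the generalisation of the naming shape are assumptions.

```python
"""Hunt for the report's Berbew drop chain over constructed process-creation events."""
import re
from dataclasses import dataclass

# SHA256 values from this report: the submitted sample and the three dropped stages.
IOC_SHA256 = {
    "5a4bac030ca5530722622657a9e0abb2aa1127f3aabb0855caf9324fa74c9783",  # submitted sample
    "bdbf0e5ef2a6f712a10cfe3beedae424e6206bcd52efc2fc244834c961ed7576",  # Cphndc32.exe
    "73e709b25a8c0372fa808a1625f563d3a68bef9440af5711f4b211d296ef791d",  # Cbgjqo32.exe
    "a01af80595a2c17125d26bc91b0fc2167610bb7e575a5490c81e76fea85d0c90",  # Ceegmj32.exe
}

# Every stage in the tree is six letters + "32.exe" under SysWOW64. Assumption: that shape is the
# family's general naming scheme, so the hunt keys on the shape rather than on these three names.
DROP_NAME = re.compile(r"^[A-Za-z]{6}32\.exe$", re.IGNORECASE)
# Real Windows binaries with the same shape; without this allowlist they would be flagged too.
KNOWN_GOOD = {"rundll32.exe", "regsvr32.exe", "odbcad32.exe", "winhlp32.exe"}
SYSDIR = re.compile(r"^C:\\Windows\\(System32|SysWOW64)\\", re.IGNORECASE)
TEMPDIR = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    sha256: str


def basename(path):
    return path.rsplit("\\", 1)[-1]


def looks_like_stage(image):
    """System-directory binary with the drop naming shape that is not a known Windows tool."""
    name = basename(image).lower()
    return bool(SYSDIR.match(image) and DROP_NAME.match(name) and name not in KNOWN_GOOD)


def reasons_for(ev, parent):
    reasons = []
    if ev.sha256.lower() in IOC_SHA256:
        reasons.append("sha256 in report IoCs")
    if looks_like_stage(ev.image) and parent is not None and (
        TEMPDIR.search(parent.image) or looks_like_stage(parent.image)
    ):
        reasons.append("stage-shaped binary spawned from Temp or another stage")
    return reasons


def hunt(events):
    """Map pid -> reasons for every event that trips a rule."""
    by_pid = {e.pid: e for e in events}
    hits = {}
    for e in events:
        reasons = reasons_for(e, by_pid.get(e.ppid))
        if reasons:
            hits[e.pid] = reasons
    return hits


def chain(events, pid):
    """Image basenames from the root of the tree down to pid."""
    by_pid = {e.pid: e for e in events}
    out = []
    while pid in by_pid:
        out.append(basename(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return out[::-1]


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\5a4bac030ca5530722622657a9e0abb2aa1127f3aabb0855caf9324fa74c9783N.exe"
# Constructed from the tree above. The root's parent (1000), the two control rows and the
# placeholder hashes on rows the report gives no hash for are made up.
SAMPLE_EVENTS = [
    ProcEvent(2288, 1000, SAMPLE, "5a4bac030ca5530722622657a9e0abb2aa1127f3aabb0855caf9324fa74c9783"),
    ProcEvent(2908, 2288, r"C:\Windows\SysWOW64\Cphndc32.exe", "bdbf0e5ef2a6f712a10cfe3beedae424e6206bcd52efc2fc244834c961ed7576"),
    ProcEvent(2844, 2908, r"C:\Windows\SysWOW64\Cbgjqo32.exe", "73e709b25a8c0372fa808a1625f563d3a68bef9440af5711f4b211d296ef791d"),
    ProcEvent(2160, 2844, r"C:\Windows\SysWOW64\Ceegmj32.exe", "a01af80595a2c17125d26bc91b0fc2167610bb7e575a5490c81e76fea85d0c90"),
    ProcEvent(2860, 2160, r"C:\Windows\SysWOW64\WerFault.exe", "0" * 64),   # crash handler for 2160
    ProcEvent(3001, 2288, r"C:\Windows\SysWOW64\rundll32.exe", "1" * 64),   # control: same shape, allowlisted
    ProcEvent(3002, 1000, r"C:\Windows\System32\notepad.exe", "2" * 64),    # control: benign
]

if __name__ == "__main__":
    for pid, reasons in hunt(SAMPLE_EVENTS).items():
        print(pid, " -> ".join(chain(SAMPLE_EVENTS, pid)), reasons)
```

The hash rule catches only these exact files; the naming rule is what generalises, and the allowlist is what keeps it from firing on rundll32.exe and regsvr32.exe, which fit the same six-letters-plus-32 shape. The parent condition matters for the same reason: a stage-shaped binary launched by Explorer from a normal path is not on its own evidence of this chain.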

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\SysWOW64\Cphndc32.exe

    Filesize

    71KB

    MD5

    856c78c6198672edad4e6ade9cb37d1e

    SHA1

    0f7c908f954cdcf2228605b6fd059446e5f60d0c

    SHA256

    bdbf0e5ef2a6f712a10cfe3beedae424e6206bcd52efc2fc244834c961ed7576

    SHA512

    9573d4ff404a5256e08707e80e7940f931a27a9c82516db1a15a2ee8c79157ec5344b39b5ea091b0bbb42857cf76263c63b88e17aabb72bbbc26c9b3ad8f89de

  • \Windows\SysWOW64\Cbgjqo32.exe

    Filesize

    71KB

    MD5

    779d49e51b944d0a6c92f6f66846bda2

    SHA1

    45d520e98f384847de73820af556cf60eff6742b

    SHA256

    73e709b25a8c0372fa808a1625f563d3a68bef9440af5711f4b211d296ef791d

    SHA512

    1da79707e7d81ae31fcfcb48da543188ccc7884192a2ed57cd48f954071bb58a7b3f1bbd5f961997642ba7ceeb616738e790c4ab6c53402cd4a743934431c337

  • \Windows\SysWOW64\Ceegmj32.exe

    Filesize

    71KB

    MD5

    4ea70181f014c56befc9e4c9e691c243

    SHA1

    bb7cd2002e13429bf3426fe012d0f8b617902668

    SHA256

    a01af80595a2c17125d26bc91b0fc2167610bb7e575a5490c81e76fea85d0c90

    SHA512

    07746113eecf23e8d366b7c1836693799f4168e98a57c7571bc70f2036212c4945ed70f9e864564229f1634a1fdec08130ca547399dc7013f3cd476ef9e0cf13

  • memory/2160-47-0x0000000000400000-0x0000000000439000-memory.dmp

    Filesize

    228KB

  • memory/2288-0-0x0000000000400000-0x0000000000439000-memory.dmp

    Filesize

    228KB

  • memory/2288-48-0x0000000000400000-0x0000000000439000-memory.dmp

    Filesize

    228KB

  • memory/2288-18-0x0000000000250000-0x0000000000289000-memory.dmp

    Filesize

    228KB

  • memory/2288-17-0x0000000000250000-0x0000000000289000-memory.dmp

    Filesize

    228KB

  • memory/2844-40-0x0000000000250000-0x0000000000289000-memory.dmp

    Filesize

    228KB

  • memory/2844-34-0x0000000000250000-0x0000000000289000-memory.dmp

    Filesize

    228KB

  • memory/2844-27-0x0000000000400000-0x0000000000439000-memory.dmp

    Filesize

    228KB

  • memory/2844-46-0x0000000000400000-0x0000000000439000-memory.dmp

    Filesize

    228KB

  • memory/2908-19-0x0000000000400000-0x0000000000439000-memory.dmp

    Filesize

    228KB