Analysis

  • max time kernel
    119s
  • max time network
    16s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    09/11/2024, 15:23

General

  • Target

    2835d1fd6e0da9fd97ec418220d7cfa9daa005cec203590b6973b22ab4c9585aN.exe

  • Size

    340KB

  • MD5

    f548f840a90729b28eaf6ff633ce35d0

  • SHA1

    15156eb856505532d1f8bca315a62b6827211b0e

  • SHA256

    2835d1fd6e0da9fd97ec418220d7cfa9daa005cec203590b6973b22ab4c9585a

  • SHA512

    a9ddd5a6fe61b05dcc80a8a6b3d7bf48c1f90f7911a467324e3c7470c0d4db98d386304c8a7f59000e4ce53fdd81f4338cc8f8f8a6eac2207e83a2c45830b535

  • SSDEEP

    6144:U/A8IyedZwlNPjLs+H8rtMsQBJyJyymeH:UUyGZwlNPjLYRMsXJvmeH

Malware Config

Extracted

Family

berbew

C2


Signatures

  • Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 18 IoCs)
  • Berbew

    Berbew is a backdoor written in C++.

  • Berbew family
  • Executes dropped EXE (9 IoCs)
  • Loads dropped DLL (22 IoCs)
  • Drops file in System32 directory (27 IoCs)
  • Program crash (1 IoC)
  • System Location Discovery: System Language Discovery (1 TTP, 10 IoCs)

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class (30 IoCs)
  • Suspicious use of WriteProcessMemory (40 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\2835d1fd6e0da9fd97ec418220d7cfa9daa005cec203590b6973b22ab4c9585aN.exe
    "C:\Users\Admin\AppData\Local\Temp\2835d1fd6e0da9fd97ec418220d7cfa9daa005cec203590b6973b22ab4c9585aN.exe"
    1⤵
    • Adds autorun key to be loaded by Explorer.exe on startup
    • Loads dropped DLL
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2640
    • C:\Windows\SysWOW64\Kfaalh32.exe
      C:\Windows\system32\Kfaalh32.exe
      2⤵
      • Adds autorun key to be loaded by Explorer.exe on startup
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:2688
      • C:\Windows\SysWOW64\Kmkihbho.exe
        C:\Windows\system32\Kmkihbho.exe
        3⤵
        • Adds autorun key to be loaded by Explorer.exe on startup
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:2652
        • C:\Windows\SysWOW64\Kdeaelok.exe
          C:\Windows\system32\Kdeaelok.exe
          4⤵
          • Adds autorun key to be loaded by Explorer.exe on startup
          • Executes dropped EXE
          • Loads dropped DLL
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          • Suspicious use of WriteProcessMemory
          PID:2808
          • C:\Windows\SysWOW64\Leikbd32.exe
            C:\Windows\system32\Leikbd32.exe
            5⤵
            • Adds autorun key to be loaded by Explorer.exe on startup
            • Executes dropped EXE
            • Loads dropped DLL
            • Drops file in System32 directory
            • System Location Discovery: System Language Discovery
            • Modifies registry class
            • Suspicious use of WriteProcessMemory
            PID:2660
            • C:\Windows\SysWOW64\Loaokjjg.exe
              C:\Windows\system32\Loaokjjg.exe
              6⤵
              • Adds autorun key to be loaded by Explorer.exe on startup
              • Executes dropped EXE
              • Loads dropped DLL
              • Drops file in System32 directory
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              • Suspicious use of WriteProcessMemory
              PID:2620
              • C:\Windows\SysWOW64\Lhiddoph.exe
                C:\Windows\system32\Lhiddoph.exe
                7⤵
                • Adds autorun key to be loaded by Explorer.exe on startup
                • Executes dropped EXE
                • Loads dropped DLL
                • Drops file in System32 directory
                • System Location Discovery: System Language Discovery
                • Modifies registry class
                • Suspicious use of WriteProcessMemory
                PID:3064
                • C:\Windows\SysWOW64\Laahme32.exe
                  C:\Windows\system32\Laahme32.exe
                  8⤵
                  • Adds autorun key to be loaded by Explorer.exe on startup
                  • Executes dropped EXE
                  • Loads dropped DLL
                  • Drops file in System32 directory
                  • System Location Discovery: System Language Discovery
                  • Modifies registry class
                  • Suspicious use of WriteProcessMemory
                  PID:2984
                  • C:\Windows\SysWOW64\Lofifi32.exe
                    C:\Windows\system32\Lofifi32.exe
                    9⤵
                    • Adds autorun key to be loaded by Explorer.exe on startup
                    • Executes dropped EXE
                    • Loads dropped DLL
                    • Drops file in System32 directory
                    • System Location Discovery: System Language Discovery
                    • Modifies registry class
                    • Suspicious use of WriteProcessMemory
                    PID:1860
                    • C:\Windows\SysWOW64\Lepaccmo.exe
                      C:\Windows\system32\Lepaccmo.exe
                      10⤵
                      • Executes dropped EXE
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of WriteProcessMemory
                      PID:584
                      • C:\Windows\SysWOW64\WerFault.exe
                        C:\Windows\SysWOW64\WerFault.exe -u -p 584 -s 140
                        11⤵
                        • Loads dropped DLL
                        • Program crash
                        PID:2788

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\SysWOW64\Kdeaelok.exe

    Filesize

    340KB

    MD5

    4f56dee09dbee7a0d9b9ffd88851c499

    SHA1

    463c44e261f3a41667f78358263dfc44721748d5

    SHA256

    a114669cfbdff06de517ed5788b8e4fd724e4d7c6a24235f099d197a875c029e

    SHA512

    c878400f474459176cd481864f30f474aedd5368a49359395b53b0bedefed0ba94fe9fa6f7e855820bdb0a2dba57954dd29f4c59e05587172c0f5e98518a6a1d

  • C:\Windows\SysWOW64\Kfaalh32.exe

    Filesize

    340KB

    MD5

    591b87b74fcb50d6525510c9e5c61479

    SHA1

    e7e02392a0a8d2f74ac2889f7394182b3edeb73e

    SHA256

    0362c21ceeee1d7864e6eec9475a5a95c80b898c69d5011e8e5748b0dcd68349

    SHA512

    e07a85da0b1cf8ca49ce4f2a871102fc13945d816d4478d9d878784a97d9599adc1f8f74a6ff79950e6d14304fa1f0a0f6eddd7afc67a4f5e68c07983cf215ac

  • C:\Windows\SysWOW64\Kmkihbho.exe

    Filesize

    340KB

    MD5

    7ecc874651a30fc4ae2b8a92221dfc49

    SHA1

    8cb07df52394b28897a4b944097abd727f73d3a3

    SHA256

    67490ca5defc33725ddf6a755e097ae01ccb5ae3f354e4421ada75abd401c200

    SHA512

    db68de84765fb924269a868bebc9ff50c1e357fdc48f270a4fb4f43808215fd1bf80b35ac429a21c0f8fdd3e9ecbf22c09b2fd64ca151889a69476161e7f33d9

  • C:\Windows\SysWOW64\Leikbd32.exe

    Filesize

    340KB

    MD5

    6e3dfcd4a00635a5101daecea191cb59

    SHA1

    7661d897ec708e176991c2f9bdc7c5e04a856586

    SHA256

    de404a813136e799eadd3be9f5e3552f4b93a3ff94db7cfb55b43ecca90067ed

    SHA512

    98e576b769a7ce10e91a06bbca2693463f7916d314f7389e2e85d754c10e45d767ebba949d43eb11f4e4d16f6df6c4ca94a7bdc89dfb4ca843d8ddc0cb2e9b51

  • C:\Windows\SysWOW64\Lepaccmo.exe

    Filesize

    340KB

    MD5

    43ecc1aa8c51ec93ef41ac924672a780

    SHA1

    88bebc335b5dffb6c83f1f5d3e9acd4d3bba22dc

    SHA256

    c2abf9c8e04805f84d38fca5e1231c28b1366d495e7b6bdb59fbcca4e9c6c431

    SHA512

    3c73b936976c8a54d7a449912e05e3673463723f39fb36ebe24a0cb244557e359cd40216615506e385e0cabf201263631999c38c379be072893a9d7df5e64743

  • \Windows\SysWOW64\Laahme32.exe

    Filesize

    340KB

    MD5

    8d3c390ece0b78b127e3705a0eada0e0

    SHA1

    d07b76a6b83f71f7d7b59fae5a087cff6fda3e9c

    SHA256

    6ca3c28cf66a0693331cca97614ade30dfb3ad9244f85a8d04650448b8d817f5

    SHA512

    db01023f01728be691cbc6253a34bddf0b9ef0ebaecdff5007f896b067ba83c4159499c4da6888dc9acd203e9452650cb846b6270f4fa82559d05fa9c29931cc

  • \Windows\SysWOW64\Lhiddoph.exe

    Filesize

    340KB

    MD5

    32ca0389da16ff674f38b5f249659691

    SHA1

    8aab84bf0a98f7e6832d0bc6b7c74be68bda88b7

    SHA256

    d1bc55e7f95133717c253eae4bd747f4525476e36c1031cb6a4c8e953be067de

    SHA512

    7ee96b352e595d24320442abe37474e181430f91b856aa5d58204b46660b20bcd32532c50a99be7984feea78151da50d22a1d0793148c76f2283ad78540aa6ec

  • \Windows\SysWOW64\Loaokjjg.exe

    Filesize

    340KB

    MD5

    8651a70932fe288b5750e409cedf1bc5

    SHA1

    f9949d53e9b6f48b255e4d7b5a3e87e0300bb728

    SHA256

    e37be07c1c423bff03a273e084df2b92d21aa9f3d8de7ed6635d311f45430c99

    SHA512

    20911b6b8ff3c132d2d07b89717ae48be0ef1759e0919e8ef7d8d476fb367a36ae8a34755a777d112830b6c25d43ea1759bec4c4ba377dae0cdc7b195c91bf57

  • \Windows\SysWOW64\Lofifi32.exe

    Filesize

    340KB

    MD5

    f6f38f870f06c66649d6fb7856eb8aa7

    SHA1

    cc23316ae4fe7d65c7a942150baafda0756ef18a

    SHA256

    65153e238bc285b3c30c2f2afc08d76ef97c9959d77c47a0f331a89f3d6d89e7

    SHA512

    770bbaa99290ac3c34c0de4eff3eecc8ab956c38d2a0001436cfcbb52752b398e885d70f85c3ba3a508176e5b20b302585b4a0016dc40272d5c4e934c2dd5efe

  • memory/584-122-0x0000000000400000-0x0000000000444000-memory.dmp

    Filesize

    272KB

  • memory/1860-121-0x0000000000400000-0x0000000000444000-memory.dmp

    Filesize

    272KB

  • memory/2620-81-0x0000000000280000-0x00000000002C4000-memory.dmp

    Filesize

    272KB

  • memory/2620-127-0x0000000000400000-0x0000000000444000-memory.dmp

    Filesize

    272KB

  • memory/2620-68-0x0000000000400000-0x0000000000444000-memory.dmp

    Filesize

    272KB

  • memory/2620-79-0x0000000000280000-0x00000000002C4000-memory.dmp

    Filesize

    272KB

  • memory/2640-12-0x0000000000250000-0x0000000000294000-memory.dmp

    Filesize

    272KB

  • memory/2640-0-0x0000000000400000-0x0000000000444000-memory.dmp

    Filesize

    272KB

  • memory/2640-133-0x0000000000400000-0x0000000000444000-memory.dmp

    Filesize

    272KB

  • memory/2640-11-0x0000000000250000-0x0000000000294000-memory.dmp

    Filesize

    272KB

  • memory/2652-41-0x0000000000400000-0x0000000000444000-memory.dmp

    Filesize

    272KB

  • memory/2660-129-0x0000000000400000-0x0000000000444000-memory.dmp

    Filesize

    272KB

  • memory/2688-14-0x0000000000400000-0x0000000000444000-memory.dmp

    Filesize

    272KB

  • memory/2688-32-0x0000000000260000-0x00000000002A4000-memory.dmp

    Filesize

    272KB

  • memory/2688-132-0x0000000000400000-0x0000000000444000-memory.dmp

    Filesize

    272KB

  • memory/2688-40-0x0000000000260000-0x00000000002A4000-memory.dmp

    Filesize

    272KB

  • memory/2808-55-0x0000000000310000-0x0000000000354000-memory.dmp

    Filesize

    272KB

  • memory/2808-131-0x0000000000400000-0x0000000000444000-memory.dmp

    Filesize

    272KB

  • memory/2808-42-0x0000000000400000-0x0000000000444000-memory.dmp

    Filesize

    272KB

  • memory/2984-107-0x0000000000250000-0x0000000000294000-memory.dmp

    Filesize

    272KB

  • memory/2984-128-0x0000000000400000-0x0000000000444000-memory.dmp

    Filesize

    272KB

  • memory/3064-95-0x0000000000280000-0x00000000002C4000-memory.dmp

    Filesize

    272KB

  • memory/3064-130-0x0000000000400000-0x0000000000444000-memory.dmp

    Filesize

    272KB