Analysis

  • max time kernel
    95s
  • max time network
    96s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10-11-2024 00:53

General

  • Target

    4d6eef302a970362c46c4a0dcbc1c1a33631c8528f2a99ee5e4302b683f45620N.exe

  • Size

    64KB

  • MD5

    5432fff48502202a48998795abaa2610

  • SHA1

    cad313062688d57a9d94396771ca109a75e74eb7

  • SHA256

    4d6eef302a970362c46c4a0dcbc1c1a33631c8528f2a99ee5e4302b683f45620

  • SHA512

    c49a48595968375c113ba2bc8f1573c038294b3c3bb0cbbe7ac1dbe43f92aebad7847e0e073ac5e76af3ac7d2cb7d5eb19c67ac2da4d4cf22b72051e025c512f

  • SSDEEP

    768:qri02mD9Bjxv0yvbArCbY5N5wEpXBKUGhKF7DTMPr42H/1H5O6XJ1IwEGp9Thfz6:Q9jTbAmbM7rxOnRXUwXfzwv

Malware Config

Extracted

Family

berbew

C2

http://tat-neftbank.ru/kkq.php

http://tat-neftbank.ru/wcmd.htm

Signatures

  • Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 10 IoCs
  • Berbew

    Berbew is a backdoor written in C++.

  • Berbew family
  • Executes dropped EXE 5 IoCs
  • Drops file in System32 directory 15 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 18 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4d6eef302a970362c46c4a0dcbc1c1a33631c8528f2a99ee5e4302b683f45620N.exe
    "C:\Users\Admin\AppData\Local\Temp\4d6eef302a970362c46c4a0dcbc1c1a33631c8528f2a99ee5e4302b683f45620N.exe"
    1⤵
    • Adds autorun key to be loaded by Explorer.exe on startup
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4928
    • C:\Windows\SysWOW64\Dkkcge32.exe
      C:\Windows\system32\Dkkcge32.exe
      2⤵
      • Adds autorun key to be loaded by Explorer.exe on startup
      • Executes dropped EXE
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:4344
      • C:\Windows\SysWOW64\Daekdooc.exe
        C:\Windows\system32\Daekdooc.exe
        3⤵
        • Adds autorun key to be loaded by Explorer.exe on startup
        • Executes dropped EXE
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:3508
        • C:\Windows\SysWOW64\Deagdn32.exe
          C:\Windows\system32\Deagdn32.exe
          4⤵
          • Adds autorun key to be loaded by Explorer.exe on startup
          • Executes dropped EXE
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          • Suspicious use of WriteProcessMemory
          PID:3324
          • C:\Windows\SysWOW64\Dknpmdfc.exe
            C:\Windows\system32\Dknpmdfc.exe
            5⤵
            • Adds autorun key to be loaded by Explorer.exe on startup
            • Executes dropped EXE
            • Drops file in System32 directory
            • System Location Discovery: System Language Discovery
            • Modifies registry class
            • Suspicious use of WriteProcessMemory
            PID:1984
            • C:\Windows\SysWOW64\Dmllipeg.exe
              C:\Windows\system32\Dmllipeg.exe
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              PID:1840
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 1840 -s 396
                7⤵
                • Program crash
                PID:2476
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1840 -ip 1840
    1⤵
      PID:2396

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Windows\SysWOW64\Daekdooc.exe

      Filesize

      64KB

      MD5

      c899af707b47f1e53405f590d58fda87

      SHA1

      267b51c8c7a693f20b7f50da8dd832508f72e641

      SHA256

      292cf6ad95f2cc7efa14e2249b32b829c1b35e0dd96dc9f5e5ba1f433368ec45

      SHA512

      136d0f8418f98dd484b9605718f25431e2187bbe3efba215052be42ffebfeb3532b0ccd2ec4f9197831af13390c8aa08f917343347a5ca97d2b148558fe0c180

    • C:\Windows\SysWOW64\Deagdn32.exe

      Filesize

      64KB

      MD5

      1ca0e70bf4660634db0aa866d452b230

      SHA1

      573271c9868db248026ea9239e3779a26e002a3e

      SHA256

      42364db15da3e3bf28e8086d5441391cd9bb07e4517bcd9b68b725a4b7c19fad

      SHA512

      84001ea8e045c9fe69aaf24b4627775f52eb80f4698efb013b4ba1565acc78c20c940ce9b2cd2c2ee904763ff4f5e6e5fc7e37f58b173158fc7fa1da87d779c1

    • C:\Windows\SysWOW64\Dkkcge32.exe

      Filesize

      64KB

      MD5

      b05e1cce592d17875bb28acdc58291ac

      SHA1

      196246ce5230a59ac9bbd3314a379ab10fd9be0e

      SHA256

      57aeeebef77a473e4aef947665795c6faee408de6ac18a3790f4d2012fc5c363

      SHA512

      038701390b6034240ba9d463efc846f46008fe72d07f8fdd549c1d8b9ace19aa21e35e2e4b19c2d210ee36378abe1a896dccd313515944ad15935512cc6db3f6

    • C:\Windows\SysWOW64\Dknpmdfc.exe

      Filesize

      64KB

      MD5

      5b455e68c00ce8d98e7debdb19f5bd61

      SHA1

      279b741f48c261be607aeb87a533b065c00312c5

      SHA256

      1ec80f6a800bfa96ddd216f1266761b45f14e23c006ac58dd2c902885b6b0bdb

      SHA512

      a9aeaac3e01b0a7965ff43b10fc80568a53c5021ade8139d34c39b08fbfe74885167b3c42400439c178886cdf87d24db74e2db3a113bf75bbef569ee113d6269

    • C:\Windows\SysWOW64\Dmllipeg.exe

      Filesize

      64KB

      MD5

      31c937bb28daab660b8351636b54d737

      SHA1

      9a33fa5e210cfafc5a960b23f4c568428b3b191e

      SHA256

      f58d4ba9d8e0466eb092ba63c0c4d103497d98e3ea98688e6332b97d3ae31d78

      SHA512

      07e8c5f29e55f3c1f4932d18522918000f0385faabfd2de17e702aa97b4de8189f00534367d37fe501011153f10d97d76e3f3f1093cc95f9448b0231edb54f78

    • memory/1840-43-0x0000000000400000-0x000000000042F000-memory.dmp

      Filesize

      188KB

    • memory/1840-39-0x0000000000400000-0x000000000042F000-memory.dmp

      Filesize

      188KB

    • memory/1984-44-0x0000000000400000-0x000000000042F000-memory.dmp

      Filesize

      188KB

    • memory/1984-32-0x0000000000400000-0x000000000042F000-memory.dmp

      Filesize

      188KB

    • memory/3324-46-0x0000000000400000-0x000000000042F000-memory.dmp

      Filesize

      188KB

    • memory/3324-24-0x0000000000400000-0x000000000042F000-memory.dmp

      Filesize

      188KB

    • memory/3508-18-0x0000000000400000-0x000000000042F000-memory.dmp

      Filesize

      188KB

    • memory/3508-48-0x0000000000400000-0x000000000042F000-memory.dmp

      Filesize

      188KB

    • memory/4344-50-0x0000000000400000-0x000000000042F000-memory.dmp

      Filesize

      188KB

    • memory/4344-7-0x0000000000400000-0x000000000042F000-memory.dmp

      Filesize

      188KB

    • memory/4928-0-0x0000000000400000-0x000000000042F000-memory.dmp

      Filesize

      188KB

    • memory/4928-52-0x0000000000400000-0x000000000042F000-memory.dmp

      Filesize

      188KB