Analysis

  • max time kernel
    118s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    10-11-2024 01:41

General

  • Target

    adfd91c8248d10542dbd6d036ea2b2984e1ee7550bab2be40d6f0867eda8f4b0.exe

  • Size

    1.9MB

  • MD5

    84c24d3d3092fb84662660790271af94

  • SHA1

    b6b9945c52e2d927cff1c88fa3105a79d35f182c

  • SHA256

    adfd91c8248d10542dbd6d036ea2b2984e1ee7550bab2be40d6f0867eda8f4b0

  • SHA512

    e37c528a8621228526c5df22bbe72d8ae45d16907ddb63843df93be497f3e6299c02981ca0df681e271e1e27418bfbe8ebcacba77bbc0da16fa160b583ec675b

  • SSDEEP

    24576:wotNIVyeNIVy2jUKaNIVyeNIVy2jUtc9uO2NIVyeNIVy2jUKaNIVyeNIVy2jUO:w/yj1yj3uOpyj1yjH

Malware Config

Extracted

Family

berbew

C2

Signatures

  • Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 16 IoCs)
  • Berbew

    Berbew is a backdoor written in C++.

  • Berbew family
  • Executes dropped EXE (8 IoCs)
  • Loads dropped DLL (21 IoCs)
  • Drops file in System32 directory (24 IoCs)
  • Program crash (1 IoC)
  • System Location Discovery: System Language Discovery (1 TTP, 9 IoCs)

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class (27 IoCs)
  • Suspicious use of WriteProcessMemory (36 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\adfd91c8248d10542dbd6d036ea2b2984e1ee7550bab2be40d6f0867eda8f4b0.exe
    "C:\Users\Admin\AppData\Local\Temp\adfd91c8248d10542dbd6d036ea2b2984e1ee7550bab2be40d6f0867eda8f4b0.exe"
    1⤵
    • Adds autorun key to be loaded by Explorer.exe on startup
    • Loads dropped DLL
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2656
    • C:\Windows\SysWOW64\Ieibdnnp.exe
      C:\Windows\system32\Ieibdnnp.exe
      2⤵
      • Adds autorun key to be loaded by Explorer.exe on startup
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:2784
      • C:\Windows\SysWOW64\Jllqplnp.exe
        C:\Windows\system32\Jllqplnp.exe
        3⤵
        • Adds autorun key to be loaded by Explorer.exe on startup
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:2680
        • C:\Windows\SysWOW64\Jmkmjoec.exe
          C:\Windows\system32\Jmkmjoec.exe
          4⤵
          • Adds autorun key to be loaded by Explorer.exe on startup
          • Executes dropped EXE
          • Loads dropped DLL
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          • Suspicious use of WriteProcessMemory
          PID:2636
          • C:\Windows\SysWOW64\Kpgionie.exe
            C:\Windows\system32\Kpgionie.exe
            5⤵
            • Adds autorun key to be loaded by Explorer.exe on startup
            • Executes dropped EXE
            • Loads dropped DLL
            • Drops file in System32 directory
            • System Location Discovery: System Language Discovery
            • Modifies registry class
            • Suspicious use of WriteProcessMemory
            PID:2620
            • C:\Windows\SysWOW64\Kfaalh32.exe
              C:\Windows\system32\Kfaalh32.exe
              6⤵
              • Adds autorun key to be loaded by Explorer.exe on startup
              • Executes dropped EXE
              • Loads dropped DLL
              • Drops file in System32 directory
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              • Suspicious use of WriteProcessMemory
              PID:3048
              • C:\Windows\SysWOW64\Libjncnc.exe
                C:\Windows\system32\Libjncnc.exe
                7⤵
                • Adds autorun key to be loaded by Explorer.exe on startup
                • Executes dropped EXE
                • Loads dropped DLL
                • Drops file in System32 directory
                • System Location Discovery: System Language Discovery
                • Modifies registry class
                • Suspicious use of WriteProcessMemory
                PID:2336
                • C:\Windows\SysWOW64\Llpfjomf.exe
                  C:\Windows\system32\Llpfjomf.exe
                  8⤵
                  • Adds autorun key to be loaded by Explorer.exe on startup
                  • Executes dropped EXE
                  • Loads dropped DLL
                  • Drops file in System32 directory
                  • System Location Discovery: System Language Discovery
                  • Modifies registry class
                  • Suspicious use of WriteProcessMemory
                  PID:2140
                  • C:\Windows\SysWOW64\Lbjofi32.exe
                    C:\Windows\system32\Lbjofi32.exe
                    9⤵
                    • Executes dropped EXE
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of WriteProcessMemory
                    PID:668
                    • C:\Windows\SysWOW64\WerFault.exe
                      C:\Windows\SysWOW64\WerFault.exe -u -p 668 -s 140
                      10⤵
                      • Loads dropped DLL
                      • Program crash
                      PID:2264

Network

MITRE ATT&CK Enterprise v15
