Analysis

  • max time kernel
    96s
  • max time network
    136s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    10-11-2024 01:04

General

  • Target

    9eb4a149321b5ea49a7d8707175697fbc9b37e498cdafa357140c4bb7f444e60.exe

  • Size

    872KB

  • MD5

    e0edae4a46dd4ea2c3a68ad6f31a303c

  • SHA1

    0c276ff55ba2851e08c62e5b6c902178acc423d8

  • SHA256

    9eb4a149321b5ea49a7d8707175697fbc9b37e498cdafa357140c4bb7f444e60

  • SHA512

    0be68fafa3ffb85bc978a1fca666e852efb55a3680489d35d64950d7c8990fce129f5935f97ec84de95f5149c51b0eab36a54c32732ddcff50ac96868589db8f

  • SSDEEP

    24576:GDHFh2kkkkK4kXkkkkkkkkhLX3a20R0v50+Y:4xbazR0v

Malware Config

Extracted

Family

berbew

C2


Signatures

  • Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 20 IoCs)
  • Berbew

    Berbew is a backdoor written in C++.

  • Berbew family
  • Executes dropped EXE (10 IoCs)
  • Drops file in System32 directory (30 IoCs)
  • Program crash (1 IoC)
  • System Location Discovery: System Language Discovery (1 TTP, 11 IoCs)

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class (33 IoCs)
  • Suspicious use of WriteProcessMemory (30 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\9eb4a149321b5ea49a7d8707175697fbc9b37e498cdafa357140c4bb7f444e60.exe
    "C:\Users\Admin\AppData\Local\Temp\9eb4a149321b5ea49a7d8707175697fbc9b37e498cdafa357140c4bb7f444e60.exe"
    1⤵
    • Adds autorun key to be loaded by Explorer.exe on startup
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1428
    • C:\Windows\SysWOW64\Cjpckf32.exe
      C:\Windows\system32\Cjpckf32.exe
      2⤵
      • Adds autorun key to be loaded by Explorer.exe on startup
      • Executes dropped EXE
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:1828
      • C:\Windows\SysWOW64\Cmnpgb32.exe
        C:\Windows\system32\Cmnpgb32.exe
        3⤵
        • Adds autorun key to be loaded by Explorer.exe on startup
        • Executes dropped EXE
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:2484
        • C:\Windows\SysWOW64\Cjbpaf32.exe
          C:\Windows\system32\Cjbpaf32.exe
          4⤵
          • Adds autorun key to be loaded by Explorer.exe on startup
          • Executes dropped EXE
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          • Suspicious use of WriteProcessMemory
          PID:4964
          • C:\Windows\SysWOW64\Dhfajjoj.exe
            C:\Windows\system32\Dhfajjoj.exe
            5⤵
            • Adds autorun key to be loaded by Explorer.exe on startup
            • Executes dropped EXE
            • Drops file in System32 directory
            • System Location Discovery: System Language Discovery
            • Modifies registry class
            • Suspicious use of WriteProcessMemory
            PID:4928
            • C:\Windows\SysWOW64\Dejacond.exe
              C:\Windows\system32\Dejacond.exe
              6⤵
              • Adds autorun key to be loaded by Explorer.exe on startup
              • Executes dropped EXE
              • Drops file in System32 directory
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              • Suspicious use of WriteProcessMemory
              PID:4580
              • C:\Windows\SysWOW64\Ddonekbl.exe
                C:\Windows\system32\Ddonekbl.exe
                7⤵
                • Adds autorun key to be loaded by Explorer.exe on startup
                • Executes dropped EXE
                • Drops file in System32 directory
                • System Location Discovery: System Language Discovery
                • Modifies registry class
                • Suspicious use of WriteProcessMemory
                PID:2060
                • C:\Windows\SysWOW64\Dfnjafap.exe
                  C:\Windows\system32\Dfnjafap.exe
                  8⤵
                  • Adds autorun key to be loaded by Explorer.exe on startup
                  • Executes dropped EXE
                  • Drops file in System32 directory
                  • System Location Discovery: System Language Discovery
                  • Modifies registry class
                  • Suspicious use of WriteProcessMemory
                  PID:3836
                  • C:\Windows\SysWOW64\Dhmgki32.exe
                    C:\Windows\system32\Dhmgki32.exe
                    9⤵
                    • Adds autorun key to be loaded by Explorer.exe on startup
                    • Executes dropped EXE
                    • Drops file in System32 directory
                    • System Location Discovery: System Language Discovery
                    • Modifies registry class
                    • Suspicious use of WriteProcessMemory
                    PID:804
                    • C:\Windows\SysWOW64\Dknpmdfc.exe
                      C:\Windows\system32\Dknpmdfc.exe
                      10⤵
                      • Adds autorun key to be loaded by Explorer.exe on startup
                      • Executes dropped EXE
                      • Drops file in System32 directory
                      • System Location Discovery: System Language Discovery
                      • Modifies registry class
                      • Suspicious use of WriteProcessMemory
                      PID:3676
                      • C:\Windows\SysWOW64\Dmllipeg.exe
                        C:\Windows\system32\Dmllipeg.exe
                        11⤵
                        • Executes dropped EXE
                        • System Location Discovery: System Language Discovery
                        PID:3116
                        • C:\Windows\SysWOW64\WerFault.exe
                          C:\Windows\SysWOW64\WerFault.exe -u -p 3116 -s 396
                          12⤵
                          • Program crash
                          PID:4440
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3116 -ip 3116
    1⤵
      PID:4680

    Network

    MITRE ATT&CK Enterprise v15

    Downloads
