Analysis

  • max time kernel
    121s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20241023-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
  • submitted
    10-11-2024 01:09

General

  • Target

    a12ae51cb38eb9c0c271d77c24d4c09b9fbded65df1513732286cd7b7128a845.exe

  • Size

    71KB

  • MD5

    6685c9fe331d440e05cccbd11367378d

  • SHA1

    8323ca8b66a5076e41e82a4425c7d209a446a408

  • SHA256

    a12ae51cb38eb9c0c271d77c24d4c09b9fbded65df1513732286cd7b7128a845

  • SHA512

    29804f1267773d14036b5bc2697e6b19bb92c6c7e0a8cacadb7fda29d795494484e2c5d06d6a05f4e172b5de6588c2c739a0d8b248a76a8724e0172a29e15a79

  • SSDEEP

    1536:WArBT0b3AGgY5uUVJhWsaco9JRQEDbEyRCRRRoR4Rk:WArBTitrWsWJeCEy032ya

Malware Config

Extracted

Family

berbew

C2

http://viruslist.com/wcmd.txt

http://viruslist.com/ppslog.php

http://viruslist.com/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

  • Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 22 IoCs
  • Berbew

    Berbew is a backdoor written in C++.

  • Berbew family
  • Executes dropped EXE 11 IoCs
  • Loads dropped DLL 26 IoCs
  • Drops file in System32 directory 33 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 36 IoCs
  • Suspicious use of WriteProcessMemory 48 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a12ae51cb38eb9c0c271d77c24d4c09b9fbded65df1513732286cd7b7128a845.exe
    "C:\Users\Admin\AppData\Local\Temp\a12ae51cb38eb9c0c271d77c24d4c09b9fbded65df1513732286cd7b7128a845.exe"
    1⤵
    • Adds autorun key to be loaded by Explorer.exe on startup
    • Loads dropped DLL
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2924
    • C:\Windows\SysWOW64\Blkioa32.exe
      C:\Windows\system32\Blkioa32.exe
      2⤵
      • Adds autorun key to be loaded by Explorer.exe on startup
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:2796
      • C:\Windows\SysWOW64\Bnielm32.exe
        C:\Windows\system32\Bnielm32.exe
        3⤵
        • Adds autorun key to be loaded by Explorer.exe on startup
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:2756
        • C:\Windows\SysWOW64\Bfpnmj32.exe
          C:\Windows\system32\Bfpnmj32.exe
          4⤵
          • Adds autorun key to be loaded by Explorer.exe on startup
          • Executes dropped EXE
          • Loads dropped DLL
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          • Suspicious use of WriteProcessMemory
          PID:2940
          • C:\Windows\SysWOW64\Beejng32.exe
            C:\Windows\system32\Beejng32.exe
            5⤵
            • Adds autorun key to be loaded by Explorer.exe on startup
            • Executes dropped EXE
            • Loads dropped DLL
            • Drops file in System32 directory
            • System Location Discovery: System Language Discovery
            • Modifies registry class
            • Suspicious use of WriteProcessMemory
            PID:2192
            • C:\Windows\SysWOW64\Bonoflae.exe
              C:\Windows\system32\Bonoflae.exe
              6⤵
              • Adds autorun key to be loaded by Explorer.exe on startup
              • Executes dropped EXE
              • Loads dropped DLL
              • Drops file in System32 directory
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              • Suspicious use of WriteProcessMemory
              PID:768
              • C:\Windows\SysWOW64\Behgcf32.exe
                C:\Windows\system32\Behgcf32.exe
                7⤵
                • Adds autorun key to be loaded by Explorer.exe on startup
                • Executes dropped EXE
                • Loads dropped DLL
                • Drops file in System32 directory
                • System Location Discovery: System Language Discovery
                • Modifies registry class
                • Suspicious use of WriteProcessMemory
                PID:808
                • C:\Windows\SysWOW64\Bmclhi32.exe
                  C:\Windows\system32\Bmclhi32.exe
                  8⤵
                  • Adds autorun key to be loaded by Explorer.exe on startup
                  • Executes dropped EXE
                  • Loads dropped DLL
                  • Drops file in System32 directory
                  • System Location Discovery: System Language Discovery
                  • Modifies registry class
                  • Suspicious use of WriteProcessMemory
                  PID:2880
                  • C:\Windows\SysWOW64\Bhhpeafc.exe
                    C:\Windows\system32\Bhhpeafc.exe
                    9⤵
                    • Adds autorun key to be loaded by Explorer.exe on startup
                    • Executes dropped EXE
                    • Loads dropped DLL
                    • Drops file in System32 directory
                    • System Location Discovery: System Language Discovery
                    • Modifies registry class
                    • Suspicious use of WriteProcessMemory
                    PID:2116
                    • C:\Windows\SysWOW64\Baadng32.exe
                      C:\Windows\system32\Baadng32.exe
                      10⤵
                      • Adds autorun key to be loaded by Explorer.exe on startup
                      • Executes dropped EXE
                      • Loads dropped DLL
                      • Drops file in System32 directory
                      • System Location Discovery: System Language Discovery
                      • Modifies registry class
                      • Suspicious use of WriteProcessMemory
                      PID:2060
                      • C:\Windows\SysWOW64\Cdoajb32.exe
                        C:\Windows\system32\Cdoajb32.exe
                        11⤵
                        • Adds autorun key to be loaded by Explorer.exe on startup
                        • Executes dropped EXE
                        • Loads dropped DLL
                        • Drops file in System32 directory
                        • System Location Discovery: System Language Discovery
                        • Modifies registry class
                        • Suspicious use of WriteProcessMemory
                        PID:1936
                        • C:\Windows\SysWOW64\Cacacg32.exe
                          C:\Windows\system32\Cacacg32.exe
                          12⤵
                          • Executes dropped EXE
                          • System Location Discovery: System Language Discovery
                          • Suspicious use of WriteProcessMemory
                          PID:1800
                          • C:\Windows\SysWOW64\WerFault.exe
                            C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 140
                            13⤵
                            • Loads dropped DLL
                            • Program crash
                            PID:1304

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\SysWOW64\Bnielm32.exe

    Filesize

    71KB

    MD5

    7edf56ca4ad461142e7c314df7ec699e

    SHA1

    bb57fff289b676a3eb0c8bc27be38ae92a1273a4

    SHA256

    f02809ac5b93439648693c79a6fbcb899d6bff8ec844842d98006dd9d2962e72

    SHA512

    bf344e31b8dd3b1daa437d1917a79a40eda41625327004934fc2b6e9384f39ba1c2765a2673d45ad72018141d90578fbf85040590755a6637c21c3428648d94c

  • C:\Windows\SysWOW64\Eignpade.dll

    Filesize

    7KB

    MD5

    ec70bedb1e94f252022fb2e87cafd6a7

    SHA1

    c67e199f433c70d6409251e4e260336dbd4d6e8f

    SHA256

    ca19ed02adc19186a4e99a21d3db08a8c43d174f00f4a6e55c116a8a15c0ec78

    SHA512

    51b7dc617e985185c4b52ddb90e1a09dc5a061b22332650e16eceffd31c2315ae64e346bb7273acb11a0a9d64f8c9ebcfbabb78b28732843e271a80d29b106fb

  • \Windows\SysWOW64\Baadng32.exe

    Filesize

    71KB

    MD5

    ac9a0ea0efe241e7da70050e84a832a8

    SHA1

    ab779ca3934ce0a9af8d829b9e40ba2157a582ca

    SHA256

    edb3127baef2b17e218c037842a1c2c877d09f71313c41776cea532a72daaaf6

    SHA512

    4648a65b4bad282995cc87cf49e35e4f4d319f52d1bc90b2abc3bd5c763b649071ebd2bf3e4ab93bf89dc0dfc5c892617ad7e4b3deeb76ce81babef524d8e487

  • \Windows\SysWOW64\Beejng32.exe

    Filesize

    71KB

    MD5

    78031ee231bfd04a715e540938ba622e

    SHA1

    eb368cf0cc5b4020205243ea6ee036e13897cf7c

    SHA256

    b8433317c677d8080dd8af5a20a18eca5eb78fd823cc9cf8e8653fd08799eeb5

    SHA512

    24cb1532df4c83676554655efad1a551413044fa4974134581a22d61341cb9438d5e755e228a3f512d84cd5298d3c38489bc6365b9aa89da7a3b6b3d8f3c4bff

  • \Windows\SysWOW64\Behgcf32.exe

    Filesize

    71KB

    MD5

    a5934df593fbcbb243b5faf79f8a1aa6

    SHA1

    01c4d371c6feee5783725b32568ed829a0df6474

    SHA256

    7e30b09781fd6ff504805cc85f4d42e6e5663d18ee40ffc6825e35278ade759f

    SHA512

    ee649c9aa2ad3142d6e206b5fbe8165c4fd441baeffbf03d7695098cf2c8426bb37aacad5eded27d93b032ecd4296846d67c4b805bee52246f8b6a6c8d30d2e8

  • \Windows\SysWOW64\Bfpnmj32.exe

    Filesize

    71KB

    MD5

    2d7d8569670f1bf22396f683c8e365c5

    SHA1

    aa8099a08bb948b978020c47bf73e0908ecf34c7

    SHA256

    4f9358be755798eb7ae9936f9cdc51b9a6497a2f45b3b8a3c439866a541b6379

    SHA512

    cea2389260e1f9a291f3869009126a86be4602f5792182f1dc70f80822d235438bb227fe556fb657fea8c8f22ad0fc02f158ce91c4633578b0b4570fffd4ee0b

  • \Windows\SysWOW64\Bhhpeafc.exe

    Filesize

    71KB

    MD5

    0dda337dca3d491f325957272407f32f

    SHA1

    1de01e9d4483d5ed0cf23c4f9df3cfecf27c332b

    SHA256

    ed24b2950d59b0b30663449aa71caf45c0c28cf9c56a8cb9f6cba37260313fdd

    SHA512

    0e3e24b272f56bb3a57ef6611ce93acf3bc2666a256d47dabb9384db758997598216df64e6159c58a046f7268fa7e9ed4bc6a18e70ad18c84557d9784fb38078

  • \Windows\SysWOW64\Blkioa32.exe

    Filesize

    71KB

    MD5

    0874aba12045d5f828b3aee3992661b2

    SHA1

    7e1ad4022efb337d8e29e0931c158507193c88d1

    SHA256

    2d0c5e0129d5d1831f83f3eab943b575e012ef862d8dee2ed3d1769a59e6638f

    SHA512

    e64c9bfe22f571104dbf87281b0157208adb34af3012630771cf30c00e55080241f6660eb9a637748e7036e84bd0d7d63b9b9f31dd8796ff5befe541c9cab244

  • \Windows\SysWOW64\Bmclhi32.exe

    Filesize

    71KB

    MD5

    9e9a8ce5f8f64eccc2c5746a96245094

    SHA1

    a45beaf750b7d8d1a964bd297e45e7e346787cac

    SHA256

    0853dad48ae48c4814a36cde09b5664b1cc340bed99f53f0fb32ae361b63c9df

    SHA512

    bf38ff0fefbcbaac18b245738c06c0602549edfa6addef5723b6169bf2eab4760b188629727a5dbfa9ceec7f3952ed7e68040b1dfc64c47065cf4d86ac6a3435

  • \Windows\SysWOW64\Bonoflae.exe

    Filesize

    71KB

    MD5

    83d78211142e5a3bf5f0eb8516959b35

    SHA1

    451f5fb13013d3e84643bf6913ba6b60a480dd39

    SHA256

    ea7aebdf47cb2eca909eae4b438727ee5c1e763472028f5056dfd254f1a97d15

    SHA512

    f0bae2330c5ee579fbb7da10e82609fada5528e739c8b7ecd6a068f8360341f26d1ab288aea1fc56a16cc4efc294639e9052a20bf3ff2186975fecb413fa0bdb

  • \Windows\SysWOW64\Cacacg32.exe

    Filesize

    71KB

    MD5

    e40e0d10e287c5dcb58e3b7c3b8488fc

    SHA1

    a73e597ccfdbae10d6b12d47f1e8d97f4b745dde

    SHA256

    2b2a281bd4d0e0ded73803e95fa7b7ba4ed2258d03f347823e589d27e730124a

    SHA512

    74812da74296b33af8a878fedbca1a30ff93c47621e5afe7f757208e16c7405815f72df623364cf3492f7b204ba31c5109389ed46aa8e5b6ea7cfcf6f6e5e849

  • \Windows\SysWOW64\Cdoajb32.exe

    Filesize

    71KB

    MD5

    5b908f7f62e84d96250c40b30e84a7fd

    SHA1

    f160547f85dd6b66bdb31d7f462c872583daeac0

    SHA256

    58969d3134d2f366a9452dc761935bbb09180adae4acb60f5d00a29a730ae436

    SHA512

    14849322f69d220c1977a2e9baf8fb3c1625577e6e63dd67fa8d311f89a748f8761ec7660b6fce7dd3f27b1230198d2a97fda68aa15d03fbbf76e2989891452f

  • memory/768-158-0x0000000000400000-0x0000000000439000-memory.dmp

    Filesize

    228KB

  • memory/768-68-0x0000000000400000-0x0000000000439000-memory.dmp

    Filesize

    228KB

  • memory/768-75-0x0000000000440000-0x0000000000479000-memory.dmp

    Filesize

    228KB

  • memory/808-94-0x0000000000310000-0x0000000000349000-memory.dmp

    Filesize

    228KB

  • memory/808-157-0x0000000000400000-0x0000000000439000-memory.dmp

    Filesize

    228KB

  • memory/808-81-0x0000000000400000-0x0000000000439000-memory.dmp

    Filesize

    228KB

  • memory/808-89-0x0000000000310000-0x0000000000349000-memory.dmp

    Filesize

    228KB

  • memory/1800-149-0x0000000000400000-0x0000000000439000-memory.dmp

    Filesize

    228KB

  • memory/1800-164-0x0000000000400000-0x0000000000439000-memory.dmp

    Filesize

    228KB

  • memory/1936-143-0x0000000000440000-0x0000000000479000-memory.dmp

    Filesize

    228KB

  • memory/1936-154-0x0000000000400000-0x0000000000439000-memory.dmp

    Filesize

    228KB

  • memory/1936-135-0x0000000000400000-0x0000000000439000-memory.dmp

    Filesize

    228KB

  • memory/2060-155-0x0000000000400000-0x0000000000439000-memory.dmp

    Filesize

    228KB

  • memory/2060-122-0x0000000000400000-0x0000000000439000-memory.dmp

    Filesize

    228KB

  • memory/2116-108-0x0000000000400000-0x0000000000439000-memory.dmp

    Filesize

    228KB

  • memory/2116-116-0x0000000000300000-0x0000000000339000-memory.dmp

    Filesize

    228KB

  • memory/2116-160-0x0000000000400000-0x0000000000439000-memory.dmp

    Filesize

    228KB

  • memory/2192-159-0x0000000000400000-0x0000000000439000-memory.dmp

    Filesize

    228KB

  • memory/2192-61-0x0000000000440000-0x0000000000479000-memory.dmp

    Filesize

    228KB

  • memory/2756-28-0x0000000000400000-0x0000000000439000-memory.dmp

    Filesize

    228KB

  • memory/2756-34-0x0000000000440000-0x0000000000479000-memory.dmp

    Filesize

    228KB

  • memory/2756-162-0x0000000000400000-0x0000000000439000-memory.dmp

    Filesize

    228KB

  • memory/2796-163-0x0000000000400000-0x0000000000439000-memory.dmp

    Filesize

    228KB

  • memory/2796-15-0x0000000000400000-0x0000000000439000-memory.dmp

    Filesize

    228KB

  • memory/2880-156-0x0000000000400000-0x0000000000439000-memory.dmp

    Filesize

    228KB

  • memory/2924-165-0x0000000000400000-0x0000000000439000-memory.dmp

    Filesize

    228KB

  • memory/2924-0-0x0000000000400000-0x0000000000439000-memory.dmp

    Filesize

    228KB

  • memory/2924-12-0x0000000000250000-0x0000000000289000-memory.dmp

    Filesize

    228KB

  • memory/2924-13-0x0000000000250000-0x0000000000289000-memory.dmp

    Filesize

    228KB

  • memory/2940-161-0x0000000000400000-0x0000000000439000-memory.dmp

    Filesize

    228KB

  • memory/2940-48-0x0000000000250000-0x0000000000289000-memory.dmp

    Filesize

    228KB