Analysis

  • max time kernel
    93s
  • max time network
    101s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    10/11/2024, 11:10

General

  • Target

    ad287ba3adeb7828895e522ec4221c5a051ade9eb2da1f509a72655147d154aeN.exe

  • Size

    669KB

  • MD5

    9c1b02fd6a0120ae3ddb2f4b760cfad0

  • SHA1

    43ab9cd43d0cfec3bb68ca429c02201e25eb85f9

  • SHA256

    ad287ba3adeb7828895e522ec4221c5a051ade9eb2da1f509a72655147d154ae

  • SHA512

    3796057c85fbbd0115eac36ac314a6c8537fb67c78c67f286afcecf62f0306f23de46f500d97643d2043b02feef09f8151e9a667289c3e10f886ed30911e7043

  • SSDEEP

    12288:kHd2eVKhMpQnqr+cI3a72LXrY6x46UbR/qYglMi:kHXchMpQnqrdX72LbY6x46uR/qYglMi

Malware Config

Extracted

Family

berbew

C2

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

  • Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 34 IoCs
  • Berbew

    Berbew is a backdoor written in C++.

  • Berbew family
  • Executes dropped EXE 17 IoCs
  • Drops file in System32 directory 51 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 18 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 54 IoCs
  • Suspicious use of WriteProcessMemory 51 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ad287ba3adeb7828895e522ec4221c5a051ade9eb2da1f509a72655147d154aeN.exe
    "C:\Users\Admin\AppData\Local\Temp\ad287ba3adeb7828895e522ec4221c5a051ade9eb2da1f509a72655147d154aeN.exe"
    1⤵
    • Adds autorun key to be loaded by Explorer.exe on startup
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:5060
    • C:\Windows\SysWOW64\Bjokdipf.exe
      C:\Windows\system32\Bjokdipf.exe
      2⤵
      • Adds autorun key to be loaded by Explorer.exe on startup
      • Executes dropped EXE
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:3552
      • C:\Windows\SysWOW64\Bffkij32.exe
        C:\Windows\system32\Bffkij32.exe
        3⤵
        • Adds autorun key to be loaded by Explorer.exe on startup
        • Executes dropped EXE
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:4512
        • C:\Windows\SysWOW64\Bnmcjg32.exe
          C:\Windows\system32\Bnmcjg32.exe
          4⤵
          • Adds autorun key to be loaded by Explorer.exe on startup
          • Executes dropped EXE
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          • Suspicious use of WriteProcessMemory
          PID:3804
          • C:\Windows\SysWOW64\Banllbdn.exe
            C:\Windows\system32\Banllbdn.exe
            5⤵
            • Adds autorun key to be loaded by Explorer.exe on startup
            • Executes dropped EXE
            • Drops file in System32 directory
            • System Location Discovery: System Language Discovery
            • Modifies registry class
            • Suspicious use of WriteProcessMemory
            PID:4848
            • C:\Windows\SysWOW64\Bjfaeh32.exe
              C:\Windows\system32\Bjfaeh32.exe
              6⤵
              • Adds autorun key to be loaded by Explorer.exe on startup
              • Executes dropped EXE
              • Drops file in System32 directory
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              • Suspicious use of WriteProcessMemory
              PID:5032
              • C:\Windows\SysWOW64\Bmemac32.exe
                C:\Windows\system32\Bmemac32.exe
                7⤵
                • Adds autorun key to be loaded by Explorer.exe on startup
                • Executes dropped EXE
                • Drops file in System32 directory
                • System Location Discovery: System Language Discovery
                • Modifies registry class
                • Suspicious use of WriteProcessMemory
                PID:3872
                • C:\Windows\SysWOW64\Bcoenmao.exe
                  C:\Windows\system32\Bcoenmao.exe
                  8⤵
                  • Adds autorun key to be loaded by Explorer.exe on startup
                  • Executes dropped EXE
                  • Drops file in System32 directory
                  • System Location Discovery: System Language Discovery
                  • Modifies registry class
                  • Suspicious use of WriteProcessMemory
                  PID:1604
                  • C:\Windows\SysWOW64\Cfmajipb.exe
                    C:\Windows\system32\Cfmajipb.exe
                    9⤵
                    • Adds autorun key to be loaded by Explorer.exe on startup
                    • Executes dropped EXE
                    • Drops file in System32 directory
                    • System Location Discovery: System Language Discovery
                    • Modifies registry class
                    • Suspicious use of WriteProcessMemory
                    PID:4604
                    • C:\Windows\SysWOW64\Cfbkeh32.exe
                      C:\Windows\system32\Cfbkeh32.exe
                      10⤵
                      • Adds autorun key to be loaded by Explorer.exe on startup
                      • Executes dropped EXE
                      • Drops file in System32 directory
                      • System Location Discovery: System Language Discovery
                      • Modifies registry class
                      • Suspicious use of WriteProcessMemory
                      PID:3236
                      • C:\Windows\SysWOW64\Cdfkolkf.exe
                        C:\Windows\system32\Cdfkolkf.exe
                        11⤵
                        • Adds autorun key to be loaded by Explorer.exe on startup
                        • Executes dropped EXE
                        • Drops file in System32 directory
                        • System Location Discovery: System Language Discovery
                        • Modifies registry class
                        • Suspicious use of WriteProcessMemory
                        PID:3376
                        • C:\Windows\SysWOW64\Cjbpaf32.exe
                          C:\Windows\system32\Cjbpaf32.exe
                          12⤵
                          • Adds autorun key to be loaded by Explorer.exe on startup
                          • Executes dropped EXE
                          • Drops file in System32 directory
                          • System Location Discovery: System Language Discovery
                          • Modifies registry class
                          • Suspicious use of WriteProcessMemory
                          PID:3008
                          • C:\Windows\SysWOW64\Dhfajjoj.exe
                            C:\Windows\system32\Dhfajjoj.exe
                            13⤵
                            • Adds autorun key to be loaded by Explorer.exe on startup
                            • Executes dropped EXE
                            • Drops file in System32 directory
                            • System Location Discovery: System Language Discovery
                            • Modifies registry class
                            • Suspicious use of WriteProcessMemory
                            PID:1164
                            • C:\Windows\SysWOW64\Dopigd32.exe
                              C:\Windows\system32\Dopigd32.exe
                              14⤵
                              • Adds autorun key to be loaded by Explorer.exe on startup
                              • Executes dropped EXE
                              • Drops file in System32 directory
                              • System Location Discovery: System Language Discovery
                              • Modifies registry class
                              • Suspicious use of WriteProcessMemory
                              PID:2336
                              • C:\Windows\SysWOW64\Ddonekbl.exe
                                C:\Windows\system32\Ddonekbl.exe
                                15⤵
                                • Adds autorun key to be loaded by Explorer.exe on startup
                                • Executes dropped EXE
                                • Drops file in System32 directory
                                • System Location Discovery: System Language Discovery
                                • Modifies registry class
                                • Suspicious use of WriteProcessMemory
                                PID:1448
                                • C:\Windows\SysWOW64\Dmgbnq32.exe
                                  C:\Windows\system32\Dmgbnq32.exe
                                  16⤵
                                  • Adds autorun key to be loaded by Explorer.exe on startup
                                  • Executes dropped EXE
                                  • Drops file in System32 directory
                                  • System Location Discovery: System Language Discovery
                                  • Modifies registry class
                                  • Suspicious use of WriteProcessMemory
                                  PID:1744
                                  • C:\Windows\SysWOW64\Dmjocp32.exe
                                    C:\Windows\system32\Dmjocp32.exe
                                    17⤵
                                    • Adds autorun key to be loaded by Explorer.exe on startup
                                    • Executes dropped EXE
                                    • Drops file in System32 directory
                                    • System Location Discovery: System Language Discovery
                                    • Modifies registry class
                                    • Suspicious use of WriteProcessMemory
                                    PID:1760
                                    • C:\Windows\SysWOW64\Dmllipeg.exe
                                      C:\Windows\system32\Dmllipeg.exe
                                      18⤵
                                      • Executes dropped EXE
                                      • System Location Discovery: System Language Discovery
                                      PID:964
                                      • C:\Windows\SysWOW64\WerFault.exe
                                        C:\Windows\SysWOW64\WerFault.exe -u -p 964 -s 408
                                        19⤵
                                        • Program crash
                                        PID:776
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 964 -ip 964
    1⤵
      PID:3672

    Network

    MITRE ATT&CK Enterprise v15

    Downloads
