Analysis

  • max time kernel
    61s
  • max time network
    18s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    10/11/2024, 14:09

General

  • Target

    009638bf580460ba88232d0d6e6dc301d2c1c41e5215894260e9930557a2aa2cN.exe

  • Size

    76KB

  • MD5

    86b9999a4a235204fe8bd449b79ef370

  • SHA1

    bc900fbca24b9d61812254741bc3d5481b89bb7f

  • SHA256

    009638bf580460ba88232d0d6e6dc301d2c1c41e5215894260e9930557a2aa2c

  • SHA512

    7d49f9c965e9291e844337ea9d1f0fc241c519502ba3b6224d2342acfc7016755a5960665021d9956ee3dbdb1f879b30427a41459e5e043fcfafed338d20fc8d

  • SSDEEP

    1536:Q9Cjczvi/FZvqtHXof8xbs3/djS4dxeQqUHHioQV+/eCeyvCQ:JYvi/Ft43of8+3FjS4d0tUHHrk+

Malware Config

Extracted

Family

berbew

C2

http://crutop.nu/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://master-x.com/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://crutop.ru/index.php

http://kaspersky.ru/index.php

http://color-bank.ru/index.php

http://adult-empire.com/index.php

http://virus-list.com/index.php

http://trojan.ru/index.php

http://xware.cjb.net/index.htm

http://konfiskat.org/index.htm

http://parex-bank.ru/index.htm

http://fethard.biz/index.htm

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

Signatures

  • Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 12 IoCs)
  • Berbew

    Berbew is a backdoor written in C++.

  • Berbew family
  • Executes dropped EXE (6 IoCs)
  • Loads dropped DLL (16 IoCs)
  • Drops file in System32 directory (18 IoCs)
  • Program crash (1 IoC)
  • System Location Discovery: System Language Discovery (1 TTP, 7 IoCs)

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class (21 IoCs)
  • Suspicious use of WriteProcessMemory (28 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\009638bf580460ba88232d0d6e6dc301d2c1c41e5215894260e9930557a2aa2cN.exe
    "C:\Users\Admin\AppData\Local\Temp\009638bf580460ba88232d0d6e6dc301d2c1c41e5215894260e9930557a2aa2cN.exe"
    1⤵
    • Adds autorun key to be loaded by Explorer.exe on startup
    • Loads dropped DLL
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2880
    • C:\Windows\SysWOW64\Egcfdn32.exe
      C:\Windows\system32\Egcfdn32.exe
      2⤵
      • Adds autorun key to be loaded by Explorer.exe on startup
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:2820
      • C:\Windows\SysWOW64\Eqkjmcmq.exe
        C:\Windows\system32\Eqkjmcmq.exe
        3⤵
        • Adds autorun key to be loaded by Explorer.exe on startup
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:2112
        • C:\Windows\SysWOW64\Ebockkal.exe
          C:\Windows\system32\Ebockkal.exe
          4⤵
          • Adds autorun key to be loaded by Explorer.exe on startup
          • Executes dropped EXE
          • Loads dropped DLL
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          • Suspicious use of WriteProcessMemory
          PID:2172
          • C:\Windows\SysWOW64\Efmlqigc.exe
            C:\Windows\system32\Efmlqigc.exe
            5⤵
            • Adds autorun key to be loaded by Explorer.exe on startup
            • Executes dropped EXE
            • Loads dropped DLL
            • Drops file in System32 directory
            • System Location Discovery: System Language Discovery
            • Modifies registry class
            • Suspicious use of WriteProcessMemory
            PID:2680
            • C:\Windows\SysWOW64\Fllaopcg.exe
              C:\Windows\system32\Fllaopcg.exe
              6⤵
              • Adds autorun key to be loaded by Explorer.exe on startup
              • Executes dropped EXE
              • Loads dropped DLL
              • Drops file in System32 directory
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              • Suspicious use of WriteProcessMemory
              PID:2532
              • C:\Windows\SysWOW64\Flnndp32.exe
                C:\Windows\system32\Flnndp32.exe
                7⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:1804
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 1804 -s 140
                  8⤵
                  • Loads dropped DLL
                  • Program crash
                  PID:2092

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Windows\SysWOW64\Eqkjmcmq.exe

    Filesize

    76KB

    MD5

    1eba738b3754eeee962097ab53cc1456

    SHA1

    234e5a167b6a6e9294b0f04d9a330caa26af7bce

    SHA256

    5a80be804d5c4990785f620719575b45e9b1c606c8fb8d1133c8298f7159461a

    SHA512

    54a6d6cc987d114c3ff08b668e1077e77ef01d77108215010de75b0ecfe28c93dc30ff3af04c04141f5c8a85d3107328d7ac460fa812cd5a0bcbf7e6030f0901

  • \Windows\SysWOW64\Ebockkal.exe

    Filesize

    76KB

    MD5

    468a2ab967c08e7015f4f2a73a2a8063

    SHA1

    bb738d58cc66674c5da700f1ec708b185b565aef

    SHA256

    5254d479828a35227e8cd4eeb8706f7f3deae16d44574bc0b6a84951428c9fc3

    SHA512

    eab58cab9a7f015c329b5b903dcb21745c84cb76cf4871d8a7f57a6b19f5d625fd137f5e1bb7dfa35920a9d1436adc886b72a23e22628153dec004ee68b61c3a

  • \Windows\SysWOW64\Efmlqigc.exe

    Filesize

    76KB

    MD5

    9ee7121801aae0dd235774ec6723ce79

    SHA1

    1f7a5a81a5c295183808e58e5839d450c1a189cc

    SHA256

    c85e717b6a1d12092ae3beb58ddc9f94d78914a77dcb104609384dbac152218b

    SHA512

    bd873d22dc37092f330e97f4ae86760ce5f5ab6ccf300a6e97cd518ec54f3cc44191bf2298e3d99737554fb888f82fa1f8e55965fd599de230377d4c2022c128

  • \Windows\SysWOW64\Egcfdn32.exe

    Filesize

    76KB

    MD5

    b5b7908a515f3156401368f2d66083e3

    SHA1

    c2b1f11d4a4fa5110c774e81cdacd8795825d9a8

    SHA256

    e21ba9c2897b566155555abf61a1d69be92a177078aac2ca32779f930edeab3e

    SHA512

    043d0ee42b634f9afbf6cf2c399fd4c7b6ff7a7bb107590ffadf39c36c7efd9d89d2b6b9bef9261cd36213b8c6f840a9270556e3dbaa5839c998728443310276

  • \Windows\SysWOW64\Fllaopcg.exe

    Filesize

    76KB

    MD5

    40e9b17b52362402260fe70dda280199

    SHA1

    72402c15741dee7469848936c27759f7110b6fc3

    SHA256

    bb12983b7243010fc854ca1db81384c33a9718d11dc764055dc2c80e2a944964

    SHA512

    510088c8236fb19eb1ba80a1486e12eb20fb5c6dcacf560f9996d4488334064d3e6eecd44bd53c2902e6488a968d8e74f20d79f4839e5bfedf5f9d7aee683038

  • \Windows\SysWOW64\Flnndp32.exe

    Filesize

    76KB

    MD5

    d3288668b1fcf692cf5db836761771c5

    SHA1

    b13ade01ca118d5e4d8599f6f580ac874caa09c4

    SHA256

    736f491d968fa2f940184c7a5f0d461511a340dc370150ae6cc9f63891cd7066

    SHA512

    dae723babf0faec21e56df967277b2fb872ece435d2499407eea8b0182b6830461ce234cb0b07c9292affd5887ba4343100433af7d8f5b302bedbd272a761581

  • memory/1804-84-0x0000000000400000-0x0000000000440000-memory.dmp

    Filesize

    256KB

  • memory/1804-79-0x0000000000400000-0x0000000000440000-memory.dmp

    Filesize

    256KB

  • memory/2112-89-0x0000000000400000-0x0000000000440000-memory.dmp

    Filesize

    256KB

  • memory/2112-27-0x0000000000400000-0x0000000000440000-memory.dmp

    Filesize

    256KB

  • memory/2112-35-0x00000000002A0000-0x00000000002E0000-memory.dmp

    Filesize

    256KB

  • memory/2172-53-0x0000000000220000-0x0000000000260000-memory.dmp

    Filesize

    256KB

  • memory/2172-86-0x0000000000400000-0x0000000000440000-memory.dmp

    Filesize

    256KB

  • memory/2532-85-0x0000000000400000-0x0000000000440000-memory.dmp

    Filesize

    256KB

  • memory/2680-61-0x0000000000220000-0x0000000000260000-memory.dmp

    Filesize

    256KB

  • memory/2680-88-0x0000000000400000-0x0000000000440000-memory.dmp

    Filesize

    256KB

  • memory/2820-19-0x0000000000400000-0x0000000000440000-memory.dmp

    Filesize

    256KB

  • memory/2880-0-0x0000000000400000-0x0000000000440000-memory.dmp

    Filesize

    256KB

  • memory/2880-12-0x0000000000220000-0x0000000000260000-memory.dmp

    Filesize

    256KB

  • memory/2880-87-0x0000000000400000-0x0000000000440000-memory.dmp

    Filesize

    256KB

  • memory/2880-18-0x0000000000220000-0x0000000000260000-memory.dmp

    Filesize

    256KB