Analysis
max time kernel: 61s
max time network: 18s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 10/11/2024, 14:09
Static task: static1
Behavioral task: behavioral1
  Sample: 009638bf580460ba88232d0d6e6dc301d2c1c41e5215894260e9930557a2aa2cN.exe
  Resource: win7-20241010-en
Behavioral task: behavioral2
  Sample: 009638bf580460ba88232d0d6e6dc301d2c1c41e5215894260e9930557a2aa2cN.exe
  Resource: win10v2004-20241007-en
General
Target: 009638bf580460ba88232d0d6e6dc301d2c1c41e5215894260e9930557a2aa2cN.exe
Size: 76KB
MD5: 86b9999a4a235204fe8bd449b79ef370
SHA1: bc900fbca24b9d61812254741bc3d5481b89bb7f
SHA256: 009638bf580460ba88232d0d6e6dc301d2c1c41e5215894260e9930557a2aa2c
SHA512: 7d49f9c965e9291e844337ea9d1f0fc241c519502ba3b6224d2342acfc7016755a5960665021d9956ee3dbdb1f879b30427a41459e5e043fcfafed338d20fc8d
SSDEEP: 1536:Q9Cjczvi/FZvqtHXof8xbs3/djS4dxeQqUHHioQV+/eCeyvCQ:JYvi/Ft43of8+3FjS4d0tUHHrk+
Malware Config
Extracted family: berbew
Extracted URLs (C2 / check-in list as reported by the sandbox):
Signatures

Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 12 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Fllaopcg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Egcfdn32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Eqkjmcmq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Eqkjmcmq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ebockkal.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Efmlqigc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Efmlqigc.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fllaopcg.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | 009638bf580460ba88232d0d6e6dc301d2c1c41e5215894260e9930557a2aa2cN.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | 009638bf580460ba88232d0d6e6dc301d2c1c41e5215894260e9930557a2aa2cN.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Egcfdn32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ebockkal.exe

Berbew family
Executes dropped EXE (6 IoCs)
pid | Process
2820 | Egcfdn32.exe
2112 | Eqkjmcmq.exe
2172 | Ebockkal.exe
2680 | Efmlqigc.exe
2532 | Fllaopcg.exe
1804 | Flnndp32.exe
Loads dropped DLL (16 IoCs)
pid | Process
2880 | 009638bf580460ba88232d0d6e6dc301d2c1c41e5215894260e9930557a2aa2cN.exe
2880 | 009638bf580460ba88232d0d6e6dc301d2c1c41e5215894260e9930557a2aa2cN.exe
2820 | Egcfdn32.exe
2820 | Egcfdn32.exe
2112 | Eqkjmcmq.exe
2112 | Eqkjmcmq.exe
2172 | Ebockkal.exe
2172 | Ebockkal.exe
2680 | Efmlqigc.exe
2680 | Efmlqigc.exe
2532 | Fllaopcg.exe
2532 | Fllaopcg.exe
2092 | WerFault.exe
2092 | WerFault.exe
2092 | WerFault.exe
2092 | WerFault.exe
Drops file in System32 directory (18 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\Egcfdn32.exe | 009638bf580460ba88232d0d6e6dc301d2c1c41e5215894260e9930557a2aa2cN.exe
File opened for modification | C:\Windows\SysWOW64\Eqkjmcmq.exe | Egcfdn32.exe
File created | C:\Windows\SysWOW64\Nlaaie32.dll | Ebockkal.exe
File created | C:\Windows\SysWOW64\Fllaopcg.exe | Efmlqigc.exe
File created | C:\Windows\SysWOW64\Fpkljm32.dll | Efmlqigc.exe
File created | C:\Windows\SysWOW64\Onndkg32.dll | Fllaopcg.exe
File opened for modification | C:\Windows\SysWOW64\Egcfdn32.exe | 009638bf580460ba88232d0d6e6dc301d2c1c41e5215894260e9930557a2aa2cN.exe
File created | C:\Windows\SysWOW64\Cpokpklp.dll | 009638bf580460ba88232d0d6e6dc301d2c1c41e5215894260e9930557a2aa2cN.exe
File created | C:\Windows\SysWOW64\Jacgio32.dll | Egcfdn32.exe
File created | C:\Windows\SysWOW64\Bdnnjcdh.dll | Eqkjmcmq.exe
File created | C:\Windows\SysWOW64\Eqkjmcmq.exe | Egcfdn32.exe
File opened for modification | C:\Windows\SysWOW64\Efmlqigc.exe | Ebockkal.exe
File opened for modification | C:\Windows\SysWOW64\Fllaopcg.exe | Efmlqigc.exe
File opened for modification | C:\Windows\SysWOW64\Flnndp32.exe | Fllaopcg.exe
File created | C:\Windows\SysWOW64\Ebockkal.exe | Eqkjmcmq.exe
File opened for modification | C:\Windows\SysWOW64\Ebockkal.exe | Eqkjmcmq.exe
File created | C:\Windows\SysWOW64\Efmlqigc.exe | Ebockkal.exe
File created | C:\Windows\SysWOW64\Flnndp32.exe | Fllaopcg.exe
Program crash (1 IoCs)
pid | pid_target | Process | procid_target
2092 | 1804 | WerFault.exe | 35
System Location Discovery: System Language Discovery (1 TTPs, 7 IoCs)
Attempts to gather information about the system language of a victim host in order to infer that host's geographical location.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 009638bf580460ba88232d0d6e6dc301d2c1c41e5215894260e9930557a2aa2cN.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Egcfdn32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Eqkjmcmq.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ebockkal.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Efmlqigc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fllaopcg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Flnndp32.exe
Modifies registry class (21 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Efmlqigc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onndkg32.dll" | Fllaopcg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node | 009638bf580460ba88232d0d6e6dc301d2c1c41e5215894260e9930557a2aa2cN.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738} | 009638bf580460ba88232d0d6e6dc301d2c1c41e5215894260e9930557a2aa2cN.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpokpklp.dll" | 009638bf580460ba88232d0d6e6dc301d2c1c41e5215894260e9930557a2aa2cN.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Eqkjmcmq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdnnjcdh.dll" | Eqkjmcmq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlaaie32.dll" | Ebockkal.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | 009638bf580460ba88232d0d6e6dc301d2c1c41e5215894260e9930557a2aa2cN.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Egcfdn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Fllaopcg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | 009638bf580460ba88232d0d6e6dc301d2c1c41e5215894260e9930557a2aa2cN.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ebockkal.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ebockkal.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpkljm32.dll" | Efmlqigc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Efmlqigc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID | 009638bf580460ba88232d0d6e6dc301d2c1c41e5215894260e9930557a2aa2cN.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jacgio32.dll" | Egcfdn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Egcfdn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Eqkjmcmq.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Fllaopcg.exe
Suspicious use of WriteProcessMemory (28 IoCs)
description | pid | Process | procid_target
PID 2880 wrote to memory of 2820 | 2880 | 009638bf580460ba88232d0d6e6dc301d2c1c41e5215894260e9930557a2aa2cN.exe | 30
PID 2880 wrote to memory of 2820 | 2880 | 009638bf580460ba88232d0d6e6dc301d2c1c41e5215894260e9930557a2aa2cN.exe | 30
PID 2880 wrote to memory of 2820 | 2880 | 009638bf580460ba88232d0d6e6dc301d2c1c41e5215894260e9930557a2aa2cN.exe | 30
PID 2880 wrote to memory of 2820 | 2880 | 009638bf580460ba88232d0d6e6dc301d2c1c41e5215894260e9930557a2aa2cN.exe | 30
PID 2820 wrote to memory of 2112 | 2820 | Egcfdn32.exe | 31
PID 2820 wrote to memory of 2112 | 2820 | Egcfdn32.exe | 31
PID 2820 wrote to memory of 2112 | 2820 | Egcfdn32.exe | 31
PID 2820 wrote to memory of 2112 | 2820 | Egcfdn32.exe | 31
PID 2112 wrote to memory of 2172 | 2112 | Eqkjmcmq.exe | 32
PID 2112 wrote to memory of 2172 | 2112 | Eqkjmcmq.exe | 32
PID 2112 wrote to memory of 2172 | 2112 | Eqkjmcmq.exe | 32
PID 2112 wrote to memory of 2172 | 2112 | Eqkjmcmq.exe | 32
PID 2172 wrote to memory of 2680 | 2172 | Ebockkal.exe | 33
PID 2172 wrote to memory of 2680 | 2172 | Ebockkal.exe | 33
PID 2172 wrote to memory of 2680 | 2172 | Ebockkal.exe | 33
PID 2172 wrote to memory of 2680 | 2172 | Ebockkal.exe | 33
PID 2680 wrote to memory of 2532 | 2680 | Efmlqigc.exe | 34
PID 2680 wrote to memory of 2532 | 2680 | Efmlqigc.exe | 34
PID 2680 wrote to memory of 2532 | 2680 | Efmlqigc.exe | 34
PID 2680 wrote to memory of 2532 | 2680 | Efmlqigc.exe | 34
PID 2532 wrote to memory of 1804 | 2532 | Fllaopcg.exe | 35
PID 2532 wrote to memory of 1804 | 2532 | Fllaopcg.exe | 35
PID 2532 wrote to memory of 1804 | 2532 | Fllaopcg.exe | 35
PID 2532 wrote to memory of 1804 | 2532 | Fllaopcg.exe | 35
PID 1804 wrote to memory of 2092 | 1804 | Flnndp32.exe | 36
PID 1804 wrote to memory of 2092 | 1804 | Flnndp32.exe | 36
PID 1804 wrote to memory of 2092 | 1804 | Flnndp32.exe | 36
PID 1804 wrote to memory of 2092 | 1804 | Flnndp32.exe | 36
Processes (process tree; the bracketed number is the nesting depth)

[1] C:\Users\Admin\AppData\Local\Temp\009638bf580460ba88232d0d6e6dc301d2c1c41e5215894260e9930557a2aa2cN.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\009638bf580460ba88232d0d6e6dc301d2c1c41e5215894260e9930557a2aa2cN.exe"
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID: 2880

  [2] C:\Windows\SysWOW64\Egcfdn32.exe
      Command line: C:\Windows\system32\Egcfdn32.exe
      - Adds autorun key to be loaded by Explorer.exe on startup
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in System32 directory
      - System Location Discovery: System Language Discovery
      - Modifies registry class
      - Suspicious use of WriteProcessMemory
      PID: 2820

    [3] C:\Windows\SysWOW64\Eqkjmcmq.exe
        Command line: C:\Windows\system32\Eqkjmcmq.exe
        - Adds autorun key to be loaded by Explorer.exe on startup
        - Executes dropped EXE
        - Loads dropped DLL
        - Drops file in System32 directory
        - System Location Discovery: System Language Discovery
        - Modifies registry class
        - Suspicious use of WriteProcessMemory
        PID: 2112

      [4] C:\Windows\SysWOW64\Ebockkal.exe
          Command line: C:\Windows\system32\Ebockkal.exe
          - Adds autorun key to be loaded by Explorer.exe on startup
          - Executes dropped EXE
          - Loads dropped DLL
          - Drops file in System32 directory
          - System Location Discovery: System Language Discovery
          - Modifies registry class
          - Suspicious use of WriteProcessMemory
          PID: 2172

        [5] C:\Windows\SysWOW64\Efmlqigc.exe
            Command line: C:\Windows\system32\Efmlqigc.exe
            - Adds autorun key to be loaded by Explorer.exe on startup
            - Executes dropped EXE
            - Loads dropped DLL
            - Drops file in System32 directory
            - System Location Discovery: System Language Discovery
            - Modifies registry class
            - Suspicious use of WriteProcessMemory
            PID: 2680

          [6] C:\Windows\SysWOW64\Fllaopcg.exe
              Command line: C:\Windows\system32\Fllaopcg.exe
              - Adds autorun key to be loaded by Explorer.exe on startup
              - Executes dropped EXE
              - Loads dropped DLL
              - Drops file in System32 directory
              - System Location Discovery: System Language Discovery
              - Modifies registry class
              - Suspicious use of WriteProcessMemory
              PID: 2532

            [7] C:\Windows\SysWOW64\Flnndp32.exe
                Command line: C:\Windows\system32\Flnndp32.exe
                - Executes dropped EXE
                - System Location Discovery: System Language Discovery
                - Suspicious use of WriteProcessMemory
                PID: 1804

              [8] C:\Windows\SysWOW64\WerFault.exe
                  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1804 -s 140
                  - Loads dropped DLL
                  - Program crash
                  PID: 2092
Network
MITRE ATT&CK Enterprise v15
Downloads