Analysis
max time kernel: 23s
max time network: 18s
platform: windows7_x64
resource: win7-20241023-en
resource tags: arch:x64 arch:x86 image:win7-20241023-en locale:en-us os:windows7-x64 system
submitted: 10/11/2024, 15:50

Static task: static1
Behavioral task: behavioral1
  Sample: 4b919bf5bc905a2569c4c58587d8e5d4eaf857b350e8d45c085ec0befe7cd4a4N.exe
  Resource: win7-20241023-en
Behavioral task: behavioral2
  Sample: 4b919bf5bc905a2569c4c58587d8e5d4eaf857b350e8d45c085ec0befe7cd4a4N.exe
  Resource: win10v2004-20241007-en
General
Target: 4b919bf5bc905a2569c4c58587d8e5d4eaf857b350e8d45c085ec0befe7cd4a4N.exe
Size: 74KB
MD5: 6ad217e96c6a2b507d2700440901bc00
SHA1: 265b0c93b1fe0e10765d77114f7868054c36655e
SHA256: 4b919bf5bc905a2569c4c58587d8e5d4eaf857b350e8d45c085ec0befe7cd4a4
SHA512: 84db563f35629d1fe7ed9be709fa08a6e08012fcb2418cf793a7a116c73fb78a71faf49fb1cdcf30d9da5f0f85b0f8b0bd534d3d25d7b7ca8a118304e4664a2a
SSDEEP: 768:6hIiXBRmxWYbkLOj4p+W3KDwZ1edC/xbFFdH2q50HmSmCJejPxaFHkztZzWO3C6i:uXBREdzQNxZ1dpzcme8jkizV/Be
Malware Config
Extracted
berbew
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures

Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 4 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | 4b919bf5bc905a2569c4c58587d8e5d4eaf857b350e8d45c085ec0befe7cd4a4N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | 4b919bf5bc905a2569c4c58587d8e5d4eaf857b350e8d45c085ec0befe7cd4a4N.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cfnmfn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Cfnmfn32.exe
Berbew family

Executes dropped EXE (2 IoCs)
pid | Process
2912 | Cfnmfn32.exe
2420 | Cacacg32.exe
Loads dropped DLL (8 IoCs)
pid | Process
2932 | 4b919bf5bc905a2569c4c58587d8e5d4eaf857b350e8d45c085ec0befe7cd4a4N.exe
2932 | 4b919bf5bc905a2569c4c58587d8e5d4eaf857b350e8d45c085ec0befe7cd4a4N.exe
2912 | Cfnmfn32.exe
2912 | Cfnmfn32.exe
2540 | WerFault.exe
2540 | WerFault.exe
2540 | WerFault.exe
2540 | WerFault.exe
Drops file in System32 directory (6 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\Fdlpjk32.dll | Cfnmfn32.exe
File created | C:\Windows\SysWOW64\Cfnmfn32.exe | 4b919bf5bc905a2569c4c58587d8e5d4eaf857b350e8d45c085ec0befe7cd4a4N.exe
File opened for modification | C:\Windows\SysWOW64\Cfnmfn32.exe | 4b919bf5bc905a2569c4c58587d8e5d4eaf857b350e8d45c085ec0befe7cd4a4N.exe
File created | C:\Windows\SysWOW64\Mabanhgg.dll | 4b919bf5bc905a2569c4c58587d8e5d4eaf857b350e8d45c085ec0befe7cd4a4N.exe
File created | C:\Windows\SysWOW64\Cacacg32.exe | Cfnmfn32.exe
File opened for modification | C:\Windows\SysWOW64\Cacacg32.exe | Cfnmfn32.exe
Program crash (1 IoCs)
pid | pid_target | Process | procid_target
2540 | 2420 | WerFault.exe | 31
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 4b919bf5bc905a2569c4c58587d8e5d4eaf857b350e8d45c085ec0befe7cd4a4N.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cfnmfn32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cacacg32.exe
Modifies registry class (9 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | 4b919bf5bc905a2569c4c58587d8e5d4eaf857b350e8d45c085ec0befe7cd4a4N.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID | 4b919bf5bc905a2569c4c58587d8e5d4eaf857b350e8d45c085ec0befe7cd4a4N.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717} | 4b919bf5bc905a2569c4c58587d8e5d4eaf857b350e8d45c085ec0befe7cd4a4N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdlpjk32.dll" | Cfnmfn32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node | 4b919bf5bc905a2569c4c58587d8e5d4eaf857b350e8d45c085ec0befe7cd4a4N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mabanhgg.dll" | 4b919bf5bc905a2569c4c58587d8e5d4eaf857b350e8d45c085ec0befe7cd4a4N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | 4b919bf5bc905a2569c4c58587d8e5d4eaf857b350e8d45c085ec0befe7cd4a4N.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Cfnmfn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Cfnmfn32.exe
Suspicious use of WriteProcessMemory (12 IoCs)
description | pid | Process | procid_target
PID 2932 wrote to memory of 2912 | 2932 | 4b919bf5bc905a2569c4c58587d8e5d4eaf857b350e8d45c085ec0befe7cd4a4N.exe | 30
PID 2932 wrote to memory of 2912 | 2932 | 4b919bf5bc905a2569c4c58587d8e5d4eaf857b350e8d45c085ec0befe7cd4a4N.exe | 30
PID 2932 wrote to memory of 2912 | 2932 | 4b919bf5bc905a2569c4c58587d8e5d4eaf857b350e8d45c085ec0befe7cd4a4N.exe | 30
PID 2932 wrote to memory of 2912 | 2932 | 4b919bf5bc905a2569c4c58587d8e5d4eaf857b350e8d45c085ec0befe7cd4a4N.exe | 30
PID 2912 wrote to memory of 2420 | 2912 | Cfnmfn32.exe | 31
PID 2912 wrote to memory of 2420 | 2912 | Cfnmfn32.exe | 31
PID 2912 wrote to memory of 2420 | 2912 | Cfnmfn32.exe | 31
PID 2912 wrote to memory of 2420 | 2912 | Cfnmfn32.exe | 31
PID 2420 wrote to memory of 2540 | 2420 | Cacacg32.exe | 32
PID 2420 wrote to memory of 2540 | 2420 | Cacacg32.exe | 32
PID 2420 wrote to memory of 2540 | 2420 | Cacacg32.exe | 32
PID 2420 wrote to memory of 2540 | 2420 | Cacacg32.exe | 32
Processes

C:\Users\Admin\AppData\Local\Temp\4b919bf5bc905a2569c4c58587d8e5d4eaf857b350e8d45c085ec0befe7cd4a4N.exe (1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\4b919bf5bc905a2569c4c58587d8e5d4eaf857b350e8d45c085ec0befe7cd4a4N.exe"
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID: 2932

  C:\Windows\SysWOW64\Cfnmfn32.exe (2)
    Command line: C:\Windows\system32\Cfnmfn32.exe
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID: 2912

    C:\Windows\SysWOW64\Cacacg32.exe (3)
      Command line: C:\Windows\system32\Cacacg32.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 2420

      C:\Windows\SysWOW64\WerFault.exe (4)
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2420 -s 140
        - Loads dropped DLL
        - Program crash
        PID: 2540
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 74KB
MD5: 0aae5728a443385153f8daddd4ea3678
SHA1: 60f43a74a3930a1a47bbeaae03dc7cef8d82769a
SHA256: 369b446778564eb662599ffbd108ce0767b443d4327e9e27f234a06c67d433b3
SHA512: 4ba753ebb4be3cc77916716184e211284ba9714f35828908d7762ba5a868fa58217dab6e56e611696ebe6a516e77168b9544b8ce4613f17dadf056112b0de8ab

Filesize: 74KB
MD5: 00d74323524430edd4d5ea95cc831afe
SHA1: 0827749704f65f06cc199b2635088585e8192288
SHA256: 76131e84e1f2d5cb3862c0d908b2b65195fb407f9709433ef3a79f3418dd83cf
SHA512: c4db7a82122ab1a303899f9636a680a29c13c4bf538b01a8f1e0cdc31a5c718f27c9d131bada9adfc159fc27b2a85bb6be4dcd2e1950b50a1acfa46c191a8446