Analysis

max time kernel: 81s
max time network: 19s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 12/11/2024, 11:59
Static task: static1
Behavioral task: behavioral1
  Sample: a1332a0636f37cef9dbc9df500138b5de351277f45195bee83743d9fd10ff8abN.exe
  Resource: win7-20241010-en
Behavioral task: behavioral2
  Sample: a1332a0636f37cef9dbc9df500138b5de351277f45195bee83743d9fd10ff8abN.exe
  Resource: win10v2004-20241007-en
General

Target: a1332a0636f37cef9dbc9df500138b5de351277f45195bee83743d9fd10ff8abN.exe
Size: 1.1MB
MD5: c2739294e9b92637af3080190fd352b0
SHA1: 36ca507da1572a385b383f18759ecca431f67bd6
SHA256: a1332a0636f37cef9dbc9df500138b5de351277f45195bee83743d9fd10ff8ab
SHA512: 97a1bb6af08daf1224fed5ff83763f4badbdb1b73a7eb3fcd7b24241f6431070a953ee6901052e825561484bd6cc6dabb817979a5bf59ebd60e04b58a4cbc6d3
SSDEEP: 12288:Yu/Ng1/Nmr/Ng1/Nblt01PBNkEoILCltC:YPlkcEpelk
Malware Config

Extracted family: berbew
URLs from the extracted configuration:
http://crutop.nu/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://master-x.com/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://crutop.ru/index.php
http://kaspersky.ru/index.php
http://color-bank.ru/index.php
http://adult-empire.com/index.php
http://virus-list.com/index.php
http://trojan.ru/index.php
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://fethard.biz/index.htm
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://kaspersky.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
Signatures

Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 10 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | a1332a0636f37cef9dbc9df500138b5de351277f45195bee83743d9fd10ff8abN.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Llbconkd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Llbconkd.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lghgmg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Lghgmg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | a1332a0636f37cef9dbc9df500138b5de351277f45195bee83743d9fd10ff8abN.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Llepen32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Llepen32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Liipnb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Liipnb32.exe

Berbew family

Executes dropped EXE (5 IoCs)
pid | Process
1636 | Llbconkd.exe
2756 | Lghgmg32.exe
2716 | Llepen32.exe
2888 | Liipnb32.exe
2660 | Lepaccmo.exe

Loads dropped DLL (14 IoCs)
pid | Process
3040 | a1332a0636f37cef9dbc9df500138b5de351277f45195bee83743d9fd10ff8abN.exe (2 events)
1636 | Llbconkd.exe (2 events)
2756 | Lghgmg32.exe (2 events)
2716 | Llepen32.exe (2 events)
2888 | Liipnb32.exe (2 events)
2632 | WerFault.exe (4 events)

Drops file in System32 directory (15 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\Llbconkd.exe | a1332a0636f37cef9dbc9df500138b5de351277f45195bee83743d9fd10ff8abN.exe
File opened for modification | C:\Windows\SysWOW64\Llepen32.exe | Lghgmg32.exe
File opened for modification | C:\Windows\SysWOW64\Liipnb32.exe | Llepen32.exe
File opened for modification | C:\Windows\SysWOW64\Lepaccmo.exe | Liipnb32.exe
File created | C:\Windows\SysWOW64\Oldhgaef.dll | Liipnb32.exe
File created | C:\Windows\SysWOW64\Llbconkd.exe | a1332a0636f37cef9dbc9df500138b5de351277f45195bee83743d9fd10ff8abN.exe
File opened for modification | C:\Windows\SysWOW64\Lghgmg32.exe | Llbconkd.exe
File created | C:\Windows\SysWOW64\Llepen32.exe | Lghgmg32.exe
File created | C:\Windows\SysWOW64\Liipnb32.exe | Llepen32.exe
File created | C:\Windows\SysWOW64\Lghgmg32.exe | Llbconkd.exe
File created | C:\Windows\SysWOW64\Mcbniafn.dll | Lghgmg32.exe
File created | C:\Windows\SysWOW64\Gcakqmpi.dll | a1332a0636f37cef9dbc9df500138b5de351277f45195bee83743d9fd10ff8abN.exe
File created | C:\Windows\SysWOW64\Ogegmkqk.dll | Llbconkd.exe
File created | C:\Windows\SysWOW64\Iaimld32.dll | Llepen32.exe
File created | C:\Windows\SysWOW64\Lepaccmo.exe | Liipnb32.exe

Program crash (1 IoC)
pid | pid_target | Process
2632 | 2660 | WerFault.exe
System Location Discovery: System Language Discovery (1 TTP, 6 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Llepen32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Liipnb32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Lepaccmo.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | a1332a0636f37cef9dbc9df500138b5de351277f45195bee83743d9fd10ff8abN.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Llbconkd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Lghgmg32.exe
Modifies registry class (18 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Llbconkd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Llepen32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID | a1332a0636f37cef9dbc9df500138b5de351277f45195bee83743d9fd10ff8abN.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcakqmpi.dll" | a1332a0636f37cef9dbc9df500138b5de351277f45195bee83743d9fd10ff8abN.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mcbniafn.dll" | Lghgmg32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Liipnb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oldhgaef.dll" | Liipnb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Liipnb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | a1332a0636f37cef9dbc9df500138b5de351277f45195bee83743d9fd10ff8abN.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iaimld32.dll" | Llepen32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | a1332a0636f37cef9dbc9df500138b5de351277f45195bee83743d9fd10ff8abN.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node | a1332a0636f37cef9dbc9df500138b5de351277f45195bee83743d9fd10ff8abN.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738} | a1332a0636f37cef9dbc9df500138b5de351277f45195bee83743d9fd10ff8abN.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogegmkqk.dll" | Llbconkd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Llbconkd.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Lghgmg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Lghgmg32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Llepen32.exe
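The ShellServiceObjectDelayLoad (SSODL) rows and the CLSID\InProcServer32 rows above describe one persistence mechanism: at logon Explorer.exe reads each value under SSODL, treats the value data as a CLSID, and loads that CLSID's InProcServer32 DLL into its own process. Every process in this chain wrote the same value name ("Web Event Logger") and the same CLSID but pointed InProcServer32 at a different DLL it had just dropped into SysWOW64. The following is an added example (my code, not the sandbox's or the malware's) that correlates the report's events to resolve each SSODL write to the DLL the same process registered, checks that the process also created that DLL on disk, and picks the DLL Explorer will end up loading. The event tuples are constructed from the tables above in my own (op, key, value, process) shape; the chain order is taken from the process tree and the "last writer wins" step assumes each process finished its registry writes before its child ran, which the report's unordered tables do not prove.

```python
import re

# Constructed from the "Adds autorun key", "Modifies registry class" and "Drops file in System32
# directory" tables of the report, in my own (op, key, value, process) shape; not the sandbox's
# export format.
DROPPER = "a1332a0636f37cef9dbc9df500138b5de351277f45195bee83743d9fd10ff8abN.exe"
SSODL = r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad"
CLSID = r"\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID"
GUID = "{79FEACFF-FFCE-815E-A900-316290B5B738}"


def inproc_default(guid):
    # The report prints a key's (Default) value as the key path plus a trailing backslash.
    return f"{CLSID}\\{guid}\\InProcServer32\\"


# Deliberately in the report's (non-chronological) order; the logic must not depend on it.
REGISTRY_EVENTS = [
    ("Key created", SSODL, None, DROPPER),
    ("Set value (str)", f"{SSODL}\\Web Event Logger", GUID, "Llbconkd.exe"),
    ("Set value (str)", inproc_default(GUID), r"C:\Windows\SysWow64\Ogegmkqk.dll", "Llbconkd.exe"),
    ("Set value (str)", inproc_default(GUID) + "ThreadingModel", "Apartment", "Llbconkd.exe"),
    ("Set value (str)", f"{SSODL}\\Web Event Logger", GUID, "Lghgmg32.exe"),
    ("Set value (str)", inproc_default(GUID), r"C:\Windows\SysWow64\Mcbniafn.dll", "Lghgmg32.exe"),
    ("Set value (str)", f"{SSODL}\\Web Event Logger", GUID, DROPPER),
    ("Key created", f"{CLSID}\\{GUID}\\InProcServer32", None, DROPPER),
    ("Set value (str)", inproc_default(GUID), r"C:\Windows\SysWow64\Gcakqmpi.dll", DROPPER),
    ("Set value (str)", f"{SSODL}\\Web Event Logger", GUID, "Llepen32.exe"),
    ("Set value (str)", inproc_default(GUID), r"C:\Windows\SysWow64\Iaimld32.dll", "Llepen32.exe"),
    ("Set value (str)", f"{SSODL}\\Web Event Logger", GUID, "Liipnb32.exe"),
    ("Set value (str)", inproc_default(GUID), r"C:\Windows\SysWow64\Oldhgaef.dll", "Liipnb32.exe"),
]

# (op, path, process); note the file table spells SysWOW64 while the registry values say SysWow64.
FILE_EVENTS = [
    ("File created", r"C:\Windows\SysWOW64\Gcakqmpi.dll", DROPPER),
    ("File created", r"C:\Windows\SysWOW64\Ogegmkqk.dll", "Llbconkd.exe"),
    ("File created", r"C:\Windows\SysWOW64\Mcbniafn.dll", "Lghgmg32.exe"),
    ("File created", r"C:\Windows\SysWOW64\Iaimld32.dll", "Llepen32.exe"),
    ("File created", r"C:\Windows\SysWOW64\Oldhgaef.dll", "Liipnb32.exe"),
    ("File created", r"C:\Windows\SysWOW64\Llbconkd.exe", DROPPER),
]

# Root-to-leaf order from the process tree; Lepaccmo.exe crashed before registering anything.
PROCESS_CHAIN = [DROPPER, "Llbconkd.exe", "Lghgmg32.exe", "Llepen32.exe", "Liipnb32.exe", "Lepaccmo.exe"]

SSODL_RE = re.compile(re.escape(SSODL) + r"\\(?P<name>[^\\]+)$", re.I)
INPROC_RE = re.compile(re.escape(CLSID) + r"\\(?P<clsid>\{[0-9A-F-]{36}\})\\InProcServer32\\$", re.I)


def resolve_ssodl(registry_events, file_events):
    """For each SSODL value written, resolve its CLSID to the InProcServer32 DLL registered by the
    *same* process and check whether that process also created the DLL during the run. Pairing
    by process matters because every process overwrote the one CLSID with a different DLL path."""
    inproc = {}  # (process, CLSID) -> DLL path written as the InProcServer32 default
    for op, key, value, proc in registry_events:
        m = INPROC_RE.search(key)
        if op.startswith("Set value") and m:
            inproc[(proc, m.group("clsid").upper())] = value
    created = {(proc, path.lower()) for op, path, proc in file_events if op == "File created"}
    findings = []
    for op, key, value, proc in registry_events:
        m = SSODL_RE.search(key)
        if not (op.startswith("Set value") and m):
            continue
        clsid = value.upper()
        dll = inproc.get((proc, clsid))
        findings.append({
            "entry": m.group("name"), "clsid": clsid, "registered_by": proc, "dll": dll,
            # Windows paths are case-insensitive, so compare lower-cased strings.
            "dll_dropped_by_registrar": dll is not None and (proc, dll.lower()) in created,
        })
    return findings


def effective_dll(findings, process_chain):
    """The DLL Explorer will load: the write by the deepest process in the chain, on the
    assumption (mine; the report's tables are not time-ordered) that each process finished its
    registry writes before its child ran."""
    rank = {p: i for i, p in enumerate(process_chain)}
    last = max((f for f in findings if f["registered_by"] in rank), key=lambda f: rank[f["registered_by"]])
    return last["dll"]


if __name__ == "__main__":
    found = resolve_ssodl(REGISTRY_EVENTS, FILE_EVENTS)
    for f in found:
        print(f"{f['registered_by']:>70}  ->  {f['dll']}  dropped_by_registrar={f['dll_dropped_by_registrar']}")
    print("effective at next logon:", effective_dll(found, PROCESS_CHAIN))
```

On a live host the equivalent check is to enumerate the SSODL values under both the native and the Wow6432Node hive paths, resolve each CLSID's InProcServer32 from HKCR, and treat any DLL that is not a Microsoft-signed system component (or that was created recently) as a finding; the per-process pairing above is only needed when reconstructing what happened from an event log.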
Suspicious use of WriteProcessMemory (24 IoCs)
description | pid | Process | procid_target
PID 3040 wrote to memory of 1636 | 3040 | a1332a0636f37cef9dbc9df500138b5de351277f45195bee83743d9fd10ff8abN.exe | 30 (4 events)
PID 1636 wrote to memory of 2756 | 1636 | Llbconkd.exe | 31 (4 events)
PID 2756 wrote to memory of 2716 | 2756 | Lghgmg32.exe | 32 (4 events)
PID 2716 wrote to memory of 2888 | 2716 | Llepen32.exe | 33 (4 events)
PID 2888 wrote to memory of 2660 | 2888 | Liipnb32.exe | 34 (4 events)
PID 2660 wrote to memory of 2632 | 2660 | Lepaccmo.exe | 35 (4 events)
Processes

C:\Users\Admin\AppData\Local\Temp\a1332a0636f37cef9dbc9df500138b5de351277f45195bee83743d9fd10ff8abN.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\a1332a0636f37cef9dbc9df500138b5de351277f45195bee83743d9fd10ff8abN.exe"
  PID: 3040
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\Llbconkd.exe
    command line: C:\Windows\system32\Llbconkd.exe
    PID: 1636
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\Lghgmg32.exe
      command line: C:\Windows\system32\Lghgmg32.exe
      PID: 2756
      - Adds autorun key to be loaded by Explorer.exe on startup
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in System32 directory
      - System Location Discovery: System Language Discovery
      - Modifies registry class
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\Llepen32.exe
        command line: C:\Windows\system32\Llepen32.exe
        PID: 2716
        - Adds autorun key to be loaded by Explorer.exe on startup
        - Executes dropped EXE
        - Loads dropped DLL
        - Drops file in System32 directory
        - System Location Discovery: System Language Discovery
        - Modifies registry class
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\Liipnb32.exe
          command line: C:\Windows\system32\Liipnb32.exe
          PID: 2888
          - Adds autorun key to be loaded by Explorer.exe on startup
          - Executes dropped EXE
          - Loads dropped DLL
          - Drops file in System32 directory
          - System Location Discovery: System Language Discovery
          - Modifies registry class
          - Suspicious use of WriteProcessMemory
          C:\Windows\SysWOW64\Lepaccmo.exe
            command line: C:\Windows\system32\Lepaccmo.exe
            PID: 2660
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
            C:\Windows\SysWOW64\WerFault.exe
              command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2660 -s 140
              PID: 2632
              - Loads dropped DLL
              - Program crash
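The tree above is the readable form of three tables: each parent "wrote to memory of" its child, each parent created the child's image in SysWOW64, and WerFault.exe reported on PID 2660. (The command lines say C:\Windows\system32 while the image paths are C:\Windows\SysWOW64: these are 32-bit processes under WOW64 file-system redirection.) The following is an added example (my code, not the sandbox's) that rebuilds the tree from those tables, collapses the four identical WriteProcessMemory rows per pair to one edge, marks each child as dropped by its parent only when the parent's own "File created" event names the child's image, and keeps the crash handler out of that count (Lepaccmo.exe wrote to WerFault.exe's memory but did not drop it). The input tuples are constructed from the tables above in my own shape.

```python
import ntpath
from collections import defaultdict

# Constructed from the report's WriteProcessMemory, "Drops file in System32 directory", "Executes
# dropped EXE" and "Program crash" tables, in my own tuple shapes; not the sandbox's export format.
DROPPER = "a1332a0636f37cef9dbc9df500138b5de351277f45195bee83743d9fd10ff8abN.exe"

# pid -> image name
PIDS = {3040: DROPPER, 1636: "Llbconkd.exe", 2756: "Lghgmg32.exe", 2716: "Llepen32.exe",
        2888: "Liipnb32.exe", 2660: "Lepaccmo.exe", 2632: "WerFault.exe"}

# (source pid, target pid); the report lists every pair four times, reproduced here as-is
WPM_EVENTS = ([(3040, 1636)] * 4 + [(1636, 2756)] * 4 + [(2756, 2716)] * 4
              + [(2716, 2888)] * 4 + [(2888, 2660)] * 4 + [(2660, 2632)] * 4)

# (op, path, process); only the EXE rows are needed for the dropper check
FILE_EVENTS = [
    ("File created", r"C:\Windows\SysWOW64\Llbconkd.exe", DROPPER),
    ("File opened for modification", r"C:\Windows\SysWOW64\Llbconkd.exe", DROPPER),
    ("File created", r"C:\Windows\SysWOW64\Lghgmg32.exe", "Llbconkd.exe"),
    ("File created", r"C:\Windows\SysWOW64\Llepen32.exe", "Lghgmg32.exe"),
    ("File created", r"C:\Windows\SysWOW64\Liipnb32.exe", "Llepen32.exe"),
    ("File created", r"C:\Windows\SysWOW64\Lepaccmo.exe", "Liipnb32.exe"),
]

# (WerFault pid, crashed pid)
CRASHES = [(2632, 2660)]


def build_edges(wpm_events):
    """Parent -> children from 'wrote to memory of' rows. Repeated rows for one (src, dst) pair
    collapse to a single edge; roots are sources that never appear as a target."""
    children = defaultdict(list)
    targets = set()
    for src, dst in wpm_events:
        if dst not in children[src]:
            children[src].append(dst)
        targets.add(dst)
    roots = [p for p in children if p not in targets]
    return children, roots


def analyse_chain(wpm_events=WPM_EVENTS, pids=PIDS, file_events=FILE_EVENTS, crashes=CRASHES):
    """Depth-first listing of the tree. 'dropped_by_parent' is True only when the parent's own
    'File created' event names the child's image (lower-cased basenames, since Windows paths are
    case-insensitive). 'crashed' marks the processes WerFault reported on."""
    children, roots = build_edges(wpm_events)
    created = {(proc, ntpath.basename(path).lower())
               for op, path, proc in file_events if op == "File created"}
    crashed = {victim for _, victim in crashes}
    rows = []

    def visit(pid, parent, depth):
        image = pids[pid]
        rows.append({
            "depth": depth, "pid": pid, "image": image, "parent": parent,
            "dropped_by_parent": parent is not None and (pids[parent], image.lower()) in created,
            "crashed": pid in crashed,
        })
        for child in children.get(pid, []):
            visit(child, pid, depth + 1)

    for root in roots:
        visit(root, None, 0)
    return rows


def dropper_generations(rows):
    """Number of self-copies that ran: children whose parent wrote their image to disk."""
    return sum(1 for r in rows if r["dropped_by_parent"])


if __name__ == "__main__":
    rows = analyse_chain()
    for r in rows:
        flags = (" [dropped by parent]" if r["dropped_by_parent"] else "") + (" [crashed]" if r["crashed"] else "")
        print("  " * r["depth"] + f"{r['pid']} {r['image']}{flags}")
    print("dropper generations:", dropper_generations(rows))
```

The generation count is what distinguishes this from a single dropper: five successive copies each wrote the next one into SysWOW64 and started it, and the chain only ended because the sixth copy crashed, so a rule that counts "parent created child's image" edges per tree catches the pattern without knowing any of the random file names.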
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 1.1MB
MD5: d6f832ff032154925fc7421b7fe37e03
SHA1: b0200c3c3da13b1f8fd304bed000de7989970b8c
SHA256: 21ca72f43945988f4e1f8de33662ca9a80837106ea3a21003d8c52cb5e9312e4
SHA512: 036f71971f7045259ec81c89385ddd4a1cc410c62671ac1fc47591a0416949332b51d3dc12bbd6a36f98e713694835991a5ed37e3f65ddd127d1bf56e2cee498

Filesize: 1.1MB
MD5: 69e264453f8c38d6f34447e9531f18cf
SHA1: ffa06d87d7da43562b3b9b4eca389cf2c83bb420
SHA256: 1aad5c7ab62920880b5ef7ec127bf70b0185847a41f1fbf323e025a9043845c2
SHA512: b720d0343b618c3f87de42abccb62bf7eee14fa37615f5ecf969b15c697c075215d45b4d3988accfceef551452e9416794ea23f3e68b7114dc58230e841ed803

Filesize: 1.1MB
MD5: 007dae0ab367d80ecc48f296144d28a4
SHA1: f6a8f4995b28d5ab5d6680a2aa0f9b9ba5c405fd
SHA256: 282c13980fddbe3ffba32f2a36c216fb56db6f69ad1c30f9e6ddee580dee9f3a
SHA512: 2ad6e5be663db472d2d7f77f9b81098bc8cced8b01373562c7702b43563b3b977b7ccf3bdc0fc5abf12f6863b8ce9f0c1f2e336de3172694aafb8062459de840

Filesize: 1.1MB
MD5: 58a8db1392a8cdd512ab9c59d953cdba
SHA1: 3595fc3f76e3c86d6ab30fc8f8637007bca2ff14
SHA256: eed02f89489a719cf3cda33a51fc203db01fd24c9f326bd4a2f2c095a7666757
SHA512: 485e831f71d974e10b39386b9cbd3a256be95dff5e847ff2b0170330f1312fc773573f96d6141ad24518411531dff2531e09aa1ad365f97c20f4ecd3c3fc73e8

Filesize: 1.1MB
MD5: 43df2e7f4779d0aee4c75f97cbc03a9e
SHA1: 7a1d69dab5c9f9ff71932c8afd49c82a00d0698d
SHA256: 5759c89778e21d0bc3bf5d746c68c9d6863c8ed1e9786d3f3bded23e95b0de19
SHA512: ea49f34f46fc8966928bfe75eba7080b4bfa77cb1755f71100938d3a2792f1e49a18d5c2e2c0f61592daf00a834ed00c89203ead5a256377208fc904f8bc1e21