Analysis

  • max time kernel
    119s
  • max time network
    17s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    12/11/2024, 11:46

General

  • Target

    d78ba548f0257562b3467e1319f40abc609b3d737c47868c5e669a8c8774eca8.exe

  • Size

    800KB

  • MD5

    1120ff8f1cf710453b191461704ca588

  • SHA1

    5b8c7b4f10d369e040dc143e83eedcca21451d63

  • SHA256

    d78ba548f0257562b3467e1319f40abc609b3d737c47868c5e669a8c8774eca8

  • SHA512

    26588bd2b3064f55ea37a2a00275957e35f7e640bda1eb4158b46bcdfd54cddc4da2a0606422a7682e8e16c096144d006303a09ed578de3be62d2ce73cda0426

  • SSDEEP

    12288:lTh/+zrWAI5KFum/+zrWAIAqWim/+zrWAI5KFHTP7rXFr/+zrWAI5KFum/+zrWAY:3m0BmmvFimm0MTP7hm0Bmmvy

Malware Config

Extracted

Family

berbew

C2

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

  • Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 14 IoCs
  • Berbew

    Berbew is a backdoor written in C++.

  • Berbew family
  • Executes dropped EXE 7 IoCs
  • Loads dropped DLL 18 IoCs
  • Drops file in System32 directory 21 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 24 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d78ba548f0257562b3467e1319f40abc609b3d737c47868c5e669a8c8774eca8.exe
    "C:\Users\Admin\AppData\Local\Temp\d78ba548f0257562b3467e1319f40abc609b3d737c47868c5e669a8c8774eca8.exe"
    1⤵
    • Adds autorun key to be loaded by Explorer.exe on startup
    • Loads dropped DLL
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2372
    • C:\Windows\SysWOW64\Cnkicn32.exe
      C:\Windows\system32\Cnkicn32.exe
      2⤵
      • Adds autorun key to be loaded by Explorer.exe on startup
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:2836
      • C:\Windows\SysWOW64\Ckoilb32.exe
        C:\Windows\system32\Ckoilb32.exe
        3⤵
        • Adds autorun key to be loaded by Explorer.exe on startup
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:3012
        • C:\Windows\SysWOW64\Cjfccn32.exe
          C:\Windows\system32\Cjfccn32.exe
          4⤵
          • Adds autorun key to be loaded by Explorer.exe on startup
          • Executes dropped EXE
          • Loads dropped DLL
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          • Suspicious use of WriteProcessMemory
          PID:2444
          • C:\Windows\SysWOW64\Dfdjhndl.exe
            C:\Windows\system32\Dfdjhndl.exe
            5⤵
            • Adds autorun key to be loaded by Explorer.exe on startup
            • Executes dropped EXE
            • Loads dropped DLL
            • Drops file in System32 directory
            • System Location Discovery: System Language Discovery
            • Modifies registry class
            • Suspicious use of WriteProcessMemory
            PID:2640
            • C:\Windows\SysWOW64\Edkcojga.exe
              C:\Windows\system32\Edkcojga.exe
              6⤵
              • Adds autorun key to be loaded by Explorer.exe on startup
              • Executes dropped EXE
              • Loads dropped DLL
              • Drops file in System32 directory
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              • Suspicious use of WriteProcessMemory
              PID:2780
              • C:\Windows\SysWOW64\Efaibbij.exe
                C:\Windows\system32\Efaibbij.exe
                7⤵
                • Adds autorun key to be loaded by Explorer.exe on startup
                • Executes dropped EXE
                • Loads dropped DLL
                • Drops file in System32 directory
                • System Location Discovery: System Language Discovery
                • Modifies registry class
                • Suspicious use of WriteProcessMemory
                PID:2208
                • C:\Windows\SysWOW64\Fkckeh32.exe
                  C:\Windows\system32\Fkckeh32.exe
                  8⤵
                  • Executes dropped EXE
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of WriteProcessMemory
                  PID:1692
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -u -p 1692 -s 140
                    9⤵
                    • Loads dropped DLL
                    • Program crash
                    PID:2988

Network

        MITRE ATT&CK Enterprise v15


        Downloads

        • C:\Windows\SysWOW64\Cjfccn32.exe

          Filesize

          800KB

          MD5

          9da85a3de9f09fe2af98fab9a74e48da

          SHA1

          231add6e42448efe5825ca3140ed2ab315c556be

          SHA256

          198b665cd0f96a26a8e89382f83ec8e846fdc68a82f91d4b0d004d180869d608

          SHA512

          4d3b085fd2ecdb89d6ff01782a8a8ca4e7142b9608686f6907723bc6c4ef39080d8c3fae1701e10596634f399a1197e5ea139ce0f187c14c94e21ff5c5499f78

        • C:\Windows\SysWOW64\Efaibbij.exe

          Filesize

          800KB

          MD5

          cbcea476aed52cc991bce70edf4da6d7

          SHA1

          fceb5d43ab4ab0168dece980ac51527c69447d4d

          SHA256

          ddc7de03824a6b49c0027b97e83aa8f9a5977e6c74e6f1e0e18423d6bc112d33

          SHA512

          2ce476d16fa5a706b978dba97e9a5fd2a4fe85ae4d2222003d68be82ff1cf19cc6625e074ee4d84949a8b924dfb787305d24a15706ef9c70b9d9877e9959852b

        • C:\Windows\SysWOW64\Gogcek32.dll

          Filesize

          7KB

          MD5

          00c6385db5befb9ca3104ac92293d8c1

          SHA1

          1315a00006d7ff8d61aa2ebe5513278854b68ef3

          SHA256

          aefe36dac950ef4f500b04e4f1bfb3caa954523bedbed92ff0a8d43a3a7b14db

          SHA512

          b3d09170920b34725e44e0a1ef60df889bd3305503760e9f5d909aed47e77eefdfe0573959da78f702adf4ccb53305fa96074508d70abc500235a5d2afb777f6

        • \Windows\SysWOW64\Ckoilb32.exe

          Filesize

          800KB

          MD5

          4774ed5757e22059713c292eadccd36d

          SHA1

          4653ae1c872c4a77dbac7dcec976b63f8ee276b3

          SHA256

          a304d603c43ad207ef79d7f98207a5e9a024bc3f744e3860d540276c7f4c4d21

          SHA512

          6e8a2d24ea8e7f9f83a86e6bae95752d2a45befb9ab07059b1ef3a1433ca9094cfd7281773eabd9cca1272372792ae510bd364c567c7cf9b5970e4ab7917834a

        • \Windows\SysWOW64\Cnkicn32.exe

          Filesize

          800KB

          MD5

          0fc837d901ce258147efd452cc09a421

          SHA1

          01910b713994031d237692edfbb57cf806de8008

          SHA256

          acd6be3a117b04ac04f2c521c8bc49ada88477a678fdf01e76a4392c5782f597

          SHA512

          9a2b555657dc24f8146a1a6d222fd22ef90174bc945abaea47690c29da70068c22a7502ee1adb877ba1586c9c60e71ce1709b818f724fc71e53619bc1dcb73c7

        • \Windows\SysWOW64\Dfdjhndl.exe

          Filesize

          800KB

          MD5

          d545d385753f060df8c87d84c6ab5f75

          SHA1

          df8019fd8ec7bf47a50778b6af6f0d0e1269a57e

          SHA256

          a3dce41303efefd1f02254b855d89dd932accd2251730ad2dc56f88bc37d43f8

          SHA512

          e7146b14975362a7659e673653f9a3f8d4e279e309bae2affde38b463cfc6406a856b102633a0b055ea3b12c2e2bccb0b84a12a8c286de09fe11e760b25f6248

        • \Windows\SysWOW64\Edkcojga.exe

          Filesize

          800KB

          MD5

          b3aa023ee7388e8da48fe40ebe6e13b3

          SHA1

          298d8704247ef68c7f51cf1a25796df1da4700b4

          SHA256

          474452dc0a899332114c0bb457895064099bdb0140a9e28347fa3d6dbafb66f4

          SHA512

          c3b3417762501eb580c2e8c20b98a08a28a7ac017b9a46e58dd031a615f3a60a075865984578b1d06929ef84ac8e1afb8b36f79dcd397d993a87d602775d15c1

        • \Windows\SysWOW64\Fkckeh32.exe

          Filesize

          800KB

          MD5

          c4264084c7fbb493c1d0c64103ea3929

          SHA1

          8dab0ef74c40cb9b17365846311471e77b3f486f

          SHA256

          572f4e3ef1e1ee44fe216663c70a5ca28bea104339e12de2b5e936d9f1e7b912

          SHA512

          f4df406a26616c86a8ce386bce10c760df38b8ca71045435e2fd3a0c5877fb653151d412d80597d1f84233a7e3b375794fe64396a50a0032cde35a9632f5efb4

        • memory/1692-109-0x0000000000400000-0x0000000000436000-memory.dmp

          Filesize

          216KB

        • memory/1692-98-0x0000000000400000-0x0000000000436000-memory.dmp

          Filesize

          216KB

        • memory/2208-108-0x0000000000400000-0x0000000000436000-memory.dmp

          Filesize

          216KB

        • memory/2208-97-0x0000000000260000-0x0000000000296000-memory.dmp

          Filesize

          216KB

        • memory/2372-0-0x0000000000400000-0x0000000000436000-memory.dmp

          Filesize

          216KB

        • memory/2372-107-0x0000000000400000-0x0000000000436000-memory.dmp

          Filesize

          216KB

        • memory/2372-12-0x0000000000270000-0x00000000002A6000-memory.dmp

          Filesize

          216KB

        • memory/2444-104-0x0000000000400000-0x0000000000436000-memory.dmp

          Filesize

          216KB

        • memory/2444-50-0x0000000000250000-0x0000000000286000-memory.dmp

          Filesize

          216KB

        • memory/2444-42-0x0000000000400000-0x0000000000436000-memory.dmp

          Filesize

          216KB

        • memory/2640-56-0x0000000000400000-0x0000000000436000-memory.dmp

          Filesize

          216KB

        • memory/2640-68-0x0000000000440000-0x0000000000476000-memory.dmp

          Filesize

          216KB

        • memory/2640-103-0x0000000000400000-0x0000000000436000-memory.dmp

          Filesize

          216KB

        • memory/2780-83-0x0000000000250000-0x0000000000286000-memory.dmp

          Filesize

          216KB

        • memory/2780-82-0x0000000000250000-0x0000000000286000-memory.dmp

          Filesize

          216KB

        • memory/2780-70-0x0000000000400000-0x0000000000436000-memory.dmp

          Filesize

          216KB

        • memory/2780-105-0x0000000000400000-0x0000000000436000-memory.dmp

          Filesize

          216KB

        • memory/2836-13-0x0000000000400000-0x0000000000436000-memory.dmp

          Filesize

          216KB

        • memory/2836-21-0x0000000000440000-0x0000000000476000-memory.dmp

          Filesize

          216KB

        • memory/2836-106-0x0000000000400000-0x0000000000436000-memory.dmp

          Filesize

          216KB

        • memory/3012-40-0x0000000000250000-0x0000000000286000-memory.dmp

          Filesize

          216KB

        • memory/3012-32-0x0000000000400000-0x0000000000436000-memory.dmp

          Filesize

          216KB

        • memory/3012-41-0x0000000000250000-0x0000000000286000-memory.dmp

          Filesize

          216KB