Analysis

max time kernel: 119s
max time network: 16s
platform: windows7_x64
resource: win7-20240729-en
resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
submitted: 12/11/2024, 12:11
Static task: static1
Behavioral task: behavioral1
  Sample: 544f880f272b96be85cbeb060473a950f4ffc97382cf202f7066faf55c1aa09eN.exe
  Resource: win7-20240729-en
Behavioral task: behavioral2
  Sample: 544f880f272b96be85cbeb060473a950f4ffc97382cf202f7066faf55c1aa09eN.exe
  Resource: win10v2004-20241007-en
General

Target: 544f880f272b96be85cbeb060473a950f4ffc97382cf202f7066faf55c1aa09eN.exe
Size: 144KB
MD5: 2ba51d4765d738b5c59c21b41dfd325d
SHA1: df484001e8c903ea8b8f71a3e81af48291bbd19b
SHA256: 514d7b3867e25671e7a712c8001ed5f2bad3af24aedf25cbfa025d339e2d8ba0
SHA512: 1f40c9656c646172162bafce736b726c2a9b40ef8d1fed3ecb0413038f1723d7a0e9e920680d69b439268b9ec3f27d4bc63f5008ec54a552dbb0deb95c7d3f91
SSDEEP: 3072:t6aXuhpHfpvM4hhqBRzWwdlWLhR1zdH13+EE+RaZ6r+GDZnBcVx:cfxvMdH2b1zd5IF6rfBBcVx
Malware Config

Extracted family: berbew
URLs (as extracted; the third is a printf-style template):
- http://f/wcmd.htm
- http://f/ppslog.php
- http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
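The third extracted URL is a printf-style template (%s, %i, %09u, %02d) and all three carry the placeholder host "f", so a hunt through proxy logs should key on the shape of the path and query rather than on the host. The Python below is an added example, not part of the sandbox report and not the malware's own code: it compiles each template into an anchored regex and runs the result over a few constructed proxy log lines (the 203.0.113.10 address and the field values are made up for the example). It assumes that %s fields never contain the ":" separator.

```python
import re

# Beacon URL templates, exactly as the sandbox extracted them from the sample's config.
BERBEW_URL_FORMATS = [
    "http://f/wcmd.htm",
    "http://f/ppslog.php",
    "http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d",
]

_SPEC = re.compile(r"%(0?)(\d*)([sdiu])")     # the printf conversions used in the config
_HOST = re.compile(r"^[a-z]+://[^/]+", re.I)  # scheme + host prefix of a URL


def format_to_regex(fmt):
    """Compile a printf-style URL template into an anchored regex.

    %s          -> one or more characters that are not a ':' field separator (assumption)
    %i / %d     -> optionally signed integer
    %u          -> unsigned integer
    %09u, %02d  -> exactly that many digits (the zero-padded width is enforced)
    Literal text is escaped, so '.' and '?' in the path match only themselves.
    """
    parts, pos = [], 0
    for m in _SPEC.finditer(fmt):
        parts.append(re.escape(fmt[pos:m.start()]))
        zero, width, conv = m.groups()
        if conv == "s":
            parts.append(r"[^:/?&\s]+")
        elif zero and width:
            parts.append(r"\d{%d}" % int(width))
        elif conv == "u":
            parts.append(r"\d+")
        else:
            parts.append(r"-?\d+")
        pos = m.end()
    parts.append(re.escape(fmt[pos:]))
    return re.compile("^" + "".join(parts) + "$")


def beacon_regex(fmt):
    """Regex for the path+query of a template; the host is dropped because the
    extracted config only carries the placeholder host 'f'."""
    return format_to_regex(_HOST.sub("", fmt))


# Constructed proxy log lines (Squid-like: timestamp client method url status).
# 203.0.113.10 is a documentation address standing in for an unknown C2 host.
SAMPLE_PROXY_LOG = [
    "1733918400.123 10.0.0.5 GET http://203.0.113.10/piplog.php?WIN7-PC:1:0:Admin:000123456:7:12:11:24 200",
    "1733918401.456 10.0.0.5 GET http://203.0.113.10/wcmd.htm 200",
    "1733918402.789 10.0.0.6 GET http://example.com/index.html 200",
    # same path but the %09u field has only three digits: must NOT match
    "1733918403.000 10.0.0.7 GET http://203.0.113.10/piplog.php?WIN7-PC:1:0:Admin:123:7:12:11:24 200",
]

_LOG = re.compile(r"^\S+\s+(?P<client>\S+)\s+\S+\s+(?P<url>\S+)")


def find_beacons(log_lines, formats=BERBEW_URL_FORMATS):
    """Return (client, url) for every log line whose path+query matches a template."""
    patterns = [beacon_regex(f) for f in formats]
    hits = []
    for line in log_lines:
        m = _LOG.match(line)
        if not m:
            continue
        path_query = _HOST.sub("", m.group("url"))
        if any(p.match(path_query) for p in patterns):
            hits.append((m.group("client"), m.group("url")))
    return hits


if __name__ == "__main__":
    for client, url in find_beacons(SAMPLE_PROXY_LOG):
        print("possible Berbew beacon from %s: %s" % (client, url))
```

Enforcing the zero-padded widths (%09u, %02d) is what keeps the pattern from matching every "something.php?a:b:c" URL; the fourth constructed line shows a near-miss being rejected. Widen the %s character class if a real log shows the malware putting ":" inside a string field.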
Signatures

Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 8 IoCs)
ShellServiceObjectDelayLoad values name CLSIDs that Explorer.exe instantiates when the shell starts, so the InProcServer32 DLL registered for {79FAA099-1BAE-816E-D711-115290CEE717} (see "Modifies registry class" below) is loaded into Explorer at every logon.
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Cnmfdb32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cmpgpond.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Cmpgpond.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | 544f880f272b96be85cbeb060473a950f4ffc97382cf202f7066faf55c1aa09eN.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | 544f880f272b96be85cbeb060473a950f4ffc97382cf202f7066faf55c1aa09eN.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cgcnghpl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Cgcnghpl.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cnmfdb32.exe

Berbew family
Executes dropped EXE (4 IoCs)
pid | process
1964 | Cgcnghpl.exe
2196 | Cnmfdb32.exe
2136 | Cmpgpond.exe
2592 | Dpapaj32.exe
Loads dropped DLL (11 IoCs)
pid | process
2856 | 544f880f272b96be85cbeb060473a950f4ffc97382cf202f7066faf55c1aa09eN.exe
2856 | 544f880f272b96be85cbeb060473a950f4ffc97382cf202f7066faf55c1aa09eN.exe
1964 | Cgcnghpl.exe
1964 | Cgcnghpl.exe
2196 | Cnmfdb32.exe
2196 | Cnmfdb32.exe
2136 | Cmpgpond.exe
2136 | Cmpgpond.exe
2636 | WerFault.exe
2636 | WerFault.exe
2636 | WerFault.exe
Drops file in System32 directory (14 IoCs)
description | ioc | process
File created | C:\Windows\SysWOW64\Pdkefp32.dll | Cmpgpond.exe
File opened for modification | C:\Windows\SysWOW64\ÿs.e¢e | Dpapaj32.exe
File created | C:\Windows\SysWOW64\Omakjj32.dll | 544f880f272b96be85cbeb060473a950f4ffc97382cf202f7066faf55c1aa09eN.exe
File created | C:\Windows\SysWOW64\Cnmfdb32.exe | Cgcnghpl.exe
File opened for modification | C:\Windows\SysWOW64\Dpapaj32.exe | Cmpgpond.exe
File opened for modification | C:\Windows\SysWOW64\Cnmfdb32.exe | Cgcnghpl.exe
File created | C:\Windows\SysWOW64\ÿs.e¢e | Dpapaj32.exe
File created | C:\Windows\SysWOW64\Cmpgpond.exe | Cnmfdb32.exe
File opened for modification | C:\Windows\SysWOW64\Cmpgpond.exe | Cnmfdb32.exe
File created | C:\Windows\SysWOW64\Dpapaj32.exe | Cmpgpond.exe
File created | C:\Windows\SysWOW64\Pcaibd32.dll | Cnmfdb32.exe
File created | C:\Windows\SysWOW64\Cgcnghpl.exe | 544f880f272b96be85cbeb060473a950f4ffc97382cf202f7066faf55c1aa09eN.exe
File opened for modification | C:\Windows\SysWOW64\Cgcnghpl.exe | 544f880f272b96be85cbeb060473a950f4ffc97382cf202f7066faf55c1aa09eN.exe
File created | C:\Windows\SysWOW64\Niebgj32.dll | Cgcnghpl.exe
Program crash (1 IoC)
pid | pid_target | process | procid_target
2636 | 2592 | WerFault.exe | 34
WerFault.exe (PID 2636) handled the crash of Dpapaj32.exe (PID 2592, procid 34), the last stage in the drop chain; that stage registered no autorun entry before it died.
System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 544f880f272b96be85cbeb060473a950f4ffc97382cf202f7066faf55c1aa09eN.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cgcnghpl.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cnmfdb32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cmpgpond.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dpapaj32.exe
Modifies registry class (15 IoCs)
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pcaibd32.dll" | Cnmfdb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Cnmfdb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdkefp32.dll" | Cmpgpond.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | 544f880f272b96be85cbeb060473a950f4ffc97382cf202f7066faf55c1aa09eN.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omakjj32.dll" | 544f880f272b96be85cbeb060473a950f4ffc97382cf202f7066faf55c1aa09eN.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Cgcnghpl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Cmpgpond.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID | 544f880f272b96be85cbeb060473a950f4ffc97382cf202f7066faf55c1aa09eN.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Cgcnghpl.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Cnmfdb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Niebgj32.dll" | Cgcnghpl.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Cmpgpond.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node | 544f880f272b96be85cbeb060473a950f4ffc97382cf202f7066faf55c1aa09eN.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717} | 544f880f272b96be85cbeb060473a950f4ffc97382cf202f7066faf55c1aa09eN.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | 544f880f272b96be85cbeb060473a950f4ffc97382cf202f7066faf55c1aa09eN.exe
Suspicious use of WriteProcessMemory (20 IoCs)
description | pid | process | procid_target
PID 2856 wrote to memory of 1964 | 2856 | 544f880f272b96be85cbeb060473a950f4ffc97382cf202f7066faf55c1aa09eN.exe | 31
PID 2856 wrote to memory of 1964 | 2856 | 544f880f272b96be85cbeb060473a950f4ffc97382cf202f7066faf55c1aa09eN.exe | 31
PID 2856 wrote to memory of 1964 | 2856 | 544f880f272b96be85cbeb060473a950f4ffc97382cf202f7066faf55c1aa09eN.exe | 31
PID 2856 wrote to memory of 1964 | 2856 | 544f880f272b96be85cbeb060473a950f4ffc97382cf202f7066faf55c1aa09eN.exe | 31
PID 1964 wrote to memory of 2196 | 1964 | Cgcnghpl.exe | 32
PID 1964 wrote to memory of 2196 | 1964 | Cgcnghpl.exe | 32
PID 1964 wrote to memory of 2196 | 1964 | Cgcnghpl.exe | 32
PID 1964 wrote to memory of 2196 | 1964 | Cgcnghpl.exe | 32
PID 2196 wrote to memory of 2136 | 2196 | Cnmfdb32.exe | 33
PID 2196 wrote to memory of 2136 | 2196 | Cnmfdb32.exe | 33
PID 2196 wrote to memory of 2136 | 2196 | Cnmfdb32.exe | 33
PID 2196 wrote to memory of 2136 | 2196 | Cnmfdb32.exe | 33
PID 2136 wrote to memory of 2592 | 2136 | Cmpgpond.exe | 34
PID 2136 wrote to memory of 2592 | 2136 | Cmpgpond.exe | 34
PID 2136 wrote to memory of 2592 | 2136 | Cmpgpond.exe | 34
PID 2136 wrote to memory of 2592 | 2136 | Cmpgpond.exe | 34
PID 2592 wrote to memory of 2636 | 2592 | Dpapaj32.exe | 35
PID 2592 wrote to memory of 2636 | 2592 | Dpapaj32.exe | 35
PID 2592 wrote to memory of 2636 | 2592 | Dpapaj32.exe | 35
PID 2592 wrote to memory of 2636 | 2592 | Dpapaj32.exe | 35
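The "Adds autorun key", "Drops file in System32 directory" and "Modifies registry class" signatures describe one persistence chain: every stage writes the value "Web Event Logger" under ShellServiceObjectDelayLoad, registers the CLSID {79FAA099-1BAE-816E-D711-115290CEE717} with an InProcServer32 path pointing at a DLL it has just dropped into SysWOW64, and Explorer.exe loads that DLL at logon. The Python below is an added example, not part of the sandbox report: it rebuilds that chain from event tuples constructed from the report's own rows (ordered along the process chain, which is an assumption, since the report gives no timestamps) and flags any COM server DLL that was written to disk by the same process that registered it.

```python
import re

# Constructed event list mirroring the rows of the report's "Adds autorun key",
# "Drops file in System32 directory" and "Modifies registry class" tables.
# Event order follows the process chain (sample -> Cgcnghpl -> Cnmfdb32 -> Cmpgpond);
# the report carries no timestamps, so that ordering is an assumption.
SAMPLE = "544f880f272b96be85cbeb060473a950f4ffc97382cf202f7066faf55c1aa09eN.exe"
SSODL = r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad"
CLSID_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32"


def _stage(proc, dll):
    """The registry/file events one Berbew stage produced, as listed in the report.
    Tuple layout: (operation, registry key or file path, data, process)."""
    return [
        ("Key created", SSODL, "", proc),
        ("Set value (str)", SSODL + r"\Web Event Logger", "{79FAA099-1BAE-816E-D711-115290CEE717}", proc),
        ("File created", r"C:\Windows\SysWOW64\%s" % dll, "", proc),
        ("Key created", CLSID_KEY, "", proc),
        ("Set value (str)", CLSID_KEY + "\\", r"C:\Windows\SysWow64\%s" % dll, proc),  # default value
        ("Set value (str)", CLSID_KEY + r"\ThreadingModel", "Apartment", proc),
    ]


EVENTS = (_stage(SAMPLE, "Omakjj32.dll") + _stage("Cgcnghpl.exe", "Niebgj32.dll")
          + _stage("Cnmfdb32.exe", "Pcaibd32.dll") + _stage("Cmpgpond.exe", "Pdkefp32.dll"))

# A value directly under ShellServiceObjectDelayLoad; the value name is the entry.
SSODL_RE = re.compile(r"\\ShellServiceObjectDelayLoad\\([^\\]+)$", re.I)
# The default value of CLSID\{...}\InProcServer32 (trailing backslash, no value name).
SERVER_RE = re.compile(r"\\CLSID\\(\{[0-9A-F-]{36}\})\\InProcServer32\\?$", re.I)


def resolve_ssodl_persistence(events):
    """Chain SSODL entry -> CLSID -> every InProcServer32 DLL registered for it.

    Returns one dict per SSODL entry with the CLSID, the last process that set
    the entry, and a list of (dll_path, registering_process, dropped_by_registrant).
    """
    dropped = {}   # process -> set of lower-cased file paths it created
    servers = {}   # CLSID -> [(dll path, registering process)] in event order
    entries = {}   # SSODL value name -> (CLSID, process)
    for op, path, data, proc in events:
        if op == "File created":
            dropped.setdefault(proc, set()).add(path.lower())
        elif op == "Set value (str)":
            m = SSODL_RE.search(path)
            if m:
                entries[m.group(1)] = (data.upper(), proc)
                continue
            m = SERVER_RE.search(path)      # ThreadingModel rows do not match here
            if m:
                servers.setdefault(m.group(1).upper(), []).append((data, proc))
    findings = []
    for name, (clsid, proc) in entries.items():
        dlls = [(dll, who, dll.lower() in dropped.get(who, set()))
                for dll, who in servers.get(clsid, [])]
        findings.append({"entry": name, "clsid": clsid, "set_by": proc, "dlls": dlls})
    return findings


if __name__ == "__main__":
    for f in resolve_ssodl_persistence(EVENTS):
        print("SSODL entry %r -> %s (last set by %s)" % (f["entry"], f["clsid"], f["set_by"]))
        for dll, who, self_dropped in f["dlls"]:
            print("  InProcServer32 = %s by %s%s" % (dll, who, "  [dropped by registrant]" if self_dropped else ""))
```

With the events in chain order, the CLSID ends up pointing at Pdkefp32.dll, the DLL written by Cmpgpond.exe, and every earlier registration is a DLL that the registering stage itself dropped. That "dropped, then registered as a COM server, then named in SSODL" sequence by one process is the pattern to alert on; on a live host the same check reduces to reading the SSODL values, resolving each CLSID's InProcServer32 and looking at who created that DLL.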
Processes

C:\Users\Admin\AppData\Local\Temp\544f880f272b96be85cbeb060473a950f4ffc97382cf202f7066faf55c1aa09eN.exe (PID 2856)
  command line: "C:\Users\Admin\AppData\Local\Temp\544f880f272b96be85cbeb060473a950f4ffc97382cf202f7066faf55c1aa09eN.exe"
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\Cgcnghpl.exe (PID 1964, child of 2856)
    command line: C:\Windows\system32\Cgcnghpl.exe
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\Cnmfdb32.exe (PID 2196, child of 1964)
      command line: C:\Windows\system32\Cnmfdb32.exe
      - Adds autorun key to be loaded by Explorer.exe on startup
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in System32 directory
      - System Location Discovery: System Language Discovery
      - Modifies registry class
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\Cmpgpond.exe (PID 2136, child of 2196)
        command line: C:\Windows\system32\Cmpgpond.exe
        - Adds autorun key to be loaded by Explorer.exe on startup
        - Executes dropped EXE
        - Loads dropped DLL
        - Drops file in System32 directory
        - System Location Discovery: System Language Discovery
        - Modifies registry class
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\Dpapaj32.exe (PID 2592, child of 2136)
          command line: C:\Windows\system32\Dpapaj32.exe
          - Executes dropped EXE
          - Drops file in System32 directory
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory

          C:\Windows\SysWOW64\WerFault.exe (PID 2636, child of 2592)
            command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2592 -s 144
            - Loads dropped DLL
            - Program crash
Network
MITRE ATT&CK Enterprise v15
Downloads

Four files of 144KB each were collected. Every one has a different hash and none matches the submitted sample's hashes, so blocking on the submitted sample's hashes alone does not cover the stages it drops.

Download 1
Filesize: 144KB
MD5: a5ba68452eb6a00922bc4ce00babc68a
SHA1: d6471eb50081cdeaa91cae66074b49a252bbbc9d
SHA256: 8bcf78ffd91ea1d0dd85452346e1a450113c7e06184133b47477ac46786dcdd9
SHA512: dab490f3b4aeb023e03b46577761d8f6aa0ed679c52ae8e8dfa4066f8f1d1e18a38e6e43d1198b3aae1364e477881dd90316f6bbcd47e028688f4b7a942be608

Download 2
Filesize: 144KB
MD5: d748f13f6a43c6a7432e40258a3ce24e
SHA1: 8a9f64fcdd82b3ad4fdfe9a1c6f2aa8b787d40f8
SHA256: 02640835030b65774bffb0ebdb41c35a0112dc257a89d261adc609f214aa4776
SHA512: 5531fe6e230174609d0aa16f0d39e6e68085d563eb1a32d9366fe962b75b76eb01133efc85ea102635457e32ad0ce17b95a61df8b3efaa310e4ab0d560986e18

Download 3
Filesize: 144KB
MD5: 1cb2b9d2d84a34602738f54b758ecda3
SHA1: 51c2b86d54034d5da42383ea8816a6dd39e6c627
SHA256: 239f3911273c312c0eb93c1f5e0847dfe3c1cb231b87f5aaf7df2d7232200f9d
SHA512: 4e5e9e80cb89970084cc0dd57ba6816bf2756e9bccccdf1adbd1a782ec0caa6ef5cccba6b0527242c9975157d3162e248e1cb26402d03c05f41836f89d0412d6

Download 4
Filesize: 144KB
MD5: 22667222fafb40389fedbdaa0ccb81e2
SHA1: da67a600e5df411801751518deffe8d327f306cd
SHA256: d8cb81594f4187bd3971a0d40d921265180842433b638f85cba526522f2c219e
SHA512: 2db59ef7a605975521f2ca81430053011caefe73a0100d87fb99833789df24fecba30bcfd479a986827e96c590a870ae6688380bd0ded27982abf323186b286d