Analysis

  • max time kernel
    119s
  • max time network
    16s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    12/11/2024, 12:13

General

  • Target

    ed2fec15c88461d3070fe94a420c538efe58af861d0199469a99295a5e6fdd66N.exe

  • Size

    112KB

  • MD5

    c2f3eca8928c77bf2144364acabdc8b3

  • SHA1

    431d40c12d8739e769c0cb028d9b89ab971d8013

  • SHA256

    dce975cb5f05325086081fdc6bbee667d5666bdcf0908fd86e7a14deabac6fc0

  • SHA512

    4a0db837af40e158ec15208dc63e7f2aa1012651292feb323a7ee9c0d0fd8858974e81aa0966323c28e93f28efa82e75809b05c2d645ee3a357a22a5ee87d4d3

  • SSDEEP

    1536:ObZ25k1X+Jv9aGW7nls7yxv1FDVRqC2LiJ9VqDlzVxyh+CbxMQguz6V34euullnn:ImtJvcffRqPiJ9IDlRxyhTbhgu+tAcrB

Malware Config

Extracted

Family

berbew

C2

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm
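The C2 list above is the most reusable artefact in this report. The script below is an added example (not part of the sandbox output) that sweeps DNS and proxy log lines for those hosts. It copies the twenty URLs verbatim; the log format, the HOST_FIELD regex and the sample lines are constructed for the example and would need to be adapted to a real resolver or proxy log.

```python
"""Added example: sweep DNS / proxy log lines for the Berbew C2 hosts
listed in this report's Malware Config section.  The key=value log format,
HOST_FIELD and SAMPLE_LOG are constructed for the example."""
import re
from urllib.parse import urlsplit

# C2 URLs as extracted by the sandbox (copied from the report).
C2_URLS = [
    "http://crutop.nu/index.php",
    "http://crutop.ru/index.php",
    "http://mazafaka.ru/index.php",
    "http://color-bank.ru/index.php",
    "http://asechka.ru/index.php",
    "http://trojan.ru/index.php",
    "http://fuck.ru/index.php",
    "http://goldensand.ru/index.php",
    "http://filesearch.ru/index.php",
    "http://devx.nm.ru/index.php",
    "http://ros-neftbank.ru/index.php",
    "http://lovingod.host.sk/index.php",
    "http://www.redline.ru/index.php",
    "http://cvv.ru/index.php",
    "http://hackers.lv/index.php",
    "http://fethard.biz/index.php",
    "http://ldark.nm.ru/index.htm",
    "http://gaz-prom.ru/index.htm",
    "http://promo.ru/index.htm",
    "http://potleaf.chat.ru/index.htm",
]


def c2_hosts(urls):
    """Hostnames from the C2 URL list, lowercased, without a trailing dot."""
    hosts = set()
    for url in urls:
        host = urlsplit(url).hostname
        if host:
            hosts.add(host.lower().rstrip("."))
    return hosts


def normalize_host(raw):
    """Normalize a host as it appears in a log: case, trailing dot, :port."""
    host = raw.strip().lower().rstrip(".")
    return re.sub(r":\d+$", "", host)


# Matches host=... (proxy lines) and query=... (resolver lines).
HOST_FIELD = re.compile(r"\b(?:host|query)=(\S+)")

# Constructed sample log (not from the report): lines 1, 2 and 4 touch C2 hosts;
# line 5 queries the parent zone of a C2 host and must NOT match.
SAMPLE_LOG = """\
2024-12-11T12:14:01Z proxy src=10.0.0.7 method=GET host=CRUTOP.NU:80 uri=/index.php status=502
2024-12-11T12:14:02Z dns client=10.0.0.7 query=mazafaka.ru. type=A rcode=NXDOMAIN
2024-12-11T12:14:03Z proxy src=10.0.0.9 method=GET host=example.org uri=/ status=200
2024-12-11T12:14:04Z dns client=10.0.0.7 query=www.redline.ru type=A rcode=NOERROR
2024-12-11T12:14:05Z dns client=10.0.0.9 query=nm.ru type=A rcode=NOERROR
"""


def find_c2_hits(log_text, urls=C2_URLS):
    """(line number, host) for each log line whose host/query field is a C2 host.

    Matching is exact on purpose: 'nm.ru' does not match 'devx.nm.ru',
    because the parent zone is shared hosting and would flood the result."""
    wanted = c2_hosts(urls)
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        for raw in HOST_FIELD.findall(line):
            host = normalize_host(raw)
            if host in wanted:
                hits.append((lineno, host))
    return hits


if __name__ == "__main__":
    for lineno, host in find_c2_hits(SAMPLE_LOG):
        print(f"line {lineno}: contacted C2 host {host}")
```

A hit means a host reached out to a domain embedded in this sample's configuration, nothing more: this family and its domains are old, several of them resolve to nothing or to parked pages, and this very run recorded no network traffic against them (max time network 16s, empty Network section). Treat a match as a trigger to pull the process tree and dropped files from the host rather than as proof of a live operator.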

Signatures

  • Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 12 IoCs
  • Berbew

    Berbew is a backdoor written in C++.

  • Berbew family
  • Executes dropped EXE 6 IoCs
  • Loads dropped DLL 16 IoCs
  • Drops file in System32 directory 18 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 21 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ed2fec15c88461d3070fe94a420c538efe58af861d0199469a99295a5e6fdd66N.exe
    "C:\Users\Admin\AppData\Local\Temp\ed2fec15c88461d3070fe94a420c538efe58af861d0199469a99295a5e6fdd66N.exe"
    1⤵
    • Adds autorun key to be loaded by Explorer.exe on startup
    • Loads dropped DLL
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2640
    • C:\Windows\SysWOW64\Kfaalh32.exe
      C:\Windows\system32\Kfaalh32.exe
      2⤵
      • Adds autorun key to be loaded by Explorer.exe on startup
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:2688
      • C:\Windows\SysWOW64\Kkmmlgik.exe
        C:\Windows\system32\Kkmmlgik.exe
        3⤵
        • Adds autorun key to be loaded by Explorer.exe on startup
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:2652
        • C:\Windows\SysWOW64\Kageia32.exe
          C:\Windows\system32\Kageia32.exe
          4⤵
          • Adds autorun key to be loaded by Explorer.exe on startup
          • Executes dropped EXE
          • Loads dropped DLL
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          • Suspicious use of WriteProcessMemory
          PID:2752
          • C:\Windows\SysWOW64\Kgcnahoo.exe
            C:\Windows\system32\Kgcnahoo.exe
            5⤵
            • Adds autorun key to be loaded by Explorer.exe on startup
            • Executes dropped EXE
            • Loads dropped DLL
            • Drops file in System32 directory
            • System Location Discovery: System Language Discovery
            • Modifies registry class
            • Suspicious use of WriteProcessMemory
            PID:2600
            • C:\Windows\SysWOW64\Libjncnc.exe
              C:\Windows\system32\Libjncnc.exe
              6⤵
              • Adds autorun key to be loaded by Explorer.exe on startup
              • Executes dropped EXE
              • Loads dropped DLL
              • Drops file in System32 directory
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              • Suspicious use of WriteProcessMemory
              PID:2624
              • C:\Windows\SysWOW64\Lbjofi32.exe
                C:\Windows\system32\Lbjofi32.exe
                7⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:2244
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 2244 -s 140
                  8⤵
                  • Loads dropped DLL
                  • Program crash
                  PID:1584

Network

        MITRE ATT&CK Enterprise v15


        Downloads

        • C:\Windows\SysWOW64\Kkmmlgik.exe

          Filesize

          112KB

          MD5

          ca51d71ae3687a18ef7b2ff8cb6bc616

          SHA1

          da09acaf82ce5626890e1b7ad7e49247f47de65b

          SHA256

          a85b8937e64aa51a19e97dfb7ba40a6935edaf4aef466c2fc04dd777bdc26e2f

          SHA512

          11c82b00d2b387f9f4a95cf4943c610f446bc0110cebc45d8595fa21edf888022f75aa5439c7edd82080992cd4890658872e5d9a4977e7115832ce0e02c56705

        • \Windows\SysWOW64\Kageia32.exe

          Filesize

          112KB

          MD5

          da7e35bdb5784e52f90e94e67ebe4e23

          SHA1

          34d00206eaadee8aada35c766771a8ae7095e836

          SHA256

          e178a997fe0ed4e39c7c29d7114a5499b924e6e3980f71b2d537af91d424b772

          SHA512

          b085378dadb942977714184b6940daeaee4b25cef60a46a5648ddc24267a8af34b9cb825d7f32329f6943408cf815d427f9ebc72b98162f3f5eca0aad5e590ca

        • \Windows\SysWOW64\Kfaalh32.exe

          Filesize

          112KB

          MD5

          ffd565086989ebafdba506931567c42c

          SHA1

          a064ff8c0c9568a592b5ae5a2548b6e1747239c9

          SHA256

          216d54a1114e1a2495a066438918bad730a37545bcca54b676434e4c1c0d91d5

          SHA512

          42251958dab319ffc8b1767b5f4ee048fbff045f2dac09e890b5c8cf997a0bdc292da9818d801c6e527861965bfb1a89561474ab75723eee7b21f1fb290ae537

        • \Windows\SysWOW64\Kgcnahoo.exe

          Filesize

          112KB

          MD5

          342fea65081e12f79779788173489658

          SHA1

          b644763bc8c6fc215044827d0238e65660160579

          SHA256

          a43f85d1f913cc9fe4d08e8f383532064dab74deea62d18ffeb5203727cad7cc

          SHA512

          8f5a711b08b18d9ce035fd03560003fae203a6d4d72a1dcac6b44567820fb7630a048b7db6230721ca4c15bfe76cca8f8108007471c751d1346b4c67946779af

        • \Windows\SysWOW64\Lbjofi32.exe

          Filesize

          112KB

          MD5

          793601d7d57706c6a655731706c37a49

          SHA1

          0b5c1ae65907729597b3c6b4e51db52b64812c9f

          SHA256

          7049ff97b431a9ee8c3fe2cbc59be481df7d38e273e6905192da411f7d189b1c

          SHA512

          73801890b91a3f1ed635f38019c107de3515aa1a21e5980b34303ae9781a0c08b35bb6a3cfd15cd3fe0f24be08c132851c5577114d85b1ade345538190c784a3

        • \Windows\SysWOW64\Libjncnc.exe

          Filesize

          112KB

          MD5

          dc71da404d9f48ee6808f7786db742d9

          SHA1

          4103c678a718fa6829756689bcdc51ce561c6af2

          SHA256

          04572a9c0f81f61a63930b7dd7b1dc1089327e84695fb2d20e7684bfeab5e5fa

          SHA512

          09a283fbad721e8da6852dcb3718e766fd43c7d83350179b9f8c2582b3c53a06d0ef974496094a5312a56f95ad624179e668ac69f8083f061512717e6a9ad3ae

        • memory/2244-81-0x0000000000400000-0x0000000000440000-memory.dmp

          Filesize

          256KB

        • memory/2600-54-0x0000000000400000-0x0000000000440000-memory.dmp

          Filesize

          256KB

        • memory/2600-87-0x0000000000400000-0x0000000000440000-memory.dmp

          Filesize

          256KB

        • memory/2624-79-0x0000000000250000-0x0000000000290000-memory.dmp

          Filesize

          256KB

        • memory/2624-67-0x0000000000400000-0x0000000000440000-memory.dmp

          Filesize

          256KB

        • memory/2624-86-0x0000000000400000-0x0000000000440000-memory.dmp

          Filesize

          256KB

        • memory/2640-12-0x0000000000250000-0x0000000000290000-memory.dmp

          Filesize

          256KB

        • memory/2640-0-0x0000000000400000-0x0000000000440000-memory.dmp

          Filesize

          256KB

        • memory/2640-91-0x0000000000400000-0x0000000000440000-memory.dmp

          Filesize

          256KB

        • memory/2640-13-0x0000000000250000-0x0000000000290000-memory.dmp

          Filesize

          256KB

        • memory/2652-29-0x0000000000400000-0x0000000000440000-memory.dmp

          Filesize

          256KB

        • memory/2652-90-0x0000000000400000-0x0000000000440000-memory.dmp

          Filesize

          256KB

        • memory/2688-27-0x0000000000440000-0x0000000000480000-memory.dmp

          Filesize

          256KB

        • memory/2688-14-0x0000000000400000-0x0000000000440000-memory.dmp

          Filesize

          256KB

        • memory/2688-88-0x0000000000400000-0x0000000000440000-memory.dmp

          Filesize

          256KB

        • memory/2752-89-0x0000000000400000-0x0000000000440000-memory.dmp

          Filesize

          256KB

        • memory/2752-41-0x0000000000400000-0x0000000000440000-memory.dmp

          Filesize

          256KB
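The memory entries above are the sandbox's own naming scheme, memory/<pid>-<sequence>-<start>-<end>-memory.dmp, and reading them by eye hides a useful pattern. The parser below is an added example (not sandbox code): it copies the seventeen entry names from this page and groups the dumped regions per process. Nothing beyond those names is taken from the report.

```python
"""Added example: parse the memory/<pid>-<n>-<start>-<end>-memory.dmp entries
from this report's Downloads section and summarize which processes share
which dumped regions.  Entry names are copied from the report; the
interpretation in the functions' docstrings is the example's own."""
import re
from collections import defaultdict

DUMP_NAME = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9a-fA-F]+)"
    r"-0x(?P<end>[0-9a-fA-F]+)-memory\.dmp$"
)

DUMP_ENTRIES = [
    "memory/2244-81-0x0000000000400000-0x0000000000440000-memory.dmp",
    "memory/2600-54-0x0000000000400000-0x0000000000440000-memory.dmp",
    "memory/2600-87-0x0000000000400000-0x0000000000440000-memory.dmp",
    "memory/2624-79-0x0000000000250000-0x0000000000290000-memory.dmp",
    "memory/2624-67-0x0000000000400000-0x0000000000440000-memory.dmp",
    "memory/2624-86-0x0000000000400000-0x0000000000440000-memory.dmp",
    "memory/2640-12-0x0000000000250000-0x0000000000290000-memory.dmp",
    "memory/2640-0-0x0000000000400000-0x0000000000440000-memory.dmp",
    "memory/2640-91-0x0000000000400000-0x0000000000440000-memory.dmp",
    "memory/2640-13-0x0000000000250000-0x0000000000290000-memory.dmp",
    "memory/2652-29-0x0000000000400000-0x0000000000440000-memory.dmp",
    "memory/2652-90-0x0000000000400000-0x0000000000440000-memory.dmp",
    "memory/2688-27-0x0000000000440000-0x0000000000480000-memory.dmp",
    "memory/2688-14-0x0000000000400000-0x0000000000440000-memory.dmp",
    "memory/2688-88-0x0000000000400000-0x0000000000440000-memory.dmp",
    "memory/2752-89-0x0000000000400000-0x0000000000440000-memory.dmp",
    "memory/2752-41-0x0000000000400000-0x0000000000440000-memory.dmp",
]


def is_dump_entry(name):
    """True if a Downloads entry is a memory dump rather than a dropped file."""
    return DUMP_NAME.match(name) is not None


def parse_dump_name(name):
    """Split one entry into pid, sequence number and the dumped address range."""
    m = DUMP_NAME.match(name)
    if not m:
        raise ValueError(f"not a memory dump entry: {name!r}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start:
        raise ValueError(f"empty or inverted range in {name!r}")
    return {"pid": int(m["pid"]), "seq": int(m["seq"]),
            "start": start, "end": end, "size": end - start}


def regions_by_pid(names):
    """{pid: {(start, end), ...}}, collapsing repeated dumps of one region."""
    out = defaultdict(set)
    for d in map(parse_dump_name, names):
        out[d["pid"]].add((d["start"], d["end"]))
    return dict(out)


def pids_sharing_region(names, start, end):
    """Sorted pids for which the sandbox dumped exactly this region."""
    return sorted(pid for pid, regs in regions_by_pid(names).items()
                  if (start, end) in regs)


def dump_sequence(names, pid):
    """Sequence numbers of one pid's dumps, i.e. the order they were taken."""
    return sorted(d["seq"] for d in map(parse_dump_name, names) if d["pid"] == pid)


if __name__ == "__main__":
    for pid, regs in sorted(regions_by_pid(DUMP_ENTRIES).items()):
        print(pid, ", ".join(f"0x{s:x}-0x{e:x}" for s, e in sorted(regs)))
```

Running it shows that every one of the seven sample processes (the original plus the six dropped stages) has a 256KB dump of 0x400000-0x440000, taken both early and again near the end of the run, while WerFault.exe (PID 1584) has none. An identical region at the same address in every stage is consistent with the same 32-bit image mapped at its preferred base without relocation, which is what you would expect when each stage is a fresh copy of the same 112KB binary; that reading is an inference from the names, since the report lists the regions but not their contents. The extra 0x250000 (PIDs 2624, 2640) and 0x440000 (PID 2688) regions are separate allocations the sandbox chose to dump; treat these entries as the sandbox's selection, not a complete memory map.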