Analysis
max time kernel: 14s
max time network: 18s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 12/11/2024, 13:56

Static task: static1
Behavioral task: behavioral1
  Sample: ed96b15e8cd306ebb53d9386a94178803313b1ba7dc0de7ad47ee972aa54892fN.exe
  Resource: win7-20241010-en
Behavioral task: behavioral2
  Sample: ed96b15e8cd306ebb53d9386a94178803313b1ba7dc0de7ad47ee972aa54892fN.exe
  Resource: win10v2004-20241007-en
General
Target: ed96b15e8cd306ebb53d9386a94178803313b1ba7dc0de7ad47ee972aa54892fN.exe
Size: 226KB
MD5: aad648e78a1409c8cb516394fa060d90
SHA1: cc54a23f0268b9be845949881c2ca6f8c87dd829
SHA256: ed96b15e8cd306ebb53d9386a94178803313b1ba7dc0de7ad47ee972aa54892f
SHA512: 69f51496d2eeadf9be012d22c8e9af8f9c2e2559f79285d429fbdff4593b5958829defe1791d51abbaa278260e4c31d69d906b6ce7b567840ae6f3b6492bb87b
SSDEEP: 3072:1OXu3vW9GyDKcWmjRvDKcpDKcWmjRrzNtQtjDKcWmjRrzNtb:uTcLxEtQtsEtb
Malware Config
Extracted
Family: berbew
http://tat-neftbank.ru/kkq.php
http://tat-neftbank.ru/wcmd.htm
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 10 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Qqldpfmh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Amebjgai.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Akphfbbl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Akphfbbl.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Amebjgai.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | ed96b15e8cd306ebb53d9386a94178803313b1ba7dc0de7ad47ee972aa54892fN.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | ed96b15e8cd306ebb53d9386a94178803313b1ba7dc0de7ad47ee972aa54892fN.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Qqldpfmh.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Qgfmlp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Qgfmlp32.exe
Berbew family
Executes dropped EXE (5 IoCs)
pid | Process
3064 | Qqldpfmh.exe
2888 | Qgfmlp32.exe
2344 | Amebjgai.exe
2900 | Akphfbbl.exe
2908 | Bmenijcd.exe
Loads dropped DLL (14 IoCs)
pid | Process
972 | ed96b15e8cd306ebb53d9386a94178803313b1ba7dc0de7ad47ee972aa54892fN.exe
972 | ed96b15e8cd306ebb53d9386a94178803313b1ba7dc0de7ad47ee972aa54892fN.exe
3064 | Qqldpfmh.exe
3064 | Qqldpfmh.exe
2888 | Qgfmlp32.exe
2888 | Qgfmlp32.exe
2344 | Amebjgai.exe
2344 | Amebjgai.exe
2900 | Akphfbbl.exe
2900 | Akphfbbl.exe
2756 | WerFault.exe
2756 | WerFault.exe
2756 | WerFault.exe
2756 | WerFault.exe
Drops file in System32 directory (15 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\Qqldpfmh.exe | ed96b15e8cd306ebb53d9386a94178803313b1ba7dc0de7ad47ee972aa54892fN.exe
File created | C:\Windows\SysWOW64\Abgqlf32.dll | Amebjgai.exe
File created | C:\Windows\SysWOW64\Amebjgai.exe | Qgfmlp32.exe
File created | C:\Windows\SysWOW64\Jpobja32.dll | Qgfmlp32.exe
File created | C:\Windows\SysWOW64\Akphfbbl.exe | Amebjgai.exe
File opened for modification | C:\Windows\SysWOW64\Akphfbbl.exe | Amebjgai.exe
File created | C:\Windows\SysWOW64\Bopplhfm.dll | ed96b15e8cd306ebb53d9386a94178803313b1ba7dc0de7ad47ee972aa54892fN.exe
File opened for modification | C:\Windows\SysWOW64\Qgfmlp32.exe | Qqldpfmh.exe
File created | C:\Windows\SysWOW64\Cjehbgng.dll | Qqldpfmh.exe
File created | C:\Windows\SysWOW64\Bmenijcd.exe | Akphfbbl.exe
File opened for modification | C:\Windows\SysWOW64\Bmenijcd.exe | Akphfbbl.exe
File created | C:\Windows\SysWOW64\Diflambo.dll | Akphfbbl.exe
File created | C:\Windows\SysWOW64\Qqldpfmh.exe | ed96b15e8cd306ebb53d9386a94178803313b1ba7dc0de7ad47ee972aa54892fN.exe
File created | C:\Windows\SysWOW64\Qgfmlp32.exe | Qqldpfmh.exe
File opened for modification | C:\Windows\SysWOW64\Amebjgai.exe | Qgfmlp32.exe
Program crash (1 IoC)
pid | pid_target | Process | procid_target
2756 | 2908 | WerFault.exe | 34
System Location Discovery: System Language Discovery (1 TTP, 6 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ed96b15e8cd306ebb53d9386a94178803313b1ba7dc0de7ad47ee972aa54892fN.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Qqldpfmh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Qgfmlp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Amebjgai.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Akphfbbl.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bmenijcd.exe
Modifies registry class (18 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abgqlf32.dll" | Amebjgai.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Akphfbbl.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Qqldpfmh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Qqldpfmh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Qgfmlp32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Amebjgai.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpobja32.dll" | Qgfmlp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Diflambo.dll" | Akphfbbl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | ed96b15e8cd306ebb53d9386a94178803313b1ba7dc0de7ad47ee972aa54892fN.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjehbgng.dll" | Qqldpfmh.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Qgfmlp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Amebjgai.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | ed96b15e8cd306ebb53d9386a94178803313b1ba7dc0de7ad47ee972aa54892fN.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID | ed96b15e8cd306ebb53d9386a94178803313b1ba7dc0de7ad47ee972aa54892fN.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738} | ed96b15e8cd306ebb53d9386a94178803313b1ba7dc0de7ad47ee972aa54892fN.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bopplhfm.dll" | ed96b15e8cd306ebb53d9386a94178803313b1ba7dc0de7ad47ee972aa54892fN.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node | ed96b15e8cd306ebb53d9386a94178803313b1ba7dc0de7ad47ee972aa54892fN.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Akphfbbl.exe
Suspicious use of WriteProcessMemory (24 IoCs)
description | pid | Process | procid_target
PID 972 wrote to memory of 3064 | 972 | ed96b15e8cd306ebb53d9386a94178803313b1ba7dc0de7ad47ee972aa54892fN.exe | 30
PID 972 wrote to memory of 3064 | 972 | ed96b15e8cd306ebb53d9386a94178803313b1ba7dc0de7ad47ee972aa54892fN.exe | 30
PID 972 wrote to memory of 3064 | 972 | ed96b15e8cd306ebb53d9386a94178803313b1ba7dc0de7ad47ee972aa54892fN.exe | 30
PID 972 wrote to memory of 3064 | 972 | ed96b15e8cd306ebb53d9386a94178803313b1ba7dc0de7ad47ee972aa54892fN.exe | 30
PID 3064 wrote to memory of 2888 | 3064 | Qqldpfmh.exe | 31
PID 3064 wrote to memory of 2888 | 3064 | Qqldpfmh.exe | 31
PID 3064 wrote to memory of 2888 | 3064 | Qqldpfmh.exe | 31
PID 3064 wrote to memory of 2888 | 3064 | Qqldpfmh.exe | 31
PID 2888 wrote to memory of 2344 | 2888 | Qgfmlp32.exe | 32
PID 2888 wrote to memory of 2344 | 2888 | Qgfmlp32.exe | 32
PID 2888 wrote to memory of 2344 | 2888 | Qgfmlp32.exe | 32
PID 2888 wrote to memory of 2344 | 2888 | Qgfmlp32.exe | 32
PID 2344 wrote to memory of 2900 | 2344 | Amebjgai.exe | 33
PID 2344 wrote to memory of 2900 | 2344 | Amebjgai.exe | 33
PID 2344 wrote to memory of 2900 | 2344 | Amebjgai.exe | 33
PID 2344 wrote to memory of 2900 | 2344 | Amebjgai.exe | 33
PID 2900 wrote to memory of 2908 | 2900 | Akphfbbl.exe | 34
PID 2900 wrote to memory of 2908 | 2900 | Akphfbbl.exe | 34
PID 2900 wrote to memory of 2908 | 2900 | Akphfbbl.exe | 34
PID 2900 wrote to memory of 2908 | 2900 | Akphfbbl.exe | 34
PID 2908 wrote to memory of 2756 | 2908 | Bmenijcd.exe | 35
PID 2908 wrote to memory of 2756 | 2908 | Bmenijcd.exe | 35
PID 2908 wrote to memory of 2756 | 2908 | Bmenijcd.exe | 35
PID 2908 wrote to memory of 2756 | 2908 | Bmenijcd.exe | 35
Processes
[1] C:\Users\Admin\AppData\Local\Temp\ed96b15e8cd306ebb53d9386a94178803313b1ba7dc0de7ad47ee972aa54892fN.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\ed96b15e8cd306ebb53d9386a94178803313b1ba7dc0de7ad47ee972aa54892fN.exe"
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID: 972
  [2] C:\Windows\SysWOW64\Qqldpfmh.exe
      Command line: C:\Windows\system32\Qqldpfmh.exe
      - Adds autorun key to be loaded by Explorer.exe on startup
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in System32 directory
      - System Location Discovery: System Language Discovery
      - Modifies registry class
      - Suspicious use of WriteProcessMemory
      PID: 3064
    [3] C:\Windows\SysWOW64\Qgfmlp32.exe
        Command line: C:\Windows\system32\Qgfmlp32.exe
        - Adds autorun key to be loaded by Explorer.exe on startup
        - Executes dropped EXE
        - Loads dropped DLL
        - Drops file in System32 directory
        - System Location Discovery: System Language Discovery
        - Modifies registry class
        - Suspicious use of WriteProcessMemory
        PID: 2888
      [4] C:\Windows\SysWOW64\Amebjgai.exe
          Command line: C:\Windows\system32\Amebjgai.exe
          - Adds autorun key to be loaded by Explorer.exe on startup
          - Executes dropped EXE
          - Loads dropped DLL
          - Drops file in System32 directory
          - System Location Discovery: System Language Discovery
          - Modifies registry class
          - Suspicious use of WriteProcessMemory
          PID: 2344
        [5] C:\Windows\SysWOW64\Akphfbbl.exe
            Command line: C:\Windows\system32\Akphfbbl.exe
            - Adds autorun key to be loaded by Explorer.exe on startup
            - Executes dropped EXE
            - Loads dropped DLL
            - Drops file in System32 directory
            - System Location Discovery: System Language Discovery
            - Modifies registry class
            - Suspicious use of WriteProcessMemory
            PID: 2900
          [6] C:\Windows\SysWOW64\Bmenijcd.exe
              Command line: C:\Windows\system32\Bmenijcd.exe
              - Executes dropped EXE
              - System Location Discovery: System Language Discovery
              - Suspicious use of WriteProcessMemory
              PID: 2908
            [7] C:\Windows\SysWOW64\WerFault.exe
                Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2908 -s 140
                - Loads dropped DLL
                - Program crash
                PID: 2756
Network
MITRE ATT&CK Enterprise v15
Downloads