Analysis

  • max time kernel
    14s
  • max time network
    18s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    12/11/2024, 13:56

General

  • Target

    ed96b15e8cd306ebb53d9386a94178803313b1ba7dc0de7ad47ee972aa54892fN.exe

  • Size

    226KB

  • MD5

    aad648e78a1409c8cb516394fa060d90

  • SHA1

    cc54a23f0268b9be845949881c2ca6f8c87dd829

  • SHA256

    ed96b15e8cd306ebb53d9386a94178803313b1ba7dc0de7ad47ee972aa54892f

  • SHA512

    69f51496d2eeadf9be012d22c8e9af8f9c2e2559f79285d429fbdff4593b5958829defe1791d51abbaa278260e4c31d69d906b6ce7b567840ae6f3b6492bb87b

  • SSDEEP

    3072:1OXu3vW9GyDKcWmjRvDKcpDKcWmjRrzNtQtjDKcWmjRrzNtb:uTcLxEtQtsEtb

Malware Config

Extracted

Family

berbew

C2

http://tat-neftbank.ru/kkq.php

http://tat-neftbank.ru/wcmd.htm

Signatures

  • Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 10 IoCs)
  • Berbew

    Berbew is a backdoor written in C++.

  • Berbew family
  • Executes dropped EXE (5 IoCs)
  • Loads dropped DLL (14 IoCs)
  • Drops file in System32 directory (15 IoCs)
  • Program crash (1 IoC)
  • System Location Discovery: System Language Discovery (1 TTP, 6 IoCs)

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class (18 IoCs)
  • Suspicious use of WriteProcessMemory (24 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\ed96b15e8cd306ebb53d9386a94178803313b1ba7dc0de7ad47ee972aa54892fN.exe
    "C:\Users\Admin\AppData\Local\Temp\ed96b15e8cd306ebb53d9386a94178803313b1ba7dc0de7ad47ee972aa54892fN.exe"
    1⤵
    • Adds autorun key to be loaded by Explorer.exe on startup
    • Loads dropped DLL
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:972
    • C:\Windows\SysWOW64\Qqldpfmh.exe
      C:\Windows\system32\Qqldpfmh.exe
      2⤵
      • Adds autorun key to be loaded by Explorer.exe on startup
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:3064
      • C:\Windows\SysWOW64\Qgfmlp32.exe
        C:\Windows\system32\Qgfmlp32.exe
        3⤵
        • Adds autorun key to be loaded by Explorer.exe on startup
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:2888
        • C:\Windows\SysWOW64\Amebjgai.exe
          C:\Windows\system32\Amebjgai.exe
          4⤵
          • Adds autorun key to be loaded by Explorer.exe on startup
          • Executes dropped EXE
          • Loads dropped DLL
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          • Suspicious use of WriteProcessMemory
          PID:2344
          • C:\Windows\SysWOW64\Akphfbbl.exe
            C:\Windows\system32\Akphfbbl.exe
            5⤵
            • Adds autorun key to be loaded by Explorer.exe on startup
            • Executes dropped EXE
            • Loads dropped DLL
            • Drops file in System32 directory
            • System Location Discovery: System Language Discovery
            • Modifies registry class
            • Suspicious use of WriteProcessMemory
            PID:2900
            • C:\Windows\SysWOW64\Bmenijcd.exe
              C:\Windows\system32\Bmenijcd.exe
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:2908
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 2908 -s 140
                7⤵
                • Loads dropped DLL
                • Program crash
                PID:2756

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Windows\SysWOW64\Qgfmlp32.exe

          Filesize

          226KB

          MD5

          a9137f32f09aeaabb0a87f220ae7804b

          SHA1

          4114d12c3478250833df83fcc19ccc18298a0647

          SHA256

          2cddc42a8fd7778d4d40f2c094c3fb6e0d882ad4da8151d706fda584dc616ea6

          SHA512

          ceb37c3b4118ec3e1722feded199e46a6b3d2b8b6abdd8734430056dc2d2734b29baf7528b1bb21ff7e652130168d974372ddb075a23cc7a9a4205c34995c3db

        • \Windows\SysWOW64\Akphfbbl.exe

          Filesize

          226KB

          MD5

          d77db05cf38edda203f15828500b72d1

          SHA1

          2f59bc90f8245147c424dc76ba96f2295eb2eca1

          SHA256

          f95927012f5845d904b1da5659855245eb6943ebf781dfba3fcaff73b93a2b81

          SHA512

          47726a60d0d7c5e95a822deef867307022acf2a04bf0a38a9f3569f95372da96bf67f71337ca67952d67ea198c6bd0eab78ad3a756f37ff61f2bc25c4ccfef47

        • \Windows\SysWOW64\Amebjgai.exe

          Filesize

          226KB

          MD5

          a1e864d632ab8c5920f83ad03b2f33ae

          SHA1

          53e5c7a82059e7d28accf05860dca0016e023a69

          SHA256

          4b434e1e091f61b71363b4412f99a65f0a078d0f28ccaed0ff758fdf5c1c5d3f

          SHA512

          0b38de78395aa1db8fdee60509ba7bd76a0d63895a2dd4bb3ebbecfeb4e35e72f1f4944718ec197c852cee47458d0b0c8982e9d01b61f277639dac150e9d4f00

        • \Windows\SysWOW64\Bmenijcd.exe

          Filesize

          226KB

          MD5

          c28db824440bb33f75c02394b67b6da3

          SHA1

          a95a60cbfb73442235c994baeedeae63368c2630

          SHA256

          a556a5459ff6318c2e2e862e405353cce6bd4177e4170b629cda140ba5a160c7

          SHA512

          7ea7f1190a60d82b95305a915a3fda189cb64423a005ef5a65556d4436f86defe64417dde0d024567223664e55466e18c2bd45fc071fa57dcf2f30ae0772386a

        • \Windows\SysWOW64\Qqldpfmh.exe

          Filesize

          226KB

          MD5

          fb61806d888eca16c9afc429a03744a6

          SHA1

          a103013e7e27ce276cf69283ac2ba942acfb19bb

          SHA256

          9ff0d20ccdfa6259592f1f1d905b52a2c700015b3aa778f3369d592bd8904032

          SHA512

          c74677eabb1a6aa4eb3df38e04917c496f981decffe6cc7ade03fdd98dc8932f147a699d092787dd2cc17cd19bdcd2fc82ffef377df0f3aef48500e352170468

        • memory/972-83-0x0000000000400000-0x0000000000460000-memory.dmp

          Filesize

          384KB

        • memory/972-12-0x0000000000220000-0x0000000000280000-memory.dmp

          Filesize

          384KB

        • memory/972-7-0x0000000000220000-0x0000000000280000-memory.dmp

          Filesize

          384KB

        • memory/972-0-0x0000000000400000-0x0000000000460000-memory.dmp

          Filesize

          384KB

        • memory/2344-39-0x0000000000400000-0x0000000000460000-memory.dmp

          Filesize

          384KB

        • memory/2344-80-0x0000000000400000-0x0000000000460000-memory.dmp

          Filesize

          384KB

        • memory/2344-52-0x0000000000220000-0x0000000000280000-memory.dmp

          Filesize

          384KB

        • memory/2344-51-0x0000000000220000-0x0000000000280000-memory.dmp

          Filesize

          384KB

        • memory/2344-82-0x0000000000400000-0x0000000000460000-memory.dmp

          Filesize

          384KB

        • memory/2888-78-0x0000000000400000-0x0000000000460000-memory.dmp

          Filesize

          384KB

        • memory/2888-81-0x0000000000400000-0x0000000000460000-memory.dmp

          Filesize

          384KB

        • memory/2900-54-0x0000000000400000-0x0000000000460000-memory.dmp

          Filesize

          384KB

        • memory/2900-77-0x0000000000400000-0x0000000000460000-memory.dmp

          Filesize

          384KB

        • memory/2900-74-0x0000000000400000-0x0000000000460000-memory.dmp

          Filesize

          384KB

        • memory/2908-67-0x0000000000400000-0x0000000000460000-memory.dmp

          Filesize

          384KB

        • memory/2908-79-0x0000000000400000-0x0000000000460000-memory.dmp

          Filesize

          384KB

        • memory/2908-76-0x0000000000400000-0x0000000000460000-memory.dmp

          Filesize

          384KB

        • memory/3064-19-0x0000000000400000-0x0000000000460000-memory.dmp

          Filesize

          384KB

        • memory/3064-75-0x0000000000400000-0x0000000000460000-memory.dmp

          Filesize

          384KB

        • memory/3064-72-0x0000000000400000-0x0000000000460000-memory.dmp

          Filesize

          384KB