Analysis
max time kernel: 81s
max time network: 19s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 13/11/2024, 08:29
Static task: static1
Behavioral task: behavioral1
Sample: 8c416e1ed3e04818310a1921739a71e97fea30372e5e7cc2c9e8200b729c7d7fN.exe
Resource: win7-20241010-en
Behavioral task: behavioral2
Sample: 8c416e1ed3e04818310a1921739a71e97fea30372e5e7cc2c9e8200b729c7d7fN.exe
Resource: win10v2004-20241007-en
General
Target: 8c416e1ed3e04818310a1921739a71e97fea30372e5e7cc2c9e8200b729c7d7fN.exe
Size: 384KB
MD5: dac2d5aaddf54e79c2e0b66bf53b43e0
SHA1: 2635895f5c26b6310dc678ab9127fa49114a7ea8
SHA256: 8c416e1ed3e04818310a1921739a71e97fea30372e5e7cc2c9e8200b729c7d7f
SHA512: 2d94c7af70f2e513ad4b5f990e3930d1e886b3476a81851557aaf9cc6ad9445bfc27088169ce398dc9482aff2c23c1d5bd53e1934e57e379fd4a2665362c30ba
SSDEEP: 6144:QEmpGOgosBJqf7dkzIe/pDCdGyZ6YugQdjGG1wsKm6eBgdQbkoKTBEAz/6DG1ETl:sL3d7dIDpDSGyXu1jGG1wsGeBgRTGAzG
Malware Config
Extracted
berbew
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures

Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 8 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kipmhc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Kipmhc32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lmmfnb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Lmmfnb32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | 8c416e1ed3e04818310a1921739a71e97fea30372e5e7cc2c9e8200b729c7d7fN.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | 8c416e1ed3e04818310a1921739a71e97fea30372e5e7cc2c9e8200b729c7d7fN.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Khnapkjg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Khnapkjg.exe
Berbew family
Executes dropped EXE (4 IoCs)
pid | Process
1636 | Khnapkjg.exe
2740 | Kipmhc32.exe
2760 | Lmmfnb32.exe
2888 | Lepaccmo.exe
Loads dropped DLL (12 IoCs)
pid | Process
3044 | 8c416e1ed3e04818310a1921739a71e97fea30372e5e7cc2c9e8200b729c7d7fN.exe
3044 | 8c416e1ed3e04818310a1921739a71e97fea30372e5e7cc2c9e8200b729c7d7fN.exe
1636 | Khnapkjg.exe
1636 | Khnapkjg.exe
2740 | Kipmhc32.exe
2740 | Kipmhc32.exe
2760 | Lmmfnb32.exe
2760 | Lmmfnb32.exe
2776 | WerFault.exe
2776 | WerFault.exe
2776 | WerFault.exe
2776 | WerFault.exe
Drops file in System32 directory (12 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\Lepaccmo.exe | Lmmfnb32.exe
File opened for modification | C:\Windows\SysWOW64\Khnapkjg.exe | 8c416e1ed3e04818310a1921739a71e97fea30372e5e7cc2c9e8200b729c7d7fN.exe
File created | C:\Windows\SysWOW64\Kipmhc32.exe | Khnapkjg.exe
File opened for modification | C:\Windows\SysWOW64\Kipmhc32.exe | Khnapkjg.exe
File created | C:\Windows\SysWOW64\Lmmfnb32.exe | Kipmhc32.exe
File created | C:\Windows\SysWOW64\Pigckoki.dll | Kipmhc32.exe
File opened for modification | C:\Windows\SysWOW64\Lepaccmo.exe | Lmmfnb32.exe
File created | C:\Windows\SysWOW64\Oldhgaef.dll | Lmmfnb32.exe
File created | C:\Windows\SysWOW64\Khnapkjg.exe | 8c416e1ed3e04818310a1921739a71e97fea30372e5e7cc2c9e8200b729c7d7fN.exe
File created | C:\Windows\SysWOW64\Jkbcekmn.dll | 8c416e1ed3e04818310a1921739a71e97fea30372e5e7cc2c9e8200b729c7d7fN.exe
File created | C:\Windows\SysWOW64\Dkpnde32.dll | Khnapkjg.exe
File opened for modification | C:\Windows\SysWOW64\Lmmfnb32.exe | Kipmhc32.exe
Program crash (1 IoC)
pid | pid_target | Process | procid_target
2776 | 2888 | WerFault.exe | 33
System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Lmmfnb32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Lepaccmo.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 8c416e1ed3e04818310a1921739a71e97fea30372e5e7cc2c9e8200b729c7d7fN.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Khnapkjg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kipmhc32.exe
Modifies registry class (15 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkbcekmn.dll" | 8c416e1ed3e04818310a1921739a71e97fea30372e5e7cc2c9e8200b729c7d7fN.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | 8c416e1ed3e04818310a1921739a71e97fea30372e5e7cc2c9e8200b729c7d7fN.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pigckoki.dll" | Kipmhc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Kipmhc32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Lmmfnb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Lmmfnb32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node | 8c416e1ed3e04818310a1921739a71e97fea30372e5e7cc2c9e8200b729c7d7fN.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID | 8c416e1ed3e04818310a1921739a71e97fea30372e5e7cc2c9e8200b729c7d7fN.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717} | 8c416e1ed3e04818310a1921739a71e97fea30372e5e7cc2c9e8200b729c7d7fN.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | 8c416e1ed3e04818310a1921739a71e97fea30372e5e7cc2c9e8200b729c7d7fN.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Khnapkjg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkpnde32.dll" | Khnapkjg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Khnapkjg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Kipmhc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oldhgaef.dll" | Lmmfnb32.exe
Suspicious use of WriteProcessMemory (20 IoCs)
description | pid | Process | procid_target
PID 3044 wrote to memory of 1636 | 3044 | 8c416e1ed3e04818310a1921739a71e97fea30372e5e7cc2c9e8200b729c7d7fN.exe | 30
PID 3044 wrote to memory of 1636 | 3044 | 8c416e1ed3e04818310a1921739a71e97fea30372e5e7cc2c9e8200b729c7d7fN.exe | 30
PID 3044 wrote to memory of 1636 | 3044 | 8c416e1ed3e04818310a1921739a71e97fea30372e5e7cc2c9e8200b729c7d7fN.exe | 30
PID 3044 wrote to memory of 1636 | 3044 | 8c416e1ed3e04818310a1921739a71e97fea30372e5e7cc2c9e8200b729c7d7fN.exe | 30
PID 1636 wrote to memory of 2740 | 1636 | Khnapkjg.exe | 31
PID 1636 wrote to memory of 2740 | 1636 | Khnapkjg.exe | 31
PID 1636 wrote to memory of 2740 | 1636 | Khnapkjg.exe | 31
PID 1636 wrote to memory of 2740 | 1636 | Khnapkjg.exe | 31
PID 2740 wrote to memory of 2760 | 2740 | Kipmhc32.exe | 32
PID 2740 wrote to memory of 2760 | 2740 | Kipmhc32.exe | 32
PID 2740 wrote to memory of 2760 | 2740 | Kipmhc32.exe | 32
PID 2740 wrote to memory of 2760 | 2740 | Kipmhc32.exe | 32
PID 2760 wrote to memory of 2888 | 2760 | Lmmfnb32.exe | 33
PID 2760 wrote to memory of 2888 | 2760 | Lmmfnb32.exe | 33
PID 2760 wrote to memory of 2888 | 2760 | Lmmfnb32.exe | 33
PID 2760 wrote to memory of 2888 | 2760 | Lmmfnb32.exe | 33
PID 2888 wrote to memory of 2776 | 2888 | Lepaccmo.exe | 34
PID 2888 wrote to memory of 2776 | 2888 | Lepaccmo.exe | 34
PID 2888 wrote to memory of 2776 | 2888 | Lepaccmo.exe | 34
PID 2888 wrote to memory of 2776 | 2888 | Lepaccmo.exe | 34
Processes

1. C:\Users\Admin\AppData\Local\Temp\8c416e1ed3e04818310a1921739a71e97fea30372e5e7cc2c9e8200b729c7d7fN.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\8c416e1ed3e04818310a1921739a71e97fea30372e5e7cc2c9e8200b729c7d7fN.exe"
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Loads dropped DLL
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
   PID: 3044

   2. C:\Windows\SysWOW64\Khnapkjg.exe
      Command line: C:\Windows\system32\Khnapkjg.exe
      - Adds autorun key to be loaded by Explorer.exe on startup
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in System32 directory
      - System Location Discovery: System Language Discovery
      - Modifies registry class
      - Suspicious use of WriteProcessMemory
      PID: 1636

      3. C:\Windows\SysWOW64\Kipmhc32.exe
         Command line: C:\Windows\system32\Kipmhc32.exe
         - Adds autorun key to be loaded by Explorer.exe on startup
         - Executes dropped EXE
         - Loads dropped DLL
         - Drops file in System32 directory
         - System Location Discovery: System Language Discovery
         - Modifies registry class
         - Suspicious use of WriteProcessMemory
         PID: 2740

         4. C:\Windows\SysWOW64\Lmmfnb32.exe
            Command line: C:\Windows\system32\Lmmfnb32.exe
            - Adds autorun key to be loaded by Explorer.exe on startup
            - Executes dropped EXE
            - Loads dropped DLL
            - Drops file in System32 directory
            - System Location Discovery: System Language Discovery
            - Modifies registry class
            - Suspicious use of WriteProcessMemory
            PID: 2760

            5. C:\Windows\SysWOW64\Lepaccmo.exe
               Command line: C:\Windows\system32\Lepaccmo.exe
               - Executes dropped EXE
               - System Location Discovery: System Language Discovery
               - Suspicious use of WriteProcessMemory
               PID: 2888

               6. C:\Windows\SysWOW64\WerFault.exe
                  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2888 -s 140
                  - Loads dropped DLL
                  - Program crash
                  PID: 2776
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 384KB
MD5: b6d8a1464658f9536d76d5305add2622
SHA1: f5e807449d7617169dd25d2f8b4807729fd6129c
SHA256: a38a6cb432a2a593a189842ef0282143a5bcd02453a8f3a3f9919da1a3a0ee46
SHA512: 0ab6619c7e2c1ae70e978779d828247dafa787af1980f080b9776d6df4a50ddd8c2ed957ba4c2fd6c6544353fe491635e1e28590d31c25ad20dd2de0da037409

Filesize: 384KB
MD5: 3d602280e6e5a09ad9b6b92e341a5522
SHA1: fcd59463d0dd11db5d9825f52b6cf6b985d0c89d
SHA256: 698ab781981927c5bfeee10b06c91febd6d26ddce4089578bc7f01e1798ed164
SHA512: 68629d220a20ff3b7c38ed516486982d5ea719dcca9eceff989cacf68c09098e7dcde95d80560db3d339bf4a99305cad00889f1263c09c48cb25cb7dccebfdef

Filesize: 384KB
MD5: c7b29c862d65d68a3a019dfc29523b26
SHA1: d1eb6be275bb9fbbc047950843183c1eccd10595
SHA256: 7d948daa8ea2887a87ece353464799bf02fbe30a6c9bdbe1cb33380df5c1600a
SHA512: 17469da03f17549ce6145b2eda8712265ed23562b18124dd8a67e66e40fa710974270df19d10fe45f372afba6634663645fdc895519077b822c637ff578fd2d0

Filesize: 384KB
MD5: f837de2f0304847586dad0b119d430be
SHA1: 046571fc70c48bcc5847daf990c7cc3660f5d22a
SHA256: 2ba44901c5de9696ece414cca2d7b0c861bac29a6ca0d61324ec2603b1db3665
SHA512: 15e14fe76773292efc278871b873913b65b19abbaceef41b55607be6b8c9c962c0c27bcfe0ac494c017d266d3d26bca5ae8169153e21842d4afaed017778d310