Overview

overview

10

Static

static

10

3b9efd2ed3...1N.exe

windows7-x64

10

3b9efd2ed3...1N.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    94s
  • max time network
    96s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    17-11-2024 05:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3b9efd2ed3655ff4c50af03990cd2c0dbe343379d59ae2710df3d081f024c811N.exe

  • Size

    163KB

  • MD5

    9e2f688380439fa0c574539669e18d60

  • SHA1

    645604f4f69b961a635ad38cb467294c37d0b2f5

  • SHA256

    3b9efd2ed3655ff4c50af03990cd2c0dbe343379d59ae2710df3d081f024c811

  • SHA512

    fa63e34d3868175c6550584e40d73ce104eccaea11f7193dbf7be62a1b54aafbdff09eb1726642aec644a973c12d678da844f5e27befa43427ef7b6944dc1e59

  • SSDEEP

    3072:cZlq3RN4Ie+qPxkXJMIRltOrWKDBr+yJb:/3L4Ie+qP2X5RLOf

Score
10/10
berbewbackdoordiscoverypersistence

Malware Config

Extracted

Family

berbew

C2

http://crutop.nu/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://master-x.com/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://crutop.ru/index.php

http://kaspersky.ru/index.php

http://color-bank.ru/index.php

http://adult-empire.com/index.php

http://virus-list.com/index.php

http://trojan.ru/index.php

http://xware.cjb.net/index.htm

http://konfiskat.org/index.htm

http://parex-bank.ru/index.htm

http://fethard.biz/index.htm

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

Signatures

  • Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 8 IoCs
    persistence
  • Berbew

    Berbew is a backdoor written in C++.

    backdoorberbew
  • Berbew family
    berbew
  • Executes dropped EXE 4 IoCs
  • Drops file in System32 directory 12 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 15 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3b9efd2ed3655ff4c50af03990cd2c0dbe343379d59ae2710df3d081f024c811N.exe
    "C:\Users\Admin\AppData\Local\Temp\3b9efd2ed3655ff4c50af03990cd2c0dbe343379d59ae2710df3d081f024c811N.exe"
    1⤵
    • Adds autorun key to be loaded by Explorer.exe on startup
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2164
    • C:\Windows\SysWOW64\Ddakjkqi.exe
      C:\Windows\system32\Ddakjkqi.exe
      2⤵
      • Adds autorun key to be loaded by Explorer.exe on startup
      • Executes dropped EXE
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:888
      • C:\Windows\SysWOW64\Dogogcpo.exe
        C:\Windows\system32\Dogogcpo.exe
        3⤵
        • Adds autorun key to be loaded by Explorer.exe on startup
        • Executes dropped EXE
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:2116
        • C:\Windows\SysWOW64\Dhocqigp.exe
          C:\Windows\system32\Dhocqigp.exe
          4⤵
          • Adds autorun key to be loaded by Explorer.exe on startup
          • Executes dropped EXE
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          • Suspicious use of WriteProcessMemory
          PID:3904
          • C:\Windows\SysWOW64\Dmllipeg.exe
            C:\Windows\system32\Dmllipeg.exe
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            PID:3180
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 3180 -s 396
              6⤵
              • Program crash
              PID:1292
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3180 -ip 3180
    1⤵
      PID:1180

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Windows\SysWOW64\Ddakjkqi.exe
      Filesize

      163KB

      MD5

      081d151d8608376911c196a93ec89f0e

      SHA1

      5328d6547dad3026c99b1199871bfd3fb63b2fdc

      SHA256

      cb94685a89b0d5cd52531b4fafe243e4af9a385055dac5dc7e0ce90911a83b67

      SHA512

      bf949edd51c0131d64311d6488226f55a6dfad8cc561828d503955b3e1ed4cc16b73a5730f5efaef5af4a0bb4d9de95471a9abc78e4a3185dea6a329d316ba64

      Download Submit

    • C:\Windows\SysWOW64\Dhocqigp.exe
      Filesize

      163KB

      MD5

      cfa113acab258765cbe63466d0f6e3e5

      SHA1

      588206b58432bd9f3073a6005fb62a5ec8ce1c4a

      SHA256

      de195e04af20b9ab3432bc3de39b80fff5326b7cb7756d92c1d075233932e71f

      SHA512

      4cb070020c6be89046794d3325735e1d14d200abd67458888cbaf7302b31a344ef332a3c06d353e3ff4e9bb796314a26cf877ee8d918d009537c09d7aa8bffe9

      Download Submit

    • C:\Windows\SysWOW64\Dmllipeg.exe
      Filesize

      163KB

      MD5

      dd1c96d052f1d112da5a5ee25bad3551

      SHA1

      46238ba21ff73a5c0190f1292d2b6af81ca7573f

      SHA256

      a5a772f541633fcfe0f5fd8dd11859565d64534b1fb72c367503b84e0e0ceedb

      SHA512

      6424fc95cff37a88737bf20c13f19272fa96d1ab798b15ea648951a5787e0a5a0d321e7cb01fa9ea7ceeac7d2f06e409ac76bd975dbb418d1577061b2daed291

      Download Submit

    • C:\Windows\SysWOW64\Dogogcpo.exe
      Filesize

      163KB

      MD5

      0ecc7023354107fba4318a76eeae3eaf

      SHA1

      c417eaed30a738a0e9abbdb31b65ca78277f51d2

      SHA256

      64ff07976ef3aac7828303b8a5794fe46bb2de1894ddfb3f50ef4e4c2af2209a

      SHA512

      54f9f0d25a12732fdec5ec16a1a4a33626be3a2a1935b396f36ffd71651bbf48f79b5f26be3294c4bb6b2359147ed3e263d50b4d91775cef7b354c188bea4d8e

      Download Submit

    • memory/888-8-0x0000000000400000-0x0000000000453000-memory.dmp

      Filesize

      332KB

      Download

    • memory/888-41-0x0000000000400000-0x0000000000453000-memory.dmp

      Filesize

      332KB

      Download

    • memory/2116-16-0x0000000000400000-0x0000000000453000-memory.dmp

      Filesize

      332KB

      Download

    • memory/2116-40-0x0000000000400000-0x0000000000453000-memory.dmp

      Filesize

      332KB

      Download

    • memory/2164-0-0x0000000000400000-0x0000000000453000-memory.dmp

      Filesize

      332KB

      Download

    • memory/2164-1-0x0000000000432000-0x0000000000433000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2164-43-0x0000000000400000-0x0000000000453000-memory.dmp

      Filesize

      332KB

      Download

    • memory/3180-32-0x0000000000400000-0x0000000000453000-memory.dmp

      Filesize

      332KB

      Download

    • memory/3180-36-0x0000000000400000-0x0000000000453000-memory.dmp

      Filesize

      332KB

      Download

    • memory/3904-25-0x0000000000400000-0x0000000000453000-memory.dmp

      Filesize

      332KB

      Download

    • memory/3904-37-0x0000000000400000-0x0000000000453000-memory.dmp

      Filesize

      332KB

      Download