Overview

overview

10

Static

static

10

1a8e0f6048...56.exe

windows7-x64

10

1a8e0f6048...56.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    94s
  • max time network
    138s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    17-11-2024 21:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1a8e0f6048cee4c815f2249dd56e8a25c18001cbe3159b144ed0d145ab095e56.exe

  • Size

    337KB

  • MD5

    e5025db850ffc531fc3a96788382e9e9

  • SHA1

    0fb2d2a4c8ce23804b766adac790e8d832b4edd4

  • SHA256

    1a8e0f6048cee4c815f2249dd56e8a25c18001cbe3159b144ed0d145ab095e56

  • SHA512

    fde732b2e1acf50e3ad6ced3452db49ab4e3ead053b4a129b3753f5508127969b01cc3682c56a9d46f6866577c26b10dcf2fd6c2f914c82e46ad614d96130153

  • SSDEEP

    3072:b3ozJmh3ScDgYfc0DV+1BIyLK5jZWlfXXqyYwi8x4Yfc05:b4QhCcD1+fIyG5jZkCwi8n

Score
10/10
berbewnjratbackdoordiscoverypersistencetrojan

Malware Config

Extracted

Family

berbew

C2

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

  • Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 30 IoCs
    persistence
  • Berbew

    Berbew is a backdoor written in C++.

    backdoorberbew
  • Berbew family
    berbew
  • Njrat family
    njrat
  • njRAT/Bladabindi

    Widely used RAT written in .NET.

    trojannjrat
  • Executes dropped EXE 15 IoCs
  • Drops file in System32 directory 45 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 16 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 48 IoCs
  • Suspicious use of WriteProcessMemory 45 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1a8e0f6048cee4c815f2249dd56e8a25c18001cbe3159b144ed0d145ab095e56.exe
    "C:\Users\Admin\AppData\Local\Temp\1a8e0f6048cee4c815f2249dd56e8a25c18001cbe3159b144ed0d145ab095e56.exe"
    1⤵
    • Adds autorun key to be loaded by Explorer.exe on startup
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1888
    • C:\Windows\SysWOW64\Cfpnph32.exe
      C:\Windows\system32\Cfpnph32.exe
      2⤵
      • Adds autorun key to be loaded by Explorer.exe on startup
      • Executes dropped EXE
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:4548
      • C:\Windows\SysWOW64\Cdcoim32.exe
        C:\Windows\system32\Cdcoim32.exe
        3⤵
        • Adds autorun key to be loaded by Explorer.exe on startup
        • Executes dropped EXE
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:2740
        • C:\Windows\SysWOW64\Cfbkeh32.exe
          C:\Windows\system32\Cfbkeh32.exe
          4⤵
          • Adds autorun key to be loaded by Explorer.exe on startup
          • Executes dropped EXE
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          • Suspicious use of WriteProcessMemory
          PID:1208
          • C:\Windows\SysWOW64\Cdfkolkf.exe
            C:\Windows\system32\Cdfkolkf.exe
            5⤵
            • Adds autorun key to be loaded by Explorer.exe on startup
            • Executes dropped EXE
            • Drops file in System32 directory
            • System Location Discovery: System Language Discovery
            • Modifies registry class
            • Suspicious use of WriteProcessMemory
            PID:4768
            • C:\Windows\SysWOW64\Cjpckf32.exe
              C:\Windows\system32\Cjpckf32.exe
              6⤵
              • Adds autorun key to be loaded by Explorer.exe on startup
              • Executes dropped EXE
              • Drops file in System32 directory
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              • Suspicious use of WriteProcessMemory
              PID:3964
              • C:\Windows\SysWOW64\Cjbpaf32.exe
                C:\Windows\system32\Cjbpaf32.exe
                7⤵
                • Adds autorun key to be loaded by Explorer.exe on startup
                • Executes dropped EXE
                • Drops file in System32 directory
                • System Location Discovery: System Language Discovery
                • Modifies registry class
                • Suspicious use of WriteProcessMemory
                PID:4820
                • C:\Windows\SysWOW64\Cegdnopg.exe
                  C:\Windows\system32\Cegdnopg.exe
                  8⤵
                  • Adds autorun key to be loaded by Explorer.exe on startup
                  • Executes dropped EXE
                  • Drops file in System32 directory
                  • System Location Discovery: System Language Discovery
                  • Modifies registry class
                  • Suspicious use of WriteProcessMemory
                  PID:4732
                  • C:\Windows\SysWOW64\Dmcibama.exe
                    C:\Windows\system32\Dmcibama.exe
                    9⤵
                    • Adds autorun key to be loaded by Explorer.exe on startup
                    • Executes dropped EXE
                    • Drops file in System32 directory
                    • System Location Discovery: System Language Discovery
                    • Modifies registry class
                    • Suspicious use of WriteProcessMemory
                    PID:3436
                    • C:\Windows\SysWOW64\Dhhnpjmh.exe
                      C:\Windows\system32\Dhhnpjmh.exe
                      10⤵
                      • Adds autorun key to be loaded by Explorer.exe on startup
                      • Executes dropped EXE
                      • Drops file in System32 directory
                      • System Location Discovery: System Language Discovery
                      • Modifies registry class
                      • Suspicious use of WriteProcessMemory
                      PID:3580
                      • C:\Windows\SysWOW64\Delnin32.exe
                        C:\Windows\system32\Delnin32.exe
                        11⤵
                        • Adds autorun key to be loaded by Explorer.exe on startup
                        • Executes dropped EXE
                        • Drops file in System32 directory
                        • System Location Discovery: System Language Discovery
                        • Modifies registry class
                        • Suspicious use of WriteProcessMemory
                        PID:1664
                        • C:\Windows\SysWOW64\Dfnjafap.exe
                          C:\Windows\system32\Dfnjafap.exe
                          12⤵
                          • Adds autorun key to be loaded by Explorer.exe on startup
                          • Executes dropped EXE
                          • Drops file in System32 directory
                          • System Location Discovery: System Language Discovery
                          • Modifies registry class
                          • Suspicious use of WriteProcessMemory
                          PID:1596
                          • C:\Windows\SysWOW64\Ddakjkqi.exe
                            C:\Windows\system32\Ddakjkqi.exe
                            13⤵
                            • Adds autorun key to be loaded by Explorer.exe on startup
                            • Executes dropped EXE
                            • Drops file in System32 directory
                            • System Location Discovery: System Language Discovery
                            • Modifies registry class
                            • Suspicious use of WriteProcessMemory
                            PID:668
                            • C:\Windows\SysWOW64\Dmjocp32.exe
                              C:\Windows\system32\Dmjocp32.exe
                              14⤵
                              • Adds autorun key to be loaded by Explorer.exe on startup
                              • Executes dropped EXE
                              • Drops file in System32 directory
                              • System Location Discovery: System Language Discovery
                              • Modifies registry class
                              • Suspicious use of WriteProcessMemory
                              PID:3636
                              • C:\Windows\SysWOW64\Dhocqigp.exe
                                C:\Windows\system32\Dhocqigp.exe
                                15⤵
                                • Adds autorun key to be loaded by Explorer.exe on startup
                                • Executes dropped EXE
                                • Drops file in System32 directory
                                • System Location Discovery: System Language Discovery
                                • Modifies registry class
                                • Suspicious use of WriteProcessMemory
                                PID:432
                                • C:\Windows\SysWOW64\Dmllipeg.exe
                                  C:\Windows\system32\Dmllipeg.exe
                                  16⤵
                                  • Executes dropped EXE
                                  • System Location Discovery: System Language Discovery
                                  PID:4864
                                  • C:\Windows\SysWOW64\WerFault.exe
                                    C:\Windows\SysWOW64\WerFault.exe -u -p 4864 -s 220
                                    17⤵
                                    • Program crash
                                    PID:4336
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4864 -ip 4864
    1⤵
      PID:3632

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Windows\SysWOW64\Cdcoim32.exe
      Filesize

      337KB

      MD5

      ad33105fa8b99d7c56e43c125acad887

      SHA1

      3a6a8290869af84df3d973564aa71b090e384902

      SHA256

      2328d818327b69bf465395effe1b5ebc260fb669ee2774ca10589c5f2957d041

      SHA512

      0027305d7fdefdc02ee02c8a19a5395bb3084e7f3f39d237e009a104a9bd963b371508a289b220bdc64146ad9cc8b40fa09b76ae2b1cb5680b53258bdca758b9

      Download Submit

    • C:\Windows\SysWOW64\Cdfkolkf.exe
      Filesize

      337KB

      MD5

      e1ea16a97cd804fcb1fe1ace959a5f72

      SHA1

      00cf4912995ffd058d85511a8ae7f807803f4225

      SHA256

      c58147e5412a7b7b760fc9d2e423eac03a6d576c8cd482d6ff5685d548c0c3d1

      SHA512

      60d2be1db7d697e5821b9879540887612cebc3cb214ca803471f7c5129df80d3975ee36ccd223c0f1726d2e556ba59079a90f1f994f9ca77542cde300758e7b5

      Download Submit

    • C:\Windows\SysWOW64\Cegdnopg.exe
      Filesize

      337KB

      MD5

      e933c09343d5465b884ad1ea7cee50b2

      SHA1

      a511d1a1870d3c8c67f2b06e23d2f8f48f31ebf6

      SHA256

      1a84332f23ece6142863613096e186c5382c1336cc0ecf30e1e7e8c4c844302f

      SHA512

      b2a8d396136c02e04dae42832d120d3a8d7afe3d67830b7a278c4adc052469ad9de7180f41ad1b924028df40360bba3d18f19494db401281f486972cfb927616

      Download Submit

    • C:\Windows\SysWOW64\Cfbkeh32.exe
      Filesize

      337KB

      MD5

      41d21cfc7ea037ae148eed24cc6da01b

      SHA1

      cc9fcc8d0da5c14eb8abae4487679ac954e40257

      SHA256

      2b7b50dc9072e6058cbbe30fe422984494098ac55f146f5c5343767db7e87f13

      SHA512

      5512a5a1c07c73e338086af5c153d391e531a54db749848260225c57db988efaf5a9f7f2a25c44e0d5bfba18f4624ce29178e7d2d03a1fd2fec5503d6a0cf918

      Download Submit

    • C:\Windows\SysWOW64\Cfpnph32.exe
      Filesize

      337KB

      MD5

      6a2f92cc42918d76c07919e4333231d7

      SHA1

      19be8c6d69b20f322872f70dd8153064b6e4d9e0

      SHA256

      e34e9264e3348ff36afb52e4b15a460a90ed855c205cedacc774483dd2131c0c

      SHA512

      67bf6a4b3b285ee87515a163bbf7ae77bff24d74297e3b4bb6f8f80fb61c311bb6881bfd028b63a90c938496eaf5010d29eaa4be1c8070d9689396896d2d85e8

      Download Submit

    • C:\Windows\SysWOW64\Cjbpaf32.exe
      Filesize

      337KB

      MD5

      100b4bedb258d7668325a100ae55ca71

      SHA1

      1983277b3ee2430684300ae5c35afc2fe5a53643

      SHA256

      9713da9141e8a1a9d5f67a9a8d5d7594738273239554e84138cbb8e0a9b5db18

      SHA512

      bc450041e0be8d96106b36bdec960da068e43965ec93487f4915685d96cbe83318bdaf13fd5f1a3d44e701c70fa32bf8ffce4a7af43d9ff18f89a3c9693201db

      Download Submit

    • C:\Windows\SysWOW64\Cjpckf32.exe
      Filesize

      337KB

      MD5

      7b14d440b1fc6435f7feef8ca6395821

      SHA1

      f5a655b8b6fb8d120dbaa45bc1205458679903f9

      SHA256

      0ad1579784fed5d74d3028b0ff99b7d05f62d028a1303959c18d5968c54bcd5d

      SHA512

      24ee3b9099076be1404beb4a987013bed585a2ea4967f26b91f5f2799180dcbac0d643b0d63325216c9fb58b89525a2cab53477c74231d2b480c90203c5273c4

      Download Submit

    • C:\Windows\SysWOW64\Ddakjkqi.exe
      Filesize

      337KB

      MD5

      df8b3fd81c80000d106a7262f5d46d6b

      SHA1

      5dbc75311ffd3d5952f69b2374e2f26db1f358a9

      SHA256

      e350026a5ffe1ede4744896887e572924cc5156394bcfc72faef82a0da2d780f

      SHA512

      2e36e0e60b1dca4e32bc83dfea85e1bdda24cb70cab26863a5d1adfa079ab01cdf9fa37c11a2133f0151eeef9f29f1424017e015831b20399c9c44d4976a9367

      Download Submit

    • C:\Windows\SysWOW64\Delnin32.exe
      Filesize

      337KB

      MD5

      d76f2596f07e8183e5e4609076aae9b9

      SHA1

      56c7334db5d0d8c2d7c7ec6f88c1e5e944d0be1e

      SHA256

      a19414fc93d4433ec548b6efbc40f4f45e19b4660da28d4381ec3db87145ef1e

      SHA512

      b625bb0f462b83eaaf057ebd6dd2d9bfcf6d4e486fd80d1c3a649a0463dc992e65065a7cdf700b0fa7d2b01e904e3a5aeee95b9f81ab037ec30c17727aaa5020

      Download Submit

    • C:\Windows\SysWOW64\Dfnjafap.exe
      Filesize

      337KB

      MD5

      652b80b95cbfa68eb7ed02f5714a40e4

      SHA1

      d07c544dcefe2f38bbce050d2cebfc06b935504a

      SHA256

      35a1d47b7d5fbe0421a0c25ab23844ce3e146b318fdf7cfedeac96bf6f323c22

      SHA512

      c81093b2c4d04b8e10879276495e7de26f84000b1bb9998e88b5cb3549672ce1caaea058b4eb7b21d025f50f1915fcf9bf827cbac1d5831273a491a929ae285b

      Download Submit

    • C:\Windows\SysWOW64\Dhhnpjmh.exe
      Filesize

      337KB

      MD5

      31ae854200ce27a7d734cac102d570f5

      SHA1

      b91ef2d7dbc542cef1cf47d6d91ec112661dcb56

      SHA256

      bd2d2baaa8f7f2074743b0c51b1956528109a440e2d95bd4f9a55e41b2cc088c

      SHA512

      9f319f952c7efa22a55a86af78d2118820ac9509cce0ddbcd3a30221cd1b999826072a576ff3139f8dc005093f3e0a17d807fe21e25ea33877a73cca088effe1

      Download Submit

    • C:\Windows\SysWOW64\Dhocqigp.exe
      Filesize

      337KB

      MD5

      c79717d7b5397a845788bf3602bec116

      SHA1

      3c2ed68115833abbe47a121befe52092a90cefe1

      SHA256

      a6b09b6707dcd7acd7800db29794ee13d5bcc669ca4dc36972327370839ee842

      SHA512

      f3462ad93286d4327326a66ae54e2d8059a5bdea6609cda397ff0e9c678766ed729c9f2157fe1515a9778dc8ad1d2da3bfb3ebfa6a6f3f4522be8b1ff6eb6e79

      Download Submit

    • C:\Windows\SysWOW64\Dmcibama.exe
      Filesize

      337KB

      MD5

      cfdf8ab1ab9e095d920bc5a8fc818a82

      SHA1

      100fe97bf879667b50631098e7f1fc752461b069

      SHA256

      15128797d3c1921dfbb33288dbae178677e43ba7b4f5cc2ff51128b15cad0ba9

      SHA512

      d9ee002808bec5417aa5bd4f3e56c937091ee82b7d88cfaea69515049a3276bd15364142782903effac4dbdd429c929b33ec5c4566a637d4e78c57311e872dfb

      Download Submit

    • C:\Windows\SysWOW64\Dmjocp32.exe
      Filesize

      337KB

      MD5

      b421be8950ef2238c59330a4921d04f5

      SHA1

      763f72831496334983cb8fc025a34ad2720f3d08

      SHA256

      9b524400c7932c1bb1007559e169b028e4c34db44eb1a3aabdd066af59724468

      SHA512

      2af55b2277fd3b4d17e218e2520dd2a567d226256e0165476809aae684496d50f029a79661c863b715a96ed2301a9e435d273b3d7b5c078d53819f2e7385fb69

      Download Submit

    • C:\Windows\SysWOW64\Dmllipeg.exe
      Filesize

      337KB

      MD5

      ff97369aded66c85a1fc405a7350b78a

      SHA1

      ba649a2c01a17acb916cc53996dfc16e4bf21c72

      SHA256

      cc1fa71e85d1210d0b871a029985f9986fc4fd894aabef6b5d8e56152f97e66f

      SHA512

      cd1c29f2cac526d518fd380503804e38d7d568bee596cefafe24714d691922abcddd95fc6f63938c0224fbb7cb1a934ad19309229983c4f70b00cfd33c332407

      Download Submit

    • memory/432-112-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/432-125-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/668-96-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/668-128-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/1208-145-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/1208-24-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/1596-130-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/1596-89-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/1664-80-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/1664-132-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/1888-1-0x0000000000431000-0x0000000000432000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1888-0-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/1888-151-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/2740-17-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/2740-147-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/3436-64-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/3436-136-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/3580-72-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/3580-134-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/3636-126-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/3636-104-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/3964-40-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/3964-141-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/4548-8-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/4548-149-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/4732-56-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/4732-138-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/4768-143-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/4768-33-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/4820-48-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/4820-139-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/4864-120-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/4864-124-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download