Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

0832f97c73...0e.exe

windows7-x64

10

0832f97c73...0e.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    95s
  • max time network
    105s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23/11/2024, 02:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0832f97c730c64fc42df3b768564486cec9e637c225f042638a0e47b100c060e.exe

  • Size

    96KB

  • MD5

    d7388294fc29e17806c9140899059da1

  • SHA1

    189c330f4fa38425c75bf5574ecc839a4cad156b

  • SHA256

    0832f97c730c64fc42df3b768564486cec9e637c225f042638a0e47b100c060e

  • SHA512

    77bf69856644b04a7679818af5d604ab5eceeeda2d4a60c57f759a6ee37a960ece3959814cf593829df80e9fd833b195f808f64d1554ac32d1eaada9b2607812

  • SSDEEP

    1536:lAddaQqaSC2BlTj5PTYOXnd62Lv7RZObZUUWaegPYAG:lAdBedbZTYOXdHvClUUWae9

Score
10/10
berbewbackdoordiscoverypersistence

Malware Config

Extracted

Family

berbew

C2

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

  • Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 12 IoCs
    persistence
  • Berbew

    Berbew is a backdoor written in C++.

    backdoorberbew
  • Berbew family
    berbew
  • Executes dropped EXE 6 IoCs
  • Drops file in System32 directory 18 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 21 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0832f97c730c64fc42df3b768564486cec9e637c225f042638a0e47b100c060e.exe
    "C:\Users\Admin\AppData\Local\Temp\0832f97c730c64fc42df3b768564486cec9e637c225f042638a0e47b100c060e.exe"
    1⤵
    • Adds autorun key to be loaded by Explorer.exe on startup
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2104
    • C:\Windows\SysWOW64\Delnin32.exe
      C:\Windows\system32\Delnin32.exe
      2⤵
      • Adds autorun key to be loaded by Explorer.exe on startup
      • Executes dropped EXE
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:3724
      • C:\Windows\SysWOW64\Dfnjafap.exe
        C:\Windows\system32\Dfnjafap.exe
        3⤵
        • Adds autorun key to be loaded by Explorer.exe on startup
        • Executes dropped EXE
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:3512
        • C:\Windows\SysWOW64\Daconoae.exe
          C:\Windows\system32\Daconoae.exe
          4⤵
          • Adds autorun key to be loaded by Explorer.exe on startup
          • Executes dropped EXE
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          • Suspicious use of WriteProcessMemory
          PID:2244
          • C:\Windows\SysWOW64\Dogogcpo.exe
            C:\Windows\system32\Dogogcpo.exe
            5⤵
            • Adds autorun key to be loaded by Explorer.exe on startup
            • Executes dropped EXE
            • Drops file in System32 directory
            • System Location Discovery: System Language Discovery
            • Modifies registry class
            • Suspicious use of WriteProcessMemory
            PID:1676
            • C:\Windows\SysWOW64\Dgbdlf32.exe
              C:\Windows\system32\Dgbdlf32.exe
              6⤵
              • Adds autorun key to be loaded by Explorer.exe on startup
              • Executes dropped EXE
              • Drops file in System32 directory
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              • Suspicious use of WriteProcessMemory
              PID:920
              • C:\Windows\SysWOW64\Dmllipeg.exe
                C:\Windows\system32\Dmllipeg.exe
                7⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                PID:764
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 764 -s 404
                  8⤵
                  • Program crash
                  PID:2732
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 764 -ip 764
    1⤵
      PID:3956

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Windows\SysWOW64\Daconoae.exe
      Filesize

      96KB

      MD5

      b9909e23386206ee1da89d9f46e54d5b

      SHA1

      4ead52e850c0213dc55f660c1c59c9331c54b614

      SHA256

      e2e830ebb86694422132d62bb25f36be7f9a6cb9ae2e088253b7a8c017a8dbc6

      SHA512

      02c9125860725934f8c1355bca93e7fcbf3270559889e8511f107e1867cdfff34146b4c9423ee9b7b3b180e8250260df0f75c50182b11b62ea83b33a39a315e8

      Download Submit

    • C:\Windows\SysWOW64\Delnin32.exe
      Filesize

      96KB

      MD5

      89b4546bac2330155176550d9a6c8403

      SHA1

      f9a921a1733ff98ac39fcb978395647d69df6fdf

      SHA256

      d9f285bd344f6b0d56ad8cb4702c3b126a275cc308cae114cf4251aee385ef6e

      SHA512

      c20c081a34a7528ed96a5a953f27499503f976ca65541d2f4c409b31428d1462786b683ed969557a14946be950b955b7819e2aa1549d504edb689b3d404373ae

      Download Submit

    • C:\Windows\SysWOW64\Dfnjafap.exe
      Filesize

      96KB

      MD5

      9beae04192543394b9ad84b5f0ce84de

      SHA1

      f556e4d8b2ad2b6b38d62e6d1e11bc0b381d7b32

      SHA256

      63aaf4b22f33c2e475d021421e69d49a469c1a188d8f2b8591714284c526766a

      SHA512

      ae3386282bcbe39d6d556125cf526a22084b850af6470f8ea34502b535c27cc563b1d499b56741437454390a11459e0dc654dba938165a0266a9076f76985e33

      Download Submit

    • C:\Windows\SysWOW64\Dgbdlf32.exe
      Filesize

      96KB

      MD5

      3f73414e02e9aef4ad2687bd49764815

      SHA1

      861c9403f0c08810e20a749cafaf391c59340e47

      SHA256

      0295a9843c4e339d9538fabb6539c8ae250c303f31e717d6311279bb04763a5a

      SHA512

      d0d51a5349e109f61968728f26ae23be49c36d9603cf1c9fd7589080a412790ab158c083702a264d7362e806156c8a0097806a7c152d29211c2802a0f41017d6

      Download Submit

    • C:\Windows\SysWOW64\Dmllipeg.exe
      Filesize

      96KB

      MD5

      37e4711345260ca42d1ce37748535aa1

      SHA1

      0c326d63cc62aae3a4300bc55c478e000a01d51e

      SHA256

      619ccc17251afac018146c6425e99ec3e22128ff276412d7332a81cc3b77ea71

      SHA512

      ad9152dbc3a975182818a8af3b7e453d76a6351e0b24d730745cd86b14021b69603be2ead4d8c6c053c5bd42c3ad07d6a5e4609253ef1539c935ec1f4cfb98f3

      Download Submit

    • C:\Windows\SysWOW64\Dogogcpo.exe
      Filesize

      96KB

      MD5

      4258add3cdeab9daec60ff843f881028

      SHA1

      4d1faafd0cea04cef76b42961a4195c3ad99adcc

      SHA256

      43f204365e01c72c8e5d93680e2faae6556e070812cef5353efbf9ab20832cb9

      SHA512

      ced99bb839a91e5e28aa8ed61f7aa502a743cf5258b0cf4c625d1a5e74f83371cccc16ecc0cf4608c14cabc2c49c119020f33609302b1c0617da9a06d711fabf

      Download Submit

    • memory/764-52-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/764-48-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/920-53-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/920-40-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/1676-55-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/1676-32-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/2104-63-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/2104-0-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/2104-1-0x0000000000431000-0x0000000000432000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2244-24-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/2244-57-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/3512-59-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/3512-16-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/3724-61-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download

    • memory/3724-9-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

      Download