berbew | b05d58f29d55b239811b21c9a4bb9aa5cdbd0c60bdb7fac213490466f8fd0440

General

Target

b05d58f29d55b239811b21c9a4bb9aa5cdbd0c60bdb7fac213490466f8fd0440.exe
Size

844KB
MD5

d14fe515ac440987f89411f798eab847
SHA1

b485628572c6a26cd3f20b31dcb8bee265923003
SHA256

b05d58f29d55b239811b21c9a4bb9aa5cdbd0c60bdb7fac213490466f8fd0440
SHA512

0aa36545e7649121d81011fc1909533a5cdad62a33b16429039191a1e66feb6cb8b3b6769fc354b22f5b3b739f7bc6eecd13b6de81cbf388c2e13a3615962256
SSDEEP

24576:/uhH5W3TnbQihMpQnqrdX72LbY6x46uR/qYglMi:/MH5W3TbQihw+cdX2x46uhqllMi

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

C2

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daqbip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	b05d58f29d55b239811b21c9a4bb9aa5cdbd0c60bdb7fac213490466f8fd0440.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Daqbip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	b05d58f29d55b239811b21c9a4bb9aa5cdbd0c60bdb7fac213490466f8fd0440.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dfiafg32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 5 IoCs

pid	Process
1072	Dfiafg32.exe
2864	Daqbip32.exe
4404	Ddonekbl.exe
2736	Dknpmdfc.exe
5004	Dmllipeg.exe

Drops file in System32 directory 15 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Daqbip32.exe	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Dknpmdfc.exe	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Dfiafg32.exe	b05d58f29d55b239811b21c9a4bb9aa5cdbd0c60bdb7fac213490466f8fd0440.exe
File created	C:\Windows\SysWOW64\Kkmjgool.dll	b05d58f29d55b239811b21c9a4bb9aa5cdbd0c60bdb7fac213490466f8fd0440.exe
File created	C:\Windows\SysWOW64\Nokpao32.dll	Ddonekbl.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Daqbip32.exe	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Ddonekbl.exe	Daqbip32.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Mjelcfha.dll	Daqbip32.exe
File opened for modification	C:\Windows\SysWOW64\Dknpmdfc.exe	Ddonekbl.exe
File opened for modification	C:\Windows\SysWOW64\Ddonekbl.exe	Daqbip32.exe
File opened for modification	C:\Windows\SysWOW64\Dfiafg32.exe	b05d58f29d55b239811b21c9a4bb9aa5cdbd0c60bdb7fac213490466f8fd0440.exe
File created	C:\Windows\SysWOW64\Jdipdgch.dll	Dfiafg32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2356	5004	WerFault.exe	87

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b05d58f29d55b239811b21c9a4bb9aa5cdbd0c60bdb7fac213490466f8fd0440.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiafg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe

Modifies registry class 18 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	b05d58f29d55b239811b21c9a4bb9aa5cdbd0c60bdb7fac213490466f8fd0440.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdipdgch.dll"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Daqbip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	b05d58f29d55b239811b21c9a4bb9aa5cdbd0c60bdb7fac213490466f8fd0440.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkmjgool.dll"	b05d58f29d55b239811b21c9a4bb9aa5cdbd0c60bdb7fac213490466f8fd0440.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokpao32.dll"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	b05d58f29d55b239811b21c9a4bb9aa5cdbd0c60bdb7fac213490466f8fd0440.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjelcfha.dll"	Daqbip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	b05d58f29d55b239811b21c9a4bb9aa5cdbd0c60bdb7fac213490466f8fd0440.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	b05d58f29d55b239811b21c9a4bb9aa5cdbd0c60bdb7fac213490466f8fd0440.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dfiafg32.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1352 wrote to memory of 1072	1352	b05d58f29d55b239811b21c9a4bb9aa5cdbd0c60bdb7fac213490466f8fd0440.exe	83
PID 1352 wrote to memory of 1072	1352	b05d58f29d55b239811b21c9a4bb9aa5cdbd0c60bdb7fac213490466f8fd0440.exe	83
PID 1352 wrote to memory of 1072	1352	b05d58f29d55b239811b21c9a4bb9aa5cdbd0c60bdb7fac213490466f8fd0440.exe	83
PID 1072 wrote to memory of 2864	1072	Dfiafg32.exe	84
PID 1072 wrote to memory of 2864	1072	Dfiafg32.exe	84
PID 1072 wrote to memory of 2864	1072	Dfiafg32.exe	84
PID 2864 wrote to memory of 4404	2864	Daqbip32.exe	85
PID 2864 wrote to memory of 4404	2864	Daqbip32.exe	85
PID 2864 wrote to memory of 4404	2864	Daqbip32.exe	85
PID 4404 wrote to memory of 2736	4404	Ddonekbl.exe	86
PID 4404 wrote to memory of 2736	4404	Ddonekbl.exe	86
PID 4404 wrote to memory of 2736	4404	Ddonekbl.exe	86
PID 2736 wrote to memory of 5004	2736	Dknpmdfc.exe	87
PID 2736 wrote to memory of 5004	2736	Dknpmdfc.exe	87
PID 2736 wrote to memory of 5004	2736	Dknpmdfc.exe	87

C:\Users\Admin\AppData\Local\Temp\b05d58f29d55b239811b21c9a4bb9aa5cdbd0c60bdb7fac213490466f8fd0440.exe
"C:\Users\Admin\AppData\Local\Temp\b05d58f29d55b239811b21c9a4bb9aa5cdbd0c60bdb7fac213490466f8fd0440.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1352
- C:\Windows\SysWOW64\Dfiafg32.exe
  C:\Windows\system32\Dfiafg32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1072
- - C:\Windows\SysWOW64\Daqbip32.exe
    C:\Windows\system32\Daqbip32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2864
  - - C:\Windows\SysWOW64\Ddonekbl.exe
      C:\Windows\system32\Ddonekbl.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4404
    - - C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2736
      - C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5004
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5004 -s 408
        7⤵
        Program crash
        
        PID:2356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 5004 -ip 5004
1⤵
PID:2152

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Daqbip32.exe

Filesize
844KB

MD5
ac20183e076d4e5a947d04612bb9c208

SHA1
50d140c8eb5495c9e07e322231e7c47e0f76fd4e

SHA256
6b9aefd4796d5e90c1b19a848cdc94794227b771b0c64544681f291bc7025199

SHA512
b1960c3be8367ceb9a26084dc32d47d38f17b42f2d438746ed3f8d509d7790785695a9ee78527cf6b26767a808d9042458c34c2594e483d3ca70df488d1948e4

Download Submit
C:\Windows\SysWOW64\Ddonekbl.exe

Filesize
844KB

MD5
58993bcdd613495713c4072a19f1a952

SHA1
72078b79f122508b7658b0b0c81483a56dcbbb21

SHA256
d829debaa7207eafe507a318e19d1ee11305a5f2c2f47b8dd2d78db435d6370f

SHA512
74432bf26099f629e2cbb121853e73bfda9e1e2e616e3319188894bb66eb2f1b60144d063edc709b5c56b410e54b7c89f428e2e989642d2af70e08df61a37e34

Download Submit
C:\Windows\SysWOW64\Dfiafg32.exe

Filesize
844KB

MD5
b432e55e31a8ff4abf3a658478c0dc41

SHA1
9e02a17cddf88954ba0b0176d42332ab8b77ca16

SHA256
5761966b5c5b5bfcc61b41f452e43ee3f8e9da73cf1a0abcaa81ba74cd762667

SHA512
3557a964f985f64b50f7205951fd23766e7f997ded2ffa0bee3cae8395ff6087dd4fce2567a5f70c2d9d95a353ee3aa61c7cf7f50310c67a05dda42b68a4b180

Download Submit
C:\Windows\SysWOW64\Dknpmdfc.exe

Filesize
844KB

MD5
a0910228e9578bd74e48616d5e611bad

SHA1
bd6aeb71076f8629d9937ecdfd6a8d1bc3bd29b4

SHA256
095acdb2763bb95cd64be7d41d0cb72b9065698b7e543e827f8c191d07ddb882

SHA512
69d99a6f6e450f9e692a64c127ceebf0e3339c703829a4249437cfeb7e936675462f03a5d3ae43fb365f8eec312a377c5653cb7d95dfa78e08d802aa8844371b

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
844KB

MD5
0dce094a0426d645c5f8b0246c3e99da

SHA1
e9645cfb2889f99e6b6bd58c62423cabfe8f6871

SHA256
3933b0515ee4773ea0bbab515e353b5032ae45a8e0a9b2e1bb106a6a1c97f374

SHA512
00b6b32b6d7448a85c2a0e9546759b3a1aed9e5120f679a53221217a519dcc0104e815b1bb1334332ad43dc42b77520e5ae71005526dbf71be77e86f9c0a7883

Download Submit
C:\Windows\SysWOW64\Kngpec32.dll

Filesize
7KB

MD5
da4b16385aaa6bfd11d3e70bcd5b713b

SHA1
de27af28748580c1194da39830eb2701e8e6bcb8

SHA256
771c2b98fc607b5ceb9bc70f4e90ae9703d5febbf56c0ac2ef5b34afbe1b8c31

SHA512
2723cbae26eeae35f8e664ec480f78392d82e66a8c17eab3ae32e8c7208b14fc5536ae999b9e15e61a004c90914d84f56b384632a224a7cb053cc08af3438cbe

Download Submit
memory/1072-7-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1072-43-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1352-0-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1352-45-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2736-36-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2864-20-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2864-44-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4404-42-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4404-23-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5004-40-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5004-41-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads