berbew | cecc53554728223ec93221bd90a27c72d768f4f6edfca24294ac42989b09ca7b

General

Target

cecc53554728223ec93221bd90a27c72d768f4f6edfca24294ac42989b09ca7b.exe
Size

93KB
MD5

ce22144f92af71f8c487e6a5fb6a6eed
SHA1

dec5ec7c57d5dd7f64c6b6461d8580ce433e2a62
SHA256

cecc53554728223ec93221bd90a27c72d768f4f6edfca24294ac42989b09ca7b
SHA512

14699699f21f3c5b0663f17a74b2b7ef7abf821f6fc7f048da61e9efd588e5618d0b0b4cfd92107d3834957c649337cac64b156c445e54ca74069a90a5733adb
SSDEEP

1536:u5E7AGB6omjcx2ig2GrzuCNf8O7GnL3qYYqcsRQtRkRLJzeLD9N0iQGRNQR8RyVP:QEbmjAgtrzucDCL3JetSJdEN0s4WE+3e

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	cecc53554728223ec93221bd90a27c72d768f4f6edfca24294ac42989b09ca7b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	cecc53554728223ec93221bd90a27c72d768f4f6edfca24294ac42989b09ca7b.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Niikceid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Niikceid.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 2 IoCs

pid	Process
2688	Niikceid.exe
1948	Nlhgoqhh.exe

Loads dropped DLL 8 IoCs

pid	Process
2696	cecc53554728223ec93221bd90a27c72d768f4f6edfca24294ac42989b09ca7b.exe
2696	cecc53554728223ec93221bd90a27c72d768f4f6edfca24294ac42989b09ca7b.exe
2688	Niikceid.exe
2688	Niikceid.exe
1976	WerFault.exe
1976	WerFault.exe
1976	WerFault.exe
1976	WerFault.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Dnlbnp32.dll	cecc53554728223ec93221bd90a27c72d768f4f6edfca24294ac42989b09ca7b.exe
File created	C:\Windows\SysWOW64\Nlhgoqhh.exe	Niikceid.exe
File opened for modification	C:\Windows\SysWOW64\Nlhgoqhh.exe	Niikceid.exe
File created	C:\Windows\SysWOW64\Lamajm32.dll	Niikceid.exe
File created	C:\Windows\SysWOW64\Niikceid.exe	cecc53554728223ec93221bd90a27c72d768f4f6edfca24294ac42989b09ca7b.exe
File opened for modification	C:\Windows\SysWOW64\Niikceid.exe	cecc53554728223ec93221bd90a27c72d768f4f6edfca24294ac42989b09ca7b.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1976	1948	WerFault.exe	31

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlhgoqhh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cecc53554728223ec93221bd90a27c72d768f4f6edfca24294ac42989b09ca7b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Niikceid.exe

Modifies registry class 9 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lamajm32.dll"	Niikceid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Niikceid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	cecc53554728223ec93221bd90a27c72d768f4f6edfca24294ac42989b09ca7b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnlbnp32.dll"	cecc53554728223ec93221bd90a27c72d768f4f6edfca24294ac42989b09ca7b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	cecc53554728223ec93221bd90a27c72d768f4f6edfca24294ac42989b09ca7b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Niikceid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	cecc53554728223ec93221bd90a27c72d768f4f6edfca24294ac42989b09ca7b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	cecc53554728223ec93221bd90a27c72d768f4f6edfca24294ac42989b09ca7b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	cecc53554728223ec93221bd90a27c72d768f4f6edfca24294ac42989b09ca7b.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2696 wrote to memory of 2688	2696	cecc53554728223ec93221bd90a27c72d768f4f6edfca24294ac42989b09ca7b.exe	30
PID 2696 wrote to memory of 2688	2696	cecc53554728223ec93221bd90a27c72d768f4f6edfca24294ac42989b09ca7b.exe	30
PID 2696 wrote to memory of 2688	2696	cecc53554728223ec93221bd90a27c72d768f4f6edfca24294ac42989b09ca7b.exe	30
PID 2696 wrote to memory of 2688	2696	cecc53554728223ec93221bd90a27c72d768f4f6edfca24294ac42989b09ca7b.exe	30
PID 2688 wrote to memory of 1948	2688	Niikceid.exe	31
PID 2688 wrote to memory of 1948	2688	Niikceid.exe	31
PID 2688 wrote to memory of 1948	2688	Niikceid.exe	31
PID 2688 wrote to memory of 1948	2688	Niikceid.exe	31
PID 1948 wrote to memory of 1976	1948	Nlhgoqhh.exe	32
PID 1948 wrote to memory of 1976	1948	Nlhgoqhh.exe	32
PID 1948 wrote to memory of 1976	1948	Nlhgoqhh.exe	32
PID 1948 wrote to memory of 1976	1948	Nlhgoqhh.exe	32

C:\Users\Admin\AppData\Local\Temp\cecc53554728223ec93221bd90a27c72d768f4f6edfca24294ac42989b09ca7b.exe
"C:\Users\Admin\AppData\Local\Temp\cecc53554728223ec93221bd90a27c72d768f4f6edfca24294ac42989b09ca7b.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2696
- C:\Windows\SysWOW64\Niikceid.exe
  C:\Windows\system32\Niikceid.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2688
- - C:\Windows\SysWOW64\Nlhgoqhh.exe
    C:\Windows\system32\Nlhgoqhh.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1948
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1948 -s 140
      4⤵
      Loads dropped DLL
      Program crash
      PID:1976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Niikceid.exe

Filesize
93KB

MD5
ddc7023d162812ce51e9353884bb1037

SHA1
5d5f980df7b4601845c9b148f9197708b6cbfc11

SHA256
8a0bcb31cf223a47442360bcb3ddea9452162d1446b1b04a8f4d2781d6f86405

SHA512
ad478bc2f063bb48d87e337dc5327c07415d0857d4d35ca61ba9cbd49da30da914dd7454a68c07036d95ffcd7a85fb313450748a61a343e1206fd81fee243082

Download Submit
C:\Windows\SysWOW64\Nlhgoqhh.exe

Filesize
93KB

MD5
6b920978757aa8787a3d272edee877de

SHA1
e0e411ead1bce4d3a9873d8b3dcd7e5dc9585ccf

SHA256
8e3b0b73dcdbeb6d034bf09f63633a489ad5547a599b5967664fe7b65dafc0b0

SHA512
01cce40b1ebe2df1ff40ffc8fd765c95005af762fcd2ebce459ff4a9ddc0cb27db6066f77e0713ab41b11c8ee0640a1d2c9a17cb01b02449b88a8fbab23c1c64

Download Submit
memory/1948-26-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1948-33-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2688-13-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2688-32-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2696-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2696-12-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2696-31-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads