Overview

overview

10

Static

static

3

f3254959d6...7b.exe

windows7-x64

10

f3254959d6...7b.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    23-11-2024 05:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f3254959d63b21da9350525057ee60f72c5cd8ce23a70ea3d7ee9e47a58fbf7b.exe

  • Size

    96KB

  • MD5

    e6008db18c36584ceb092b8dba66d86c

  • SHA1

    ad221be0c7ae21ddf4c0dc6c61435f685339873c

  • SHA256

    f3254959d63b21da9350525057ee60f72c5cd8ce23a70ea3d7ee9e47a58fbf7b

  • SHA512

    2c2edfa348f3831fb8842c969f610871e86f0c664fed7e024912f71edcbf8aff394b858faaa3f99ca42713724b405fca2441af6ce2c24dea96391f6b84889330

  • SSDEEP

    1536:wuvYf3glHWvDShDALS858nZQYBBE4BAPgnDNBrcN4i6tBYuR3PlNPMAZ:1vYfQ1EIDAT5iZ/BBE4BAPgxed6BYud9

Score
10/10
berbewbackdoordiscoverypersistence

Malware Config

Extracted

Family

berbew

C2

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

  • Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 12 IoCs
    persistence
  • Berbew

    Berbew is a backdoor written in C++.

    backdoorberbew
  • Berbew family
    berbew
  • Executes dropped EXE 6 IoCs
  • Loads dropped DLL 16 IoCs
  • Drops file in System32 directory 18 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 21 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f3254959d63b21da9350525057ee60f72c5cd8ce23a70ea3d7ee9e47a58fbf7b.exe
    "C:\Users\Admin\AppData\Local\Temp\f3254959d63b21da9350525057ee60f72c5cd8ce23a70ea3d7ee9e47a58fbf7b.exe"
    1⤵
    • Adds autorun key to be loaded by Explorer.exe on startup
    • Loads dropped DLL
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2784
    • C:\Windows\SysWOW64\Cpfaocal.exe
      C:\Windows\system32\Cpfaocal.exe
      2⤵
      • Adds autorun key to be loaded by Explorer.exe on startup
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:2704
      • C:\Windows\SysWOW64\Cgpjlnhh.exe
        C:\Windows\system32\Cgpjlnhh.exe
        3⤵
        • Adds autorun key to be loaded by Explorer.exe on startup
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:2956
        • C:\Windows\SysWOW64\Cklfll32.exe
          C:\Windows\system32\Cklfll32.exe
          4⤵
          • Adds autorun key to be loaded by Explorer.exe on startup
          • Executes dropped EXE
          • Loads dropped DLL
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          • Suspicious use of WriteProcessMemory
          PID:2620
          • C:\Windows\SysWOW64\Cddjebgb.exe
            C:\Windows\system32\Cddjebgb.exe
            5⤵
            • Adds autorun key to be loaded by Explorer.exe on startup
            • Executes dropped EXE
            • Loads dropped DLL
            • Drops file in System32 directory
            • System Location Discovery: System Language Discovery
            • Modifies registry class
            • Suspicious use of WriteProcessMemory
            PID:2648
            • C:\Windows\SysWOW64\Cbgjqo32.exe
              C:\Windows\system32\Cbgjqo32.exe
              6⤵
              • Adds autorun key to be loaded by Explorer.exe on startup
              • Executes dropped EXE
              • Loads dropped DLL
              • Drops file in System32 directory
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              • Suspicious use of WriteProcessMemory
              PID:604
              • C:\Windows\SysWOW64\Ceegmj32.exe
                C:\Windows\system32\Ceegmj32.exe
                7⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:292
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 292 -s 140
                  8⤵
                  • Loads dropped DLL
                  • Program crash
                  PID:3052

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\SysWOW64\Cddjebgb.exe
    Filesize

    96KB

    MD5

    5887a377fbbf4daa16934f55ed843f3a

    SHA1

    6e0a5ea3d5b0ad1243bfde3bca319880742d7790

    SHA256

    70e1f724b2bd02137ab77f64c7b9fe5b6417ab6b13224d6a97d2ac908bc8a47f

    SHA512

    c2a1e984e1c8e04cc91c96fceb78c7f168d3e5af41b2c2070a58e042e07e2df4db5715102e148f7726716900f9f901dc3a92b3ad67982b47c6ee41b1d40b691a

    Download Submit

  • C:\Windows\SysWOW64\Ceegmj32.exe
    Filesize

    96KB

    MD5

    9ef87fa897cdf1e37f2077fb97937da0

    SHA1

    44213fe9c03fce3d9fd0ae5490a266427c5f4b96

    SHA256

    331531ca1e88804d49e7610c44ea47572e731a78e891a372d4496479554a585b

    SHA512

    e5e460f246e1bddc451793b75e4d501f60a515ad5870b80c5f60c1f5cc1febdb078045896c427ce341dad709e8083584e2d5dc81a3e6a59094f8e277da640dd9

    Download Submit

  • C:\Windows\SysWOW64\Cgpjlnhh.exe
    Filesize

    96KB

    MD5

    bb067ab9189f15c9bda1d418c3f2f826

    SHA1

    965dc1432acec3655843b2bce179805edb29701d

    SHA256

    882570668a89b0db95dba808e92b4f9179ff3e8117cc76a1525cc09f29cd8374

    SHA512

    75dc4c02bb2265d0d4bdf44423199b7b63b4eea43b6532c0ed95a751ff0457a87f4ee8d232a65fa5aeff9dd6e935e96ce3cd5f1869929efb5403bfe81adb5c56

    Download Submit

  • C:\Windows\SysWOW64\Cklfll32.exe
    Filesize

    96KB

    MD5

    4a4e7c9a5e6b3e77b169d8aa1823e834

    SHA1

    28c84be1939f97c3a989327318beabb9817f8817

    SHA256

    b3e140b5f05b81db710902c36436e6ea1d7743152f6b6a0272ebfcde3310515e

    SHA512

    92ea1ac144c41fce14af3d0d7ad53a67c2a2e226e22cb5f39f58613ec0d969514d0f1039fac300800d95cd68ce31a7c9915202feab2acab7d19f0b0a15bfdb87

    Download Submit

  • C:\Windows\SysWOW64\Cpfaocal.exe
    Filesize

    96KB

    MD5

    77e1f9bf086fbe3c82620fd67afabc90

    SHA1

    3548fa0f6c325f9c697d490f6bc903846f44f711

    SHA256

    2747c6f3965f44cb10f5fd7417a9b9857976e2e7f9f610c68ce2b4650c42b0cd

    SHA512

    7ed79d78d35bcd60340800fcc561f8859c2e8b8f41b3f4c5d591c20132d0550924becf80605bad20c9124a3366e8051c45bb9994dd9497b7a357d075a3f9d478

    Download Submit

  • \Windows\SysWOW64\Cbgjqo32.exe
    Filesize

    96KB

    MD5

    eef43b52ab89c3e008bba53a1b4e18ec

    SHA1

    7577f28e607fd04777bb79a92018fb44eba48640

    SHA256

    c29dfac9e63c3fb9f05800a2eea19f3e2e7d7cdf1a3adf08bb528cc031280c2e

    SHA512

    02818652e1eb0b8900d960b810f7c635858bbca05a69cfba4d5279118efaab698c8de68a72d325304f2feb7e84e6e05978345a34a48d0bf06329bf319e7f5a13

    Download Submit

  • memory/292-90-0x0000000000400000-0x0000000000444000-memory.dmp

    Filesize

    272KB

    Download

  • memory/604-89-0x0000000000400000-0x0000000000444000-memory.dmp

    Filesize

    272KB

    Download

  • memory/604-74-0x0000000000250000-0x0000000000294000-memory.dmp

    Filesize

    272KB

    Download

  • memory/2620-48-0x0000000000250000-0x0000000000294000-memory.dmp

    Filesize

    272KB

    Download

  • memory/2620-85-0x0000000000400000-0x0000000000444000-memory.dmp

    Filesize

    272KB

    Download

  • memory/2648-84-0x0000000000400000-0x0000000000444000-memory.dmp

    Filesize

    272KB

    Download

  • memory/2648-61-0x00000000002D0000-0x0000000000314000-memory.dmp

    Filesize

    272KB

    Download

  • memory/2704-86-0x0000000000400000-0x0000000000444000-memory.dmp

    Filesize

    272KB

    Download

  • memory/2704-14-0x0000000000400000-0x0000000000444000-memory.dmp

    Filesize

    272KB

    Download

  • memory/2784-12-0x0000000000300000-0x0000000000344000-memory.dmp

    Filesize

    272KB

    Download

  • memory/2784-87-0x0000000000400000-0x0000000000444000-memory.dmp

    Filesize

    272KB

    Download

  • memory/2784-0-0x0000000000400000-0x0000000000444000-memory.dmp

    Filesize

    272KB

    Download

  • memory/2784-13-0x0000000000300000-0x0000000000344000-memory.dmp

    Filesize

    272KB

    Download

  • memory/2956-88-0x0000000000400000-0x0000000000444000-memory.dmp

    Filesize

    272KB

    Download

  • memory/2956-27-0x0000000000400000-0x0000000000444000-memory.dmp

    Filesize

    272KB

    Download

  • memory/2956-35-0x00000000002D0000-0x0000000000314000-memory.dmp

    Filesize

    272KB

    Download