Analysis
-
max time kernel
95s -
max time network
97s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
23-11-2024 06:28
General
-
Target
c30fe8707a57eb46869fd779831504c333fb480663976ccb2448fa51b25e6610N.exe
-
Size
94KB
-
MD5
acd35bfdd151e4ca5381a0a7bf7df050
-
SHA1
137bebfe292190f3067a51652132afa1eabd2b44
-
SHA256
c30fe8707a57eb46869fd779831504c333fb480663976ccb2448fa51b25e6610
-
SHA512
947ae6d1b7ec2618ca85139202a52102ab85e0cc6e901e0254a63a80afb859e3a18ec643e7ede3be60a72eca6a11de610baf0a9665013f6ba9c7c8f129c465f5
-
SSDEEP
1536:l0WjgU/mYUDyhgX78b75j2TrCG4V6l5dbZm7BR9L4DT2EnINU:ljjgkBLyr8bATrCGB5dbZm6+o5
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
-
Berbew
Berbew is a backdoor written in C++.
-
Berbew family
-
Executes dropped EXE 64 IoCs
-
Drops file in System32 directory 64 IoCs
-
Program crash 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies registry class 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\c30fe8707a57eb46869fd779831504c333fb480663976ccb2448fa51b25e6610N.exe"C:\Users\Admin\AppData\Local\Temp\c30fe8707a57eb46869fd779831504c333fb480663976ccb2448fa51b25e6610N.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Lfkaag32.exeC:\Windows\system32\Lfkaag32.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Liimncmf.exeC:\Windows\system32\Liimncmf.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Llgjjnlj.exeC:\Windows\system32\Llgjjnlj.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Ldoaklml.exeC:\Windows\system32\Ldoaklml.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Lepncd32.exeC:\Windows\system32\Lepncd32.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Lljfpnjg.exeC:\Windows\system32\Lljfpnjg.exe7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Lbdolh32.exeC:\Windows\system32\Lbdolh32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Lingibiq.exeC:\Windows\system32\Lingibiq.exe9⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Lllcen32.exeC:\Windows\system32\Lllcen32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Mbfkbhpa.exeC:\Windows\system32\Mbfkbhpa.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Medgncoe.exeC:\Windows\system32\Medgncoe.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Mipcob32.exeC:\Windows\system32\Mipcob32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Mlopkm32.exeC:\Windows\system32\Mlopkm32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Mdehlk32.exeC:\Windows\system32\Mdehlk32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Mgddhf32.exeC:\Windows\system32\Mgddhf32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Mibpda32.exeC:\Windows\system32\Mibpda32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Mlampmdo.exeC:\Windows\system32\Mlampmdo.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Mplhql32.exeC:\Windows\system32\Mplhql32.exe19⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Mckemg32.exeC:\Windows\system32\Mckemg32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Meiaib32.exeC:\Windows\system32\Meiaib32.exe21⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Mmpijp32.exeC:\Windows\system32\Mmpijp32.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Mpoefk32.exeC:\Windows\system32\Mpoefk32.exe23⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Mcmabg32.exeC:\Windows\system32\Mcmabg32.exe24⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\Melnob32.exeC:\Windows\system32\Melnob32.exe25⤵
- Executes dropped EXE
- Modifies registry class
-
C:\Windows\SysWOW64\Mmbfpp32.exeC:\Windows\system32\Mmbfpp32.exe26⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Mlefklpj.exeC:\Windows\system32\Mlefklpj.exe27⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Mcpnhfhf.exeC:\Windows\system32\Mcpnhfhf.exe28⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Menjdbgj.exeC:\Windows\system32\Menjdbgj.exe29⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Mnebeogl.exeC:\Windows\system32\Mnebeogl.exe30⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Npcoakfp.exeC:\Windows\system32\Npcoakfp.exe31⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Ndokbi32.exeC:\Windows\system32\Ndokbi32.exe32⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Ngmgne32.exeC:\Windows\system32\Ngmgne32.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
-
C:\Windows\SysWOW64\Nepgjaeg.exeC:\Windows\system32\Nepgjaeg.exe34⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Nngokoej.exeC:\Windows\system32\Nngokoej.exe35⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Nljofl32.exeC:\Windows\system32\Nljofl32.exe36⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Ndaggimg.exeC:\Windows\system32\Ndaggimg.exe37⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Ngpccdlj.exeC:\Windows\system32\Ngpccdlj.exe38⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Nebdoa32.exeC:\Windows\system32\Nebdoa32.exe39⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Njnpppkn.exeC:\Windows\system32\Njnpppkn.exe40⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\Nlmllkja.exeC:\Windows\system32\Nlmllkja.exe41⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Ndcdmikd.exeC:\Windows\system32\Ndcdmikd.exe42⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Ngbpidjh.exeC:\Windows\system32\Ngbpidjh.exe43⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Njqmepik.exeC:\Windows\system32\Njqmepik.exe44⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Nloiakho.exeC:\Windows\system32\Nloiakho.exe45⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Ncianepl.exeC:\Windows\system32\Ncianepl.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Njciko32.exeC:\Windows\system32\Njciko32.exe47⤵
- Executes dropped EXE
- Modifies registry class
-
C:\Windows\SysWOW64\Nnneknob.exeC:\Windows\system32\Nnneknob.exe48⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Npmagine.exeC:\Windows\system32\Npmagine.exe49⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Nckndeni.exeC:\Windows\system32\Nckndeni.exe50⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Nfjjppmm.exeC:\Windows\system32\Nfjjppmm.exe51⤵
- Executes dropped EXE
- Modifies registry class
-
C:\Windows\SysWOW64\Njefqo32.exeC:\Windows\system32\Njefqo32.exe52⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Nnqbanmo.exeC:\Windows\system32\Nnqbanmo.exe53⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Odkjng32.exeC:\Windows\system32\Odkjng32.exe54⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Ogifjcdp.exeC:\Windows\system32\Ogifjcdp.exe55⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Oflgep32.exeC:\Windows\system32\Oflgep32.exe56⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Oncofm32.exeC:\Windows\system32\Oncofm32.exe57⤵
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Olfobjbg.exeC:\Windows\system32\Olfobjbg.exe58⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\Odmgcgbi.exeC:\Windows\system32\Odmgcgbi.exe59⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\Ogkcpbam.exeC:\Windows\system32\Ogkcpbam.exe60⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Ojjolnaq.exeC:\Windows\system32\Ojjolnaq.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Oneklm32.exeC:\Windows\system32\Oneklm32.exe62⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Opdghh32.exeC:\Windows\system32\Opdghh32.exe63⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Ocbddc32.exeC:\Windows\system32\Ocbddc32.exe64⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Ojllan32.exeC:\Windows\system32\Ojllan32.exe65⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Ogpmjb32.exeC:\Windows\system32\Ogpmjb32.exe66⤵
-
C:\Windows\SysWOW64\Ojoign32.exeC:\Windows\system32\Ojoign32.exe67⤵
-
C:\Windows\SysWOW64\Ogbipa32.exeC:\Windows\system32\Ogbipa32.exe68⤵
-
C:\Windows\SysWOW64\Ojaelm32.exeC:\Windows\system32\Ojaelm32.exe69⤵
-
C:\Windows\SysWOW64\Pgefeajb.exeC:\Windows\system32\Pgefeajb.exe70⤵
-
C:\Windows\SysWOW64\Pfjcgn32.exeC:\Windows\system32\Pfjcgn32.exe71⤵
-
C:\Windows\SysWOW64\Pjeoglgc.exeC:\Windows\system32\Pjeoglgc.exe72⤵
-
C:\Windows\SysWOW64\Pmfhig32.exeC:\Windows\system32\Pmfhig32.exe73⤵
-
C:\Windows\SysWOW64\Pnfdcjkg.exeC:\Windows\system32\Pnfdcjkg.exe74⤵
-
C:\Windows\SysWOW64\Pjmehkqk.exeC:\Windows\system32\Pjmehkqk.exe75⤵
-
C:\Windows\SysWOW64\Qnhahj32.exeC:\Windows\system32\Qnhahj32.exe76⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
-
C:\Windows\SysWOW64\Ajanck32.exeC:\Windows\system32\Ajanck32.exe77⤵
-
C:\Windows\SysWOW64\Afhohlbj.exeC:\Windows\system32\Afhohlbj.exe78⤵
-
C:\Windows\SysWOW64\Aqncedbp.exeC:\Windows\system32\Aqncedbp.exe79⤵
-
C:\Windows\SysWOW64\Ajfhnjhq.exeC:\Windows\system32\Ajfhnjhq.exe80⤵
-
C:\Windows\SysWOW64\Aqppkd32.exeC:\Windows\system32\Aqppkd32.exe81⤵
- Modifies registry class
-
C:\Windows\SysWOW64\Afmhck32.exeC:\Windows\system32\Afmhck32.exe82⤵
-
C:\Windows\SysWOW64\Amgapeea.exeC:\Windows\system32\Amgapeea.exe83⤵
-
C:\Windows\SysWOW64\Aglemn32.exeC:\Windows\system32\Aglemn32.exe84⤵
-
C:\Windows\SysWOW64\Aadifclh.exeC:\Windows\system32\Aadifclh.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
-
C:\Windows\SysWOW64\Bnhjohkb.exeC:\Windows\system32\Bnhjohkb.exe86⤵
-
C:\Windows\SysWOW64\Bebblb32.exeC:\Windows\system32\Bebblb32.exe87⤵
-
C:\Windows\SysWOW64\Bjokdipf.exeC:\Windows\system32\Bjokdipf.exe88⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Bchomn32.exeC:\Windows\system32\Bchomn32.exe89⤵
-
C:\Windows\SysWOW64\Bjagjhnc.exeC:\Windows\system32\Bjagjhnc.exe90⤵
-
C:\Windows\SysWOW64\Balpgb32.exeC:\Windows\system32\Balpgb32.exe91⤵
-
C:\Windows\SysWOW64\Bcjlcn32.exeC:\Windows\system32\Bcjlcn32.exe92⤵
-
C:\Windows\SysWOW64\Bnpppgdj.exeC:\Windows\system32\Bnpppgdj.exe93⤵
-
C:\Windows\SysWOW64\Bclhhnca.exeC:\Windows\system32\Bclhhnca.exe94⤵
-
C:\Windows\SysWOW64\Cjinkg32.exeC:\Windows\system32\Cjinkg32.exe95⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Cfpnph32.exeC:\Windows\system32\Cfpnph32.exe96⤵
-
C:\Windows\SysWOW64\Cmiflbel.exeC:\Windows\system32\Cmiflbel.exe97⤵
-
C:\Windows\SysWOW64\Chokikeb.exeC:\Windows\system32\Chokikeb.exe98⤵
-
C:\Windows\SysWOW64\Cnicfe32.exeC:\Windows\system32\Cnicfe32.exe99⤵
-
C:\Windows\SysWOW64\Chagok32.exeC:\Windows\system32\Chagok32.exe100⤵
- Modifies registry class
-
C:\Windows\SysWOW64\Cnkplejl.exeC:\Windows\system32\Cnkplejl.exe101⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Cajlhqjp.exeC:\Windows\system32\Cajlhqjp.exe102⤵
-
C:\Windows\SysWOW64\Chcddk32.exeC:\Windows\system32\Chcddk32.exe103⤵
-
C:\Windows\SysWOW64\Cffdpghg.exeC:\Windows\system32\Cffdpghg.exe104⤵
-
C:\Windows\SysWOW64\Cmqmma32.exeC:\Windows\system32\Cmqmma32.exe105⤵
-
C:\Windows\SysWOW64\Dhfajjoj.exeC:\Windows\system32\Dhfajjoj.exe106⤵
-
C:\Windows\SysWOW64\Djdmffnn.exeC:\Windows\system32\Djdmffnn.exe107⤵
-
C:\Windows\SysWOW64\Dmcibama.exeC:\Windows\system32\Dmcibama.exe108⤵
-
C:\Windows\SysWOW64\Danecp32.exeC:\Windows\system32\Danecp32.exe109⤵
-
C:\Windows\SysWOW64\Ddmaok32.exeC:\Windows\system32\Ddmaok32.exe110⤵
- Modifies registry class
-
C:\Windows\SysWOW64\Dhhnpjmh.exeC:\Windows\system32\Dhhnpjmh.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
-
C:\Windows\SysWOW64\Djgjlelk.exeC:\Windows\system32\Djgjlelk.exe112⤵
-
C:\Windows\SysWOW64\Dmefhako.exeC:\Windows\system32\Dmefhako.exe113⤵
-
C:\Windows\SysWOW64\Delnin32.exeC:\Windows\system32\Delnin32.exe114⤵
-
C:\Windows\SysWOW64\Dhkjej32.exeC:\Windows\system32\Dhkjej32.exe115⤵
-
C:\Windows\SysWOW64\Dkifae32.exeC:\Windows\system32\Dkifae32.exe116⤵
-
C:\Windows\SysWOW64\Dmgbnq32.exeC:\Windows\system32\Dmgbnq32.exe117⤵
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\Deokon32.exeC:\Windows\system32\Deokon32.exe118⤵
-
C:\Windows\SysWOW64\Dhmgki32.exeC:\Windows\system32\Dhmgki32.exe119⤵
-
C:\Windows\SysWOW64\Dkkcge32.exeC:\Windows\system32\Dkkcge32.exe120⤵
-
C:\Windows\SysWOW64\Dmjocp32.exeC:\Windows\system32\Dmjocp32.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-