berbew | b32883de9563d0e41569f9f175fcf18ed77d3be071b5d628088bec89eacccd7b

General

Target

b32883de9563d0e41569f9f175fcf18ed77d3be071b5d628088bec89eacccd7b.exe
Size

192KB
MD5

4098d005b1f711e6eab197d727362dc5
SHA1

fc8c3960f29639022795a6e90d24e1920c1fe753
SHA256

b32883de9563d0e41569f9f175fcf18ed77d3be071b5d628088bec89eacccd7b
SHA512

ce63f23df1464fa3875e3a5a8f279641ec241bdd417e8ebbcf9be31a2c14b37e81e733706a9d9509c3e8919b28dfc14224138c1d85ad165695b4781fa5d84ee9
SSDEEP

3072:5cNfLE24ho1mtye3lFDrFDHZtO8jJkiUi8ChpBhx5Zd424hoc:5OLpsFj5tPNki9HZdc

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

C2

http://tat-neftbank.ru/kkq.php

http://tat-neftbank.ru/wcmd.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

b32883de9563d0e41569f9f175fcf18ed77d3be071b5d628088bec89eacccd7b.exeCcjoli32.exeDjdgic32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	b32883de9563d0e41569f9f175fcf18ed77d3be071b5d628088bec89eacccd7b.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ccjoli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ccjoli32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djdgic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djdgic32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	b32883de9563d0e41569f9f175fcf18ed77d3be071b5d628088bec89eacccd7b.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew
Executes dropped EXE 3 IoCs

Processes:

Ccjoli32.exeDjdgic32.exeDpapaj32.exe

pid process

2852 Ccjoli32.exe
2568 Djdgic32.exe
2912 Dpapaj32.exe

pid	process
2852	Ccjoli32.exe
2568	Djdgic32.exe
2912	Dpapaj32.exe

Loads dropped DLL 9 IoCs

Processes:

b32883de9563d0e41569f9f175fcf18ed77d3be071b5d628088bec89eacccd7b.exeCcjoli32.exeDjdgic32.exeWerFault.exe

pid	process
2708	b32883de9563d0e41569f9f175fcf18ed77d3be071b5d628088bec89eacccd7b.exe
2708	b32883de9563d0e41569f9f175fcf18ed77d3be071b5d628088bec89eacccd7b.exe
2852	Ccjoli32.exe
2852	Ccjoli32.exe
2568	Djdgic32.exe
2568	Djdgic32.exe
2076	WerFault.exe
2076	WerFault.exe
2076	WerFault.exe

Drops file in System32 directory 9 IoCs

Processes:

b32883de9563d0e41569f9f175fcf18ed77d3be071b5d628088bec89eacccd7b.exeCcjoli32.exeDjdgic32.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\Ccjoli32.exe	b32883de9563d0e41569f9f175fcf18ed77d3be071b5d628088bec89eacccd7b.exe
File created	C:\Windows\SysWOW64\Ciohdhad.dll	b32883de9563d0e41569f9f175fcf18ed77d3be071b5d628088bec89eacccd7b.exe
File created	C:\Windows\SysWOW64\Djdgic32.exe	Ccjoli32.exe
File opened for modification	C:\Windows\SysWOW64\Dpapaj32.exe	Djdgic32.exe
File created	C:\Windows\SysWOW64\Pdkefp32.dll	Djdgic32.exe
File created	C:\Windows\SysWOW64\Ccjoli32.exe	b32883de9563d0e41569f9f175fcf18ed77d3be071b5d628088bec89eacccd7b.exe
File opened for modification	C:\Windows\SysWOW64\Djdgic32.exe	Ccjoli32.exe
File created	C:\Windows\SysWOW64\Ccofjipn.dll	Ccjoli32.exe
File created	C:\Windows\SysWOW64\Dpapaj32.exe	Djdgic32.exe

Drops file in Windows directory 2 IoCs

Processes:

Dpapaj32.exe

description	ioc	process
File created	C:\Windows\system32†Dhhhbg32.¿xe	Dpapaj32.exe
File opened for modification	C:\Windows\system32†Dhhhbg32.¿xe	Dpapaj32.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process

2076 2912 WerFault.exe

pid	pid_target	process
2076	2912	WerFault.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

b32883de9563d0e41569f9f175fcf18ed77d3be071b5d628088bec89eacccd7b.exeCcjoli32.exeDjdgic32.exeDpapaj32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b32883de9563d0e41569f9f175fcf18ed77d3be071b5d628088bec89eacccd7b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccjoli32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdgic32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpapaj32.exe

Modifies registry class 12 IoCs

Processes:

b32883de9563d0e41569f9f175fcf18ed77d3be071b5d628088bec89eacccd7b.exeCcjoli32.exeDjdgic32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	b32883de9563d0e41569f9f175fcf18ed77d3be071b5d628088bec89eacccd7b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	b32883de9563d0e41569f9f175fcf18ed77d3be071b5d628088bec89eacccd7b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccofjipn.dll"	Ccjoli32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djdgic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdkefp32.dll"	Djdgic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djdgic32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	b32883de9563d0e41569f9f175fcf18ed77d3be071b5d628088bec89eacccd7b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciohdhad.dll"	b32883de9563d0e41569f9f175fcf18ed77d3be071b5d628088bec89eacccd7b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	b32883de9563d0e41569f9f175fcf18ed77d3be071b5d628088bec89eacccd7b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ccjoli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ccjoli32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	b32883de9563d0e41569f9f175fcf18ed77d3be071b5d628088bec89eacccd7b.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

b32883de9563d0e41569f9f175fcf18ed77d3be071b5d628088bec89eacccd7b.exeCcjoli32.exeDjdgic32.exeDpapaj32.exe

description	pid	process	target process
PID 2708 wrote to memory of 2852	2708	b32883de9563d0e41569f9f175fcf18ed77d3be071b5d628088bec89eacccd7b.exe	Ccjoli32.exe
PID 2708 wrote to memory of 2852	2708	b32883de9563d0e41569f9f175fcf18ed77d3be071b5d628088bec89eacccd7b.exe	Ccjoli32.exe
PID 2708 wrote to memory of 2852	2708	b32883de9563d0e41569f9f175fcf18ed77d3be071b5d628088bec89eacccd7b.exe	Ccjoli32.exe
PID 2708 wrote to memory of 2852	2708	b32883de9563d0e41569f9f175fcf18ed77d3be071b5d628088bec89eacccd7b.exe	Ccjoli32.exe
PID 2852 wrote to memory of 2568	2852	Ccjoli32.exe	Djdgic32.exe
PID 2852 wrote to memory of 2568	2852	Ccjoli32.exe	Djdgic32.exe
PID 2852 wrote to memory of 2568	2852	Ccjoli32.exe	Djdgic32.exe
PID 2852 wrote to memory of 2568	2852	Ccjoli32.exe	Djdgic32.exe
PID 2568 wrote to memory of 2912	2568	Djdgic32.exe	Dpapaj32.exe
PID 2568 wrote to memory of 2912	2568	Djdgic32.exe	Dpapaj32.exe
PID 2568 wrote to memory of 2912	2568	Djdgic32.exe	Dpapaj32.exe
PID 2568 wrote to memory of 2912	2568	Djdgic32.exe	Dpapaj32.exe
PID 2912 wrote to memory of 2076	2912	Dpapaj32.exe	WerFault.exe
PID 2912 wrote to memory of 2076	2912	Dpapaj32.exe	WerFault.exe
PID 2912 wrote to memory of 2076	2912	Dpapaj32.exe	WerFault.exe
PID 2912 wrote to memory of 2076	2912	Dpapaj32.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\b32883de9563d0e41569f9f175fcf18ed77d3be071b5d628088bec89eacccd7b.exe
"C:\Users\Admin\AppData\Local\Temp\b32883de9563d0e41569f9f175fcf18ed77d3be071b5d628088bec89eacccd7b.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2708
- C:\Windows\SysWOW64\Ccjoli32.exe
  C:\Windows\system32\Ccjoli32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2852
- - C:\Windows\SysWOW64\Djdgic32.exe
    C:\Windows\system32\Djdgic32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2568
  - - C:\Windows\SysWOW64\Dpapaj32.exe
      C:\Windows\system32\Dpapaj32.exe
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2912
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2912 -s 144
        5⤵
        Loads dropped DLL
        Program crash
        
        PID:2076

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ccjoli32.exe

Filesize
192KB

MD5
4495f9ea4b2622dffc1d2982637f434a

SHA1
8d835d02244fc89b0daa149ee1ca4a260f07832f

SHA256
048e2ba1fec6b2acde617610d011cffb344b83f9b86e3453fb078f2479f3dd5a

SHA512
e5766c74d0e2575862bb2ff8de3c4930ba8798f82319b05d6df15b50750e268771292903068b6f50b5ca8284b136b64220075470e726f75b0ab2c41b0f4537f5

Download Submit
C:\Windows\SysWOW64\Dpapaj32.exe

Filesize
192KB

MD5
d4c7dcf0bb69143d7d6e38958db95197

SHA1
1bbc11c48e8d04ffd2ea96cc0a4a8c8b55ad0dc9

SHA256
9117e2683ae09b77604eab59ecf6436bab5e64cfe1a7567de7eb9fcfc1c45d70

SHA512
094ae75f9402636c08cbe42417d4d4b567f2469c45841f6ff06c8720c2e610f3d3e34924219ba553efb5deca5d5871550a8bf9571b38579a9ebd35364544423e

Download Submit
\Windows\SysWOW64\Djdgic32.exe

Filesize
192KB

MD5
97ace74562215a705f4ca302d4772c38

SHA1
25ae91971c94a90313c11bbedd34560d8894f72a

SHA256
a06e0ec20e44015999f205b54ee61fedbe90bc9e8a3b35a08c518b663d2613d7

SHA512
8c8972d6e49a1ebc19073aaa094cfa2607fdd85862fb1e45dbb4fe618bef8dd98644c779fdd085e958d1e71e83eba77854f96398bca37f541beb3ca36a469903

Download Submit
memory/2568-40-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2568-54-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2708-17-0x00000000002D0000-0x00000000002FF000-memory.dmp

Filesize
188KB

Download
memory/2708-18-0x00000000002D0000-0x00000000002FF000-memory.dmp

Filesize
188KB

Download
memory/2708-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2708-51-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2852-20-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2852-22-0x0000000000260000-0x000000000028F000-memory.dmp

Filesize
188KB

Download
memory/2912-41-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2912-52-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads