Analysis
-
max time kernel
109s -
max time network
19s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
-
submitted
23-11-2024 18:40
General
-
Target
c6dd389fc6513c83b80976fa6d9b53397874488241965313e7dfc5e5cfbdb06dN.exe
-
Size
72KB
-
MD5
d7bb6ad9585cb6a187ab06b4abb2ac10
-
SHA1
bc5eb096e6d6623b434346a784efa0f897f07f76
-
SHA256
c6dd389fc6513c83b80976fa6d9b53397874488241965313e7dfc5e5cfbdb06d
-
SHA512
bf3cb9621474bb31fee923c46731f312da0742ce0152453eeab6aa070d8db905aa1e264739d476881ce2ae6c840a3200b59f2ae16db937ac56b80e9d4419aed8
-
SSDEEP
1536:AR7cgUrfEOPNJngt6beiwQwLAkj85UYSI9C2lzwmmyFZXxxNbJ:A+VrjjngUbHw7mmy9xlJ
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
-
Berbew
Berbew is a backdoor written in C++.
-
Berbew family
-
Executes dropped EXE 64 IoCs
-
Loads dropped DLL 64 IoCs
-
Drops file in System32 directory 64 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies registry class 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\c6dd389fc6513c83b80976fa6d9b53397874488241965313e7dfc5e5cfbdb06dN.exe"C:\Users\Admin\AppData\Local\Temp\c6dd389fc6513c83b80976fa6d9b53397874488241965313e7dfc5e5cfbdb06dN.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Efolib32.exeC:\Windows\system32\Efolib32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Elnagijk.exeC:\Windows\system32\Elnagijk.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Eamgeo32.exeC:\Windows\system32\Eamgeo32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Eapcjo32.exeC:\Windows\system32\Eapcjo32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Fpdqlkhe.exeC:\Windows\system32\Fpdqlkhe.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Fdbibjok.exeC:\Windows\system32\Fdbibjok.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Fefboabg.exeC:\Windows\system32\Fefboabg.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Fbjchfaq.exeC:\Windows\system32\Fbjchfaq.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Foacmg32.exeC:\Windows\system32\Foacmg32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Gbolce32.exeC:\Windows\system32\Gbolce32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Gmhmdc32.exeC:\Windows\system32\Gmhmdc32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Gmkjjbhg.exeC:\Windows\system32\Gmkjjbhg.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Giakoc32.exeC:\Windows\system32\Giakoc32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Gcjogidl.exeC:\Windows\system32\Gcjogidl.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Hnapja32.exeC:\Windows\system32\Hnapja32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Heoadcmh.exeC:\Windows\system32\Heoadcmh.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\Hddoep32.exeC:\Windows\system32\Hddoep32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\Hojbbiae.exeC:\Windows\system32\Hojbbiae.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\Ikqcgj32.exeC:\Windows\system32\Ikqcgj32.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\Ikcpmieg.exeC:\Windows\system32\Ikcpmieg.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\Iqbekpal.exeC:\Windows\system32\Iqbekpal.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
-
C:\Windows\SysWOW64\Imifpagp.exeC:\Windows\system32\Imifpagp.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\Iccnmk32.exeC:\Windows\system32\Iccnmk32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\Imkbeqem.exeC:\Windows\system32\Imkbeqem.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\Jbhkngcd.exeC:\Windows\system32\Jbhkngcd.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\Jbmdig32.exeC:\Windows\system32\Jbmdig32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\Jboanfmm.exeC:\Windows\system32\Jboanfmm.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\Jkgfgl32.exeC:\Windows\system32\Jkgfgl32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\Jkjbml32.exeC:\Windows\system32\Jkjbml32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\Kagkebpb.exeC:\Windows\system32\Kagkebpb.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\Kjopnh32.exeC:\Windows\system32\Kjopnh32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\Kffpcilf.exeC:\Windows\system32\Kffpcilf.exe33⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Kmdbkbpn.exeC:\Windows\system32\Kmdbkbpn.exe34⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Lepfoe32.exeC:\Windows\system32\Lepfoe32.exe35⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Linoeccp.exeC:\Windows\system32\Linoeccp.exe36⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\Ledpjdid.exeC:\Windows\system32\Ledpjdid.exe37⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Lgjfmlkm.exeC:\Windows\system32\Lgjfmlkm.exe38⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Mpcjfa32.exeC:\Windows\system32\Mpcjfa32.exe39⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Mkhocj32.exeC:\Windows\system32\Mkhocj32.exe40⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Mgoohk32.exeC:\Windows\system32\Mgoohk32.exe41⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Medligko.exeC:\Windows\system32\Medligko.exe42⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Mefiog32.exeC:\Windows\system32\Mefiog32.exe43⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Mdlfpcnd.exeC:\Windows\system32\Mdlfpcnd.exe44⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Napfihmn.exeC:\Windows\system32\Napfihmn.exe45⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Nkhkbmco.exeC:\Windows\system32\Nkhkbmco.exe46⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Nhlkkabh.exeC:\Windows\system32\Nhlkkabh.exe47⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Njmhcj32.exeC:\Windows\system32\Njmhcj32.exe48⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Ncellpog.exeC:\Windows\system32\Ncellpog.exe49⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Nffenj32.exeC:\Windows\system32\Nffenj32.exe50⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Nqlikc32.exeC:\Windows\system32\Nqlikc32.exe51⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\Ocjfgo32.exeC:\Windows\system32\Ocjfgo32.exe52⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Ojdndi32.exeC:\Windows\system32\Ojdndi32.exe53⤵
-
C:\Windows\SysWOW64\Oqnfqcjk.exeC:\Windows\system32\Oqnfqcjk.exe54⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Obpbhk32.exeC:\Windows\system32\Obpbhk32.exe55⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Omeged32.exeC:\Windows\system32\Omeged32.exe56⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Ofmknifp.exeC:\Windows\system32\Ofmknifp.exe57⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Okjdfq32.exeC:\Windows\system32\Okjdfq32.exe58⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Oindpd32.exeC:\Windows\system32\Oindpd32.exe59⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Okmqlp32.exeC:\Windows\system32\Okmqlp32.exe60⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Oqiidg32.exeC:\Windows\system32\Oqiidg32.exe61⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Pbienj32.exeC:\Windows\system32\Pbienj32.exe62⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Pnpfckmc.exeC:\Windows\system32\Pnpfckmc.exe63⤵
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Pclolakk.exeC:\Windows\system32\Pclolakk.exe64⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Paqoef32.exeC:\Windows\system32\Paqoef32.exe65⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Pfmgmm32.exeC:\Windows\system32\Pfmgmm32.exe66⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\Ppelfbol.exeC:\Windows\system32\Ppelfbol.exe67⤵
-
C:\Windows\SysWOW64\Pjkpckob.exeC:\Windows\system32\Pjkpckob.exe68⤵
-
C:\Windows\SysWOW64\Qeeadi32.exeC:\Windows\system32\Qeeadi32.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
-
C:\Windows\SysWOW64\Qpjeaa32.exeC:\Windows\system32\Qpjeaa32.exe70⤵
-
C:\Windows\SysWOW64\Qegnii32.exeC:\Windows\system32\Qegnii32.exe71⤵
-
C:\Windows\SysWOW64\Qpmbgaid.exeC:\Windows\system32\Qpmbgaid.exe72⤵
-
C:\Windows\SysWOW64\Ahhgkdfo.exeC:\Windows\system32\Ahhgkdfo.exe73⤵
-
C:\Windows\SysWOW64\Aapkdi32.exeC:\Windows\system32\Aapkdi32.exe74⤵
-
C:\Windows\SysWOW64\Ajipmocp.exeC:\Windows\system32\Ajipmocp.exe75⤵
-
C:\Windows\SysWOW64\Aabhiikm.exeC:\Windows\system32\Aabhiikm.exe76⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\Ajkmbo32.exeC:\Windows\system32\Ajkmbo32.exe77⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\Amiioj32.exeC:\Windows\system32\Amiioj32.exe78⤵
-
C:\Windows\SysWOW64\Ahomlb32.exeC:\Windows\system32\Ahomlb32.exe79⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Aagadh32.exeC:\Windows\system32\Aagadh32.exe80⤵
-
C:\Windows\SysWOW64\Afdjmo32.exeC:\Windows\system32\Afdjmo32.exe81⤵
-
C:\Windows\SysWOW64\Bmnbjill.exeC:\Windows\system32\Bmnbjill.exe82⤵
-
C:\Windows\SysWOW64\Bffgbo32.exeC:\Windows\system32\Bffgbo32.exe83⤵
-
C:\Windows\SysWOW64\Bbmggp32.exeC:\Windows\system32\Bbmggp32.exe84⤵
- Modifies registry class
-
C:\Windows\SysWOW64\Blelpeoa.exeC:\Windows\system32\Blelpeoa.exe85⤵
-
C:\Windows\SysWOW64\Benpik32.exeC:\Windows\system32\Benpik32.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
-
C:\Windows\SysWOW64\Bofebqlb.exeC:\Windows\system32\Bofebqlb.exe87⤵
-
C:\Windows\SysWOW64\Bepmokco.exeC:\Windows\system32\Bepmokco.exe88⤵
-
C:\Windows\SysWOW64\Bnkbcmaj.exeC:\Windows\system32\Bnkbcmaj.exe89⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\Chafpfqp.exeC:\Windows\system32\Chafpfqp.exe90⤵
-
C:\Windows\SysWOW64\Caijik32.exeC:\Windows\system32\Caijik32.exe91⤵
-
C:\Windows\SysWOW64\Cdhgegfd.exeC:\Windows\system32\Cdhgegfd.exe92⤵
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Cnpknl32.exeC:\Windows\system32\Cnpknl32.exe93⤵
-
C:\Windows\SysWOW64\Cghpgbce.exeC:\Windows\system32\Cghpgbce.exe94⤵
-
C:\Windows\SysWOW64\Cpadpg32.exeC:\Windows\system32\Cpadpg32.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
-
C:\Windows\SysWOW64\Cgklma32.exeC:\Windows\system32\Cgklma32.exe96⤵
-
C:\Windows\SysWOW64\Clheeh32.exeC:\Windows\system32\Clheeh32.exe97⤵
-
C:\Windows\SysWOW64\Cjlenm32.exeC:\Windows\system32\Cjlenm32.exe98⤵
-
C:\Windows\SysWOW64\Dcdjgbed.exeC:\Windows\system32\Dcdjgbed.exe99⤵
-
C:\Windows\SysWOW64\Dfbfcn32.exeC:\Windows\system32\Dfbfcn32.exe100⤵
-
C:\Windows\SysWOW64\Dokjlcjh.exeC:\Windows\system32\Dokjlcjh.exe101⤵
-
C:\Windows\SysWOW64\Ddgcdjip.exeC:\Windows\system32\Ddgcdjip.exe102⤵
-
C:\Windows\SysWOW64\Domgache.exeC:\Windows\system32\Domgache.exe103⤵
-
C:\Windows\SysWOW64\Ddjpjj32.exeC:\Windows\system32\Ddjpjj32.exe104⤵
-
C:\Windows\SysWOW64\Dgkike32.exeC:\Windows\system32\Dgkike32.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\Ecdffe32.exeC:\Windows\system32\Ecdffe32.exe106⤵
-
C:\Windows\SysWOW64\Ecfcle32.exeC:\Windows\system32\Ecfcle32.exe107⤵
-
C:\Windows\SysWOW64\Echpaecj.exeC:\Windows\system32\Echpaecj.exe108⤵
-
C:\Windows\SysWOW64\Ejbhno32.exeC:\Windows\system32\Ejbhno32.exe109⤵
-
C:\Windows\SysWOW64\Emadjj32.exeC:\Windows\system32\Emadjj32.exe110⤵
-
C:\Windows\SysWOW64\Eiheok32.exeC:\Windows\system32\Eiheok32.exe111⤵
-
C:\Windows\SysWOW64\Epamlegl.exeC:\Windows\system32\Epamlegl.exe112⤵
-
C:\Windows\SysWOW64\Fenedlec.exeC:\Windows\system32\Fenedlec.exe113⤵
-
C:\Windows\SysWOW64\Fpdjaeei.exeC:\Windows\system32\Fpdjaeei.exe114⤵
-
C:\Windows\SysWOW64\Flkjffkm.exeC:\Windows\system32\Flkjffkm.exe115⤵
-
C:\Windows\SysWOW64\Flmglfhk.exeC:\Windows\system32\Flmglfhk.exe116⤵
-
C:\Windows\SysWOW64\Fdhlphff.exeC:\Windows\system32\Fdhlphff.exe117⤵
-
C:\Windows\SysWOW64\Fjbdmbmb.exeC:\Windows\system32\Fjbdmbmb.exe118⤵
-
C:\Windows\SysWOW64\Fpoleilj.exeC:\Windows\system32\Fpoleilj.exe119⤵
-
C:\Windows\SysWOW64\Fjdqbbkp.exeC:\Windows\system32\Fjdqbbkp.exe120⤵
-
C:\Windows\SysWOW64\Gaoiol32.exeC:\Windows\system32\Gaoiol32.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-