Analysis

  • max time kernel
    93s
  • max time network
    94s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
  • submitted
    02-12-2024 15:24

General

  • Target

    ab4d6ea1ace326ce9e7792a30b0541d90b10709261a0d74841d6810dfd8acb81N.exe

  • Size

    163KB

  • MD5

    f2deb3cb47fef2674b9ef84a9efd07b0

  • SHA1

    ad36364fff6133fdf0f7501e876497ec08e455e7

  • SHA256

    ab4d6ea1ace326ce9e7792a30b0541d90b10709261a0d74841d6810dfd8acb81

  • SHA512

    cc0790bac530c5f00ba49344161f98efcd8b91a846c76d4f1a199db2adc6d28d075fa2826d9897cf0da2e2d187ab7b8714766c9488287091724a2d4c85e4156f

  • SSDEEP

    1536:PdOcprYXI0ET1xkcFLmWU4ZtyEslProNVU4qNVUrk/9QbfBr+7GwKrPAsqNVU:rpyI0cXfLmWHCEsltOrWKDBr+yJb

Malware Config

Extracted

Family

berbew

C2

http://crutop.nu/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://master-x.com/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://crutop.ru/index.php

http://kaspersky.ru/index.php

http://color-bank.ru/index.php

http://adult-empire.com/index.php

http://virus-list.com/index.php

http://trojan.ru/index.php

http://xware.cjb.net/index.htm

http://konfiskat.org/index.htm

http://parex-bank.ru/index.htm

http://fethard.biz/index.htm

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

Signatures

  • Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 16 IoCs
  • Berbew

    Berbew is a backdoor written in C++.

  • Berbew family
  • Executes dropped EXE 8 IoCs
  • Drops file in System32 directory 24 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 27 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ab4d6ea1ace326ce9e7792a30b0541d90b10709261a0d74841d6810dfd8acb81N.exe
    "C:\Users\Admin\AppData\Local\Temp\ab4d6ea1ace326ce9e7792a30b0541d90b10709261a0d74841d6810dfd8acb81N.exe"
    1⤵
    • Adds autorun key to be loaded by Explorer.exe on startup
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1928
    • C:\Windows\SysWOW64\Dmefhako.exe
      C:\Windows\system32\Dmefhako.exe
      2⤵
      • Adds autorun key to be loaded by Explorer.exe on startup
      • Executes dropped EXE
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:4324
      • C:\Windows\SysWOW64\Delnin32.exe
        C:\Windows\system32\Delnin32.exe
        3⤵
        • Adds autorun key to be loaded by Explorer.exe on startup
        • Executes dropped EXE
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:3752
        • C:\Windows\SysWOW64\Dkifae32.exe
          C:\Windows\system32\Dkifae32.exe
          4⤵
          • Adds autorun key to be loaded by Explorer.exe on startup
          • Executes dropped EXE
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          • Suspicious use of WriteProcessMemory
          PID:3696
          • C:\Windows\SysWOW64\Dmgbnq32.exe
            C:\Windows\system32\Dmgbnq32.exe
            5⤵
            • Adds autorun key to be loaded by Explorer.exe on startup
            • Executes dropped EXE
            • Drops file in System32 directory
            • System Location Discovery: System Language Discovery
            • Modifies registry class
            • Suspicious use of WriteProcessMemory
            PID:3012
            • C:\Windows\SysWOW64\Dogogcpo.exe
              C:\Windows\system32\Dogogcpo.exe
              6⤵
              • Adds autorun key to be loaded by Explorer.exe on startup
              • Executes dropped EXE
              • Drops file in System32 directory
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              • Suspicious use of WriteProcessMemory
              PID:4012
              • C:\Windows\SysWOW64\Daekdooc.exe
                C:\Windows\system32\Daekdooc.exe
                7⤵
                • Adds autorun key to be loaded by Explorer.exe on startup
                • Executes dropped EXE
                • Drops file in System32 directory
                • System Location Discovery: System Language Discovery
                • Modifies registry class
                • Suspicious use of WriteProcessMemory
                PID:3584
                • C:\Windows\SysWOW64\Dgbdlf32.exe
                  C:\Windows\system32\Dgbdlf32.exe
                  8⤵
                  • Adds autorun key to be loaded by Explorer.exe on startup
                  • Executes dropped EXE
                  • Drops file in System32 directory
                  • System Location Discovery: System Language Discovery
                  • Modifies registry class
                  • Suspicious use of WriteProcessMemory
                  PID:1044
                  • C:\Windows\SysWOW64\Dmllipeg.exe
                    C:\Windows\system32\Dmllipeg.exe
                    9⤵
                    • Executes dropped EXE
                    • System Location Discovery: System Language Discovery
                    PID:792
                    • C:\Windows\SysWOW64\WerFault.exe
                      C:\Windows\SysWOW64\WerFault.exe -u -p 792 -s 396
                      10⤵
                      • Program crash
                      PID:964
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 792 -ip 792
    1⤵
      PID:2408

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Windows\SysWOW64\Daekdooc.exe

      Filesize

      163KB

      MD5

      f24fc6b2ef6fad6b052a4d64e1ace8b0

      SHA1

      62d80da21174abca1815f52e33e12b0bfe47dd2b

      SHA256

      d40d92230045bf86d1714c7eb2767d437d7be4fb524314875854355f1a4d9ad9

      SHA512

      984fe415992d262758e8fac213271138737863a3701f1702ddc41329702a226ebd8dd775a8f30c8e44663ebd3c4e8ef0a6755af84a55eb9afddff9c39995bdb0

    • C:\Windows\SysWOW64\Delnin32.exe

      Filesize

      163KB

      MD5

      3eaa6394381a27091f7796cc0f96dbb9

      SHA1

      64e267ad10139c71a7c727be53c46fea107aa1b8

      SHA256

      904dc5c1ad6319ab49a7b7d56c476383cd923a372e2935f67169ab021fe8f0cf

      SHA512

      165126bf7c58f77fb97e9b7c5d3bd9b1c0cd2533d31c8043d448e64c0bbb158b380e9f6351bd7c6ea5943d5cc63e0f190948e1277cf97b61557907cd927099ff

    • C:\Windows\SysWOW64\Dgbdlf32.exe

      Filesize

      163KB

      MD5

      8ca1426310256015b05967e81f0a3135

      SHA1

      28f8903ea138edee70f637033aef731d74145ed1

      SHA256

      bd289e29411b31e466ad11841efe552c5b4e154e2136f1c2458c9d626caf1927

      SHA512

      6d9b6b574be949adc29b4e30706524181fc92d798f14b317ac6f3df20fb57e7a4476caf814f5f87b6793aa54d3e6d208f6b9886ca3e136619daf81f72a9c29a5

    • C:\Windows\SysWOW64\Dkifae32.exe

      Filesize

      163KB

      MD5

      4520fd4cc0cb8d383baafa1436c82e1e

      SHA1

      d973f3c4331e03ad4b430813e7dc442a74b3b4a0

      SHA256

      d031b5a1be60d6469c7c04378ef5eecf801a9896df885b4c0b77b51d1e3bcc3e

      SHA512

      ebd987144cd8afd4086664da7e2121031264248d5dfb2b501083eec2e45fd88f0533ce9840a5ff60a7f2f44b92bd06e94fc8701d5542beebc7329e84019ff93c

    • C:\Windows\SysWOW64\Dmefhako.exe

      Filesize

      163KB

      MD5

      b52fc6f938f7bd59853f96f2dd95435e

      SHA1

      5736fef90f832443c36eabc57aac635f6ef0ceae

      SHA256

      349d9a2fb01ac7956fd39dd8d984239cda40cf7803b44b9adea4862d0c604ef7

      SHA512

      014bdc5f83cbd1255c725b979722e2b416b308fb3144140150adffd8a3a14bbf1074eb35398f4689503a3d4aa457c3de7a6890bcb39d94e40ae55b6b3b67ed3e

    • C:\Windows\SysWOW64\Dmgbnq32.exe

      Filesize

      163KB

      MD5

      1bee5ec1fd1bd6f8406b838d8c10fb55

      SHA1

      bacd79574664a76c611ad896f1623fe7a28a2eec

      SHA256

      074726d66cb86d325f282d9f8c759ad5ee95058c306d9d17da5301a5304aec3c

      SHA512

      0de34aaebb28b58ba55f7669ae723d85ed98c534cb78b2dbb1b97575b88779df825e0f75766915bbff3beb888f938fa045ff27f2d192387844d4ff9814792e13

    • C:\Windows\SysWOW64\Dmllipeg.exe

      Filesize

      128KB

      MD5

      96e71f19894fde9c33edfe7dce47120b

      SHA1

      4b7a0d79b86351a39595bcfdeb3f5408467b6556

      SHA256

      c6416483bd544b2f41492db5bad2ccd50a1abca6c11b0f7eff0aeee6afe8595f

      SHA512

      e1a2a981983f87751a4faf07b33dda9cf362877682ba7c8183536c57b4d47224e4963f2916434c3381ed02aa511f80c06b7f6e9cf2eec34536c416d0902df888

    • C:\Windows\SysWOW64\Dmllipeg.exe

      Filesize

      163KB

      MD5

      dd1c96d052f1d112da5a5ee25bad3551

      SHA1

      46238ba21ff73a5c0190f1292d2b6af81ca7573f

      SHA256

      a5a772f541633fcfe0f5fd8dd11859565d64534b1fb72c367503b84e0e0ceedb

      SHA512

      6424fc95cff37a88737bf20c13f19272fa96d1ab798b15ea648951a5787e0a5a0d321e7cb01fa9ea7ceeac7d2f06e409ac76bd975dbb418d1577061b2daed291

    • C:\Windows\SysWOW64\Dogogcpo.exe

      Filesize

      163KB

      MD5

      f4420d4fcf1410b55e558e47efcfd3a9

      SHA1

      d11809c13d2d0db346ba5da87a1b2bd7039d6995

      SHA256

      92182ccba19078c9f94d09ff49c650446e0cb02ca3c56f8861345537a5c43e00

      SHA512

      411e106a94ee74a089ec29ad01b6dfe25c16c196af6ca6c969fba8e4fd1ab38352b71ee674fba6a753ac39126d3195a4938022468de934962806a7294ac84dbd

    • memory/792-64-0x0000000000400000-0x0000000000453000-memory.dmp

      Filesize

      332KB

    • memory/792-67-0x0000000000400000-0x0000000000453000-memory.dmp

      Filesize

      332KB

    • memory/1044-69-0x0000000000400000-0x0000000000453000-memory.dmp

      Filesize

      332KB

    • memory/1044-57-0x0000000000400000-0x0000000000453000-memory.dmp

      Filesize

      332KB

    • memory/1928-0-0x0000000000400000-0x0000000000453000-memory.dmp

      Filesize

      332KB

    • memory/1928-83-0x0000000000400000-0x0000000000453000-memory.dmp

      Filesize

      332KB

    • memory/1928-1-0x0000000000432000-0x0000000000433000-memory.dmp

      Filesize

      4KB

    • memory/3012-32-0x0000000000400000-0x0000000000453000-memory.dmp

      Filesize

      332KB

    • memory/3012-75-0x0000000000400000-0x0000000000453000-memory.dmp

      Filesize

      332KB

    • memory/3584-71-0x0000000000400000-0x0000000000453000-memory.dmp

      Filesize

      332KB

    • memory/3584-48-0x0000000000400000-0x0000000000453000-memory.dmp

      Filesize

      332KB

    • memory/3696-30-0x0000000000400000-0x0000000000453000-memory.dmp

      Filesize

      332KB

    • memory/3696-79-0x0000000000400000-0x0000000000453000-memory.dmp

      Filesize

      332KB

    • memory/3752-78-0x0000000000400000-0x0000000000453000-memory.dmp

      Filesize

      332KB

    • memory/3752-16-0x0000000000400000-0x0000000000453000-memory.dmp

      Filesize

      332KB

    • memory/4012-73-0x0000000000400000-0x0000000000453000-memory.dmp

      Filesize

      332KB

    • memory/4012-41-0x0000000000400000-0x0000000000453000-memory.dmp

      Filesize

      332KB

    • memory/4324-81-0x0000000000400000-0x0000000000453000-memory.dmp

      Filesize

      332KB

    • memory/4324-80-0x0000000000400000-0x0000000000453000-memory.dmp

      Filesize

      332KB

    • memory/4324-8-0x0000000000400000-0x0000000000453000-memory.dmp

      Filesize

      332KB