berbew | a78cf150ee52e9182ce6d868293e6141ac9ebb2cfa22ace7e95a396a87dac246

General

Target

a78cf150ee52e9182ce6d868293e6141ac9ebb2cfa22ace7e95a396a87dac246N.exe
Size

419KB
MD5

cf57b5833a71c2b60439fe35ff7b9990
SHA1

1098da3fcf80ac515052d43c0e16e06fe3bbfc1f
SHA256

a78cf150ee52e9182ce6d868293e6141ac9ebb2cfa22ace7e95a396a87dac246
SHA512

9fc68544e263ebe259ca5f3d2fb874ecf85ee7a4e42743d4afa574e3bbc0289662c0448a928c62ed55958501eb146b60cad59c323a7e38a2a925d18700c8e16a
SSDEEP

6144:4rml2NByvZ6Mxv5Rar3O6B9fZSLhZmzbByvZ6Mxv5R1L/gBSfGmtE1se:4rm6ByvNv54B9f01ZmHByvNv5fJPGs

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

C2

http://viruslist.com/wcmd.txt

http://viruslist.com/ppslog.php

http://viruslist.com/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cbdiia32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbffoabe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cbffoabe.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegoqlof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cegoqlof.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	a78cf150ee52e9182ce6d868293e6141ac9ebb2cfa22ace7e95a396a87dac246N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	a78cf150ee52e9182ce6d868293e6141ac9ebb2cfa22ace7e95a396a87dac246N.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbdiia32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 4 IoCs

pid	Process
1992	Cbdiia32.exe
2136	Cbffoabe.exe
2684	Cegoqlof.exe
2668	Dpapaj32.exe

Loads dropped DLL 8 IoCs

pid	Process
1868	a78cf150ee52e9182ce6d868293e6141ac9ebb2cfa22ace7e95a396a87dac246N.exe
1868	a78cf150ee52e9182ce6d868293e6141ac9ebb2cfa22ace7e95a396a87dac246N.exe
1992	Cbdiia32.exe
1992	Cbdiia32.exe
2136	Cbffoabe.exe
2136	Cbffoabe.exe
2684	Cegoqlof.exe
2684	Cegoqlof.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Cbdiia32.exe	a78cf150ee52e9182ce6d868293e6141ac9ebb2cfa22ace7e95a396a87dac246N.exe
File created	C:\Windows\SysWOW64\Fhgpia32.dll	a78cf150ee52e9182ce6d868293e6141ac9ebb2cfa22ace7e95a396a87dac246N.exe
File created	C:\Windows\SysWOW64\Cbffoabe.exe	Cbdiia32.exe
File created	C:\Windows\SysWOW64\Hbocphim.dll	Cbdiia32.exe
File opened for modification	C:\Windows\SysWOW64\Cegoqlof.exe	Cbffoabe.exe
File opened for modification	C:\Windows\SysWOW64\Dpapaj32.exe	Cegoqlof.exe
File created	C:\Windows\SysWOW64\Pdkefp32.dll	Cegoqlof.exe
File opened for modification	C:\Windows\SysWOW64\Cbdiia32.exe	a78cf150ee52e9182ce6d868293e6141ac9ebb2cfa22ace7e95a396a87dac246N.exe
File opened for modification	C:\Windows\SysWOW64\Cbffoabe.exe	Cbdiia32.exe
File created	C:\Windows\SysWOW64\Cegoqlof.exe	Cbffoabe.exe
File created	C:\Windows\SysWOW64\Nloone32.dll	Cbffoabe.exe
File created	C:\Windows\SysWOW64\Dpapaj32.exe	Cegoqlof.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32†Gngdgj32.¾ll	Dpapaj32.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbdiia32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbffoabe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegoqlof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpapaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a78cf150ee52e9182ce6d868293e6141ac9ebb2cfa22ace7e95a396a87dac246N.exe

Modifies registry class 20 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	a78cf150ee52e9182ce6d868293e6141ac9ebb2cfa22ace7e95a396a87dac246N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cbdiia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdkefp32.dll"	Cegoqlof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CL‰ID	Dpapaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhgpia32.dll"	a78cf150ee52e9182ce6d868293e6141ac9ebb2cfa22ace7e95a396a87dac246N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cbffoabe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cegoqlof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CL‰ID\ÿs\I´Pro¹Ser¬er3è\ = "C:\\Windows\\system32†Gngdgj32.¾ll"	Dpapaj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cegoqlof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CL‰ID\ÿs\I´Pro¹Ser¬er3è\Th¨ead³ngMµdelÚ = "›par®men®"	Dpapaj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	a78cf150ee52e9182ce6d868293e6141ac9ebb2cfa22ace7e95a396a87dac246N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	a78cf150ee52e9182ce6d868293e6141ac9ebb2cfa22ace7e95a396a87dac246N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbocphim.dll"	Cbdiia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cbdiia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nloone32.dll"	Cbffoabe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	a78cf150ee52e9182ce6d868293e6141ac9ebb2cfa22ace7e95a396a87dac246N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	a78cf150ee52e9182ce6d868293e6141ac9ebb2cfa22ace7e95a396a87dac246N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cbffoabe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CL‰ID\ÿs\I´Pro¹Ser¬er3è	Dpapaj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CL‰ID\ÿs	Dpapaj32.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1868 wrote to memory of 1992	1868	a78cf150ee52e9182ce6d868293e6141ac9ebb2cfa22ace7e95a396a87dac246N.exe	31
PID 1868 wrote to memory of 1992	1868	a78cf150ee52e9182ce6d868293e6141ac9ebb2cfa22ace7e95a396a87dac246N.exe	31
PID 1868 wrote to memory of 1992	1868	a78cf150ee52e9182ce6d868293e6141ac9ebb2cfa22ace7e95a396a87dac246N.exe	31
PID 1868 wrote to memory of 1992	1868	a78cf150ee52e9182ce6d868293e6141ac9ebb2cfa22ace7e95a396a87dac246N.exe	31
PID 1992 wrote to memory of 2136	1992	Cbdiia32.exe	32
PID 1992 wrote to memory of 2136	1992	Cbdiia32.exe	32
PID 1992 wrote to memory of 2136	1992	Cbdiia32.exe	32
PID 1992 wrote to memory of 2136	1992	Cbdiia32.exe	32
PID 2136 wrote to memory of 2684	2136	Cbffoabe.exe	33
PID 2136 wrote to memory of 2684	2136	Cbffoabe.exe	33
PID 2136 wrote to memory of 2684	2136	Cbffoabe.exe	33
PID 2136 wrote to memory of 2684	2136	Cbffoabe.exe	33
PID 2684 wrote to memory of 2668	2684	Cegoqlof.exe	34
PID 2684 wrote to memory of 2668	2684	Cegoqlof.exe	34
PID 2684 wrote to memory of 2668	2684	Cegoqlof.exe	34
PID 2684 wrote to memory of 2668	2684	Cegoqlof.exe	34

C:\Users\Admin\AppData\Local\Temp\a78cf150ee52e9182ce6d868293e6141ac9ebb2cfa22ace7e95a396a87dac246N.exe
"C:\Users\Admin\AppData\Local\Temp\a78cf150ee52e9182ce6d868293e6141ac9ebb2cfa22ace7e95a396a87dac246N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1868
- C:\Windows\SysWOW64\Cbdiia32.exe
  C:\Windows\system32\Cbdiia32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1992
- - C:\Windows\SysWOW64\Cbffoabe.exe
    C:\Windows\system32\Cbffoabe.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2136
  - - C:\Windows\SysWOW64\Cegoqlof.exe
      C:\Windows\system32\Cegoqlof.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2684
    - - C:\Windows\SysWOW64\Dpapaj32.exe
        
        C:\Windows\system32\Dpapaj32.exe
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\Cbdiia32.exe

Filesize
419KB

MD5
b8990df8e9c03191fd30230741022813

SHA1
c039bd49bb8be11062fffa0b180c66166bd9c968

SHA256
cab19332daef078600ec60f7a10ea4bd6fd20dbcd4b3764a73b9ddee11f828ea

SHA512
c1bdeed2801c3df1130822999faa2b2a51707739dbac313db497c54cb634d06458f4b390ad09f79fe4b2722a99a6c8b13421062a953cea9f51e3d7be3c909876

Download Submit
\Windows\SysWOW64\Cbffoabe.exe

Filesize
419KB

MD5
62d23f5c1c25f83796e5e9c04fb6322c

SHA1
901fbef8d98dff179b3cd0607b1f80f8e063336c

SHA256
56fcfe0b3a6be472c3ec58976d06146e6aabe0998f99f4964518f4d86bc31dee

SHA512
5fe284a5d304a8769e448839d8fa58a5200d20de139dd9a4354cc58b8613db0463dbcb6ecb33757a5bc502306e59a7e737ff2d0748cb66eabba66e74dbb91cb5

Download Submit
\Windows\SysWOW64\Cegoqlof.exe

Filesize
419KB

MD5
3f34aba39611cc766e558d12e857b92d

SHA1
abd60f4101059049add21bbf787fbe92b721f3dc

SHA256
92243bbfadf080f55321f63a31f7b487f5bcc7fc28f734a2b663a53a2984f434

SHA512
77f42d45e15bcdbacdabbe0f8f996da1c56428977c8d2fa0d37cc18089097dd98b5eb6c16af77dfc327f3a2734a2d9925934d0667b88917c2ae3cb2d5db52867

Download Submit
\Windows\SysWOW64\Dpapaj32.exe

Filesize
419KB

MD5
d2c690ce66163a9e62f889d1444f9b43

SHA1
663b4f9d17a46e4051aa18c6a4624cf2e61433d1

SHA256
d66b3ccc14fbc9a2bb94ee0c95de23844b59cdd28d0396677894d514f182f107

SHA512
b28712669df5474e09f661f082b2bf84fb60c587ecfe77dbe7e9e717b7e78baa40a83dbcb5728ccfcbd574390846e88aad6318a497b36794b99e3eac04b86aeb

Download Submit
memory/1868-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1868-6-0x0000000000270000-0x00000000002A3000-memory.dmp

Filesize
204KB

Download
memory/1868-68-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1992-20-0x00000000002E0000-0x0000000000313000-memory.dmp

Filesize
204KB

Download
memory/1992-25-0x00000000002E0000-0x0000000000313000-memory.dmp

Filesize
204KB

Download
memory/1992-69-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2136-40-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2136-39-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2136-27-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2136-63-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2668-57-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2668-65-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2684-42-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2684-55-0x0000000000340000-0x0000000000373000-memory.dmp

Filesize
204KB

Download
memory/2684-54-0x0000000000340000-0x0000000000373000-memory.dmp

Filesize
204KB

Download
memory/2684-62-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads