Analysis

  • max time kernel
    27s
  • max time network
    17s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    07/12/2024, 22:05

General

  • Target

    3556b6fe9b68b32bfb4fd075be993b7d4fb66cf0df0209152a2c7d11ff5285ebN.exe

  • Size

    93KB

  • MD5

    cdc7168a2201327424f804a47d992090

  • SHA1

    af02239c3ff35e7a0de074331af9c86522d3ae76

  • SHA256

    3556b6fe9b68b32bfb4fd075be993b7d4fb66cf0df0209152a2c7d11ff5285eb

  • SHA512

    3219b32be37d632abfc555d277b8bf62ac215065b96e5075e8274a41bf3f24292435728d13bf139dc5114474555fd87151d4d6501e62083b767874d0f70d694e

  • SSDEEP

    1536:jbbrB1juQtPD0ZI4CDXf8qVlO7uXcNvvm5yw/Lb0OUrrQ35wNBUyVVM:jbf7FtQZWDX9O7usluTXp6Uv

Malware Config

Extracted

Family

berbew

C2

http://tat-neftbank.ru/kkq.php

http://tat-neftbank.ru/wcmd.htm

Signatures

  • Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 10 IoCs
  • Berbew

    Berbew is a backdoor written in C++.

  • Berbew family
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 14 IoCs
  • Drops file in System32 directory 15 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 18 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3556b6fe9b68b32bfb4fd075be993b7d4fb66cf0df0209152a2c7d11ff5285ebN.exe
    "C:\Users\Admin\AppData\Local\Temp\3556b6fe9b68b32bfb4fd075be993b7d4fb66cf0df0209152a2c7d11ff5285ebN.exe"
    1⤵
    • Adds autorun key to be loaded by Explorer.exe on startup
    • Loads dropped DLL
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2728
    • C:\Windows\SysWOW64\Nmbknddp.exe
      C:\Windows\system32\Nmbknddp.exe
      2⤵
      • Adds autorun key to be loaded by Explorer.exe on startup
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:2936
      • C:\Windows\SysWOW64\Nodgel32.exe
        C:\Windows\system32\Nodgel32.exe
        3⤵
        • Adds autorun key to be loaded by Explorer.exe on startup
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:2612
        • C:\Windows\SysWOW64\Nenobfak.exe
          C:\Windows\system32\Nenobfak.exe
          4⤵
          • Adds autorun key to be loaded by Explorer.exe on startup
          • Executes dropped EXE
          • Loads dropped DLL
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          • Suspicious use of WriteProcessMemory
          PID:2584
          • C:\Windows\SysWOW64\Niikceid.exe
            C:\Windows\system32\Niikceid.exe
            5⤵
            • Adds autorun key to be loaded by Explorer.exe on startup
            • Executes dropped EXE
            • Loads dropped DLL
            • Drops file in System32 directory
            • System Location Discovery: System Language Discovery
            • Modifies registry class
            • Suspicious use of WriteProcessMemory
            PID:3024
            • C:\Windows\SysWOW64\Nlhgoqhh.exe
              C:\Windows\system32\Nlhgoqhh.exe
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:1152
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 1152 -s 140
                7⤵
                • Loads dropped DLL
                • Program crash
                PID:576

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\SysWOW64\Niikceid.exe

    Filesize

    93KB

    MD5

    a03247bf902bdc451b985fa2291bcf73

    SHA1

    f6fa817255e7bd6a7b5f68905699ee9ba61819d7

    SHA256

    dc798e1a85798b071f4745d716c15515c8d2c9d1445cba057d1f21a43ceddd86

    SHA512

    998b3324b5c42862fd0229f8e500519186183b5d660997456d799fd9639c149a18d2abdf72183b067b571d165366031bc95e292335ecd38f198792ad34fd93b5

  • C:\Windows\SysWOW64\Nlhgoqhh.exe

    Filesize

    93KB

    MD5

    df11e4b40a5a8b5a12c8a2a1bfe3216d

    SHA1

    4db3dbaecaad70735185c376a1cdb30e5ff602cf

    SHA256

    fa6569df1fa596a088341f7661de7f87b5211b0ca189fa6e53bff0aea760bcfd

    SHA512

    e42213f81dd271b06cae865dc1319d73529abf08c4dde6370e89d80f737ecd5e0ce4cdb5ce0fdfa3d91eb3690f90e1bafc228070ea872efd0c561b99aad673fb

  • C:\Windows\SysWOW64\Nodgel32.exe

    Filesize

    93KB

    MD5

    1b7fcc2ae886850161c400906b3e3575

    SHA1

    f46feba342d3dfd22f47a988cab6bb2340844b6e

    SHA256

    4ca04012c7572c44f3b43e079483583761405fc9968bd79bff77d6fc918c422a

    SHA512

    74420c68df396ed9615ee031226cad252064d44bca2e1112cf3787d2be75140e52054369980aeccfa78016fb08b188f2fe11e5c25a2aef53bd70f27f64f73ea2

  • \Windows\SysWOW64\Nenobfak.exe

    Filesize

    93KB

    MD5

    b4389cffbcf805c3a14b0666a7fe2d28

    SHA1

    1e3f9c2a856fe28b529b8aaf4b84401c6f8afd3d

    SHA256

    726a9a7041a63f724ef1a7663b7f8d9e3b06b0932ce65a0e6d3dbac6bfce2e18

    SHA512

    fe3248363242074c9e6aee369d0f34055923f75c5e50417ea89407fa8e2bdf58182246a2450864a1d1b90cdb06e8d53e22315f9924ad025b26f52ebacf08d716

  • \Windows\SysWOW64\Nmbknddp.exe

    Filesize

    93KB

    MD5

    84163310106504cd6276c259e212dd63

    SHA1

    f1ed9a3178a3f340dc057112d25d42e9c137e662

    SHA256

    34dab8613887b6a993f1de220e9aa5d917d0e59df43cbbb14e243eaef3486af0

    SHA512

    801a09d725a6fe028f490ec73f0968a3f21d681830d33bb396adab46f254a4d974096ced7a48f50d2a85b08fc122bd473a2f839a04606c4bce5d6163410e3792

  • memory/1152-79-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/2584-80-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/2584-48-0x00000000003D0000-0x00000000003FF000-memory.dmp

    Filesize

    188KB

  • memory/2612-75-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/2612-27-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/2612-34-0x0000000000260000-0x000000000028F000-memory.dmp

    Filesize

    188KB

  • memory/2728-11-0x0000000000250000-0x000000000027F000-memory.dmp

    Filesize

    188KB

  • memory/2728-0-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/2728-12-0x0000000000250000-0x000000000027F000-memory.dmp

    Filesize

    188KB

  • memory/2728-78-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/2936-81-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/2936-14-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/3024-71-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/3024-61-0x00000000003D0000-0x00000000003FF000-memory.dmp

    Filesize

    188KB