berbew | 3556b6fe9b68b32bfb4fd075be993b7d4fb66cf0df0209152a2c7d11ff5285eb

General

Target

3556b6fe9b68b32bfb4fd075be993b7d4fb66cf0df0209152a2c7d11ff5285ebN.exe
Size

93KB
MD5

cdc7168a2201327424f804a47d992090
SHA1

af02239c3ff35e7a0de074331af9c86522d3ae76
SHA256

3556b6fe9b68b32bfb4fd075be993b7d4fb66cf0df0209152a2c7d11ff5285eb
SHA512

3219b32be37d632abfc555d277b8bf62ac215065b96e5075e8274a41bf3f24292435728d13bf139dc5114474555fd87151d4d6501e62083b767874d0f70d694e
SSDEEP

1536:jbbrB1juQtPD0ZI4CDXf8qVlO7uXcNvvm5yw/Lb0OUrrQ35wNBUyVVM:jbf7FtQZWDX9O7usluTXp6Uv

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

C2

http://tat-neftbank.ru/kkq.php

http://tat-neftbank.ru/wcmd.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nenobfak.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Niikceid.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	3556b6fe9b68b32bfb4fd075be993b7d4fb66cf0df0209152a2c7d11ff5285ebN.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nmbknddp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nmbknddp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nodgel32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nenobfak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	3556b6fe9b68b32bfb4fd075be993b7d4fb66cf0df0209152a2c7d11ff5285ebN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nodgel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Niikceid.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 5 IoCs

pid	Process
2936	Nmbknddp.exe
2612	Nodgel32.exe
2584	Nenobfak.exe
3024	Niikceid.exe
1152	Nlhgoqhh.exe

Loads dropped DLL 14 IoCs

pid	Process
2728	3556b6fe9b68b32bfb4fd075be993b7d4fb66cf0df0209152a2c7d11ff5285ebN.exe
2728	3556b6fe9b68b32bfb4fd075be993b7d4fb66cf0df0209152a2c7d11ff5285ebN.exe
2936	Nmbknddp.exe
2936	Nmbknddp.exe
2612	Nodgel32.exe
2612	Nodgel32.exe
2584	Nenobfak.exe
2584	Nenobfak.exe
3024	Niikceid.exe
3024	Niikceid.exe
576	WerFault.exe
576	WerFault.exe
576	WerFault.exe
576	WerFault.exe

Drops file in System32 directory 15 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Nodgel32.exe	Nmbknddp.exe
File opened for modification	C:\Windows\SysWOW64\Nenobfak.exe	Nodgel32.exe
File opened for modification	C:\Windows\SysWOW64\Nmbknddp.exe	3556b6fe9b68b32bfb4fd075be993b7d4fb66cf0df0209152a2c7d11ff5285ebN.exe
File opened for modification	C:\Windows\SysWOW64\Niikceid.exe	Nenobfak.exe
File created	C:\Windows\SysWOW64\Nlhgoqhh.exe	Niikceid.exe
File created	C:\Windows\SysWOW64\Nmbknddp.exe	3556b6fe9b68b32bfb4fd075be993b7d4fb66cf0df0209152a2c7d11ff5285ebN.exe
File created	C:\Windows\SysWOW64\Ngoohnkj.dll	3556b6fe9b68b32bfb4fd075be993b7d4fb66cf0df0209152a2c7d11ff5285ebN.exe
File created	C:\Windows\SysWOW64\Niikceid.exe	Nenobfak.exe
File created	C:\Windows\SysWOW64\Lamajm32.dll	Niikceid.exe
File opened for modification	C:\Windows\SysWOW64\Nlhgoqhh.exe	Niikceid.exe
File opened for modification	C:\Windows\SysWOW64\Nodgel32.exe	Nmbknddp.exe
File created	C:\Windows\SysWOW64\Cnjgia32.dll	Nmbknddp.exe
File created	C:\Windows\SysWOW64\Nenobfak.exe	Nodgel32.exe
File created	C:\Windows\SysWOW64\Mehjml32.dll	Nodgel32.exe
File created	C:\Windows\SysWOW64\Dnlbnp32.dll	Nenobfak.exe

Program crash 1 IoCs

pid	pid_target	Process
576	1152	WerFault.exe

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Niikceid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlhgoqhh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3556b6fe9b68b32bfb4fd075be993b7d4fb66cf0df0209152a2c7d11ff5285ebN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nmbknddp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nodgel32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nenobfak.exe

Modifies registry class 18 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Niikceid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lamajm32.dll"	Niikceid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Niikceid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	3556b6fe9b68b32bfb4fd075be993b7d4fb66cf0df0209152a2c7d11ff5285ebN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nodgel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnlbnp32.dll"	Nenobfak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nenobfak.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	3556b6fe9b68b32bfb4fd075be993b7d4fb66cf0df0209152a2c7d11ff5285ebN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nodgel32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	3556b6fe9b68b32bfb4fd075be993b7d4fb66cf0df0209152a2c7d11ff5285ebN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	3556b6fe9b68b32bfb4fd075be993b7d4fb66cf0df0209152a2c7d11ff5285ebN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nmbknddp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mehjml32.dll"	Nodgel32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nenobfak.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	3556b6fe9b68b32bfb4fd075be993b7d4fb66cf0df0209152a2c7d11ff5285ebN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ngoohnkj.dll"	3556b6fe9b68b32bfb4fd075be993b7d4fb66cf0df0209152a2c7d11ff5285ebN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nmbknddp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnjgia32.dll"	Nmbknddp.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2728 wrote to memory of 2936	2728	3556b6fe9b68b32bfb4fd075be993b7d4fb66cf0df0209152a2c7d11ff5285ebN.exe	30
PID 2728 wrote to memory of 2936	2728	3556b6fe9b68b32bfb4fd075be993b7d4fb66cf0df0209152a2c7d11ff5285ebN.exe	30
PID 2728 wrote to memory of 2936	2728	3556b6fe9b68b32bfb4fd075be993b7d4fb66cf0df0209152a2c7d11ff5285ebN.exe	30
PID 2728 wrote to memory of 2936	2728	3556b6fe9b68b32bfb4fd075be993b7d4fb66cf0df0209152a2c7d11ff5285ebN.exe	30
PID 2936 wrote to memory of 2612	2936	Nmbknddp.exe	31
PID 2936 wrote to memory of 2612	2936	Nmbknddp.exe	31
PID 2936 wrote to memory of 2612	2936	Nmbknddp.exe	31
PID 2936 wrote to memory of 2612	2936	Nmbknddp.exe	31
PID 2612 wrote to memory of 2584	2612	Nodgel32.exe	32
PID 2612 wrote to memory of 2584	2612	Nodgel32.exe	32
PID 2612 wrote to memory of 2584	2612	Nodgel32.exe	32
PID 2612 wrote to memory of 2584	2612	Nodgel32.exe	32
PID 2584 wrote to memory of 3024	2584	Nenobfak.exe	33
PID 2584 wrote to memory of 3024	2584	Nenobfak.exe	33
PID 2584 wrote to memory of 3024	2584	Nenobfak.exe	33
PID 2584 wrote to memory of 3024	2584	Nenobfak.exe	33
PID 3024 wrote to memory of 1152	3024	Niikceid.exe	34
PID 3024 wrote to memory of 1152	3024	Niikceid.exe	34
PID 3024 wrote to memory of 1152	3024	Niikceid.exe	34
PID 3024 wrote to memory of 1152	3024	Niikceid.exe	34
PID 1152 wrote to memory of 576	1152	Nlhgoqhh.exe	35
PID 1152 wrote to memory of 576	1152	Nlhgoqhh.exe	35
PID 1152 wrote to memory of 576	1152	Nlhgoqhh.exe	35
PID 1152 wrote to memory of 576	1152	Nlhgoqhh.exe	35

C:\Users\Admin\AppData\Local\Temp\3556b6fe9b68b32bfb4fd075be993b7d4fb66cf0df0209152a2c7d11ff5285ebN.exe
"C:\Users\Admin\AppData\Local\Temp\3556b6fe9b68b32bfb4fd075be993b7d4fb66cf0df0209152a2c7d11ff5285ebN.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2728
- C:\Windows\SysWOW64\Nmbknddp.exe
  C:\Windows\system32\Nmbknddp.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2936
- - C:\Windows\SysWOW64\Nodgel32.exe
    C:\Windows\system32\Nodgel32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2612
  - - C:\Windows\SysWOW64\Nenobfak.exe
      C:\Windows\system32\Nenobfak.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2584
    - - C:\Windows\SysWOW64\Niikceid.exe
        
        C:\Windows\system32\Niikceid.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3024
      - C:\Windows\SysWOW64\Nlhgoqhh.exe
        
        C:\Windows\system32\Nlhgoqhh.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1152
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1152 -s 140
        7⤵
        Loads dropped DLL
        Program crash
        
        PID:576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Niikceid.exe

Filesize
93KB

MD5
a03247bf902bdc451b985fa2291bcf73

SHA1
f6fa817255e7bd6a7b5f68905699ee9ba61819d7

SHA256
dc798e1a85798b071f4745d716c15515c8d2c9d1445cba057d1f21a43ceddd86

SHA512
998b3324b5c42862fd0229f8e500519186183b5d660997456d799fd9639c149a18d2abdf72183b067b571d165366031bc95e292335ecd38f198792ad34fd93b5

Download Submit
C:\Windows\SysWOW64\Nlhgoqhh.exe

Filesize
93KB

MD5
df11e4b40a5a8b5a12c8a2a1bfe3216d

SHA1
4db3dbaecaad70735185c376a1cdb30e5ff602cf

SHA256
fa6569df1fa596a088341f7661de7f87b5211b0ca189fa6e53bff0aea760bcfd

SHA512
e42213f81dd271b06cae865dc1319d73529abf08c4dde6370e89d80f737ecd5e0ce4cdb5ce0fdfa3d91eb3690f90e1bafc228070ea872efd0c561b99aad673fb

Download Submit
C:\Windows\SysWOW64\Nodgel32.exe

Filesize
93KB

MD5
1b7fcc2ae886850161c400906b3e3575

SHA1
f46feba342d3dfd22f47a988cab6bb2340844b6e

SHA256
4ca04012c7572c44f3b43e079483583761405fc9968bd79bff77d6fc918c422a

SHA512
74420c68df396ed9615ee031226cad252064d44bca2e1112cf3787d2be75140e52054369980aeccfa78016fb08b188f2fe11e5c25a2aef53bd70f27f64f73ea2

Download Submit
\Windows\SysWOW64\Nenobfak.exe

Filesize
93KB

MD5
b4389cffbcf805c3a14b0666a7fe2d28

SHA1
1e3f9c2a856fe28b529b8aaf4b84401c6f8afd3d

SHA256
726a9a7041a63f724ef1a7663b7f8d9e3b06b0932ce65a0e6d3dbac6bfce2e18

SHA512
fe3248363242074c9e6aee369d0f34055923f75c5e50417ea89407fa8e2bdf58182246a2450864a1d1b90cdb06e8d53e22315f9924ad025b26f52ebacf08d716

Download Submit
\Windows\SysWOW64\Nmbknddp.exe

Filesize
93KB

MD5
84163310106504cd6276c259e212dd63

SHA1
f1ed9a3178a3f340dc057112d25d42e9c137e662

SHA256
34dab8613887b6a993f1de220e9aa5d917d0e59df43cbbb14e243eaef3486af0

SHA512
801a09d725a6fe028f490ec73f0968a3f21d681830d33bb396adab46f254a4d974096ced7a48f50d2a85b08fc122bd473a2f839a04606c4bce5d6163410e3792

Download Submit
memory/1152-79-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2584-80-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2584-48-0x00000000003D0000-0x00000000003FF000-memory.dmp

Filesize
188KB

Download
memory/2612-75-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2612-27-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2612-34-0x0000000000260000-0x000000000028F000-memory.dmp

Filesize
188KB

Download
memory/2728-11-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2728-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2728-12-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2728-78-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2936-81-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2936-14-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3024-71-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3024-61-0x00000000003D0000-0x00000000003FF000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads