berbew | 57a8ccdf691710ece173bfda70e7e3c16d905a942b4fe300841defa49a47e112

General

Target

57a8ccdf691710ece173bfda70e7e3c16d905a942b4fe300841defa49a47e112.exe
Size

96KB
MD5

f353fc1110599ef9ce8de6ebf9f4994f
SHA1

a193af579af213e4b13cf7ead91161fc3d674e2c
SHA256

57a8ccdf691710ece173bfda70e7e3c16d905a942b4fe300841defa49a47e112
SHA512

ad982b03fb829cacca5df980a668d3e2226f695ecbebdf9bd244b66a7ffdfdc72fad18c300b55522480d1fa21594eac67406cc50982327c7b5b1935baf257542
SSDEEP

1536:FPcL9zTdUJo0jQo6Cjkk37fs1e6zoOuB3KY2tpZ74S7V+5pUMv84WMRw8Dkqq:OL9z5qjuCjv3bs1d63KYiP4Sp+7H7wWO

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	57a8ccdf691710ece173bfda70e7e3c16d905a942b4fe300841defa49a47e112.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Clojhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Clojhf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnmfdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnmfdb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djdgic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Djdgic32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	57a8ccdf691710ece173bfda70e7e3c16d905a942b4fe300841defa49a47e112.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 4 IoCs

pid	Process
1960	Clojhf32.exe
2256	Cnmfdb32.exe
2808	Djdgic32.exe
2696	Dpapaj32.exe

Loads dropped DLL 11 IoCs

pid	Process
2572	57a8ccdf691710ece173bfda70e7e3c16d905a942b4fe300841defa49a47e112.exe
2572	57a8ccdf691710ece173bfda70e7e3c16d905a942b4fe300841defa49a47e112.exe
1960	Clojhf32.exe
1960	Clojhf32.exe
2256	Cnmfdb32.exe
2256	Cnmfdb32.exe
2808	Djdgic32.exe
2808	Djdgic32.exe
2612	WerFault.exe
2612	WerFault.exe
2612	WerFault.exe

Drops file in System32 directory 14 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Clojhf32.exe	57a8ccdf691710ece173bfda70e7e3c16d905a942b4fe300841defa49a47e112.exe
File created	C:\Windows\SysWOW64\Efeckm32.dll	57a8ccdf691710ece173bfda70e7e3c16d905a942b4fe300841defa49a47e112.exe
File opened for modification	C:\Windows\SysWOW64\Djdgic32.exe	Cnmfdb32.exe
File opened for modification	C:\Windows\SysWOW64\Clojhf32.exe	57a8ccdf691710ece173bfda70e7e3c16d905a942b4fe300841defa49a47e112.exe
File created	C:\Windows\SysWOW64\Cnmfdb32.exe	Clojhf32.exe
File created	C:\Windows\SysWOW64\Ccofjipn.dll	Cnmfdb32.exe
File created	C:\Windows\SysWOW64\Dpapaj32.exe	Djdgic32.exe
File opened for modification	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe
File opened for modification	C:\Windows\SysWOW64\Cnmfdb32.exe	Clojhf32.exe
File created	C:\Windows\SysWOW64\Niebgj32.dll	Clojhf32.exe
File created	C:\Windows\SysWOW64\Djdgic32.exe	Cnmfdb32.exe
File opened for modification	C:\Windows\SysWOW64\Dpapaj32.exe	Djdgic32.exe
File created	C:\Windows\SysWOW64\Pdkefp32.dll	Djdgic32.exe
File created	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2612	2696	WerFault.exe	34

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdgic32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpapaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	57a8ccdf691710ece173bfda70e7e3c16d905a942b4fe300841defa49a47e112.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Clojhf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnmfdb32.exe

Modifies registry class 15 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Niebgj32.dll"	Clojhf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Djdgic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Djdgic32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	57a8ccdf691710ece173bfda70e7e3c16d905a942b4fe300841defa49a47e112.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	57a8ccdf691710ece173bfda70e7e3c16d905a942b4fe300841defa49a47e112.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efeckm32.dll"	57a8ccdf691710ece173bfda70e7e3c16d905a942b4fe300841defa49a47e112.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccofjipn.dll"	Cnmfdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cnmfdb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	57a8ccdf691710ece173bfda70e7e3c16d905a942b4fe300841defa49a47e112.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	57a8ccdf691710ece173bfda70e7e3c16d905a942b4fe300841defa49a47e112.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cnmfdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdkefp32.dll"	Djdgic32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Clojhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Clojhf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	57a8ccdf691710ece173bfda70e7e3c16d905a942b4fe300841defa49a47e112.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2572 wrote to memory of 1960	2572	57a8ccdf691710ece173bfda70e7e3c16d905a942b4fe300841defa49a47e112.exe	31
PID 2572 wrote to memory of 1960	2572	57a8ccdf691710ece173bfda70e7e3c16d905a942b4fe300841defa49a47e112.exe	31
PID 2572 wrote to memory of 1960	2572	57a8ccdf691710ece173bfda70e7e3c16d905a942b4fe300841defa49a47e112.exe	31
PID 2572 wrote to memory of 1960	2572	57a8ccdf691710ece173bfda70e7e3c16d905a942b4fe300841defa49a47e112.exe	31
PID 1960 wrote to memory of 2256	1960	Clojhf32.exe	32
PID 1960 wrote to memory of 2256	1960	Clojhf32.exe	32
PID 1960 wrote to memory of 2256	1960	Clojhf32.exe	32
PID 1960 wrote to memory of 2256	1960	Clojhf32.exe	32
PID 2256 wrote to memory of 2808	2256	Cnmfdb32.exe	33
PID 2256 wrote to memory of 2808	2256	Cnmfdb32.exe	33
PID 2256 wrote to memory of 2808	2256	Cnmfdb32.exe	33
PID 2256 wrote to memory of 2808	2256	Cnmfdb32.exe	33
PID 2808 wrote to memory of 2696	2808	Djdgic32.exe	34
PID 2808 wrote to memory of 2696	2808	Djdgic32.exe	34
PID 2808 wrote to memory of 2696	2808	Djdgic32.exe	34
PID 2808 wrote to memory of 2696	2808	Djdgic32.exe	34
PID 2696 wrote to memory of 2612	2696	Dpapaj32.exe	35
PID 2696 wrote to memory of 2612	2696	Dpapaj32.exe	35
PID 2696 wrote to memory of 2612	2696	Dpapaj32.exe	35
PID 2696 wrote to memory of 2612	2696	Dpapaj32.exe	35

C:\Users\Admin\AppData\Local\Temp\57a8ccdf691710ece173bfda70e7e3c16d905a942b4fe300841defa49a47e112.exe
"C:\Users\Admin\AppData\Local\Temp\57a8ccdf691710ece173bfda70e7e3c16d905a942b4fe300841defa49a47e112.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2572
- C:\Windows\SysWOW64\Clojhf32.exe
  C:\Windows\system32\Clojhf32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1960
- - C:\Windows\SysWOW64\Cnmfdb32.exe
    C:\Windows\system32\Cnmfdb32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2256
  - - C:\Windows\SysWOW64\Djdgic32.exe
      C:\Windows\system32\Djdgic32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2808
    - - C:\Windows\SysWOW64\Dpapaj32.exe
        
        C:\Windows\system32\Dpapaj32.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2696
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2696 -s 144
        6⤵
        Loads dropped DLL
        Program crash
        
        PID:2612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Clojhf32.exe

Filesize
96KB

MD5
6127bbe380f8449bc57a1e085f8c0b9d

SHA1
4036cd9084590dac6da842024ffe1abcf7028bb3

SHA256
4b195a928b227dc7cd7edec560a31da0824e518142a9af362d82b3be2d35a1d1

SHA512
8a4c1b18b9c3842adb5d00ab577e5e318b6fb05370f78508bef66a6187a896c5c6ccf9553c1a8884baa2046cbd76c346319346ca4140bfc2f6a9e333000efb4d

Download Submit
\Windows\SysWOW64\Cnmfdb32.exe

Filesize
96KB

MD5
34f3e145edcf331a6ca4194f5779f810

SHA1
1c6439b95a94d6538bee5a6df221bdf2005799b8

SHA256
6a23f833be75fd15c67b5ad139d31f55f89ec7095c0f3e8510dbebb5776761dc

SHA512
540fd240223ae77a3ead7b389e3a3232c358985b5087fb5c30e9c36e69785f41c692b9fe36f7826ea6b9bcbb90fe6ed9b0d9bc8c72c4bae5ab885f5272fd8fbf

Download Submit
\Windows\SysWOW64\Djdgic32.exe

Filesize
96KB

MD5
a51eb93e96c60ce832b50df857daa2bb

SHA1
09b46ea5f25bc47660549540d654cc259951606a

SHA256
657f790229a2f2b572dbfb32ba1f8f2a8888c48986f453d58ded221971460621

SHA512
d46974d6f9a9f892f7e431e5bcacb1f5f670acdcf5c9af0bad5bb414ef07eab1c51bce37ce3758955ab41a8cf9835e83ef4c0462ea99ed6e70422126db0cdcd4

Download Submit
\Windows\SysWOW64\Dpapaj32.exe

Filesize
96KB

MD5
4da687e9ed87d20f7ba5db654d775fb5

SHA1
b955b20f096c76eb9accc0808fd9cefc9db2d959

SHA256
32cfea5233451292d194b555ee709e54295d9485db2271f18cbea7cf1fecc9d8

SHA512
cc508809bbf3bed7d30e9a30cca1d335a2906a2e9301b6962ba4f2a1cb7a2212371b171bdacd2782be9cff7854ab8272e5b85db2d7d10cf28abbabd55f33b9d6

Download Submit
memory/1960-19-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2256-27-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2256-35-0x0000000000310000-0x000000000034F000-memory.dmp

Filesize
252KB

Download
memory/2256-63-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2572-0-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2572-17-0x0000000000310000-0x000000000034F000-memory.dmp

Filesize
252KB

Download
memory/2572-18-0x0000000000310000-0x000000000034F000-memory.dmp

Filesize
252KB

Download
memory/2572-61-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2696-53-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2696-62-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2808-60-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads