berbew | 6ec43d7c695510ba12d88622254708db9b17fb4e5b3ffc0a8647db9ba914016b

General

Target

6ec43d7c695510ba12d88622254708db9b17fb4e5b3ffc0a8647db9ba914016b.exe
Size

64KB
MD5

810ce960209b0ea063d595c8e5b0a527
SHA1

a101df1eb17bbe97a91902467df688e2ad40d307
SHA256

6ec43d7c695510ba12d88622254708db9b17fb4e5b3ffc0a8647db9ba914016b
SHA512

d7654ba23315eac587a6cc036bbfe430d34d6f7f289455459c8b98c6f3961499e5ecf4eebe1c5efacb67380831200115f6353dcb7ae0b00f0c400a6b4366613b
SSDEEP

1536:6zpFnRIpBR26xkH44G5aqjjcsv8atsb/t9X8DGg9JUkXUwXfzwP:6VFnKpBsFVrTFAPzwP

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

C2

http://tat-neftbank.ru/kkq.php

http://tat-neftbank.ru/wcmd.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	6ec43d7c695510ba12d88622254708db9b17fb4e5b3ffc0a8647db9ba914016b.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	6ec43d7c695510ba12d88622254708db9b17fb4e5b3ffc0a8647db9ba914016b.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 2 IoCs

pid	Process
4852	Dhocqigp.exe
3672	Dmllipeg.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Dhocqigp.exe	6ec43d7c695510ba12d88622254708db9b17fb4e5b3ffc0a8647db9ba914016b.exe
File opened for modification	C:\Windows\SysWOW64\Dhocqigp.exe	6ec43d7c695510ba12d88622254708db9b17fb4e5b3ffc0a8647db9ba914016b.exe
File created	C:\Windows\SysWOW64\Elkadb32.dll	6ec43d7c695510ba12d88622254708db9b17fb4e5b3ffc0a8647db9ba914016b.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dhocqigp.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dhocqigp.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2708	3672	WerFault.exe	86

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6ec43d7c695510ba12d88622254708db9b17fb4e5b3ffc0a8647db9ba914016b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	6ec43d7c695510ba12d88622254708db9b17fb4e5b3ffc0a8647db9ba914016b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	6ec43d7c695510ba12d88622254708db9b17fb4e5b3ffc0a8647db9ba914016b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	6ec43d7c695510ba12d88622254708db9b17fb4e5b3ffc0a8647db9ba914016b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	6ec43d7c695510ba12d88622254708db9b17fb4e5b3ffc0a8647db9ba914016b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	6ec43d7c695510ba12d88622254708db9b17fb4e5b3ffc0a8647db9ba914016b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elkadb32.dll"	6ec43d7c695510ba12d88622254708db9b17fb4e5b3ffc0a8647db9ba914016b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dhocqigp.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4860 wrote to memory of 4852	4860	6ec43d7c695510ba12d88622254708db9b17fb4e5b3ffc0a8647db9ba914016b.exe	85
PID 4860 wrote to memory of 4852	4860	6ec43d7c695510ba12d88622254708db9b17fb4e5b3ffc0a8647db9ba914016b.exe	85
PID 4860 wrote to memory of 4852	4860	6ec43d7c695510ba12d88622254708db9b17fb4e5b3ffc0a8647db9ba914016b.exe	85
PID 4852 wrote to memory of 3672	4852	Dhocqigp.exe	86
PID 4852 wrote to memory of 3672	4852	Dhocqigp.exe	86
PID 4852 wrote to memory of 3672	4852	Dhocqigp.exe	86

C:\Users\Admin\AppData\Local\Temp\6ec43d7c695510ba12d88622254708db9b17fb4e5b3ffc0a8647db9ba914016b.exe
"C:\Users\Admin\AppData\Local\Temp\6ec43d7c695510ba12d88622254708db9b17fb4e5b3ffc0a8647db9ba914016b.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4860
- C:\Windows\SysWOW64\Dhocqigp.exe
  C:\Windows\system32\Dhocqigp.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4852
- - C:\Windows\SysWOW64\Dmllipeg.exe
    C:\Windows\system32\Dmllipeg.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3672
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3672 -s 396
      4⤵
      Program crash
      PID:2708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3672 -ip 3672
1⤵
PID:228

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Dhocqigp.exe

Filesize
64KB

MD5
8d46b016bbb1bf9d443a3882411a63dc

SHA1
04349f1226aacc97f09316bb96ce3e4b920793dd

SHA256
06e02f4cdbcb812b4b7c1439c06ef9fc7134fbbf51091e0916ee04b96a61074a

SHA512
241ce291e7c00691edd23ad3ec02135a88fa91ea737f727dfcc85c483bb38c557f7f03e1d4f2431d5e3ff990b9517e6e14809e4ca45d2f718a9c962f151d964a

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
64KB

MD5
0dc9c7f19484a7080e45731b3653f671

SHA1
d9a90853ae6364e1449a8c5c3a6664efe7ca89c4

SHA256
1fc0376d36e2b2e86dfccc28956f8f3bf69284291542021bf68def4ddece4546

SHA512
c6bd421cf02daee45fac2c3296f90fc4aba67e9970d38a1385d5d836aa3b3553ad782cb998180ce6716018527be07fe82187a193d4cb7c3736dfa16c74d71a87

Download Submit
memory/3672-15-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3672-19-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4852-7-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4852-20-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4860-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4860-22-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads