Analysis

  • max time kernel
    95s
  • max time network
    97s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    07-12-2024 20:15

General

  • Target

    0aeb98f087c616de55490f53ae3973b17e66ddc16a9c319d55c4342e018f8821N.exe

  • Size

    448KB

  • MD5

    a51c013eef98b94d12752396ef6afb80

  • SHA1

    a4832530ff65ac639d18a3ece97d191030524d12

  • SHA256

    0aeb98f087c616de55490f53ae3973b17e66ddc16a9c319d55c4342e018f8821

  • SHA512

    88c6f5d18c30cd570c7020de6c848c371cd48a24d675f0109312bdcffbf163606bd814b4ded191c1cbcfb9846cfc921cc2590b057b1f566552f5fca2109b3ab7

  • SSDEEP

    6144:I99U/ZaxxiLUmKyIxLDXXoq9FJZCUmKyIxL4:6Uhw832XXf9Do3p

Malware Config

Extracted

Family

berbew

C2

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
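The third C2 entry above is not a literal URL but a printf-style template: the backdoor fills the nine `:`-separated conversions (`%s`, `%i`, `%09u`, `%02d`, ...) at runtime and appends them to `piplog.php`. The host part reads `f` in the extracted config, so a detection keyed on the host would be useless; the field layout is what the binary actually produces. The following added example (not part of the sandbox report, and not Berbew's own code) converts each template into a host-agnostic regular expression and runs it over a few constructed proxy-log lines. The log lines, the 203.0.113.7 address, the timestamps and the field values are all made up for the demo; only the three templates come from the page, and the meaning of the individual fields is not documented here, so the example splits them positionally rather than naming them.

```python
import re

# The three C2 URL templates extracted from the sample's configuration (copied
# from the Malware Config section above). The host "f" is whatever the config
# extractor recovered; the detection below deliberately ignores the host and
# keys on the path and the field layout, which are what the binary formats.
C2_TEMPLATES = [
    "http://f/wcmd.htm",
    "http://f/ppslog.php",
    "http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d",
]

# printf-style conversions present in the templates: optional '0' flag,
# optional width, conversion letter.
_CONV = re.compile(r"%(0?)(\d*)([sdiu])")


def _conv_to_regex(match):
    """Map one printf conversion to a regex fragment.

    Assumption: a %s field never contains ':' because ':' is the separator
    the template itself uses between fields.
    """
    zero, width, kind = match.groups()
    if kind == "s":
        return r"[^:/?&\s]+"
    if zero and width:                      # %09u, %02d: fixed-width, zero-padded
        return r"\d{%s}" % width
    return r"-?\d+" if kind in "di" else r"\d+"


def template_to_regex(template):
    """Turn a C2 URL template into a compiled regex that matches any host."""
    path = template.split("://", 1)[1].split("/", 1)[1]   # drop scheme and host
    parts, pos = [], 0
    for m in _CONV.finditer(path):
        parts.append(re.escape(path[pos:m.start()]))      # literal text, escaped
        parts.append(_conv_to_regex(m))
        pos = m.end()
    parts.append(re.escape(path[pos:]))
    # Require the URL to end where the log field ends, so look-alikes with
    # extra characters after the last field do not match.
    return re.compile(r"https?://[^/\s]+/" + "".join(parts) + r"(?=\s|$)")


def scan_log(log_text, templates=C2_TEMPLATES):
    """Return (line_no, template, url) for each log line hitting a C2 template."""
    compiled = [(t, template_to_regex(t)) for t in templates]
    hits = []
    for line_no, line in enumerate(log_text.splitlines(), 1):
        for template, rx in compiled:
            m = rx.search(line)
            if m:
                hits.append((line_no, template, m.group(0)))
    return hits


def beacon_fields(url):
    """Split a piplog.php beacon into its nine ':'-separated fields, in template order."""
    return url.split("?", 1)[1].split(":")


# Constructed proxy log lines for the demo (not from the sandbox run). The host,
# timestamps and field values are made up; the first line only follows the
# template's shape. Line 3 is a decoy that shares the path but not the layout.
SAMPLE_PROXY_LOG = """\
2024-12-07T20:15:31Z 10.0.0.21 GET http://203.0.113.7/piplog.php?ABCD1234:1:0:WIN10:000004860:2:20:15:31 200
2024-12-07T20:15:32Z 10.0.0.21 GET http://203.0.113.7/wcmd.htm 404
2024-12-07T20:15:40Z 10.0.0.33 GET http://www.example.com/piplog.php?id=5 200
2024-12-07T20:16:02Z 10.0.0.21 POST http://203.0.113.7/ppslog.php 200
"""

if __name__ == "__main__":
    for line_no, template, url in scan_log(SAMPLE_PROXY_LOG):
        print(line_no, template, url)
```

The `wcmd.htm` and `ppslog.php` patterns are short and will be noisy on their own on a busy proxy; the `piplog.php` layout (two fixed-width fields and the `%02d:%02d:%02d` tail) is the discriminating one, so treat hits on the first two as corroboration rather than as a standalone alert.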

Signatures

  • Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 10 IoCs)
  • Berbew

    Berbew is a backdoor written in C++.

  • Berbew family
  • Executes dropped EXE (5 IoCs)
  • Drops file in System32 directory (15 IoCs)
  • Program crash (1 IoC)
  • System Location Discovery: System Language Discovery (1 TTP, 6 IoCs)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class (18 IoCs)
  • Suspicious use of WriteProcessMemory (15 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\0aeb98f087c616de55490f53ae3973b17e66ddc16a9c319d55c4342e018f8821N.exe
    "C:\Users\Admin\AppData\Local\Temp\0aeb98f087c616de55490f53ae3973b17e66ddc16a9c319d55c4342e018f8821N.exe"
    1⤵
    • Adds autorun key to be loaded by Explorer.exe on startup
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4860
    • C:\Windows\SysWOW64\Dmjocp32.exe
      C:\Windows\system32\Dmjocp32.exe
      2⤵
      • Adds autorun key to be loaded by Explorer.exe on startup
      • Executes dropped EXE
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:2840
      • C:\Windows\SysWOW64\Deagdn32.exe
        C:\Windows\system32\Deagdn32.exe
        3⤵
        • Adds autorun key to be loaded by Explorer.exe on startup
        • Executes dropped EXE
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:4428
        • C:\Windows\SysWOW64\Dhocqigp.exe
          C:\Windows\system32\Dhocqigp.exe
          4⤵
          • Adds autorun key to be loaded by Explorer.exe on startup
          • Executes dropped EXE
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          • Suspicious use of WriteProcessMemory
          PID:4144
          • C:\Windows\SysWOW64\Dknpmdfc.exe
            C:\Windows\system32\Dknpmdfc.exe
            5⤵
            • Adds autorun key to be loaded by Explorer.exe on startup
            • Executes dropped EXE
            • Drops file in System32 directory
            • System Location Discovery: System Language Discovery
            • Modifies registry class
            • Suspicious use of WriteProcessMemory
            PID:876
            • C:\Windows\SysWOW64\Dmllipeg.exe
              C:\Windows\system32\Dmllipeg.exe
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              PID:3460
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 3460 -s 408
                7⤵
                • Program crash
                PID:1272
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3460 -ip 3460
    1⤵
      PID:1484
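The process tree shows the behaviour that matters for detection: each stage writes a new executable with a random eight-character name into SysWOW64 and launches it, five generations deep, until the last copy (PID 3460) crashes and WerFault.exe is invoked for it. Two details are worth keeping in mind. First, every parent launches `C:\Windows\system32\<name>.exe` but the sandbox records the image under `C:\Windows\SysWOW64\`, because these are 32-bit processes and WoW64 file-system redirection rewrites the path; a rule that only looks at one of the two directories, or only at the command line, misses half the chain. Second, the Downloads section below lists the five dropped copies at 448KB each but with five different hashes, so the file hashes from this run are poor indicators for the next run, and the behavioural signal (unknown binary in a system directory, started by the process that just wrote it) is the durable one. The following added example (not part of the report, and not the sandbox's own logic) transcribes the tree above into process-creation events and applies that rule. The PIDs, paths and command lines are taken from the tree; the `KNOWN_SYSTEM_IMAGES` allowlist is a deliberately minimal stand-in for a real known-good list and is an assumption of the demo.

```python
import re

# Process-creation events transcribed from the process tree above:
# (pid, parent pid, image path, command line). The parent of the first
# process is not shown in the report, so it is None; the second WerFault.exe
# is listed at the top level, so its parent is None as well.
EVENTS = [
    (4860, None, r"C:\Users\Admin\AppData\Local\Temp\0aeb98f087c616de55490f53ae3973b17e66ddc16a9c319d55c4342e018f8821N.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\0aeb98f087c616de55490f53ae3973b17e66ddc16a9c319d55c4342e018f8821N.exe"'),
    (2840, 4860, r"C:\Windows\SysWOW64\Dmjocp32.exe", r"C:\Windows\system32\Dmjocp32.exe"),
    (4428, 2840, r"C:\Windows\SysWOW64\Deagdn32.exe", r"C:\Windows\system32\Deagdn32.exe"),
    (4144, 4428, r"C:\Windows\SysWOW64\Dhocqigp.exe", r"C:\Windows\system32\Dhocqigp.exe"),
    (876, 4144, r"C:\Windows\SysWOW64\Dknpmdfc.exe", r"C:\Windows\system32\Dknpmdfc.exe"),
    (3460, 876, r"C:\Windows\SysWOW64\Dmllipeg.exe", r"C:\Windows\system32\Dmllipeg.exe"),
    (1272, 3460, r"C:\Windows\SysWOW64\WerFault.exe", r"C:\Windows\SysWOW64\WerFault.exe -u -p 3460 -s 408"),
    (1484, None, r"C:\Windows\SysWOW64\WerFault.exe", r"C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3460 -ip 3460"),
]

# Minimal stand-in for a known-good list of OS binaries. Assumption for the
# demo: a real deployment would check Authenticode signatures or a hash set
# taken from a clean build, not a name list, since malware can reuse names.
KNOWN_SYSTEM_IMAGES = {"werfault.exe"}

SYSDIR_RE = re.compile(r"^c:\\windows\\(?:system32|syswow64)\\([^\\]+)$")


def unexpected_system_binaries(events=EVENTS):
    r"""PIDs whose image lives in System32 or SysWOW64 but is not a known OS binary.

    Both directories are matched on purpose: a 32-bit process asking for
    C:\Windows\system32\X.exe gets C:\Windows\SysWOW64\X.exe through WoW64
    redirection, as the command lines above show.
    """
    flagged = []
    for pid, _ppid, image, _cmd in events:
        m = SYSDIR_RE.match(image.lower())
        if m and m.group(1) not in KNOWN_SYSTEM_IMAGES:
            flagged.append(pid)
    return flagged


def lineage(pid, events=EVENTS):
    """Walk parent links from pid to the root; returns the chain root-first."""
    parent = {p: pp for p, pp, _img, _cmd in events}
    chain = [pid]
    while parent.get(chain[-1]) is not None:
        chain.append(parent[chain[-1]])
    return chain[::-1]


def longest_drop_chain(events=EVENTS):
    """Deepest lineage whose every link below the root is an unexpected system-dir binary.

    Each stage here is a dropper that wrote a fresh copy of itself into
    SysWOW64 and ran it; the chain length is the number of generations observed.
    """
    flagged = set(unexpected_system_binaries(events))
    best = []
    for pid in flagged:
        chain = lineage(pid, events)
        if all(p in flagged for p in chain[1:]) and len(chain) > len(best):
            best = chain
    return best


_WERFAULT_PID = re.compile(r"(?:^|\s)-p\s+(\d+)")


def crashed_pids(events=EVENTS):
    """PIDs that WerFault.exe was invoked for (the '-p <pid>' argument)."""
    crashed = set()
    for _pid, _ppid, image, cmd in events:
        if image.lower().endswith(r"\werfault.exe"):
            m = _WERFAULT_PID.search(cmd)
            if m:
                crashed.add(int(m.group(1)))
    return crashed


if __name__ == "__main__":
    chain = longest_drop_chain()
    print("unexpected system-dir binaries:", unexpected_system_binaries())
    print("drop chain (root first):", chain, "depth", len(chain))
    print("crashed:", crashed_pids())
```

On real telemetry (Sysmon event 1 or equivalent) the same three functions apply unchanged once the events are mapped to `(pid, ppid, image, cmdline)`; the part that must be replaced is the name-based allowlist, which only exists here to keep the demo self-contained.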

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Windows\SysWOW64\Deagdn32.exe

      Filesize

      448KB

      MD5

      945b501b2a13863da66ad47cfd65ed37

      SHA1

      1de87fe6220384400b7db4189dab0eeab263f52a

      SHA256

      04343caddbf728d03cd31cb730a7b01262ee92db16b98df2e1c35e572d16b0c0

      SHA512

      fecb0f3b17e84c91c9b19982c1f80505387f903459f96d4996c94e1e98aab5c1b8706ae101ff83f31ed93d984d1892dc8521525ac43521b15305715b3dc24973

    • C:\Windows\SysWOW64\Dhocqigp.exe

      Filesize

      448KB

      MD5

      2caa8cb013718826f61bb024f8fcdf8c

      SHA1

      ca0ec02b6554a9be22e7723755d9f50fc3d1ddee

      SHA256

      8988e54b24d286ab5dd0a4dc8ef1d3c73c3dd9b27519f69eb3d4b2b6561f8787

      SHA512

      239ce12d970ba9c03d9a4d58071747a890d8312a664ff616893a07d029d64353cb2c00466f2af9a2b2af5f73272952e357096bfc23e2f7c049fe25617d48eb54

    • C:\Windows\SysWOW64\Dknpmdfc.exe

      Filesize

      448KB

      MD5

      74f2b5b7e77f50349caddca9e321934b

      SHA1

      78ddb64f64fefff29b5dc723cb8625f17efe01e5

      SHA256

      d0d4a09b1b339d6030f149ec38d81e2c3e2d15b4e77ed3761128cddb7540360f

      SHA512

      fd4f69e33f45e1a62de09632a332022aaa8ab5c1ad25ef54b7f4dec6bfdfc0da0a75c791802c2076e52c6b446dd513839f33b968183614e28643a98f620efe4c

    • C:\Windows\SysWOW64\Dmjocp32.exe

      Filesize

      448KB

      MD5

      c2b739814c2d5cc031baf589b50b10be

      SHA1

      8901a928a59f8ad4ada40caf89978bc2342ca833

      SHA256

      1501a9d9a57d1adbc18eda2b8ab0115b92d84aeb90e5abe2fdd6767778b0a237

      SHA512

      abf66917e86bde5e53631cf3b327d890393b50987063ec39e228e0711d93bb76889ebaee9a3c8bd0a5d718c16c1e5498b9878b11317785112bd993a9e3e049b7

    • C:\Windows\SysWOW64\Dmllipeg.exe

      Filesize

      448KB

      MD5

      4e292ea8ad0047d2eb4966607bd681f9

      SHA1

      d6570fca63ff23dd1a9e3116654917ed358dc1d6

      SHA256

      0f1c1c52ba3f89d1bce01e7e3462130bca97d6066f3b7c4c9b44e5d22eb5f970

      SHA512

      f7661e421425947524d201b70d6f902eed1fe37517fbe87b43c2a1597912cad3d04509eb1dcf59e6ca2582508eea196f3e4c343fa98e40fbf14a3b00bcd48bba

    • C:\Windows\SysWOW64\Kngpec32.dll

      Filesize

      7KB

      MD5

      da4b16385aaa6bfd11d3e70bcd5b713b

      SHA1

      de27af28748580c1194da39830eb2701e8e6bcb8

      SHA256

      771c2b98fc607b5ceb9bc70f4e90ae9703d5febbf56c0ac2ef5b34afbe1b8c31

      SHA512

      2723cbae26eeae35f8e664ec480f78392d82e66a8c17eab3ae32e8c7208b14fc5536ae999b9e15e61a004c90914d84f56b384632a224a7cb053cc08af3438cbe

    • memory/876-38-0x0000000000400000-0x0000000000460000-memory.dmp

      Filesize

      384KB

    • memory/876-44-0x0000000000400000-0x0000000000460000-memory.dmp

      Filesize

      384KB

    • memory/2840-19-0x0000000000400000-0x0000000000460000-memory.dmp

      Filesize

      384KB

    • memory/2840-50-0x0000000000400000-0x0000000000460000-memory.dmp

      Filesize

      384KB

    • memory/3460-42-0x0000000000400000-0x0000000000460000-memory.dmp

      Filesize

      384KB

    • memory/3460-39-0x0000000000400000-0x0000000000460000-memory.dmp

      Filesize

      384KB

    • memory/4144-40-0x0000000000400000-0x0000000000460000-memory.dmp

      Filesize

      384KB

    • memory/4144-46-0x0000000000400000-0x0000000000460000-memory.dmp

      Filesize

      384KB

    • memory/4428-48-0x0000000000400000-0x0000000000460000-memory.dmp

      Filesize

      384KB

    • memory/4428-37-0x0000000000400000-0x0000000000460000-memory.dmp

      Filesize

      384KB

    • memory/4860-0-0x0000000000400000-0x0000000000460000-memory.dmp

      Filesize

      384KB

    • memory/4860-52-0x0000000000400000-0x0000000000460000-memory.dmp

      Filesize

      384KB

    • memory/4860-51-0x0000000000400000-0x0000000000460000-memory.dmp

      Filesize

      384KB