berbew | 8b622c1bc5b59e0cda96d662e302372feb9a1ad3527e170d7df8377e3cf79c76

General

Target

8b622c1bc5b59e0cda96d662e302372feb9a1ad3527e170d7df8377e3cf79c76N.exe
Size

1.3MB
MD5

d6742c524be318d3e89e6c627fcdb940
SHA1

a3dbfc725690789b6245375bddb5a74cd90da207
SHA256

8b622c1bc5b59e0cda96d662e302372feb9a1ad3527e170d7df8377e3cf79c76
SHA512

92d41d003a8488d02de4684f79750bceb876532a826e3a68e6c63b15b6270ce38c9aa81649d5560e7fa6d7df3f27435e9baf6375acc88830afbc540aa4e92a4b
SSDEEP

12288:RUiJH3cOK3N7377a20R01F50+OJ3BHCXwpnsKvNA+XTvZHWuEo3oW:RUihyN7a20R0v50+YNpsKv2EvZHp3oW

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

C2

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	8b622c1bc5b59e0cda96d662e302372feb9a1ad3527e170d7df8377e3cf79c76N.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdoajb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cdoajb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckiigmcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ckiigmcd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	8b622c1bc5b59e0cda96d662e302372feb9a1ad3527e170d7df8377e3cf79c76N.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 3 IoCs

pid	Process
2328	Cdoajb32.exe
2420	Ckiigmcd.exe
2772	Cacacg32.exe

Loads dropped DLL 10 IoCs

pid	Process
2932	8b622c1bc5b59e0cda96d662e302372feb9a1ad3527e170d7df8377e3cf79c76N.exe
2932	8b622c1bc5b59e0cda96d662e302372feb9a1ad3527e170d7df8377e3cf79c76N.exe
2328	Cdoajb32.exe
2328	Cdoajb32.exe
2420	Ckiigmcd.exe
2420	Ckiigmcd.exe
2676	WerFault.exe
2676	WerFault.exe
2676	WerFault.exe
2676	WerFault.exe

Drops file in System32 directory 9 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ckiigmcd.exe	Cdoajb32.exe
File opened for modification	C:\Windows\SysWOW64\Ckiigmcd.exe	Cdoajb32.exe
File created	C:\Windows\SysWOW64\Bjpdmqog.dll	Cdoajb32.exe
File created	C:\Windows\SysWOW64\Cacacg32.exe	Ckiigmcd.exe
File created	C:\Windows\SysWOW64\Cdoajb32.exe	8b622c1bc5b59e0cda96d662e302372feb9a1ad3527e170d7df8377e3cf79c76N.exe
File opened for modification	C:\Windows\SysWOW64\Cdoajb32.exe	8b622c1bc5b59e0cda96d662e302372feb9a1ad3527e170d7df8377e3cf79c76N.exe
File created	C:\Windows\SysWOW64\Dnabbkhk.dll	8b622c1bc5b59e0cda96d662e302372feb9a1ad3527e170d7df8377e3cf79c76N.exe
File opened for modification	C:\Windows\SysWOW64\Cacacg32.exe	Ckiigmcd.exe
File created	C:\Windows\SysWOW64\Fdlpjk32.dll	Ckiigmcd.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2676	2772	WerFault.exe	32

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cacacg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8b622c1bc5b59e0cda96d662e302372feb9a1ad3527e170d7df8377e3cf79c76N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdoajb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckiigmcd.exe

Modifies registry class 12 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdlpjk32.dll"	Ckiigmcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ckiigmcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	8b622c1bc5b59e0cda96d662e302372feb9a1ad3527e170d7df8377e3cf79c76N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnabbkhk.dll"	8b622c1bc5b59e0cda96d662e302372feb9a1ad3527e170d7df8377e3cf79c76N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cdoajb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ckiigmcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cdoajb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjpdmqog.dll"	Cdoajb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	8b622c1bc5b59e0cda96d662e302372feb9a1ad3527e170d7df8377e3cf79c76N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	8b622c1bc5b59e0cda96d662e302372feb9a1ad3527e170d7df8377e3cf79c76N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	8b622c1bc5b59e0cda96d662e302372feb9a1ad3527e170d7df8377e3cf79c76N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	8b622c1bc5b59e0cda96d662e302372feb9a1ad3527e170d7df8377e3cf79c76N.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2932 wrote to memory of 2328	2932	8b622c1bc5b59e0cda96d662e302372feb9a1ad3527e170d7df8377e3cf79c76N.exe	30
PID 2932 wrote to memory of 2328	2932	8b622c1bc5b59e0cda96d662e302372feb9a1ad3527e170d7df8377e3cf79c76N.exe	30
PID 2932 wrote to memory of 2328	2932	8b622c1bc5b59e0cda96d662e302372feb9a1ad3527e170d7df8377e3cf79c76N.exe	30
PID 2932 wrote to memory of 2328	2932	8b622c1bc5b59e0cda96d662e302372feb9a1ad3527e170d7df8377e3cf79c76N.exe	30
PID 2328 wrote to memory of 2420	2328	Cdoajb32.exe	31
PID 2328 wrote to memory of 2420	2328	Cdoajb32.exe	31
PID 2328 wrote to memory of 2420	2328	Cdoajb32.exe	31
PID 2328 wrote to memory of 2420	2328	Cdoajb32.exe	31
PID 2420 wrote to memory of 2772	2420	Ckiigmcd.exe	32
PID 2420 wrote to memory of 2772	2420	Ckiigmcd.exe	32
PID 2420 wrote to memory of 2772	2420	Ckiigmcd.exe	32
PID 2420 wrote to memory of 2772	2420	Ckiigmcd.exe	32
PID 2772 wrote to memory of 2676	2772	Cacacg32.exe	33
PID 2772 wrote to memory of 2676	2772	Cacacg32.exe	33
PID 2772 wrote to memory of 2676	2772	Cacacg32.exe	33
PID 2772 wrote to memory of 2676	2772	Cacacg32.exe	33

C:\Users\Admin\AppData\Local\Temp\8b622c1bc5b59e0cda96d662e302372feb9a1ad3527e170d7df8377e3cf79c76N.exe
"C:\Users\Admin\AppData\Local\Temp\8b622c1bc5b59e0cda96d662e302372feb9a1ad3527e170d7df8377e3cf79c76N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2932
- C:\Windows\SysWOW64\Cdoajb32.exe
  C:\Windows\system32\Cdoajb32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2328
- - C:\Windows\SysWOW64\Ckiigmcd.exe
    C:\Windows\system32\Ckiigmcd.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2420
  - - C:\Windows\SysWOW64\Cacacg32.exe
      C:\Windows\system32\Cacacg32.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2772
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2772 -s 140
        5⤵
        Loads dropped DLL
        Program crash
        
        PID:2676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ckiigmcd.exe

Filesize
1.3MB

MD5
f6249e9357282ea88fb43b298b85567d

SHA1
bf54fdd8385bcdd266efb6bdcfdb6cc2ef231b67

SHA256
6ac09dc6ff4a53c71c4d4267c1da1988860c0a4e82c69c7330f9de7e7ab5a19e

SHA512
288c6ee7264468171369cd45085db0ecf84af60e90213ace55ef2ad58f9f9ef228c4ceebea6e9644fea7cd9dd95fd9c905f68457cc8baf0b29d4716cfb4ea5ae

Download Submit
\Windows\SysWOW64\Cacacg32.exe

Filesize
1.3MB

MD5
db38879604b585aed50328517e5d314a

SHA1
35349c439bdc2e39c6f9341ea48c3c5e4a2b994f

SHA256
ab32c53159cd3031983758a43998eab5b1535ca1eccc8e7dc13e28eff33755a4

SHA512
518a3cdedba01f99beedfac9996475fee92394b0ff72984c61bfc6d33382e1106973bd39a9b7e91fe6f19e4c5aec2623f8107d50edb8ceceda11d7dc27a0fe8a

Download Submit
\Windows\SysWOW64\Cdoajb32.exe

Filesize
1.3MB

MD5
d41f47b14308fd1fe27d76be31beaa23

SHA1
0a2f6b376b75452426a60e298efc66959ae67238

SHA256
12390eaf42aec29872f34fb0ef1ffa04c169a9101c2ba29571bb8ae49ecfdbf3

SHA512
231efd2ba027d7005b8b3e412b4a86207276832e64bd31ab6a37a327d233261265a03986c7846fcff918df6d099e4a4618ea2e43eb887314b41e9ea894d56cd3

Download Submit
memory/2328-27-0x0000000000260000-0x0000000000294000-memory.dmp

Filesize
208KB

Download
memory/2328-19-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2328-26-0x0000000000260000-0x0000000000294000-memory.dmp

Filesize
208KB

Download
memory/2420-29-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2420-50-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2772-42-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2772-53-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2932-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2932-17-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2932-18-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2932-51-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads