berbew | 0c088b255bde22f7b255c4716692c53dc9e377874e03021a452aaac2b7139772

General

Target

0c088b255bde22f7b255c4716692c53dc9e377874e03021a452aaac2b7139772N.exe
Size

481KB
MD5

e4553f50ea8f1c394e4532a5d5db5f20
SHA1

387d208e97a14f8d2aaeb9466e983184d900b196
SHA256

0c088b255bde22f7b255c4716692c53dc9e377874e03021a452aaac2b7139772
SHA512

00dd4d974fb1e427a9e61ed902c97011115ba7bd12c1b7d8e2a49f6ca59d32711743441ed21cbdc2845436395e798433e8936a6acb2776d0d0a6b5994e61c100
SSDEEP

6144:yb597EWifTFM6234lKm3mo8Yvi4KsLTFM6234lKm3+ry+dBQ:yN9wWiLFB24lwR45FB24l4++dBQ

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

C2

http://viruslist.com/wcmd.txt

http://viruslist.com/ppslog.php

http://viruslist.com/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kkjpggkn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmimcbja.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kmimcbja.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Llpfjomf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	0c088b255bde22f7b255c4716692c53dc9e377874e03021a452aaac2b7139772N.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdphjm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkjpggkn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Llpfjomf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	0c088b255bde22f7b255c4716692c53dc9e377874e03021a452aaac2b7139772N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kdphjm32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 5 IoCs

pid	Process
2712	Kdphjm32.exe
2708	Kkjpggkn.exe
2588	Kmimcbja.exe
2676	Llpfjomf.exe
3060	Lbjofi32.exe

Loads dropped DLL 14 IoCs

pid	Process
2080	0c088b255bde22f7b255c4716692c53dc9e377874e03021a452aaac2b7139772N.exe
2080	0c088b255bde22f7b255c4716692c53dc9e377874e03021a452aaac2b7139772N.exe
2712	Kdphjm32.exe
2712	Kdphjm32.exe
2708	Kkjpggkn.exe
2708	Kkjpggkn.exe
2588	Kmimcbja.exe
2588	Kmimcbja.exe
2676	Llpfjomf.exe
2676	Llpfjomf.exe
1484	WerFault.exe
1484	WerFault.exe
1484	WerFault.exe
1484	WerFault.exe

Drops file in System32 directory 15 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Kkjpggkn.exe	Kdphjm32.exe
File created	C:\Windows\SysWOW64\Lbjofi32.exe	Llpfjomf.exe
File created	C:\Windows\SysWOW64\Ipafocdg.dll	Llpfjomf.exe
File opened for modification	C:\Windows\SysWOW64\Kkjpggkn.exe	Kdphjm32.exe
File created	C:\Windows\SysWOW64\Kmimcbja.exe	Kkjpggkn.exe
File created	C:\Windows\SysWOW64\Bodilc32.dll	Kkjpggkn.exe
File created	C:\Windows\SysWOW64\Kdphjm32.exe	0c088b255bde22f7b255c4716692c53dc9e377874e03021a452aaac2b7139772N.exe
File created	C:\Windows\SysWOW64\Hnnikfij.dll	0c088b255bde22f7b255c4716692c53dc9e377874e03021a452aaac2b7139772N.exe
File opened for modification	C:\Windows\SysWOW64\Lbjofi32.exe	Llpfjomf.exe
File opened for modification	C:\Windows\SysWOW64\Kdphjm32.exe	0c088b255bde22f7b255c4716692c53dc9e377874e03021a452aaac2b7139772N.exe
File created	C:\Windows\SysWOW64\Hlekjpbi.dll	Kdphjm32.exe
File opened for modification	C:\Windows\SysWOW64\Kmimcbja.exe	Kkjpggkn.exe
File created	C:\Windows\SysWOW64\Llpfjomf.exe	Kmimcbja.exe
File opened for modification	C:\Windows\SysWOW64\Llpfjomf.exe	Kmimcbja.exe
File created	C:\Windows\SysWOW64\Bccjfi32.dll	Kmimcbja.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1484	3060	WerFault.exe	34

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kmimcbja.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llpfjomf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbjofi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0c088b255bde22f7b255c4716692c53dc9e377874e03021a452aaac2b7139772N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdphjm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kkjpggkn.exe

Modifies registry class 18 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kmimcbja.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Llpfjomf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	0c088b255bde22f7b255c4716692c53dc9e377874e03021a452aaac2b7139772N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnnikfij.dll"	0c088b255bde22f7b255c4716692c53dc9e377874e03021a452aaac2b7139772N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kdphjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bodilc32.dll"	Kkjpggkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bccjfi32.dll"	Kmimcbja.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	0c088b255bde22f7b255c4716692c53dc9e377874e03021a452aaac2b7139772N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	0c088b255bde22f7b255c4716692c53dc9e377874e03021a452aaac2b7139772N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kdphjm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kkjpggkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kkjpggkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kmimcbja.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipafocdg.dll"	Llpfjomf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	0c088b255bde22f7b255c4716692c53dc9e377874e03021a452aaac2b7139772N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlekjpbi.dll"	Kdphjm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Llpfjomf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	0c088b255bde22f7b255c4716692c53dc9e377874e03021a452aaac2b7139772N.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2080 wrote to memory of 2712	2080	0c088b255bde22f7b255c4716692c53dc9e377874e03021a452aaac2b7139772N.exe	30
PID 2080 wrote to memory of 2712	2080	0c088b255bde22f7b255c4716692c53dc9e377874e03021a452aaac2b7139772N.exe	30
PID 2080 wrote to memory of 2712	2080	0c088b255bde22f7b255c4716692c53dc9e377874e03021a452aaac2b7139772N.exe	30
PID 2080 wrote to memory of 2712	2080	0c088b255bde22f7b255c4716692c53dc9e377874e03021a452aaac2b7139772N.exe	30
PID 2712 wrote to memory of 2708	2712	Kdphjm32.exe	31
PID 2712 wrote to memory of 2708	2712	Kdphjm32.exe	31
PID 2712 wrote to memory of 2708	2712	Kdphjm32.exe	31
PID 2712 wrote to memory of 2708	2712	Kdphjm32.exe	31
PID 2708 wrote to memory of 2588	2708	Kkjpggkn.exe	32
PID 2708 wrote to memory of 2588	2708	Kkjpggkn.exe	32
PID 2708 wrote to memory of 2588	2708	Kkjpggkn.exe	32
PID 2708 wrote to memory of 2588	2708	Kkjpggkn.exe	32
PID 2588 wrote to memory of 2676	2588	Kmimcbja.exe	33
PID 2588 wrote to memory of 2676	2588	Kmimcbja.exe	33
PID 2588 wrote to memory of 2676	2588	Kmimcbja.exe	33
PID 2588 wrote to memory of 2676	2588	Kmimcbja.exe	33
PID 2676 wrote to memory of 3060	2676	Llpfjomf.exe	34
PID 2676 wrote to memory of 3060	2676	Llpfjomf.exe	34
PID 2676 wrote to memory of 3060	2676	Llpfjomf.exe	34
PID 2676 wrote to memory of 3060	2676	Llpfjomf.exe	34
PID 3060 wrote to memory of 1484	3060	Lbjofi32.exe	35
PID 3060 wrote to memory of 1484	3060	Lbjofi32.exe	35
PID 3060 wrote to memory of 1484	3060	Lbjofi32.exe	35
PID 3060 wrote to memory of 1484	3060	Lbjofi32.exe	35

C:\Users\Admin\AppData\Local\Temp\0c088b255bde22f7b255c4716692c53dc9e377874e03021a452aaac2b7139772N.exe
"C:\Users\Admin\AppData\Local\Temp\0c088b255bde22f7b255c4716692c53dc9e377874e03021a452aaac2b7139772N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2080
- C:\Windows\SysWOW64\Kdphjm32.exe
  C:\Windows\system32\Kdphjm32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2712
- - C:\Windows\SysWOW64\Kkjpggkn.exe
    C:\Windows\system32\Kkjpggkn.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2708
  - - C:\Windows\SysWOW64\Kmimcbja.exe
      C:\Windows\system32\Kmimcbja.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2588
    - - C:\Windows\SysWOW64\Llpfjomf.exe
        
        C:\Windows\system32\Llpfjomf.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2676
      - C:\Windows\SysWOW64\Lbjofi32.exe
        
        C:\Windows\system32\Lbjofi32.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3060
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3060 -s 140
        7⤵
        Loads dropped DLL
        Program crash
        
        PID:1484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ipafocdg.dll

Filesize
7KB

MD5
14fff8c915813740fd1e652fb1d8beff

SHA1
9f160cf5056b52e382ca0bcde22d13df12388811

SHA256
3792b0f2c464a1078e494353ca73f05ddf44955d3d67bbe666f579b9856f223f

SHA512
0e316b59bd1357a3285bb4b13933a1fccf6b9a6e287f844211fa569aba93d678b5eccc5a77112c0494ca71cc584f2f9d76dbf423d803f3c39eb68ee20ed481f2

Download Submit
C:\Windows\SysWOW64\Kdphjm32.exe

Filesize
481KB

MD5
eb8ed1fb99c9e6eb98c9b576f5814e0f

SHA1
058923833e883652ed231f48db5f5191bfe49449

SHA256
ca5e301a4fb2216a2c9b40e93ef4f6509d7eef7b4b392ae9cf731871de8198f0

SHA512
3420c5a136deba84e17ed07bb195876d7ab629cd98092ba5328a7070c1a2f2bd1aa8b84ed05ed5c82f55817d61ec8a98fe5ba313da1e177d057fe194b36fd7f0

Download Submit
C:\Windows\SysWOW64\Kkjpggkn.exe

Filesize
481KB

MD5
fef4f1751b0e9c7a6848b0ccc015bb40

SHA1
681a3f9a77e45d83bd8f3999fbcfaa1417fa489f

SHA256
47d13210a31166338103a12a916929ecffa17e5409e2642fb6ddaa899d5337f3

SHA512
a2e7743b546e458b0e5d2f6778c739cb7d3e4f7693e10b601394436715426bba8bb5c3a1e5f407ef853f3ad3946922619404137345cc3442bf0659309d7d2f43

Download Submit
\Windows\SysWOW64\Kmimcbja.exe

Filesize
481KB

MD5
2d1a941391e537e6c865ca9ab1e05282

SHA1
917562e57eba01fd176bb0e15ce375bbdee587e1

SHA256
5c08e8fa641464c82daf749ab33e67bbdd4a090e468be8eb5187af00be74241a

SHA512
d9216bc6e75cd8952273410bce0f23ac07518b1c5a2c2edf42f72034a270581363ccbb38c0f77968e46ea7814521597aead5b61594767740cd03c626303c3026

Download Submit
\Windows\SysWOW64\Lbjofi32.exe

Filesize
481KB

MD5
088bb1b71825b49dd9cf0b4f1b1504a9

SHA1
37f6406a8abc73efb0a969d4c07d1f9d6cf59ebc

SHA256
1b8dcb93663fd6706d6009bbdc9fd49625597b9e336eca07e5d0b34fc9075d9c

SHA512
77d675edc3b48b312ef7017d0586d5639bd0c5cc9b13ef7fc390800f88e34e3f5820572150d53db72ea31737d54c20de133fcdee6b228310f4ab14984c7e6442

Download Submit
\Windows\SysWOW64\Llpfjomf.exe

Filesize
481KB

MD5
65ed31a51816a76d01444bd6d616bf01

SHA1
088423a9fec2465cb80bf029d236e32180ea4ed1

SHA256
45b329214f4dad7a5d60abd4581b100ca091d19d0d4d257787ed9c03ccfefd7f

SHA512
3cc86b8230e59d90214327316f4b18c7ae73085b57f03d4e1df07a06a513cc2710695641a0f61c9a13dcad6dad4fddf586f137fa632c676d607f51a9dcd840ae

Download Submit
memory/2080-17-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2080-18-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2080-86-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2080-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2588-79-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2588-50-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/2588-42-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2588-56-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/2676-70-0x00000000002F0000-0x0000000000323000-memory.dmp

Filesize
204KB

Download
memory/2676-57-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2676-82-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2708-41-0x00000000002E0000-0x0000000000313000-memory.dmp

Filesize
204KB

Download
memory/2708-28-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2708-81-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2712-27-0x0000000000350000-0x0000000000383000-memory.dmp

Filesize
204KB

Download
memory/2712-19-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3060-71-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3060-85-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads