berbew | 3728bd8aa94523cc219d767e094f91dad861f1e691f0cef725ef74db6acbc6c4

General

Target

3728bd8aa94523cc219d767e094f91dad861f1e691f0cef725ef74db6acbc6c4.exe
Size

94KB
MD5

faa70a131d8d440090b46e82f2daa0fa
SHA1

968994cab8ef7abb474f58258ac1530ed7b41958
SHA256

3728bd8aa94523cc219d767e094f91dad861f1e691f0cef725ef74db6acbc6c4
SHA512

4e6d6b5c48804bc0496181dc2decde01c8b0158f35aec0cdbf031c6421441736c6f944fa556f603033da36f5a8951ca07e7306c40aad60e453e8307dfd71f505
SSDEEP

1536:+UngnRgDV5LuHRXCPUSUx57wKN+entP8r/BOVLFKRQDfRfRa9HprmRfRZ:F/DV5oQmH7wK0etPAKFKeDf5wkpv

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	3728bd8aa94523cc219d767e094f91dad861f1e691f0cef725ef74db6acbc6c4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	3728bd8aa94523cc219d767e094f91dad861f1e691f0cef725ef74db6acbc6c4.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cddjebgb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cddjebgb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgbfamff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cgbfamff.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 3 IoCs

pid	Process
2140	Cddjebgb.exe
2844	Cgbfamff.exe
2428	Ceegmj32.exe

Loads dropped DLL 10 IoCs

pid	Process
2296	3728bd8aa94523cc219d767e094f91dad861f1e691f0cef725ef74db6acbc6c4.exe
2296	3728bd8aa94523cc219d767e094f91dad861f1e691f0cef725ef74db6acbc6c4.exe
2140	Cddjebgb.exe
2140	Cddjebgb.exe
2844	Cgbfamff.exe
2844	Cgbfamff.exe
2860	WerFault.exe
2860	WerFault.exe
2860	WerFault.exe
2860	WerFault.exe

Drops file in System32 directory 9 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Aoogfhfp.dll	Cgbfamff.exe
File opened for modification	C:\Windows\SysWOW64\Cddjebgb.exe	3728bd8aa94523cc219d767e094f91dad861f1e691f0cef725ef74db6acbc6c4.exe
File created	C:\Windows\SysWOW64\Lbonaf32.dll	Cddjebgb.exe
File created	C:\Windows\SysWOW64\Cgbfamff.exe	Cddjebgb.exe
File opened for modification	C:\Windows\SysWOW64\Cgbfamff.exe	Cddjebgb.exe
File created	C:\Windows\SysWOW64\Ceegmj32.exe	Cgbfamff.exe
File opened for modification	C:\Windows\SysWOW64\Ceegmj32.exe	Cgbfamff.exe
File created	C:\Windows\SysWOW64\Cddjebgb.exe	3728bd8aa94523cc219d767e094f91dad861f1e691f0cef725ef74db6acbc6c4.exe
File created	C:\Windows\SysWOW64\Bhdmagqq.dll	3728bd8aa94523cc219d767e094f91dad861f1e691f0cef725ef74db6acbc6c4.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2860	2428	WerFault.exe	30

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgbfamff.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceegmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3728bd8aa94523cc219d767e094f91dad861f1e691f0cef725ef74db6acbc6c4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cddjebgb.exe

Modifies registry class 12 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cddjebgb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cgbfamff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoogfhfp.dll"	Cgbfamff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cgbfamff.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	3728bd8aa94523cc219d767e094f91dad861f1e691f0cef725ef74db6acbc6c4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	3728bd8aa94523cc219d767e094f91dad861f1e691f0cef725ef74db6acbc6c4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	3728bd8aa94523cc219d767e094f91dad861f1e691f0cef725ef74db6acbc6c4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhdmagqq.dll"	3728bd8aa94523cc219d767e094f91dad861f1e691f0cef725ef74db6acbc6c4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	3728bd8aa94523cc219d767e094f91dad861f1e691f0cef725ef74db6acbc6c4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	3728bd8aa94523cc219d767e094f91dad861f1e691f0cef725ef74db6acbc6c4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbonaf32.dll"	Cddjebgb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cddjebgb.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2296 wrote to memory of 2140	2296	3728bd8aa94523cc219d767e094f91dad861f1e691f0cef725ef74db6acbc6c4.exe	28
PID 2296 wrote to memory of 2140	2296	3728bd8aa94523cc219d767e094f91dad861f1e691f0cef725ef74db6acbc6c4.exe	28
PID 2296 wrote to memory of 2140	2296	3728bd8aa94523cc219d767e094f91dad861f1e691f0cef725ef74db6acbc6c4.exe	28
PID 2296 wrote to memory of 2140	2296	3728bd8aa94523cc219d767e094f91dad861f1e691f0cef725ef74db6acbc6c4.exe	28
PID 2140 wrote to memory of 2844	2140	Cddjebgb.exe	29
PID 2140 wrote to memory of 2844	2140	Cddjebgb.exe	29
PID 2140 wrote to memory of 2844	2140	Cddjebgb.exe	29
PID 2140 wrote to memory of 2844	2140	Cddjebgb.exe	29
PID 2844 wrote to memory of 2428	2844	Cgbfamff.exe	30
PID 2844 wrote to memory of 2428	2844	Cgbfamff.exe	30
PID 2844 wrote to memory of 2428	2844	Cgbfamff.exe	30
PID 2844 wrote to memory of 2428	2844	Cgbfamff.exe	30
PID 2428 wrote to memory of 2860	2428	Ceegmj32.exe	31
PID 2428 wrote to memory of 2860	2428	Ceegmj32.exe	31
PID 2428 wrote to memory of 2860	2428	Ceegmj32.exe	31
PID 2428 wrote to memory of 2860	2428	Ceegmj32.exe	31

C:\Users\Admin\AppData\Local\Temp\3728bd8aa94523cc219d767e094f91dad861f1e691f0cef725ef74db6acbc6c4.exe
"C:\Users\Admin\AppData\Local\Temp\3728bd8aa94523cc219d767e094f91dad861f1e691f0cef725ef74db6acbc6c4.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2296
- C:\Windows\SysWOW64\Cddjebgb.exe
  C:\Windows\system32\Cddjebgb.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2140
- - C:\Windows\SysWOW64\Cgbfamff.exe
    C:\Windows\system32\Cgbfamff.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2844
  - - C:\Windows\SysWOW64\Ceegmj32.exe
      C:\Windows\system32\Ceegmj32.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2428
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2428 -s 140
        5⤵
        Loads dropped DLL
        Program crash
        
        PID:2860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Cddjebgb.exe

Filesize
94KB

MD5
03b9294961961ca4391bc880d2a3f5a9

SHA1
812159b76a12cfa2f11fed051d90c29b02591b01

SHA256
96b68068c24f326aad9b050052c99cfba6b665a0daf12ccd9809789e73163c91

SHA512
208a5cc9206674305f2d7a26fb66d2e2c885c35c3ca9b263694c114b8af8e8cdba3995e27acae63a7eab3ab7209e6ac9a309f1d15808245c8638672c3aae50db

Download Submit
\Windows\SysWOW64\Ceegmj32.exe

Filesize
94KB

MD5
b40db9e0a2f4e589994f32f8a9e1496e

SHA1
7bcf2a1f3ede7d69e9367f1f3dfc7bb3d20d884b

SHA256
e634780f14e3a07424879779a8bccf47012d9608a6d498de71fc30f8f46e042e

SHA512
1075c14ed5b381df1899beeab3558a6542b17eaa9e4fb550f9192e4cfbf4a4e9b7d1e40db551fcfd57a297698355e84b2c73418e0ce41dec27463313edf27128

Download Submit
\Windows\SysWOW64\Cgbfamff.exe

Filesize
94KB

MD5
108367d545b09d7f93b4afce32166151

SHA1
576dc946936f5c274cbc7e745c283b5bc5556423

SHA256
921ab8a3822e5e5bfe502570bd9cb944ad9689689138bc4b16e4fb13c241fcae

SHA512
0646d0f01bccb4440a8bb04a5e6a5f8336b9ad179467af1a3cf90177e0efc576c01c85fd00d80dae20aba0192c3bf4162ccd064f163e1ecf7fcf738dc318a9f4

Download Submit
memory/2140-25-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2296-0-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2296-18-0x0000000000260000-0x00000000002A1000-memory.dmp

Filesize
260KB

Download
memory/2296-17-0x0000000000260000-0x00000000002A1000-memory.dmp

Filesize
260KB

Download
memory/2296-45-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2428-40-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2844-27-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2844-46-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads