berbew | 41d166f87828a2663d298980ba712fb10502da78a09ce31131f5b9a7c7d644b5

General

Target

41d166f87828a2663d298980ba712fb10502da78a09ce31131f5b9a7c7d644b5N.exe
Size

74KB
MD5

d2ed00833f0678e38633958e666e4ac0
SHA1

03e803c12a3ed95e2838de4b77dfe31942a4396e
SHA256

41d166f87828a2663d298980ba712fb10502da78a09ce31131f5b9a7c7d644b5
SHA512

eea6193cdc0bb95592b7490287c4cb94103b6483fd8571e20946ae094ee2fcc4b225f4533f462b70f1a6b01f67ed2c0e452cea21d29766b49e21df0892956355
SSDEEP

1536:3PonaODUZBB/9AIiXf+3+YGSdbjPDt+/+2BgjhuY:3waqmBBVyf4RrDthjhuY

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

C2

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	41d166f87828a2663d298980ba712fb10502da78a09ce31131f5b9a7c7d644b5N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	41d166f87828a2663d298980ba712fb10502da78a09ce31131f5b9a7c7d644b5N.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 1 IoCs

pid	Process
2692	Lbjofi32.exe

Loads dropped DLL 6 IoCs

pid	Process
1620	41d166f87828a2663d298980ba712fb10502da78a09ce31131f5b9a7c7d644b5N.exe
1620	41d166f87828a2663d298980ba712fb10502da78a09ce31131f5b9a7c7d644b5N.exe
2700	WerFault.exe
2700	WerFault.exe
2700	WerFault.exe
2700	WerFault.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Lbjofi32.exe	41d166f87828a2663d298980ba712fb10502da78a09ce31131f5b9a7c7d644b5N.exe
File created	C:\Windows\SysWOW64\Ipafocdg.dll	41d166f87828a2663d298980ba712fb10502da78a09ce31131f5b9a7c7d644b5N.exe
File created	C:\Windows\SysWOW64\Lbjofi32.exe	41d166f87828a2663d298980ba712fb10502da78a09ce31131f5b9a7c7d644b5N.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2700	2692	WerFault.exe	30

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	41d166f87828a2663d298980ba712fb10502da78a09ce31131f5b9a7c7d644b5N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbjofi32.exe

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	41d166f87828a2663d298980ba712fb10502da78a09ce31131f5b9a7c7d644b5N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	41d166f87828a2663d298980ba712fb10502da78a09ce31131f5b9a7c7d644b5N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	41d166f87828a2663d298980ba712fb10502da78a09ce31131f5b9a7c7d644b5N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	41d166f87828a2663d298980ba712fb10502da78a09ce31131f5b9a7c7d644b5N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipafocdg.dll"	41d166f87828a2663d298980ba712fb10502da78a09ce31131f5b9a7c7d644b5N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	41d166f87828a2663d298980ba712fb10502da78a09ce31131f5b9a7c7d644b5N.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1620 wrote to memory of 2692	1620	41d166f87828a2663d298980ba712fb10502da78a09ce31131f5b9a7c7d644b5N.exe	30
PID 1620 wrote to memory of 2692	1620	41d166f87828a2663d298980ba712fb10502da78a09ce31131f5b9a7c7d644b5N.exe	30
PID 1620 wrote to memory of 2692	1620	41d166f87828a2663d298980ba712fb10502da78a09ce31131f5b9a7c7d644b5N.exe	30
PID 1620 wrote to memory of 2692	1620	41d166f87828a2663d298980ba712fb10502da78a09ce31131f5b9a7c7d644b5N.exe	30
PID 2692 wrote to memory of 2700	2692	Lbjofi32.exe	31
PID 2692 wrote to memory of 2700	2692	Lbjofi32.exe	31
PID 2692 wrote to memory of 2700	2692	Lbjofi32.exe	31
PID 2692 wrote to memory of 2700	2692	Lbjofi32.exe	31

C:\Users\Admin\AppData\Local\Temp\41d166f87828a2663d298980ba712fb10502da78a09ce31131f5b9a7c7d644b5N.exe
"C:\Users\Admin\AppData\Local\Temp\41d166f87828a2663d298980ba712fb10502da78a09ce31131f5b9a7c7d644b5N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1620
- C:\Windows\SysWOW64\Lbjofi32.exe
  C:\Windows\system32\Lbjofi32.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2692
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2692 -s 140
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Lbjofi32.exe

Filesize
74KB

MD5
f7e7c1b3e133903fa8ec9a2fe44ba626

SHA1
cf893e3835db7fa0b9ff433bfa00c5fce533123b

SHA256
b4d5cabbd6f4e4953e8b1c4e2b048e94faf2e7599dfde239488d363328d9d8c1

SHA512
6c376e2776f00f784817a9f3b49e41f433e99ee9692205d2b7e2018d27a40769d38c8598c833e3732089adfbb02a09bff82d07576a1c708af896e26acf1907b9

Download Submit
memory/1620-0-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1620-13-0x0000000001FE0000-0x0000000002017000-memory.dmp

Filesize
220KB

Download
memory/1620-12-0x0000000001FE0000-0x0000000002017000-memory.dmp

Filesize
220KB

Download
memory/1620-19-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2692-14-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2692-20-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads