berbew | b3851652ab3f3ee8b54c12b960402e76054ce3d2275604ecee0b0d336795e306

General

Target

b3851652ab3f3ee8b54c12b960402e76054ce3d2275604ecee0b0d336795e306N.exe
Size

422KB
MD5

6bf81f37685b2c0d1c439c6fe0b0a980
SHA1

9d940319e46c327fcbcea694b19119f112f7b099
SHA256

b3851652ab3f3ee8b54c12b960402e76054ce3d2275604ecee0b0d336795e306
SHA512

7115395c8ba3ff013e408e7e3c993ad2ac07118c5cdccd40affcc704a477733b703a4897843990fa88a77737f4929b8913f0103472098065752d19547e6e99ee
SSDEEP

6144:lAyp/bWU5xGEbabO6FSPnvZU1AF+6FSPnvZhDYsKKo6FSPnvZU1AF+6FSPnvZq:ltRxhGaXgA4XfczXgA4XA

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

C2

http://tat-neftbank.ru/kkq.php

http://tat-neftbank.ru/wcmd.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	b3851652ab3f3ee8b54c12b960402e76054ce3d2275604ecee0b0d336795e306N.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Loaokjjg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Loaokjjg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lemdncoa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lemdncoa.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	b3851652ab3f3ee8b54c12b960402e76054ce3d2275604ecee0b0d336795e306N.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 3 IoCs

pid	Process
2728	Loaokjjg.exe
3012	Lemdncoa.exe
2820	Lepaccmo.exe

Loads dropped DLL 10 IoCs

pid	Process
2412	b3851652ab3f3ee8b54c12b960402e76054ce3d2275604ecee0b0d336795e306N.exe
2412	b3851652ab3f3ee8b54c12b960402e76054ce3d2275604ecee0b0d336795e306N.exe
2728	Loaokjjg.exe
2728	Loaokjjg.exe
3012	Lemdncoa.exe
3012	Lemdncoa.exe
2748	WerFault.exe
2748	WerFault.exe
2748	WerFault.exe
2748	WerFault.exe

Drops file in System32 directory 9 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Lioglifg.dll	Loaokjjg.exe
File opened for modification	C:\Windows\SysWOW64\Lepaccmo.exe	Lemdncoa.exe
File created	C:\Windows\SysWOW64\Loaokjjg.exe	b3851652ab3f3ee8b54c12b960402e76054ce3d2275604ecee0b0d336795e306N.exe
File opened for modification	C:\Windows\SysWOW64\Loaokjjg.exe	b3851652ab3f3ee8b54c12b960402e76054ce3d2275604ecee0b0d336795e306N.exe
File created	C:\Windows\SysWOW64\Jingpl32.dll	b3851652ab3f3ee8b54c12b960402e76054ce3d2275604ecee0b0d336795e306N.exe
File created	C:\Windows\SysWOW64\Lemdncoa.exe	Loaokjjg.exe
File opened for modification	C:\Windows\SysWOW64\Lemdncoa.exe	Loaokjjg.exe
File created	C:\Windows\SysWOW64\Lepaccmo.exe	Lemdncoa.exe
File created	C:\Windows\SysWOW64\Oldhgaef.dll	Lemdncoa.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2748	2820	WerFault.exe	33

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b3851652ab3f3ee8b54c12b960402e76054ce3d2275604ecee0b0d336795e306N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Loaokjjg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lemdncoa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lepaccmo.exe

Modifies registry class 12 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oldhgaef.dll"	Lemdncoa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	b3851652ab3f3ee8b54c12b960402e76054ce3d2275604ecee0b0d336795e306N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	b3851652ab3f3ee8b54c12b960402e76054ce3d2275604ecee0b0d336795e306N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	b3851652ab3f3ee8b54c12b960402e76054ce3d2275604ecee0b0d336795e306N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Loaokjjg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lioglifg.dll"	Loaokjjg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Loaokjjg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lemdncoa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lemdncoa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	b3851652ab3f3ee8b54c12b960402e76054ce3d2275604ecee0b0d336795e306N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	b3851652ab3f3ee8b54c12b960402e76054ce3d2275604ecee0b0d336795e306N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jingpl32.dll"	b3851652ab3f3ee8b54c12b960402e76054ce3d2275604ecee0b0d336795e306N.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2412 wrote to memory of 2728	2412	b3851652ab3f3ee8b54c12b960402e76054ce3d2275604ecee0b0d336795e306N.exe	31
PID 2412 wrote to memory of 2728	2412	b3851652ab3f3ee8b54c12b960402e76054ce3d2275604ecee0b0d336795e306N.exe	31
PID 2412 wrote to memory of 2728	2412	b3851652ab3f3ee8b54c12b960402e76054ce3d2275604ecee0b0d336795e306N.exe	31
PID 2412 wrote to memory of 2728	2412	b3851652ab3f3ee8b54c12b960402e76054ce3d2275604ecee0b0d336795e306N.exe	31
PID 2728 wrote to memory of 3012	2728	Loaokjjg.exe	32
PID 2728 wrote to memory of 3012	2728	Loaokjjg.exe	32
PID 2728 wrote to memory of 3012	2728	Loaokjjg.exe	32
PID 2728 wrote to memory of 3012	2728	Loaokjjg.exe	32
PID 3012 wrote to memory of 2820	3012	Lemdncoa.exe	33
PID 3012 wrote to memory of 2820	3012	Lemdncoa.exe	33
PID 3012 wrote to memory of 2820	3012	Lemdncoa.exe	33
PID 3012 wrote to memory of 2820	3012	Lemdncoa.exe	33
PID 2820 wrote to memory of 2748	2820	Lepaccmo.exe	34
PID 2820 wrote to memory of 2748	2820	Lepaccmo.exe	34
PID 2820 wrote to memory of 2748	2820	Lepaccmo.exe	34
PID 2820 wrote to memory of 2748	2820	Lepaccmo.exe	34

C:\Users\Admin\AppData\Local\Temp\b3851652ab3f3ee8b54c12b960402e76054ce3d2275604ecee0b0d336795e306N.exe
"C:\Users\Admin\AppData\Local\Temp\b3851652ab3f3ee8b54c12b960402e76054ce3d2275604ecee0b0d336795e306N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2412
- C:\Windows\SysWOW64\Loaokjjg.exe
  C:\Windows\system32\Loaokjjg.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2728
- - C:\Windows\SysWOW64\Lemdncoa.exe
    C:\Windows\system32\Lemdncoa.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3012
  - - C:\Windows\SysWOW64\Lepaccmo.exe
      C:\Windows\system32\Lepaccmo.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2820
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2820 -s 140
        5⤵
        Loads dropped DLL
        Program crash
        
        PID:2748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\Lemdncoa.exe

Filesize
422KB

MD5
ed84bb2e6d81698914d4ca4f80913402

SHA1
730233800c1763b1fa8b2c7521d9304bffedf445

SHA256
b76e6dd9e74aa3f4f0772d7f896765208985ddbee2a7a57ef913c1af6f6396b4

SHA512
acc3afb4074a16609d49fee86eafaf299e03433c07a9523a1df01d35b6ee26ab5a5fe222e9e10f2d3eab693342ffaa7b68011b50f19b3e0d51e2c1ac2b95f3d1

Download Submit
\Windows\SysWOW64\Lepaccmo.exe

Filesize
422KB

MD5
8ef0a44efa0c985c14fcffacf06ffa59

SHA1
ff144c2a055bd1955c0222d17833d56d3411fa51

SHA256
7ae83197322708d693bab992f203f989c9189d5e6a55ee5900e6235278a7d031

SHA512
460f67dcdc26c4f684ddd19ae5911b3d8d84cf0f4c6b9ce7110bebbdc2f0b84db9c6cb7010503f76cae5c57ef90a906bbdf1637b282b11ad1d4a31b18d8b816b

Download Submit
\Windows\SysWOW64\Loaokjjg.exe

Filesize
422KB

MD5
5c60613b3889ebc8c72b4b3ba6e6ca34

SHA1
83a70e4b45ddbd4f55afeb2ef9fda346c152199c

SHA256
6facb7783252ab1982732051e93720c77516c2844104cd541f9359bb2393475e

SHA512
94d61f0941384b34d022117f5937e3ed9cedac8ace6456fe3abcdd3047d7a5f1aa1e6e351dda7813016fc3a85a40091a755a3900336c0743dd5b0a45f29f2d00

Download Submit
memory/2412-12-0x0000000000290000-0x00000000002D1000-memory.dmp

Filesize
260KB

Download
memory/2412-13-0x0000000000290000-0x00000000002D1000-memory.dmp

Filesize
260KB

Download
memory/2412-52-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2412-0-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2412-54-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2728-50-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2728-27-0x00000000002D0000-0x0000000000311000-memory.dmp

Filesize
260KB

Download
memory/2728-14-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2820-53-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2820-42-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2820-51-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3012-41-0x0000000000290000-0x00000000002D1000-memory.dmp

Filesize
260KB

Download
memory/3012-28-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3012-49-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads