Overview

overview

10

Static

static

3

d9aab37b12...7N.exe

windows7-x64

10

d9aab37b12...7N.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    23s
  • max time network
    16s
  • platform
    windows7_x64
  • resource
    win7-20241023-en
  • resource tags

    arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
  • submitted
    08-12-2024 03:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d9aab37b12b7fecd8ba4d2c11e3fb6cf0458f057ad960ad870fa137ecbb11db7N.exe

  • Size

    860KB

  • MD5

    89e8accc2ab5ed55c4f670ec316ad4d0

  • SHA1

    a3bd970acf676714396b4c1ac280086afa71fb68

  • SHA256

    d9aab37b12b7fecd8ba4d2c11e3fb6cf0458f057ad960ad870fa137ecbb11db7

  • SHA512

    2d6b53f77fedbaff14d23d6e97bdebfcdeed80b00bc74b12073703de197b5dfc6c704c6f3e03a6f8ffc1bd0e314e03bd5c0506b7ef047874253c221994f9c2ea

  • SSDEEP

    24576:A5hPuh2kkkkK4kXkkkkkkkkhLX3a20R0v50+YS:vbazR0vD

Score
10/10
berbewbackdoordiscoverypersistence

Malware Config

Extracted

Family

berbew

C2

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

  • Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 10 IoCs
    persistence
  • Berbew

    Berbew is a backdoor written in C++.

    backdoorberbew
  • Berbew family
    berbew
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 14 IoCs
  • Drops file in System32 directory 15 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 18 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d9aab37b12b7fecd8ba4d2c11e3fb6cf0458f057ad960ad870fa137ecbb11db7N.exe
    "C:\Users\Admin\AppData\Local\Temp\d9aab37b12b7fecd8ba4d2c11e3fb6cf0458f057ad960ad870fa137ecbb11db7N.exe"
    1⤵
    • Adds autorun key to be loaded by Explorer.exe on startup
    • Loads dropped DLL
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2816
    • C:\Windows\SysWOW64\Bhdgjb32.exe
      C:\Windows\system32\Bhdgjb32.exe
      2⤵
      • Adds autorun key to be loaded by Explorer.exe on startup
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:2972
      • C:\Windows\SysWOW64\Bbikgk32.exe
        C:\Windows\system32\Bbikgk32.exe
        3⤵
        • Adds autorun key to be loaded by Explorer.exe on startup
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:2956
        • C:\Windows\SysWOW64\Bdkgocpm.exe
          C:\Windows\system32\Bdkgocpm.exe
          4⤵
          • Adds autorun key to be loaded by Explorer.exe on startup
          • Executes dropped EXE
          • Loads dropped DLL
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          • Suspicious use of WriteProcessMemory
          PID:2716
          • C:\Windows\SysWOW64\Cpceidcn.exe
            C:\Windows\system32\Cpceidcn.exe
            5⤵
            • Adds autorun key to be loaded by Explorer.exe on startup
            • Executes dropped EXE
            • Loads dropped DLL
            • Drops file in System32 directory
            • System Location Discovery: System Language Discovery
            • Modifies registry class
            • Suspicious use of WriteProcessMemory
            PID:2788
            • C:\Windows\SysWOW64\Ceegmj32.exe
              C:\Windows\system32\Ceegmj32.exe
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:264
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 264 -s 140
                7⤵
                • Loads dropped DLL
                • Program crash
                PID:1496

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\SysWOW64\Bbikgk32.exe
    Filesize

    860KB

    MD5

    98f0cd8a07df539d975dc23128feedf3

    SHA1

    4a1ad9a7f1abef2a8fa2273e8f82c2fd185b9b9a

    SHA256

    88ebf8eb97c367a76648a826a269f73b2c703292d430feba89201a9d094412df

    SHA512

    91c0068986bbc8928799482788e592f494b27956ce326d896bea73e5cc893ab2bfe74712d5c372d2b500149ee51cd5a7c66869257a264cf88cf1d02c874a12f0

    Download Submit

  • C:\Windows\SysWOW64\Bdkgocpm.exe
    Filesize

    860KB

    MD5

    7c9033bdf2123502847a04175c704774

    SHA1

    601cc7016f0ba20cdbde060214e0876aa43b2810

    SHA256

    c421fcfafaf7ae60c7dd1223cf65e2b876a9963ec84cf1beaf9be7e3cdc841e8

    SHA512

    5c8871623fd7d072f815c35b330a128fae27afe444896292514f51c00c225a52ee01655d8d37a155245b21123eecc65344aab933c1aac2e43e4c51ee52273ff4

    Download Submit

  • C:\Windows\SysWOW64\Bhdgjb32.exe
    Filesize

    860KB

    MD5

    efa2342a949baffe8522a2c4bb50a17c

    SHA1

    f16c25d10d55e36a83ea2e353f61c5933ea7baac

    SHA256

    597bf7b98b0d40781a3cb668d13522b4fb3dd423edecb90d7433b8d7faf68657

    SHA512

    b15b2c77f3b6b17cc79d0da7ae3dee24340b18478f5f52f8fbec69a855122aed1ec339ebd5f1ebb6e0f0f42df3a7c7cb624ea2fff1f0aa2d3205fcead69d8a57

    Download Submit

  • C:\Windows\SysWOW64\Ceegmj32.exe
    Filesize

    860KB

    MD5

    d9c81e8c8861f549017d31c6554075e3

    SHA1

    a109666633a0df65902ee08f9546d34f1ed8bdab

    SHA256

    3efa6f2aa5fdfe3c82c592234617f292905c5d6c72f0d73b91132df3dfc897e2

    SHA512

    924c95b6ab01ce81e3a48a8733a6242ffcf0b16614bf466856db0a2c3f78b085075a35ff24d22476e7019e7fa3178f3fc3f83e8e19f04f8bcdff53957a4d89a6

    Download Submit

  • C:\Windows\SysWOW64\Cpceidcn.exe
    Filesize

    860KB

    MD5

    a2a96c98c718eed6bc2510ecb8a0ea8d

    SHA1

    ae7ce9d019f51ef0a315a2e26bf62f3799d7c86e

    SHA256

    50496aa3b344ff73db8a6e732932be1c8c7e7ec177899df1edf600b4e56f998c

    SHA512

    a1ce36c594cf8a24b7dc819fe495ced0f4aee4d4c3f71430e84dd97c7f8ddebedddc5bdd486b57cab819ad15aaf5c77f74944d188cf01b3830c83bc04a8ba386

    Download Submit

  • memory/264-70-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

    Download

  • memory/264-85-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

    Download

  • memory/2716-78-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

    Download

  • memory/2716-55-0x0000000000250000-0x0000000000283000-memory.dmp

    Filesize

    204KB

    Download

  • memory/2788-81-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

    Download

  • memory/2788-57-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

    Download

  • memory/2816-0-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

    Download

  • memory/2816-18-0x00000000005D0000-0x0000000000603000-memory.dmp

    Filesize

    204KB

    Download

  • memory/2816-83-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

    Download

  • memory/2816-14-0x00000000005D0000-0x0000000000603000-memory.dmp

    Filesize

    204KB

    Download

  • memory/2956-42-0x0000000000250000-0x0000000000283000-memory.dmp

    Filesize

    204KB

    Download

  • memory/2956-36-0x0000000000250000-0x0000000000283000-memory.dmp

    Filesize

    204KB

    Download

  • memory/2956-29-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

    Download

  • memory/2956-79-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

    Download

  • memory/2972-19-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

    Download

  • memory/2972-26-0x0000000000250000-0x0000000000283000-memory.dmp

    Filesize

    204KB

    Download

  • memory/2972-27-0x0000000000250000-0x0000000000283000-memory.dmp

    Filesize

    204KB

    Download