Analysis

  • max time kernel
    121s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    08-12-2024 03:04

General

  • Target

    c99e13a7452cab6d62d45a9e386468e329536c841765dddf22e87da5762a0c5d.exe

  • Size

    84KB

  • MD5

    d050b81b655f5c565b67cbe74fdd9c02

  • SHA1

    40e5513be3a5f6dc902b9b9ab2cca1a62ad2fc3a

  • SHA256

    c99e13a7452cab6d62d45a9e386468e329536c841765dddf22e87da5762a0c5d

  • SHA512

    c51e5f0dea07fc10a4263226d9cbb9725e6eba12b20f8bd181f134a285ffa4be4fb74867305ea49efea280fa505ed73296f192cce2d7b257770f2d2c70359fba

  • SSDEEP

    1536:3+r3dFPzQl/OcyQUP6VmdnX5sGovuXSREXHfVPfMVwNKT1iqWUPGc4T7VL3:3+r3LPUl/OcyQQEmFph2uCREXdXNKT1m

Malware Config

Extracted

Family

berbew

C2

http://tat-neftbank.ru/kkq.php

http://tat-neftbank.ru/wcmd.htm

Signatures

  • Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 22 IoCs
  • Berbew

    Berbew is a backdoor written in C++.

  • Berbew family
  • Executes dropped EXE 11 IoCs
  • Loads dropped DLL 25 IoCs
  • Drops file in System32 directory 33 IoCs
  • Drops file in Windows directory 2 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 36 IoCs
  • Suspicious use of WriteProcessMemory 48 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c99e13a7452cab6d62d45a9e386468e329536c841765dddf22e87da5762a0c5d.exe
    "C:\Users\Admin\AppData\Local\Temp\c99e13a7452cab6d62d45a9e386468e329536c841765dddf22e87da5762a0c5d.exe"
    1⤵
    • Adds autorun key to be loaded by Explorer.exe on startup
    • Loads dropped DLL
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2072
    • C:\Windows\SysWOW64\Cnimiblo.exe
      C:\Windows\system32\Cnimiblo.exe
      2⤵
      • Adds autorun key to be loaded by Explorer.exe on startup
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:2440
      • C:\Windows\SysWOW64\Cagienkb.exe
        C:\Windows\system32\Cagienkb.exe
        3⤵
        • Adds autorun key to be loaded by Explorer.exe on startup
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:3056
        • C:\Windows\SysWOW64\Ckmnbg32.exe
          C:\Windows\system32\Ckmnbg32.exe
          4⤵
          • Adds autorun key to be loaded by Explorer.exe on startup
          • Executes dropped EXE
          • Loads dropped DLL
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          • Suspicious use of WriteProcessMemory
          PID:2776
          • C:\Windows\SysWOW64\Caifjn32.exe
            C:\Windows\system32\Caifjn32.exe
            5⤵
            • Adds autorun key to be loaded by Explorer.exe on startup
            • Executes dropped EXE
            • Loads dropped DLL
            • Drops file in System32 directory
            • System Location Discovery: System Language Discovery
            • Modifies registry class
            • Suspicious use of WriteProcessMemory
            PID:2852
            • C:\Windows\SysWOW64\Cgcnghpl.exe
              C:\Windows\system32\Cgcnghpl.exe
              6⤵
              • Adds autorun key to be loaded by Explorer.exe on startup
              • Executes dropped EXE
              • Loads dropped DLL
              • Drops file in System32 directory
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              • Suspicious use of WriteProcessMemory
              PID:2564
              • C:\Windows\SysWOW64\Cnmfdb32.exe
                C:\Windows\system32\Cnmfdb32.exe
                7⤵
                • Adds autorun key to be loaded by Explorer.exe on startup
                • Executes dropped EXE
                • Loads dropped DLL
                • Drops file in System32 directory
                • System Location Discovery: System Language Discovery
                • Modifies registry class
                • Suspicious use of WriteProcessMemory
                PID:2540
                • C:\Windows\SysWOW64\Cmpgpond.exe
                  C:\Windows\system32\Cmpgpond.exe
                  8⤵
                  • Adds autorun key to be loaded by Explorer.exe on startup
                  • Executes dropped EXE
                  • Loads dropped DLL
                  • Drops file in System32 directory
                  • System Location Discovery: System Language Discovery
                  • Modifies registry class
                  • Suspicious use of WriteProcessMemory
                  PID:2928
                  • C:\Windows\SysWOW64\Cgfkmgnj.exe
                    C:\Windows\system32\Cgfkmgnj.exe
                    9⤵
                    • Adds autorun key to be loaded by Explorer.exe on startup
                    • Executes dropped EXE
                    • Loads dropped DLL
                    • Drops file in System32 directory
                    • System Location Discovery: System Language Discovery
                    • Modifies registry class
                    • Suspicious use of WriteProcessMemory
                    PID:2008
                    • C:\Windows\SysWOW64\Djdgic32.exe
                      C:\Windows\system32\Djdgic32.exe
                      10⤵
                      • Adds autorun key to be loaded by Explorer.exe on startup
                      • Executes dropped EXE
                      • Loads dropped DLL
                      • Drops file in System32 directory
                      • System Location Discovery: System Language Discovery
                      • Modifies registry class
                      • Suspicious use of WriteProcessMemory
                      PID:1156
                      • C:\Windows\SysWOW64\Danpemej.exe
                        C:\Windows\system32\Danpemej.exe
                        11⤵
                        • Adds autorun key to be loaded by Explorer.exe on startup
                        • Executes dropped EXE
                        • Loads dropped DLL
                        • Drops file in System32 directory
                        • System Location Discovery: System Language Discovery
                        • Modifies registry class
                        • Suspicious use of WriteProcessMemory
                        PID:2016
                        • C:\Windows\SysWOW64\Dpapaj32.exe
                          C:\Windows\system32\Dpapaj32.exe
                          12⤵
                          • Executes dropped EXE
                          • Drops file in Windows directory
                          • System Location Discovery: System Language Discovery
                          • Suspicious use of WriteProcessMemory
                          PID:2528
                          • C:\Windows\SysWOW64\WerFault.exe
                            C:\Windows\SysWOW64\WerFault.exe -u -p 2528 -s 144
                            13⤵
                            • Loads dropped DLL
                            • Program crash
                            PID:2000

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\SysWOW64\Cgcnghpl.exe

    Filesize

    84KB

    MD5

    37a8e80284dff58062a1a7ed53280b9e

    SHA1

    662598309756707baddb23695b50cfaa9787229c

    SHA256

    f46e0ece6e2f934d41043e46954a18b964f349a58601f60ab57607b9792f97cd

    SHA512

    0c896415be605999c19731131e7565c1a8267bfbc43ec0d84a190c19f10a85d349159814c86a7128f78a843174e752340c35c8bc17691a6a1a870291b53dd89c

  • C:\Windows\SysWOW64\Cgfkmgnj.exe

    Filesize

    84KB

    MD5

    2951d56e43c070e371a0fdaf59e1f889

    SHA1

    c578c07b25d49b556051e629e0045010fee4d816

    SHA256

    c5d1f4a7e00bfb0e5259f6989df9fe18742333862d822a0debb3b6093cd81c3f

    SHA512

    df5128c1ee06103c039448c81496d49e850921a166c4169c8360331a3de0e296b2e73cb8a13e228640977eec7533f1c5be7528c332adabe7478f5c86cfb4b772

  • \Windows\SysWOW64\Cagienkb.exe

    Filesize

    84KB

    MD5

    128cf1151e7fc060984d025fd7fad457

    SHA1

    1e61ec22b7878019ee63cd3fb2eaff47b651a5bd

    SHA256

    ed9bf88ac6cf1e8ce44173d36fb2f69eff1c907c58a5df33b39e2d7a802ad483

    SHA512

    b264998d2d16f6f40090268fe018dc7df351e4c08a36a0780f9a32d12a52d10771885b040a31f1da950c719733823406db37a7cc00440fbeb03f8835c5ccd588

  • \Windows\SysWOW64\Caifjn32.exe

    Filesize

    84KB

    MD5

    73ccc8c5b634178994b1be8cb4cf5e80

    SHA1

    56da2a420ada3cb7640b9d0cdb296ed0e61a6246

    SHA256

    580a3ea093ba8249b0f2df81bd150299caefe36ff1c6b91e63f1f4ceb09f729e

    SHA512

    89d05ae4331e99ee2b262d7abdec89a0cbdf5e8b32812ced24ace8143240ac38415f3f167debf5a37080843ebee94e3939ef741837607a045aaec621a9ecbe5e

  • \Windows\SysWOW64\Ckmnbg32.exe

    Filesize

    84KB

    MD5

    3053ef90d93099d6956cf4ce11756983

    SHA1

    86b8172774d3b54514e727386c0a79a097f23167

    SHA256

    99fd667f6d2b33908e1c92057d162caf0d74fd9c10c3c5ffd011e883629636a8

    SHA512

    47f7dc6f0a5f33b53b394e8247570a1b6ac83375406cf391481b11980c68f4a31e22e622144fd68bb5a3586cd9916bfc8a1181457a44b4e72e09a03073f7e5e1

  • \Windows\SysWOW64\Cmpgpond.exe

    Filesize

    84KB

    MD5

    7ecfefc53087bae6a57ea4835f064fa4

    SHA1

    d03701166a0342efe2bdb5f61f905c6b268be8b1

    SHA256

    a92ca3276eec8978e7985c38c53e75e53887c54adeb8734901ae114880475c69

    SHA512

    ff1b8d977c654a6ae204ddb03807729f36da878d50aca768e177e68f2f9bf0f188f209073e257cb6081b1f96f6d59adf36f4d5712b4c39cf2ff45fa9f5f19f6d

  • \Windows\SysWOW64\Cnimiblo.exe

    Filesize

    84KB

    MD5

    a01e2a381f7a6d8d81ae686a6a70cb61

    SHA1

    606ae05b3d4d280b7710c70cdd129b61b26175ea

    SHA256

    7efac4589b82b33caee532730b1ec2540ea5a2393c63480518867408278eb717

    SHA512

    afc76b71a9160f12958784bdf3ed14a806765708a93c5bd2290ca59126539b47ecbc00ae6f16ae4ba0f1b3734764fca801a2ea915ce0a4e0fae48babc84e963e

  • \Windows\SysWOW64\Cnmfdb32.exe

    Filesize

    84KB

    MD5

    cba6ccc33676abd6b3b5799ef7fe0e63

    SHA1

    ad4e4015d6fd3bccf7267f9913ea51944364e13e

    SHA256

    c426ffcd83612df5493b72cec2e5673c8cc520ac1e229e6c7e4e20cf4c14c681

    SHA512

    bda151f5951295d2c56ad36688f0337d7a63bc75f9edb09546ded4eb0eac7b0e98b39ca7efff4b399ac7d4fed03466e5ec74cf077aaa333a94ec878910efb0cf

  • \Windows\SysWOW64\Danpemej.exe

    Filesize

    84KB

    MD5

    e42da69fa9f8a80f6c8b73f7b5069067

    SHA1

    10a182d3c1c9606784ba46742332268913fdf725

    SHA256

    0a389a8a0101dfb5493f059775d56854dba7531ea4c11ed87af0ce2c4b4ab09f

    SHA512

    139369d4e1ac2ac551ec0f0913946406a9365f78fb3bce16b32dac9676f6ffc5f1c5f77dd257fec6ffa66adc4c68b798d9e714ba7032fc2b1290123fbcbb2a33

  • \Windows\SysWOW64\Djdgic32.exe

    Filesize

    84KB

    MD5

    8a154bd35d7f3aeda5a60dbc96120923

    SHA1

    65b202b42dfcac0d5806c810eca2efbd1e072c05

    SHA256

    a6e85810140a0074de4ca195a5ac277ea423437261f30fabb2af9f9fa3a9791d

    SHA512

    9706f08209bf943f2e1d918f9d15c74e9990150aa84b70c818948c11bea1396afdd3d284316ab0639a3b1e7362bef030c2ea62a76bef8fd2955d80b4c97d8cee

  • \Windows\SysWOW64\Dpapaj32.exe

    Filesize

    84KB

    MD5

    69b820f8f168b9fb70910adcbd43f614

    SHA1

    707d02efda8413f7796b2d207476af6337342ffb

    SHA256

    d368bb4f781fd3602f3dde6b62b9513f05663db5dbb5410baa08182e1254a8d8

    SHA512

    69ddbe2b43a5ec8d5aa41c539c59092089a103ac0a17931176985340a9e57020ab847c998ab2ab3d6dd32909cbdd794ab4b5cd2d2b8df47853c0903a0d2cb022

  • memory/1156-165-0x0000000000400000-0x000000000043F000-memory.dmp

    Filesize

    252KB

  • memory/1156-134-0x0000000000260000-0x000000000029F000-memory.dmp

    Filesize

    252KB

  • memory/2008-117-0x00000000002E0000-0x000000000031F000-memory.dmp

    Filesize

    252KB

  • memory/2008-109-0x0000000000400000-0x000000000043F000-memory.dmp

    Filesize

    252KB

  • memory/2008-166-0x0000000000400000-0x000000000043F000-memory.dmp

    Filesize

    252KB

  • memory/2016-148-0x0000000000400000-0x000000000043F000-memory.dmp

    Filesize

    252KB

  • memory/2016-164-0x0000000000400000-0x000000000043F000-memory.dmp

    Filesize

    252KB

  • memory/2072-162-0x0000000000400000-0x000000000043F000-memory.dmp

    Filesize

    252KB

  • memory/2072-13-0x0000000001F30000-0x0000000001F6F000-memory.dmp

    Filesize

    252KB

  • memory/2072-0-0x0000000000400000-0x000000000043F000-memory.dmp

    Filesize

    252KB

  • memory/2072-12-0x0000000001F30000-0x0000000001F6F000-memory.dmp

    Filesize

    252KB

  • memory/2440-27-0x0000000000270000-0x00000000002AF000-memory.dmp

    Filesize

    252KB

  • memory/2440-28-0x0000000000270000-0x00000000002AF000-memory.dmp

    Filesize

    252KB

  • memory/2440-14-0x0000000000400000-0x000000000043F000-memory.dmp

    Filesize

    252KB

  • memory/2440-160-0x0000000000400000-0x000000000043F000-memory.dmp

    Filesize

    252KB

  • memory/2528-149-0x0000000000400000-0x000000000043F000-memory.dmp

    Filesize

    252KB

  • memory/2528-163-0x0000000000400000-0x000000000043F000-memory.dmp

    Filesize

    252KB

  • memory/2540-91-0x0000000000250000-0x000000000028F000-memory.dmp

    Filesize

    252KB

  • memory/2540-88-0x0000000000400000-0x000000000043F000-memory.dmp

    Filesize

    252KB

  • memory/2540-157-0x0000000000400000-0x000000000043F000-memory.dmp

    Filesize

    252KB

  • memory/2564-77-0x00000000002D0000-0x000000000030F000-memory.dmp

    Filesize

    252KB

  • memory/2564-69-0x0000000000400000-0x000000000043F000-memory.dmp

    Filesize

    252KB

  • memory/2564-161-0x0000000000400000-0x000000000043F000-memory.dmp

    Filesize

    252KB

  • memory/2776-42-0x0000000000400000-0x000000000043F000-memory.dmp

    Filesize

    252KB

  • memory/2776-50-0x0000000000250000-0x000000000028F000-memory.dmp

    Filesize

    252KB

  • memory/2776-55-0x0000000000250000-0x000000000028F000-memory.dmp

    Filesize

    252KB

  • memory/2776-158-0x0000000000400000-0x000000000043F000-memory.dmp

    Filesize

    252KB

  • memory/2852-167-0x0000000000400000-0x000000000043F000-memory.dmp

    Filesize

    252KB

  • memory/2928-156-0x0000000000400000-0x000000000043F000-memory.dmp

    Filesize

    252KB

  • memory/3056-40-0x0000000000400000-0x000000000043F000-memory.dmp

    Filesize

    252KB

  • memory/3056-159-0x0000000000400000-0x000000000043F000-memory.dmp

    Filesize

    252KB