berbew | 661044aa3a88a98b907f0cbb8c2ec1d85174a8af6b03c63be616dfb4fec5d569

General

Target

661044aa3a88a98b907f0cbb8c2ec1d85174a8af6b03c63be616dfb4fec5d569N.exe
Size

74KB
MD5

fde95c27c676016004a917a48bc508d0
SHA1

8758dfb5b201ee12baf603ec71658279dc7b874a
SHA256

661044aa3a88a98b907f0cbb8c2ec1d85174a8af6b03c63be616dfb4fec5d569
SHA512

e2f4d61e39e420db0c1549b3811b3a001089aab13e2ab6ecea4ebdd217a7aa0a0f22f7837f760befdf274bf3f6d737da31ead2132607523299a7df183d0c1ce5
SSDEEP

1536:Vw8yyX3jB2PiJN++Q0WYV6S1IqGUZvQA18/pS7GTZ8XC:VM0t4iJN++/F1Iqj3j7QZ8y

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

C2

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	661044aa3a88a98b907f0cbb8c2ec1d85174a8af6b03c63be616dfb4fec5d569N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	661044aa3a88a98b907f0cbb8c2ec1d85174a8af6b03c63be616dfb4fec5d569N.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegoqlof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cegoqlof.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djdgic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Djdgic32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmbcen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dmbcen32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 4 IoCs

pid	Process
2844	Cegoqlof.exe
1040	Djdgic32.exe
3060	Dmbcen32.exe
2616	Dpapaj32.exe

Loads dropped DLL 11 IoCs

pid	Process
2688	661044aa3a88a98b907f0cbb8c2ec1d85174a8af6b03c63be616dfb4fec5d569N.exe
2688	661044aa3a88a98b907f0cbb8c2ec1d85174a8af6b03c63be616dfb4fec5d569N.exe
2844	Cegoqlof.exe
2844	Cegoqlof.exe
1040	Djdgic32.exe
1040	Djdgic32.exe
3060	Dmbcen32.exe
3060	Dmbcen32.exe
2632	WerFault.exe
2632	WerFault.exe
2632	WerFault.exe

Drops file in System32 directory 14 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Cegoqlof.exe	661044aa3a88a98b907f0cbb8c2ec1d85174a8af6b03c63be616dfb4fec5d569N.exe
File opened for modification	C:\Windows\SysWOW64\Cegoqlof.exe	661044aa3a88a98b907f0cbb8c2ec1d85174a8af6b03c63be616dfb4fec5d569N.exe
File created	C:\Windows\SysWOW64\Ccofjipn.dll	Cegoqlof.exe
File created	C:\Windows\SysWOW64\Fikbiheg.dll	Djdgic32.exe
File created	C:\Windows\SysWOW64\Dpapaj32.exe	Dmbcen32.exe
File created	C:\Windows\SysWOW64\Pdkefp32.dll	Dmbcen32.exe
File created	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe
File created	C:\Windows\SysWOW64\Nloone32.dll	661044aa3a88a98b907f0cbb8c2ec1d85174a8af6b03c63be616dfb4fec5d569N.exe
File created	C:\Windows\SysWOW64\Djdgic32.exe	Cegoqlof.exe
File opened for modification	C:\Windows\SysWOW64\Djdgic32.exe	Cegoqlof.exe
File opened for modification	C:\Windows\SysWOW64\Dpapaj32.exe	Dmbcen32.exe
File created	C:\Windows\SysWOW64\Dmbcen32.exe	Djdgic32.exe
File opened for modification	C:\Windows\SysWOW64\Dmbcen32.exe	Djdgic32.exe
File opened for modification	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2632	2616	WerFault.exe	34

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdgic32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmbcen32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpapaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	661044aa3a88a98b907f0cbb8c2ec1d85174a8af6b03c63be616dfb4fec5d569N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegoqlof.exe

Modifies registry class 15 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nloone32.dll"	661044aa3a88a98b907f0cbb8c2ec1d85174a8af6b03c63be616dfb4fec5d569N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cegoqlof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cegoqlof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Djdgic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Djdgic32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	661044aa3a88a98b907f0cbb8c2ec1d85174a8af6b03c63be616dfb4fec5d569N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fikbiheg.dll"	Djdgic32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dmbcen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdkefp32.dll"	Dmbcen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dmbcen32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	661044aa3a88a98b907f0cbb8c2ec1d85174a8af6b03c63be616dfb4fec5d569N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	661044aa3a88a98b907f0cbb8c2ec1d85174a8af6b03c63be616dfb4fec5d569N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	661044aa3a88a98b907f0cbb8c2ec1d85174a8af6b03c63be616dfb4fec5d569N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccofjipn.dll"	Cegoqlof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	661044aa3a88a98b907f0cbb8c2ec1d85174a8af6b03c63be616dfb4fec5d569N.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2688 wrote to memory of 2844	2688	661044aa3a88a98b907f0cbb8c2ec1d85174a8af6b03c63be616dfb4fec5d569N.exe	31
PID 2688 wrote to memory of 2844	2688	661044aa3a88a98b907f0cbb8c2ec1d85174a8af6b03c63be616dfb4fec5d569N.exe	31
PID 2688 wrote to memory of 2844	2688	661044aa3a88a98b907f0cbb8c2ec1d85174a8af6b03c63be616dfb4fec5d569N.exe	31
PID 2688 wrote to memory of 2844	2688	661044aa3a88a98b907f0cbb8c2ec1d85174a8af6b03c63be616dfb4fec5d569N.exe	31
PID 2844 wrote to memory of 1040	2844	Cegoqlof.exe	32
PID 2844 wrote to memory of 1040	2844	Cegoqlof.exe	32
PID 2844 wrote to memory of 1040	2844	Cegoqlof.exe	32
PID 2844 wrote to memory of 1040	2844	Cegoqlof.exe	32
PID 1040 wrote to memory of 3060	1040	Djdgic32.exe	33
PID 1040 wrote to memory of 3060	1040	Djdgic32.exe	33
PID 1040 wrote to memory of 3060	1040	Djdgic32.exe	33
PID 1040 wrote to memory of 3060	1040	Djdgic32.exe	33
PID 3060 wrote to memory of 2616	3060	Dmbcen32.exe	34
PID 3060 wrote to memory of 2616	3060	Dmbcen32.exe	34
PID 3060 wrote to memory of 2616	3060	Dmbcen32.exe	34
PID 3060 wrote to memory of 2616	3060	Dmbcen32.exe	34
PID 2616 wrote to memory of 2632	2616	Dpapaj32.exe	35
PID 2616 wrote to memory of 2632	2616	Dpapaj32.exe	35
PID 2616 wrote to memory of 2632	2616	Dpapaj32.exe	35
PID 2616 wrote to memory of 2632	2616	Dpapaj32.exe	35

C:\Users\Admin\AppData\Local\Temp\661044aa3a88a98b907f0cbb8c2ec1d85174a8af6b03c63be616dfb4fec5d569N.exe
"C:\Users\Admin\AppData\Local\Temp\661044aa3a88a98b907f0cbb8c2ec1d85174a8af6b03c63be616dfb4fec5d569N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2688
- C:\Windows\SysWOW64\Cegoqlof.exe
  C:\Windows\system32\Cegoqlof.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2844
- - C:\Windows\SysWOW64\Djdgic32.exe
    C:\Windows\system32\Djdgic32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1040
  - - C:\Windows\SysWOW64\Dmbcen32.exe
      C:\Windows\system32\Dmbcen32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3060
    - - C:\Windows\SysWOW64\Dpapaj32.exe
        
        C:\Windows\system32\Dpapaj32.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2616
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2616 -s 144
        6⤵
        Loads dropped DLL
        Program crash
        
        PID:2632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\Cegoqlof.exe

Filesize
74KB

MD5
08fcea0ded7352c8fc273adcee2ccdd8

SHA1
9d113ec441f6a8c6747b7faed7ca9b0d8dfb181e

SHA256
0c37750955f9470bb030f39151d6a403afb18248c98820238bfd489ec2b61aa6

SHA512
1dc2a9b4e1243b063bd7836ccf27802451205afc125f6fba4c16c0c1c2a8b7c0b36224cf7fb03b64d31cf3c88b5278ecbe9c3f41137c3a9d1be9b763818e08e1

Download Submit
\Windows\SysWOW64\Djdgic32.exe

Filesize
74KB

MD5
303f5626c775f29c88e0b25e5b7ea80f

SHA1
9739f17d3f1ad8ca025a4943425d1f82f87af0c2

SHA256
c6d3d86a83e390d093d55383c2e30a696fa10715b1a66ac01709e123e702e1d1

SHA512
ea6f4d5a9724229f98b87ea84a9066d8bfd0151f24d0c7b291bcaeb069b47cec09ad6bd1fedfe474edd86bfc6c2b9b2a95d7b424862bacfcffbf55b528cc87c6

Download Submit
\Windows\SysWOW64\Dmbcen32.exe

Filesize
74KB

MD5
570f643154847a982119ae235ce318c3

SHA1
ebf063209b6640da00ae1c251eefb0bae04f9da0

SHA256
9631a7de101296f3ed7711bbe84d5fc41e99f2633f7ecf2ef226d60e0bd86510

SHA512
b81d7f0438da9054ea7af7ef39241d5f663b727f2d71c8466727cf1d81536da800bab301dd5a7c20dabad078f30650d2ec287f4e5ea8fdad568039c04ea89732

Download Submit
\Windows\SysWOW64\Dpapaj32.exe

Filesize
74KB

MD5
24289d92b8a272a57efc82519d06f0d2

SHA1
703c246dae5ca431ce19e470505073967da4f090

SHA256
9d622b160d05b7f45ccaf491e9aa41a91754979985fd9327e6d15e5565a1f329

SHA512
72c92a7ef1b17d84cad90739646c6a4b0be6af2f8b77b79c7cdff13168920fb9b7bce061465a7eaaed5a90aed41a0296501c010f8f28ccc2c80ea725b9771383

Download Submit
memory/1040-26-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1040-35-0x0000000000320000-0x0000000000357000-memory.dmp

Filesize
220KB

Download
memory/1040-62-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2616-61-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2688-12-0x00000000002E0000-0x0000000000317000-memory.dmp

Filesize
220KB

Download
memory/2688-0-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2688-60-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2844-13-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2844-63-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3060-47-0x0000000000440000-0x0000000000477000-memory.dmp

Filesize
220KB

Download
memory/3060-59-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads