Analysis

  • max time kernel
    94s
  • max time network
    16s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    17-12-2024 13:32

General

  • Target

    3a407ba8c5bb9504ec43c2cbf3ab36bcb146bb26f61d1a668fb05721999a5ff4N.exe

  • Size

    93KB

  • MD5

    3ba3bcaa66fa6540aac0f3f6b6dd3700

  • SHA1

    cb5ed9ab88614c7679b4f1237242bf46add15473

  • SHA256

    3a407ba8c5bb9504ec43c2cbf3ab36bcb146bb26f61d1a668fb05721999a5ff4

  • SHA512

    b2f23358e73123f08155630ddda053eeee8a24779fbeb7e1856cd5b214f9e50bc86338e86185eebe0bbf7d0a783329f3cde417dcf5ff724e5fe4cf295bd87c54

  • SSDEEP

    1536:U3c9UO1i+V9EgYT2V6wwmbmPoFDCFvu01DaYfMZRWuLsV+1B:ldDEgqxwwmbOoFGtTgYfc0DV+1B

Malware Config

Extracted

Family

berbew

C2

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

  • Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 24 IoCs
  • Berbew

    Berbew is a backdoor written in C++.

  • Berbew family
  • Njrat family
  • njRAT/Bladabindi

    Widely used RAT written in .NET.

  • Executes dropped EXE 12 IoCs
  • Loads dropped DLL 27 IoCs
  • Drops file in System32 directory 38 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 39 IoCs
  • Suspicious use of WriteProcessMemory 52 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3a407ba8c5bb9504ec43c2cbf3ab36bcb146bb26f61d1a668fb05721999a5ff4N.exe
    "C:\Users\Admin\AppData\Local\Temp\3a407ba8c5bb9504ec43c2cbf3ab36bcb146bb26f61d1a668fb05721999a5ff4N.exe"
    1⤵
    • Adds autorun key to be loaded by Explorer.exe on startup
    • Loads dropped DLL
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2448
    • C:\Windows\SysWOW64\Bjbndpmd.exe
      C:\Windows\system32\Bjbndpmd.exe
      2⤵
      • Adds autorun key to be loaded by Explorer.exe on startup
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:2320
      • C:\Windows\SysWOW64\Boogmgkl.exe
        C:\Windows\system32\Boogmgkl.exe
        3⤵
        • Adds autorun key to be loaded by Explorer.exe on startup
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:1816
        • C:\Windows\SysWOW64\Bmbgfkje.exe
          C:\Windows\system32\Bmbgfkje.exe
          4⤵
          • Adds autorun key to be loaded by Explorer.exe on startup
          • Executes dropped EXE
          • Loads dropped DLL
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          • Suspicious use of WriteProcessMemory
          PID:2708
          • C:\Windows\SysWOW64\Cbppnbhm.exe
            C:\Windows\system32\Cbppnbhm.exe
            5⤵
            • Adds autorun key to be loaded by Explorer.exe on startup
            • Executes dropped EXE
            • Loads dropped DLL
            • Drops file in System32 directory
            • System Location Discovery: System Language Discovery
            • Modifies registry class
            • Suspicious use of WriteProcessMemory
            PID:2720
            • C:\Windows\SysWOW64\Cocphf32.exe
              C:\Windows\system32\Cocphf32.exe
              6⤵
              • Adds autorun key to be loaded by Explorer.exe on startup
              • Executes dropped EXE
              • Loads dropped DLL
              • Drops file in System32 directory
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              • Suspicious use of WriteProcessMemory
              PID:2588
              • C:\Windows\SysWOW64\Cileqlmg.exe
                C:\Windows\system32\Cileqlmg.exe
                7⤵
                • Adds autorun key to be loaded by Explorer.exe on startup
                • Executes dropped EXE
                • Loads dropped DLL
                • Drops file in System32 directory
                • System Location Discovery: System Language Discovery
                • Modifies registry class
                • Suspicious use of WriteProcessMemory
                PID:2728
                • C:\Windows\SysWOW64\Cebeem32.exe
                  C:\Windows\system32\Cebeem32.exe
                  8⤵
                  • Adds autorun key to be loaded by Explorer.exe on startup
                  • Executes dropped EXE
                  • Loads dropped DLL
                  • Drops file in System32 directory
                  • System Location Discovery: System Language Discovery
                  • Modifies registry class
                  • Suspicious use of WriteProcessMemory
                  PID:2632
                  • C:\Windows\SysWOW64\Cjonncab.exe
                    C:\Windows\system32\Cjonncab.exe
                    9⤵
                    • Adds autorun key to be loaded by Explorer.exe on startup
                    • Executes dropped EXE
                    • Loads dropped DLL
                    • Drops file in System32 directory
                    • System Location Discovery: System Language Discovery
                    • Modifies registry class
                    • Suspicious use of WriteProcessMemory
                    PID:3044
                    • C:\Windows\SysWOW64\Cgcnghpl.exe
                      C:\Windows\system32\Cgcnghpl.exe
                      10⤵
                      • Adds autorun key to be loaded by Explorer.exe on startup
                      • Executes dropped EXE
                      • Loads dropped DLL
                      • Drops file in System32 directory
                      • System Location Discovery: System Language Discovery
                      • Modifies registry class
                      • Suspicious use of WriteProcessMemory
                      PID:1324
                      • C:\Windows\SysWOW64\Cmpgpond.exe
                        C:\Windows\system32\Cmpgpond.exe
                        11⤵
                        • Adds autorun key to be loaded by Explorer.exe on startup
                        • Executes dropped EXE
                        • Loads dropped DLL
                        • Drops file in System32 directory
                        • System Location Discovery: System Language Discovery
                        • Modifies registry class
                        • Suspicious use of WriteProcessMemory
                        PID:1988
                        • C:\Windows\SysWOW64\Djdgic32.exe
                          C:\Windows\system32\Djdgic32.exe
                          12⤵
                          • Adds autorun key to be loaded by Explorer.exe on startup
                          • Executes dropped EXE
                          • Loads dropped DLL
                          • Drops file in System32 directory
                          • System Location Discovery: System Language Discovery
                          • Modifies registry class
                          • Suspicious use of WriteProcessMemory
                          PID:560
                          • C:\Windows\SysWOW64\Dpapaj32.exe
                            C:\Windows\system32\Dpapaj32.exe
                            13⤵
                            • Executes dropped EXE
                            • Drops file in System32 directory
                            • System Location Discovery: System Language Discovery
                            • Suspicious use of WriteProcessMemory
                            PID:1152
                            • C:\Windows\SysWOW64\WerFault.exe
                              C:\Windows\SysWOW64\WerFault.exe -u -p 1152 -s 144
                              14⤵
                              • Loads dropped DLL
                              • Program crash
                              PID:1116

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\SysWOW64\Cileqlmg.exe

    Filesize

    93KB

    MD5

    946aa7104b7d806ee58bbf7521d9773f

    SHA1

    c8dc9571cabde2036a27e5e3d0da333a5008afcd

    SHA256

    dd4ab32aba9e01376eb04ee8b6160f3fd8bb0b2f7e569487805245e166848d57

    SHA512

    3bcbe9741180f4a0badf45542d313ac36ff59796835b988f43c460f869a30da73a4c1a9709620709ae81f8fbaa5860cae9d9068b5130f85f98192f6d3f256e55

  • \Windows\SysWOW64\Bjbndpmd.exe

    Filesize

    93KB

    MD5

    5c6f44c19a875391c5cffa61660243a2

    SHA1

    c32ef9265be36b76380dd3572338603d5da18de0

    SHA256

    cc1947035f73ac0c97d99770f37637f7cb281ae322ee2a0efe689b837f4f055a

    SHA512

    908ec2932f9aabcde31d315340a608d836d20a98d2a5eede5faad9e201cc4b819cb28c8168b8041dff742d703f2de66d3c28fbf35e4e7cfb67da9bb9560177f2

  • \Windows\SysWOW64\Bmbgfkje.exe

    Filesize

    93KB

    MD5

    7e0a5c70b131528895b5af922db93a4b

    SHA1

    bd34c88857c63f1b165249bbcfa45f3d16c95f94

    SHA256

    9743d61de0076145ea27e3623e7f9493c76280ef292ba1386a4ed09559ecca6a

    SHA512

    5551a67b87671b71402512907b1313563c61fa411a55801ed45ed08f9f0e9bf0535942ba093e47b2fd9e8bab61ec470841815520df50c1c772457b7905f284be

  • \Windows\SysWOW64\Boogmgkl.exe

    Filesize

    93KB

    MD5

    4e30bc87122de1e3d222af30bfdfea53

    SHA1

    24ca2976c0faee9d128c2b0a6ad59701220271e6

    SHA256

    4e3409136abb4e49913fc4198b6d5215d25263dfbcfca3cb891f26be43dd096d

    SHA512

    cc671d69f87c810cfb4890a131d50ec48a6d415ec014beb9b82cefcc7777aae7e23ebfac5f3d971fff4b09f9b39e57d3ab36b0f5ed3748d8cd8aa7c141396c48

  • \Windows\SysWOW64\Cbppnbhm.exe

    Filesize

    93KB

    MD5

    16ece42c8b1def2ffe6635ebd087bc17

    SHA1

    b3884e5070f1521b72b0ea53e567ccdb8fe642d3

    SHA256

    46482c316c250d3863fdf60c54a39591a16a679cf9bddc5f4614d0651a0c90a1

    SHA512

    cf7981688d0b09c1ea63f44a93e977fc16f044f2ab0403254cc65683a11af8cc7a9edf3653209002751bafa7ecd6cada3bff4a24fc758a4ebabafcfaf6b010dd

  • \Windows\SysWOW64\Cebeem32.exe

    Filesize

    93KB

    MD5

    5184d5f710605cf0fa734e6f099c7a7d

    SHA1

    39d1f3c1e53d245a6e2682f1974bb3ee94c2815b

    SHA256

    52e9dfd9b941475dfe40a5ed005a5b449bf03f758a56feec12cd7ca229390ca2

    SHA512

    3e19525c1e531fc1c641b235539da44d82c808adb1f446faf020d5ffaaf49c7959754b838d0dc7ebd85c36f2f636701563db62c28435f80a391e1d0753caead2

  • \Windows\SysWOW64\Cgcnghpl.exe

    Filesize

    93KB

    MD5

    02bdf2dc181ab10ef363c731780b6802

    SHA1

    8a5c4f094e85107180d39835ec98a931f741867f

    SHA256

    292123e516cf085680ce4012e91981fbf88d9c28df67cfd3d77660e37c4e59c4

    SHA512

    aa295754230c17cea7bb6d08fa6a19c58f99ec3ebaf48978dfcc29713823598df6c0123c31529e800c2b56356dde1e5bd83c5374503aa23d020ffd7696dd7b13

  • \Windows\SysWOW64\Cjonncab.exe

    Filesize

    93KB

    MD5

    5d34bc4c21ce7367013b02f49c6ebaee

    SHA1

    14deb9aa894bb4c4398d2b9a6faa07ffc1d7a5c7

    SHA256

    1a0b02c790a993c687804b8b6d00f8ab10ae1eed45ee620e9b3d3a55e332ebc7

    SHA512

    e6540e846269fa3c7a1c8cc0b576337e609deb6121523bc2ba3e4859a86e492272704dd20df5ab2a6c487e3ea54570f38f9952d62d7456f0144cf20ea98caaaa

  • \Windows\SysWOW64\Cmpgpond.exe

    Filesize

    93KB

    MD5

    32e84713abd8f14c78f60476735af72c

    SHA1

    8310642648278829bee4f8caf40d2001b55e12d7

    SHA256

    65ae26eeb4eb4b0dc90392860ebc9b64bd60579e5f8ada4ad3e9c7b51e5a5b84

    SHA512

    640a1dd11889daf7c9cdc8fe72ff5b63ad31d338550b96cadceaf61ac42ba781078509e0ca402e90f5b3efdf44df5c83fa224c30df05ed4fccc640462c0856bc

  • \Windows\SysWOW64\Cocphf32.exe

    Filesize

    93KB

    MD5

    548755e9093869e5797a4eba439bc5f7

    SHA1

    e1486019f86a504859c026ed885ec8c0f2bc446d

    SHA256

    92225a71211387810a430f9c43da04f5cc149a04cf67f0c5f2957888eb0b6fe7

    SHA512

    a7b5cf43f403693953d6808747ed12a9a0cb0722ae3b2dafd7c92bf6930e57489d173a60c32643d2096402f03bdcd7e7162b65be89708db537fc69be1be96dd8

  • \Windows\SysWOW64\Djdgic32.exe

    Filesize

    93KB

    MD5

    d6686b03c98c3c5dabb44e136d4425b5

    SHA1

    597dc89cfb2c19b112782acfcb553fed61a7dc1c

    SHA256

    79e0e3ea8c77e0f766ad52d1dbd0696bcd907f9f181aaaf8717e8dcdc2eb4abf

    SHA512

    9a0486ec885c71ba2ad88a45e39ac6c64f3390f8fda7688241f67eb4f6b4d14aad9358a00cb4c5849b041e78fc2b9c910616fd8e4030f17fddaec582b324c446

  • \Windows\SysWOW64\Dpapaj32.exe

    Filesize

    93KB

    MD5

    94b8b00bcd457eec336216090048f56a

    SHA1

    fc307ce0dc96432aee6f964c8e7ee8232136871e

    SHA256

    d9d66a5cc54df8862a74c0e106ca0bc21c66844e3e07c1f92d3318ed7ee87ee5

    SHA512

    3a53a90e6539adc1b471fe5495fe5c01914e67dcfbdc0677a034c54ea631d27c7b5336e57e4d6051147658bb413aca2afd909d1eca4215b7ca44065d4de730ad

  • memory/560-191-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

  • memory/560-152-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

  • memory/1152-161-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

  • memory/1152-193-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

  • memory/1324-120-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

  • memory/1324-185-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

  • memory/1324-128-0x0000000000250000-0x0000000000283000-memory.dmp

    Filesize

    204KB

  • memory/1816-186-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

  • memory/1816-26-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

  • memory/1988-134-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

  • memory/1988-182-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

  • memory/1988-142-0x0000000000250000-0x0000000000283000-memory.dmp

    Filesize

    204KB

  • memory/2320-189-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

  • memory/2448-6-0x0000000000250000-0x0000000000283000-memory.dmp

    Filesize

    204KB

  • memory/2448-0-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

  • memory/2448-190-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

  • memory/2448-12-0x0000000000250000-0x0000000000283000-memory.dmp

    Filesize

    204KB

  • memory/2588-171-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

  • memory/2588-77-0x0000000000250000-0x0000000000283000-memory.dmp

    Filesize

    204KB

  • memory/2632-181-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

  • memory/2632-94-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

  • memory/2708-39-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

  • memory/2708-176-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

  • memory/2720-52-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

  • memory/2720-175-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

  • memory/2720-60-0x00000000002F0000-0x0000000000323000-memory.dmp

    Filesize

    204KB

  • memory/2728-79-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

  • memory/2728-86-0x0000000000250000-0x0000000000283000-memory.dmp

    Filesize

    204KB

  • memory/2728-178-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

  • memory/3044-114-0x0000000000250000-0x0000000000283000-memory.dmp

    Filesize

    204KB

  • memory/3044-106-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

  • memory/3044-172-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB