berbew | 7188142e0688c91cc7ab12a62cb8d45a4153d261f22489a4529541b7bd693fb9

General

Target

7188142e0688c91cc7ab12a62cb8d45a4153d261f22489a4529541b7bd693fb9N.exe
Size

1024KB
MD5

9a5ea2dda653d26372099ba70c900150
SHA1

806f44ad8f4e66f3f1bf9e0ff01f3d4f3cf0a372
SHA256

7188142e0688c91cc7ab12a62cb8d45a4153d261f22489a4529541b7bd693fb9
SHA512

48f0bbc5f04dbdd506436da03f3ff9050886087aa0224b16b1ee9a687baf158c3e042099f77f0bd777a42b30e934259f12739224939c979ab67b4e54a8660ab8
SSDEEP

12288:4jUthOvbFIkY660fIaDZkY660f8jTK/XhdAwlt01PBExKN4P6IfKTLR+6CwUkEoH:UlCgsaDZgQjGkwlks/6HnEO

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfmhdpnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cfmhdpnc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgoelh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cgoelh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caifjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Caifjn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	7188142e0688c91cc7ab12a62cb8d45a4153d261f22489a4529541b7bd693fb9N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	7188142e0688c91cc7ab12a62cb8d45a4153d261f22489a4529541b7bd693fb9N.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 4 IoCs

pid	Process
2696	Cfmhdpnc.exe
2656	Cgoelh32.exe
2144	Caifjn32.exe
2604	Dpapaj32.exe

Loads dropped DLL 11 IoCs

pid	Process
1668	7188142e0688c91cc7ab12a62cb8d45a4153d261f22489a4529541b7bd693fb9N.exe
1668	7188142e0688c91cc7ab12a62cb8d45a4153d261f22489a4529541b7bd693fb9N.exe
2696	Cfmhdpnc.exe
2696	Cfmhdpnc.exe
2656	Cgoelh32.exe
2656	Cgoelh32.exe
2144	Caifjn32.exe
2144	Caifjn32.exe
2620	WerFault.exe
2620	WerFault.exe
2620	WerFault.exe

Drops file in System32 directory 14 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Cgoelh32.exe	Cfmhdpnc.exe
File created	C:\Windows\SysWOW64\Caifjn32.exe	Cgoelh32.exe
File created	C:\Windows\SysWOW64\Qgejemnf.dll	7188142e0688c91cc7ab12a62cb8d45a4153d261f22489a4529541b7bd693fb9N.exe
File created	C:\Windows\SysWOW64\Jidmcq32.dll	Cfmhdpnc.exe
File created	C:\Windows\SysWOW64\Onaiomjo.dll	Cgoelh32.exe
File created	C:\Windows\SysWOW64\Cfmhdpnc.exe	7188142e0688c91cc7ab12a62cb8d45a4153d261f22489a4529541b7bd693fb9N.exe
File opened for modification	C:\Windows\SysWOW64\Caifjn32.exe	Cgoelh32.exe
File created	C:\Windows\SysWOW64\Dpapaj32.exe	Caifjn32.exe
File created	C:\Windows\SysWOW64\Pdkefp32.dll	Caifjn32.exe
File opened for modification	C:\Windows\SysWOW64\Cfmhdpnc.exe	7188142e0688c91cc7ab12a62cb8d45a4153d261f22489a4529541b7bd693fb9N.exe
File opened for modification	C:\Windows\SysWOW64\Cgoelh32.exe	Cfmhdpnc.exe
File opened for modification	C:\Windows\SysWOW64\Dpapaj32.exe	Caifjn32.exe
File created	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe
File opened for modification	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2620	2604	WerFault.exe	34

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7188142e0688c91cc7ab12a62cb8d45a4153d261f22489a4529541b7bd693fb9N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmhdpnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgoelh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caifjn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpapaj32.exe

Modifies registry class 15 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	7188142e0688c91cc7ab12a62cb8d45a4153d261f22489a4529541b7bd693fb9N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	7188142e0688c91cc7ab12a62cb8d45a4153d261f22489a4529541b7bd693fb9N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cfmhdpnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cgoelh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Caifjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jidmcq32.dll"	Cfmhdpnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgejemnf.dll"	7188142e0688c91cc7ab12a62cb8d45a4153d261f22489a4529541b7bd693fb9N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	7188142e0688c91cc7ab12a62cb8d45a4153d261f22489a4529541b7bd693fb9N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cfmhdpnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdkefp32.dll"	Caifjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Caifjn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	7188142e0688c91cc7ab12a62cb8d45a4153d261f22489a4529541b7bd693fb9N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	7188142e0688c91cc7ab12a62cb8d45a4153d261f22489a4529541b7bd693fb9N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onaiomjo.dll"	Cgoelh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cgoelh32.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1668 wrote to memory of 2696	1668	7188142e0688c91cc7ab12a62cb8d45a4153d261f22489a4529541b7bd693fb9N.exe	31
PID 1668 wrote to memory of 2696	1668	7188142e0688c91cc7ab12a62cb8d45a4153d261f22489a4529541b7bd693fb9N.exe	31
PID 1668 wrote to memory of 2696	1668	7188142e0688c91cc7ab12a62cb8d45a4153d261f22489a4529541b7bd693fb9N.exe	31
PID 1668 wrote to memory of 2696	1668	7188142e0688c91cc7ab12a62cb8d45a4153d261f22489a4529541b7bd693fb9N.exe	31
PID 2696 wrote to memory of 2656	2696	Cfmhdpnc.exe	32
PID 2696 wrote to memory of 2656	2696	Cfmhdpnc.exe	32
PID 2696 wrote to memory of 2656	2696	Cfmhdpnc.exe	32
PID 2696 wrote to memory of 2656	2696	Cfmhdpnc.exe	32
PID 2656 wrote to memory of 2144	2656	Cgoelh32.exe	33
PID 2656 wrote to memory of 2144	2656	Cgoelh32.exe	33
PID 2656 wrote to memory of 2144	2656	Cgoelh32.exe	33
PID 2656 wrote to memory of 2144	2656	Cgoelh32.exe	33
PID 2144 wrote to memory of 2604	2144	Caifjn32.exe	34
PID 2144 wrote to memory of 2604	2144	Caifjn32.exe	34
PID 2144 wrote to memory of 2604	2144	Caifjn32.exe	34
PID 2144 wrote to memory of 2604	2144	Caifjn32.exe	34
PID 2604 wrote to memory of 2620	2604	Dpapaj32.exe	35
PID 2604 wrote to memory of 2620	2604	Dpapaj32.exe	35
PID 2604 wrote to memory of 2620	2604	Dpapaj32.exe	35
PID 2604 wrote to memory of 2620	2604	Dpapaj32.exe	35

C:\Users\Admin\AppData\Local\Temp\7188142e0688c91cc7ab12a62cb8d45a4153d261f22489a4529541b7bd693fb9N.exe
"C:\Users\Admin\AppData\Local\Temp\7188142e0688c91cc7ab12a62cb8d45a4153d261f22489a4529541b7bd693fb9N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1668
- C:\Windows\SysWOW64\Cfmhdpnc.exe
  C:\Windows\system32\Cfmhdpnc.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2696
- - C:\Windows\SysWOW64\Cgoelh32.exe
    C:\Windows\system32\Cgoelh32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2656
  - - C:\Windows\SysWOW64\Caifjn32.exe
      C:\Windows\system32\Caifjn32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2144
    - - C:\Windows\SysWOW64\Dpapaj32.exe
        
        C:\Windows\system32\Dpapaj32.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2604
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2604 -s 144
        6⤵
        Loads dropped DLL
        Program crash
        
        PID:2620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Caifjn32.exe

Filesize
1024KB

MD5
b5fed3fa66e0b4a8c050cafa3b37db4e

SHA1
523e6b0fb3d0b61a427daf735e000680d5ac072f

SHA256
cd91ca57f16aebdf809a969a31de6e1190bb74d1941dff0c1006672302fed964

SHA512
74e3d5c57e63e1ef1404a89499d4c00d215c039bb2b93efc8061a17e812db93cc1551fcdfa59e69493721bc5f367b0717e0a628db22f6b24fedd2ac5949655ab

Download Submit
\Windows\SysWOW64\Cfmhdpnc.exe

Filesize
1024KB

MD5
4a85bd252c5399378b43f8c49e04ad1a

SHA1
0af8197f580921b319c5aabb4b855c0af9dd2deb

SHA256
9b43897289d1057e99fc82a5d821106b43ee69286d35f1afe26fc1a9644b2d71

SHA512
7fbadc26576bdbc4730ec814060610085f0489fd68a72246e712655393efad287fb7c45fbfe56f3e22caf370153f17b9e9f46adae21be9fc3c78ad15a7efd949

Download Submit
\Windows\SysWOW64\Cgoelh32.exe

Filesize
1024KB

MD5
94e41317d5ef23f847270b06f2ff70de

SHA1
abe6a48224e03024975aa13c79983ff940ad360b

SHA256
fd9b2b07975e3abd790243b4c000a6a1c7557b9eaf084a2c1f33745ded47b148

SHA512
4800024b75e0dcce8c3e78c62470fa11f278c0e762880cd42d1b2bb395577d7dfa5371f49593baf75ca6aeb8bda5fa80323e99d96a14ad748cf1c98002363519

Download Submit
\Windows\SysWOW64\Dpapaj32.exe

Filesize
1024KB

MD5
9a933721b46c87dabd846d1fed6bedce

SHA1
67888c39a63d1699ef10fb0b33c2b26a744c6f1f

SHA256
897c15622eb4e7062b16bcf933671b32dc2a7f95ef956ecdd5b7b7cc3ff383c6

SHA512
c5d538e948b08fcff1006e9c82a5abad148a94c2d1baa76f0440c69ff6f5dfc6c00a4e100dcc1658ceda497e1e5fff32d6ed21922858c65c47909a8208a8b6f9

Download Submit
memory/1668-71-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1668-13-0x0000000000290000-0x00000000002C4000-memory.dmp

Filesize
208KB

Download
memory/1668-12-0x0000000000290000-0x00000000002C4000-memory.dmp

Filesize
208KB

Download
memory/1668-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2144-66-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2144-42-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2144-55-0x0000000000330000-0x0000000000364000-memory.dmp

Filesize
208KB

Download
memory/2604-56-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2604-72-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2656-40-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2656-41-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2656-68-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2696-22-0x0000000000490000-0x00000000004C4000-memory.dmp

Filesize
208KB

Download
memory/2696-14-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2696-70-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads