Analysis

  • max time kernel
    93s
  • max time network
    141s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    23-12-2024 01:38

General

  • Target

    a2890c7da3c91d97ff029c68168bba78e906c1135265835525409bed095fc92d.exe

  • Size

    94KB

  • MD5

    a5499dc1d4789a198e5e4845aeb139db

  • SHA1

    624aafbcf55e68998057ff5a08117f7ff19460c5

  • SHA256

    a2890c7da3c91d97ff029c68168bba78e906c1135265835525409bed095fc92d

  • SHA512

    ae611913b08ae1f43c5962be13d5f4c49f0c894e7ac1b29afed5f32440f0beda06ae0ca6f066c1970a3dc162d0228cf3f707ef34ca84c181420adbfc4280a64a

  • SSDEEP

    1536:kxkKvjMJdQsLqpF809kJvsjxmS2bkXQXjcbZHaTKoO9RSkx3WhkKXBnFsRQD6RfP:kxkKv0KsLqptvmSckACHa7admk2Bnmeu

Malware Config

Extracted

Family

berbew

C2

http://viruslist.com/wcmd.txt

http://viruslist.com/ppslog.php

http://viruslist.com/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

  • Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 22 IoCs
  • Berbew

    Berbew is a backdoor written in C++.

  • Berbew family
  • Executes dropped EXE 11 IoCs
  • Drops file in System32 directory 33 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 36 IoCs
  • Suspicious use of WriteProcessMemory 33 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a2890c7da3c91d97ff029c68168bba78e906c1135265835525409bed095fc92d.exe
    "C:\Users\Admin\AppData\Local\Temp\a2890c7da3c91d97ff029c68168bba78e906c1135265835525409bed095fc92d.exe"
    1⤵
    • Adds autorun key to be loaded by Explorer.exe on startup
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1436
    • C:\Windows\SysWOW64\Djgjlelk.exe
      C:\Windows\system32\Djgjlelk.exe
      2⤵
      • Adds autorun key to be loaded by Explorer.exe on startup
      • Executes dropped EXE
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:732
      • C:\Windows\SysWOW64\Dmefhako.exe
        C:\Windows\system32\Dmefhako.exe
        3⤵
        • Adds autorun key to be loaded by Explorer.exe on startup
        • Executes dropped EXE
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:2324
        • C:\Windows\SysWOW64\Dhkjej32.exe
          C:\Windows\system32\Dhkjej32.exe
          4⤵
          • Adds autorun key to be loaded by Explorer.exe on startup
          • Executes dropped EXE
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          • Suspicious use of WriteProcessMemory
          PID:4460
          • C:\Windows\SysWOW64\Dfnjafap.exe
            C:\Windows\system32\Dfnjafap.exe
            5⤵
            • Adds autorun key to be loaded by Explorer.exe on startup
            • Executes dropped EXE
            • Drops file in System32 directory
            • System Location Discovery: System Language Discovery
            • Modifies registry class
            • Suspicious use of WriteProcessMemory
            PID:2096
            • C:\Windows\SysWOW64\Dmgbnq32.exe
              C:\Windows\system32\Dmgbnq32.exe
              6⤵
              • Adds autorun key to be loaded by Explorer.exe on startup
              • Executes dropped EXE
              • Drops file in System32 directory
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              • Suspicious use of WriteProcessMemory
              PID:4752
              • C:\Windows\SysWOW64\Ddakjkqi.exe
                C:\Windows\system32\Ddakjkqi.exe
                7⤵
                • Adds autorun key to be loaded by Explorer.exe on startup
                • Executes dropped EXE
                • Drops file in System32 directory
                • System Location Discovery: System Language Discovery
                • Modifies registry class
                • Suspicious use of WriteProcessMemory
                PID:244
                • C:\Windows\SysWOW64\Dfpgffpm.exe
                  C:\Windows\system32\Dfpgffpm.exe
                  8⤵
                  • Adds autorun key to be loaded by Explorer.exe on startup
                  • Executes dropped EXE
                  • Drops file in System32 directory
                  • System Location Discovery: System Language Discovery
                  • Modifies registry class
                  • Suspicious use of WriteProcessMemory
                  PID:1504
                  • C:\Windows\SysWOW64\Dmjocp32.exe
                    C:\Windows\system32\Dmjocp32.exe
                    9⤵
                    • Adds autorun key to be loaded by Explorer.exe on startup
                    • Executes dropped EXE
                    • Drops file in System32 directory
                    • System Location Discovery: System Language Discovery
                    • Modifies registry class
                    • Suspicious use of WriteProcessMemory
                    PID:512
                    • C:\Windows\SysWOW64\Dddhpjof.exe
                      C:\Windows\system32\Dddhpjof.exe
                      10⤵
                      • Adds autorun key to be loaded by Explorer.exe on startup
                      • Executes dropped EXE
                      • Drops file in System32 directory
                      • System Location Discovery: System Language Discovery
                      • Modifies registry class
                      • Suspicious use of WriteProcessMemory
                      PID:4420
                      • C:\Windows\SysWOW64\Dknpmdfc.exe
                        C:\Windows\system32\Dknpmdfc.exe
                        11⤵
                        • Adds autorun key to be loaded by Explorer.exe on startup
                        • Executes dropped EXE
                        • Drops file in System32 directory
                        • System Location Discovery: System Language Discovery
                        • Modifies registry class
                        • Suspicious use of WriteProcessMemory
                        PID:1068
                        • C:\Windows\SysWOW64\Dmllipeg.exe
                          C:\Windows\system32\Dmllipeg.exe
                          12⤵
                          • Executes dropped EXE
                          • System Location Discovery: System Language Discovery
                          PID:4964
                          • C:\Windows\SysWOW64\WerFault.exe
                            C:\Windows\SysWOW64\WerFault.exe -u -p 4964 -s 416
                            13⤵
                            • Program crash
                            PID:3540
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4964 -ip 4964
    1⤵
      PID:2320

    MITRE ATT&CK Enterprise v15

    Downloads
