Analysis
-
max time kernel
119s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
23-12-2024 20:46
Static task
static1
Behavioral task
behavioral1
Sample
3b884198e0c13a00fe2c7474d87dc63f494d2cdbecb3a3da461a22f064a9ed2c.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
3b884198e0c13a00fe2c7474d87dc63f494d2cdbecb3a3da461a22f064a9ed2c.exe
Resource
win10v2004-20241007-en
General
-
Target
3b884198e0c13a00fe2c7474d87dc63f494d2cdbecb3a3da461a22f064a9ed2c.exe
-
Size
96KB
-
MD5
433d315407a1beae1c4a318faf40c2ca
-
SHA1
bbdd836aa0a94fd1996c60b385eace87447219ac
-
SHA256
3b884198e0c13a00fe2c7474d87dc63f494d2cdbecb3a3da461a22f064a9ed2c
-
SHA512
3b62c8e85e550fab0af4c829caae60236f7e0d29c150897325669b2d7793471195d81b350ec170aa324b5dbce974abed1f7f7c3a57c498eb00f0913a5d2a6389
-
SSDEEP
3072:95GSGbrkmGvjX25dEwxIDl5Dvbd69jc0vH:95GdIjqiwslFbd6NVH
Malware Config
Extracted
berbew
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 4 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad 3b884198e0c13a00fe2c7474d87dc63f494d2cdbecb3a3da461a22f064a9ed2c.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" 3b884198e0c13a00fe2c7474d87dc63f494d2cdbecb3a3da461a22f064a9ed2c.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Llpfjomf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Llpfjomf.exe -
Berbew family
-
Executes dropped EXE 2 IoCs
pid Process 2692 Llpfjomf.exe 2968 Lbjofi32.exe -
Loads dropped DLL 8 IoCs
pid Process 1620 3b884198e0c13a00fe2c7474d87dc63f494d2cdbecb3a3da461a22f064a9ed2c.exe 1620 3b884198e0c13a00fe2c7474d87dc63f494d2cdbecb3a3da461a22f064a9ed2c.exe 2692 Llpfjomf.exe 2692 Llpfjomf.exe 2820 WerFault.exe 2820 WerFault.exe 2820 WerFault.exe 2820 WerFault.exe -
Drops file in System32 directory 6 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Llpfjomf.exe 3b884198e0c13a00fe2c7474d87dc63f494d2cdbecb3a3da461a22f064a9ed2c.exe File created C:\Windows\SysWOW64\Bccjfi32.dll 3b884198e0c13a00fe2c7474d87dc63f494d2cdbecb3a3da461a22f064a9ed2c.exe File created C:\Windows\SysWOW64\Lbjofi32.exe Llpfjomf.exe File opened for modification C:\Windows\SysWOW64\Lbjofi32.exe Llpfjomf.exe File created C:\Windows\SysWOW64\Ipafocdg.dll Llpfjomf.exe File created C:\Windows\SysWOW64\Llpfjomf.exe 3b884198e0c13a00fe2c7474d87dc63f494d2cdbecb3a3da461a22f064a9ed2c.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 2820 2968 WerFault.exe 31 -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3b884198e0c13a00fe2c7474d87dc63f494d2cdbecb3a3da461a22f064a9ed2c.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Llpfjomf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lbjofi32.exe -
Modifies registry class 9 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" 3b884198e0c13a00fe2c7474d87dc63f494d2cdbecb3a3da461a22f064a9ed2c.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipafocdg.dll" Llpfjomf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717} 3b884198e0c13a00fe2c7474d87dc63f494d2cdbecb3a3da461a22f064a9ed2c.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bccjfi32.dll" 3b884198e0c13a00fe2c7474d87dc63f494d2cdbecb3a3da461a22f064a9ed2c.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID 3b884198e0c13a00fe2c7474d87dc63f494d2cdbecb3a3da461a22f064a9ed2c.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Llpfjomf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Llpfjomf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 3b884198e0c13a00fe2c7474d87dc63f494d2cdbecb3a3da461a22f064a9ed2c.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node 3b884198e0c13a00fe2c7474d87dc63f494d2cdbecb3a3da461a22f064a9ed2c.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 1620 wrote to memory of 2692 1620 3b884198e0c13a00fe2c7474d87dc63f494d2cdbecb3a3da461a22f064a9ed2c.exe 30 PID 1620 wrote to memory of 2692 1620 3b884198e0c13a00fe2c7474d87dc63f494d2cdbecb3a3da461a22f064a9ed2c.exe 30 PID 1620 wrote to memory of 2692 1620 3b884198e0c13a00fe2c7474d87dc63f494d2cdbecb3a3da461a22f064a9ed2c.exe 30 PID 1620 wrote to memory of 2692 1620 3b884198e0c13a00fe2c7474d87dc63f494d2cdbecb3a3da461a22f064a9ed2c.exe 30 PID 2692 wrote to memory of 2968 2692 Llpfjomf.exe 31 PID 2692 wrote to memory of 2968 2692 Llpfjomf.exe 31 PID 2692 wrote to memory of 2968 2692 Llpfjomf.exe 31 PID 2692 wrote to memory of 2968 2692 Llpfjomf.exe 31 PID 2968 wrote to memory of 2820 2968 Lbjofi32.exe 32 PID 2968 wrote to memory of 2820 2968 Lbjofi32.exe 32 PID 2968 wrote to memory of 2820 2968 Lbjofi32.exe 32 PID 2968 wrote to memory of 2820 2968 Lbjofi32.exe 32
Processes
-
C:\Users\Admin\AppData\Local\Temp\3b884198e0c13a00fe2c7474d87dc63f494d2cdbecb3a3da461a22f064a9ed2c.exe"C:\Users\Admin\AppData\Local\Temp\3b884198e0c13a00fe2c7474d87dc63f494d2cdbecb3a3da461a22f064a9ed2c.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1620 -
C:\Windows\SysWOW64\Llpfjomf.exeC:\Windows\system32\Llpfjomf.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2692 -
C:\Windows\SysWOW64\Lbjofi32.exeC:\Windows\system32\Lbjofi32.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2968 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2968 -s 1404⤵
- Loads dropped DLL
- Program crash
PID:2820
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
96KB
MD5164d5e6eb1671ff3b8dca6306796aa44
SHA141cbd3b8af275eb944e540a7664c7a040efd03e3
SHA256b20ae5298e6b3217f7979de483e7fbae111d56462231244dd91c429a5a2a981a
SHA51252188370bc86e3b58a32fe4fcbddd5f57c13b789f3a4839c2b2e66fe22b0a763a52737b656a14eaaa6bfe0674fe992424acf2218d7e28bd6a3cd82bb72b95a2a
-
Filesize
96KB
MD5af38fc7db8acc590ce1dac164282a159
SHA1c88d1fed846598f1eb00ab82f6345cd83462a490
SHA2566188b641850b775690ba35cfe32fd0cc4aeac382b7359ae4ad483fe4c200594f
SHA5124da6d426296d631720144a9b6ca5df1fb901d99e1f0aa00edccd239354edd9128abe90d66f41adbbd792cebe04dd89b48dbea511d8128da44cb65e3ce77e3af7