berbew | 3f1e56926b67b98a5a76d67635986f56349067202a5559cfaf6f91ad30d99f00

General

Target

3f1e56926b67b98a5a76d67635986f56349067202a5559cfaf6f91ad30d99f00.exe
Size

96KB
MD5

f49246913336342c7600e974f7a7527d
SHA1

79ae9062f628b9f36edeb2e18a48b37871d23e0e
SHA256

3f1e56926b67b98a5a76d67635986f56349067202a5559cfaf6f91ad30d99f00
SHA512

f7217cd291a5af721c96f885870f759af07e41403d7aade2e85df14078d289e542ad50769d6743f3645c32a0a6c82f9146ab7f05036de94ea9e08bdcb2e1b54c
SSDEEP

1536:s0dOQK8drd+lMtdhfGFE6DOM1/So853EatOy/BOmg1CMy0QiLiizHNQNdq:S6rdbhfwDfQo85vt95Omg1CMyELiAHOi

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	3f1e56926b67b98a5a76d67635986f56349067202a5559cfaf6f91ad30d99f00.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	3f1e56926b67b98a5a76d67635986f56349067202a5559cfaf6f91ad30d99f00.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 1 IoCs

pid	Process
2808	Nlhgoqhh.exe

Loads dropped DLL 6 IoCs

pid	Process
2996	3f1e56926b67b98a5a76d67635986f56349067202a5559cfaf6f91ad30d99f00.exe
2996	3f1e56926b67b98a5a76d67635986f56349067202a5559cfaf6f91ad30d99f00.exe
2936	WerFault.exe
2936	WerFault.exe
2936	WerFault.exe
2936	WerFault.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Nlhgoqhh.exe	3f1e56926b67b98a5a76d67635986f56349067202a5559cfaf6f91ad30d99f00.exe
File opened for modification	C:\Windows\SysWOW64\Nlhgoqhh.exe	3f1e56926b67b98a5a76d67635986f56349067202a5559cfaf6f91ad30d99f00.exe
File created	C:\Windows\SysWOW64\Lamajm32.dll	3f1e56926b67b98a5a76d67635986f56349067202a5559cfaf6f91ad30d99f00.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2936	2808	WerFault.exe	30

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3f1e56926b67b98a5a76d67635986f56349067202a5559cfaf6f91ad30d99f00.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlhgoqhh.exe

Modifies registry class 6 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	3f1e56926b67b98a5a76d67635986f56349067202a5559cfaf6f91ad30d99f00.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	3f1e56926b67b98a5a76d67635986f56349067202a5559cfaf6f91ad30d99f00.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	3f1e56926b67b98a5a76d67635986f56349067202a5559cfaf6f91ad30d99f00.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	3f1e56926b67b98a5a76d67635986f56349067202a5559cfaf6f91ad30d99f00.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	3f1e56926b67b98a5a76d67635986f56349067202a5559cfaf6f91ad30d99f00.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lamajm32.dll"	3f1e56926b67b98a5a76d67635986f56349067202a5559cfaf6f91ad30d99f00.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2996 wrote to memory of 2808	2996	3f1e56926b67b98a5a76d67635986f56349067202a5559cfaf6f91ad30d99f00.exe	30
PID 2996 wrote to memory of 2808	2996	3f1e56926b67b98a5a76d67635986f56349067202a5559cfaf6f91ad30d99f00.exe	30
PID 2996 wrote to memory of 2808	2996	3f1e56926b67b98a5a76d67635986f56349067202a5559cfaf6f91ad30d99f00.exe	30
PID 2996 wrote to memory of 2808	2996	3f1e56926b67b98a5a76d67635986f56349067202a5559cfaf6f91ad30d99f00.exe	30
PID 2808 wrote to memory of 2936	2808	Nlhgoqhh.exe	31
PID 2808 wrote to memory of 2936	2808	Nlhgoqhh.exe	31
PID 2808 wrote to memory of 2936	2808	Nlhgoqhh.exe	31
PID 2808 wrote to memory of 2936	2808	Nlhgoqhh.exe	31

C:\Users\Admin\AppData\Local\Temp\3f1e56926b67b98a5a76d67635986f56349067202a5559cfaf6f91ad30d99f00.exe
"C:\Users\Admin\AppData\Local\Temp\3f1e56926b67b98a5a76d67635986f56349067202a5559cfaf6f91ad30d99f00.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2996
- C:\Windows\SysWOW64\Nlhgoqhh.exe
  C:\Windows\system32\Nlhgoqhh.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2808
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2808 -s 140
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\Nlhgoqhh.exe

Filesize
96KB

MD5
5a557720c889ae02570468cae7868d42

SHA1
835cbee094c2f2331eb1b93a7bb8365e547056f0

SHA256
ae07a0678f92ced68be493ac4572a2257b9d306a7826bfdc33519c884bef2994

SHA512
40c6b1da2c11385dc140b96a8af47541379b179f85df919ab9c2b68e2f8d2b39c7cfe2daec52a3002f6310b57e6b6d1c22796c8a5fe0916b50a0f606bc652eaa

Download Submit
memory/2808-14-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2996-0-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2996-12-0x0000000000260000-0x000000000029F000-memory.dmp

Filesize
252KB

Download
memory/2996-11-0x0000000000260000-0x000000000029F000-memory.dmp

Filesize
252KB

Download
memory/2996-19-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads