Analysis

  • max time kernel
    94s
  • max time network
    16s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
  • submitted
    24/12/2024, 21:31

General

  • Target

    3f90d20b1226a6289f6fe7c022fa6968a5b053b4a89223a0cfde79b81d009aa9.exe

  • Size

    90KB

  • MD5

    ea2f0bab000cc4cc8e6ab767e7a82304

  • SHA1

    f33c39cb5389b28d2d990735319ed154bd42b698

  • SHA256

    3f90d20b1226a6289f6fe7c022fa6968a5b053b4a89223a0cfde79b81d009aa9

  • SHA512

    24fa1cb22e2fc981bd4305274d71e6cc15a9efbba49d853cd4ca79d6fa76291d5864c6458207f3b7ab26c5d01fed0dd89e6dc315ebf4094f00f6ec6122843832

  • SSDEEP

    1536:beCgdjTg0iDjC0WiQ3/3FW0oVzG0u/Ub0VkVN6:bbgJIjILvs0CG0u/Ub0+N6

Malware Config

Extracted

Family

berbew

C2

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

  • Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 6 IoCs)
  • Berbew

    Berbew is a backdoor written in C++.

  • Berbew family
  • Executes dropped EXE (3 IoCs)
  • Loads dropped DLL (10 IoCs)
  • Drops file in System32 directory (9 IoCs)
  • Program crash (1 IoC)
  • System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class (12 IoCs)
  • Suspicious use of WriteProcessMemory (16 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\3f90d20b1226a6289f6fe7c022fa6968a5b053b4a89223a0cfde79b81d009aa9.exe
    "C:\Users\Admin\AppData\Local\Temp\3f90d20b1226a6289f6fe7c022fa6968a5b053b4a89223a0cfde79b81d009aa9.exe"
    1⤵
    • Adds autorun key to be loaded by Explorer.exe on startup
    • Loads dropped DLL
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1760
    • C:\Windows\SysWOW64\Fpgnoo32.exe
      C:\Windows\system32\Fpgnoo32.exe
      2⤵
      • Adds autorun key to be loaded by Explorer.exe on startup
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:2380
      • C:\Windows\SysWOW64\Fedfgejh.exe
        C:\Windows\system32\Fedfgejh.exe
        3⤵
        • Adds autorun key to be loaded by Explorer.exe on startup
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:2504
        • C:\Windows\SysWOW64\Flnndp32.exe
          C:\Windows\system32\Flnndp32.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2748
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 2748 -s 140
            5⤵
            • Loads dropped DLL
            • Program crash
            PID:2044

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\SysWOW64\Fpgnoo32.exe

    Filesize

    90KB

    MD5

    a8a307f72b0590f6eedb130e1b916fe6

    SHA1

    19e9aa9ba4d213e3fa25acffab9b570ff8fe73df

    SHA256

    819714c4108e78e131d9fe2402a5352f712f2d26430f8e407e9b39f9a5714908

    SHA512

    1a285b694fa73611ea4c0ab197dc3f558f4e5814de8775b1b77309a20485415cc0840a60ef876a5df582a34232bb306b25ff1fcddd18982de6d8ec1ed0981d05

  • \Windows\SysWOW64\Fedfgejh.exe

    Filesize

    90KB

    MD5

    ea6634ea0a68e39cd215eb45aab407e1

    SHA1

    caef5d8567b208de054bf2220fa7eddc40d8603e

    SHA256

    34b30d8721eea9c6c6438d53f13960b5f1cf89837e2dc0afbd123d99224e3769

    SHA512

    b167ca35420fc75d2de6f22695244cf70f9e1b2183668c5e0068759b7308695318e7bf14c971e1f5412e9383393e5d3e771b35b48a65fcd5a1bfc915c6a71bc9

  • \Windows\SysWOW64\Flnndp32.exe

    Filesize

    90KB

    MD5

    71725a2299179bb59a18ed3525bf4b08

    SHA1

    8e8be64c58ab65f9426312c1906b955b41da3cdd

    SHA256

    a977f6dbe074201dbaca0512b992f63600bf6cc98728d95c732eab4884637c77

    SHA512

    503855c8a87258b3f906e08018d02425f70f909cb7f0298e19f7eef09034fbad016bd755b04188a0aff1f0f75f717e09c03cd03e0bc9f554a0a1593bc6b0596e

  • memory/1760-0-0x0000000000400000-0x000000000043D000-memory.dmp

    Filesize

    244KB

  • memory/1760-12-0x0000000000280000-0x00000000002BD000-memory.dmp

    Filesize

    244KB

  • memory/1760-46-0x0000000000400000-0x000000000043D000-memory.dmp

    Filesize

    244KB

  • memory/2380-13-0x0000000000400000-0x000000000043D000-memory.dmp

    Filesize

    244KB

  • memory/2380-31-0x0000000000260000-0x000000000029D000-memory.dmp

    Filesize

    244KB

  • memory/2380-45-0x0000000000400000-0x000000000043D000-memory.dmp

    Filesize

    244KB

  • memory/2504-32-0x0000000000400000-0x000000000043D000-memory.dmp

    Filesize

    244KB

  • memory/2748-40-0x0000000000400000-0x000000000043D000-memory.dmp

    Filesize

    244KB

  • memory/2748-47-0x0000000000400000-0x000000000043D000-memory.dmp

    Filesize

    244KB