Analysis
-
max time kernel
96s -
max time network
142s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
24-12-2024 20:19
General
-
Target
211cab45edbdeb3c4a35b0fbff9b227942c776f17ce1b9472a427ca660381b99.exe
-
Size
240KB
-
MD5
d46ab5fc672883d6913b06ccecdf265e
-
SHA1
3f84a6606782aab2dfa52be12d37ecd71a0290e6
-
SHA256
211cab45edbdeb3c4a35b0fbff9b227942c776f17ce1b9472a427ca660381b99
-
SHA512
8fb879670e47b18e600c181e009f243e9e5a1c7873de7730ba1522257b0ecfc1ea9a9b5e004fc725f77f817246e0e5a1e422c1dc6df00f69cc4bccb70e3723c3
-
SSDEEP
6144:gxWuNGyZ6YugQdjGG1wsKm6eBgdQbkoKTBEA:gxHGyXu1jGG1wsGeBgRTGA
Malware Config
Extracted
berbew
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 38 IoCs
-
Berbew
Berbew is a backdoor written in C++.
-
Berbew family
-
Executes dropped EXE 19 IoCs
-
Drops file in System32 directory 57 IoCs
-
Program crash 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 20 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies registry class 60 IoCs
-
Suspicious use of WriteProcessMemory 57 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\211cab45edbdeb3c4a35b0fbff9b227942c776f17ce1b9472a427ca660381b99.exe"C:\Users\Admin\AppData\Local\Temp\211cab45edbdeb3c4a35b0fbff9b227942c776f17ce1b9472a427ca660381b99.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Cajlhqjp.exeC:\Windows\system32\Cajlhqjp.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Cffdpghg.exeC:\Windows\system32\Cffdpghg.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Cmqmma32.exeC:\Windows\system32\Cmqmma32.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Ddjejl32.exeC:\Windows\system32\Ddjejl32.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Dfiafg32.exeC:\Windows\system32\Dfiafg32.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Dmcibama.exeC:\Windows\system32\Dmcibama.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Ddmaok32.exeC:\Windows\system32\Ddmaok32.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Dfknkg32.exeC:\Windows\system32\Dfknkg32.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Dmefhako.exeC:\Windows\system32\Dmefhako.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Ddonekbl.exeC:\Windows\system32\Ddonekbl.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Dfnjafap.exeC:\Windows\system32\Dfnjafap.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Dodbbdbb.exeC:\Windows\system32\Dodbbdbb.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Deokon32.exeC:\Windows\system32\Deokon32.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Dkkcge32.exeC:\Windows\system32\Dkkcge32.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Dogogcpo.exeC:\Windows\system32\Dogogcpo.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Daekdooc.exeC:\Windows\system32\Daekdooc.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Dddhpjof.exeC:\Windows\system32\Dddhpjof.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Dgbdlf32.exeC:\Windows\system32\Dgbdlf32.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Dmllipeg.exeC:\Windows\system32\Dmllipeg.exe20⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4696 -s 42021⤵
- Program crash
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4696 -ip 46961⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
240KB
MD5ed4020ee949b8d371f61f2613445aa01
SHA1751e4ca1191eccdf335326a9a8d57c2ba55fe3eb
SHA2567ad3076e9277441bd6876be455fffd1837ff3ab44c343865579da84aacbec4f6
SHA51253fb5c3b52f254cef703d21d5b261b54f01f062a828d750a91e1b307822e10b22f6af1cea53e5bfe47a44e01e28704df97e35eb53de7b328162d9e9c4d272286
-
Filesize
240KB
MD5a86ca40eb8241608cae83c97ff47f6b9
SHA1d76f5d8eb762579d8d244f48ee5c09233dc61879
SHA25621010fa30064eb5f3c9d83f11dba14b6663ba19e1a61d1c4093785130241a3c4
SHA5124febc86ea998f4a88944cb0e9e9f9dd1c74af0f024a24de97ce973058287c044d287f3c775b8006dce083226b32b4e2f24cd467fa5a3fc4a483f39e38d111675
-
Filesize
240KB
MD5524932cda944c1a9cbbbee6aa5927a83
SHA1c364dcb14dc6c049d1239f976e4f99cc7bd41403
SHA2569c10f965f8611a00d1c78fba761aa420f57f143511f9dcfce871243912a2b792
SHA5123278f33ab43d26a7581073dfdddcf42bfa855f15b0c86032247912649a8dfde4615fba7c5b62662aad02fda9b7aae5b8de95366ffbdfa819884c7e2ed25f756f
-
Filesize
240KB
MD5d123e0325b3bb7a3b182ba0c691f5bd0
SHA1ae989dfecdbcfbf88bb5ca0ddbe54765c4a8f160
SHA2568f74713ad44edc0f92ee1dde2e0232a8edd843792fe89758138fde1a765fb4ce
SHA5120bb28f15f1a1cb89cfb9fa51ca11fdd1c31672601857ce1a5512f6910357de06db20607f984bddb583f0f02e8896b39f465c440bdd9542032b58ef1ff30289f6
-
Filesize
240KB
MD5a82a8b528f35f403946d33ce261c262a
SHA1af0d647945b634731a235fdcde1a9b6f5c17e436
SHA256ba58ade3a3fb56be15d91b691ed28117308141618c0bbe82d3ced50d665566fb
SHA51213a93727e31b134a473edac5eba6817e00f7467b5d16df101df1ed620dfd747f74f932d6720fc9cd4c4a2c601bad28b15759e14e0ebc42968218a7aab78c58d9
-
Filesize
240KB
MD531a08457352cc4f4c5a4557d2da6c9f3
SHA1d5bc08feea944700ff85517147b8f8b68f42df07
SHA256d4fe17eb3f5fde2b899bb078ed80b071810ad1125cefc85520938ade4af248c0
SHA5120c3467bec1b6ac4384cfc2f00e5601faf3351afe72e0f9678b9e5eadf9919f2548532becd2614f42ac7f5b2c60789e67246b4961c975067029d22df68ce33b72
-
Filesize
240KB
MD5a662f420397bcc33896a8ac5d35b78a2
SHA133d6cd2f530128436397178983b1cb0d13d77868
SHA256ce4f6936623f554f2e15a12511787eb0146731278ed5939724cf2c91ddbd22eb
SHA51286b6b05fedbf407a13dee030214c02218440ad5886b83e42b59d31529aaf40d6a353d51ed07b2f300a77f745a5524363b60e8504b34e7413158c3ccbcc59ffe7
-
Filesize
240KB
MD50c587dbcff3f797edab23470fb70d3dc
SHA1ab050dc58f479aae16d7cdb0663cd683ef8f7084
SHA2560cf5ce9a8f4e4fd3d39d86e24330674ffc3303143fea8a0786e4a7be03d7599a
SHA512201179cbd3a6378c0e01f15e41118adfa3eeff6605f2713031b6ffaf192e6866292c8f5f96310217bdd6d0833ee87e43c7611b5e62c34ef6d4ae2d730c6f55f6
-
Filesize
240KB
MD53c224968cc1b5e0c263d06970b9d8e55
SHA17df0387792e434ae09e016fb9b4393b743b38015
SHA256b5ae75eaa3fdd9b922800c28cae80e95f5ed99e34e26a3dadac1a8cf1d0a1090
SHA5128e3ff0debe742c9fe788637ec4c0f7b029dee3c3eb1757b072fedf4787843e5921f89a0842f1d1e77488716df75d599ace62961381869cbe659174681a7a5075
-
Filesize
240KB
MD5d851266203b6135f86a2ef48631fbc1c
SHA1d5f2e4c462e8172bc530274c0c70994f59b1cc06
SHA25627060991b24ec4b8043f49ee04162c6f905392306c8067ad380a084487a38fce
SHA51219d6f6b5a22e8a67c7ab99153b1ee1d75077ec1f3b10ea6d9c8ef28098d03fc9cc9cf988b77c75f3a5a41438aa24c618812377c15307db216be1b3c5c3ddac77
-
Filesize
240KB
MD57ab0fbdca65a226e8f556b6c2128b3e5
SHA132f9a53cced1a0544fb7e73c343b551008bce23a
SHA256c1b6c995307614769f9149a866ffeba045345b54a997835c67de5deefd56ae94
SHA512ac70563c56effa772791aa40d786a7573c5df35b889e9343c6120b5d3872f7b049a1f1fa803453eb5a8ab385f6114ae65096874e50035f7cfa3f3de66c7b8858
-
Filesize
240KB
MD563933f971ac1cc68c2f0ef4020e84850
SHA1e47ec1a984e6427f26cc1b4dcedf6134358c4ac9
SHA25688d0b81653ecac45ea30bcf96a79e527231d417108d70e4a94070e76bfb0771c
SHA512f7a337f82d8916335f8a420faa3fd2fe4eddaaf4cffd38614c43cc7fc1c986c77aad0105420e0c4a0ae31e0df4edb1cde44408f4c42f0d31d9aa82453e19e44b
-
Filesize
240KB
MD5609a2233dd041c485fb0779e48f9bdbf
SHA10e9cd8bd5bb6b4f0f114f2fdf1e59ca67222e026
SHA256f66d60de12a42e52383d19ffc2acf4bc0ce582570c8b5ac9e9deb03c26bae31b
SHA512105ba1a7be54eb773d515749c19d404878818d562526f4507a04065d6283a4076832c0a743173e67dec9ec7d709a09f45c545933923493002f795ee6b9feb0b3
-
Filesize
240KB
MD59759d2c9b152311918d97a69bcc0174e
SHA14bfb233054f53ec0f039839d237ac8a4305ab0c4
SHA256b31f55c176836a16ee334987d18491eba6a69dfbd53c5674efa79d5fae8f9262
SHA512770aa5be360c6f057739ba722e42c8598f00b13df6c667b11f6e5cbd8b989840c3b772bebed7289aae03528d1dcbc29bce30e97ffe892b61d1885556048b85d1
-
Filesize
240KB
MD58497de0fec90680abcc57919501b8d33
SHA10612e59e4767eae4fa23884cc13c14fbdb051669
SHA25674b7d8290bc5f63da1ba0bae40a80dbf400ccd61921a5f67bfb1771983e3f5d9
SHA512a8f5968067e1b137e4f58acac3a50a9baf6ae5757bfa133e38fb9cce3f4bc4693ac2ad6a02b93581a4227ae55501c1c795bbf2393f6936a9bb94835d8231b9b2
-
Filesize
240KB
MD569e4f2ab8be1504f57d884d4f2be5dd3
SHA1df89533c5d4147c957e63d48d1719244dcbda343
SHA256f21b89b7da20cfab78a2b8327bedd386c49715d391940c44338aeb25192cbf63
SHA512484c11b9f110da9f7b89af1f0965d22bd580342b6745f1e137a045fa56923bf4a0315e79834c49924f39f140d099701eccf82e1b033459fd770da6a6c3687ff0
-
Filesize
240KB
MD584f829ecaa62fd249d5136b23388dd58
SHA159036b44a135649aaf936ec36a085e0b9f100a63
SHA256e4f8156eb8f9a429527cf6a990dae1a8feb53a50b8d759b875de9c0b4d650224
SHA512b2c2e63cade30faa159050bbd7698e5895cf1cfb74a360043e7eba73cc2d6840d22efeaf752501e271f5a6668582d34b474d9b147848d0dd7d3d2cdca30ae813
-
Filesize
240KB
MD5b8a536725e61f30cc420ef1f736989ef
SHA1e543fff9e70a17ecc4694c0874cf868f7268a41e
SHA25669c4ec9a49e07d47a368610e9abb4ba0e2729cb6d36b1724ae775c341d24b43e
SHA512da47a78a6b9b08aa6a71a938cac66dc4f04ee84c5dcd63f6974b1367dea908280695aa694954ea1e152df4a9707c0f0a03cc1c1b3961ba736a737cbe82e78c51
-
Filesize
240KB
MD5e712066655f6f7094feaf3d37725b28a
SHA144ce6915ab398ffd411dcad9e16e72b588e90e3b
SHA256ab20b54da5cc073821a9bc03753bc1686aa711be88de077a47057ab5f0fe105e
SHA512553eefc92471ea203c5ed60bc204620e1f192bfe7dbea5bcaef3c208778e97536c7defcdc9031c0ef0abddd897b9c3750dbaf8c541b3410462b5c95577a71826
-
Filesize
240KB
MD5f5e07b00b641ead71fbe3022bb875b15
SHA1faa87bd0b011d6620ec9fd62031ace5c4fcaaa08
SHA256e678d9ac5bf2c2c1153ee667a92aa4b62946850ee44b4a38c4fd3fadcad364f4
SHA5121794e048bcb9000e926672dc662ba90f13bdfa77ce1d5147184413a93824b20bf76d9438bec01bedc78244f26c6246f59286418ca1b6c82072d39ce02d545e73
-
Filesize
240KB
MD5beef11723f632a075edc6ad3d40b7dea
SHA1869f35aa006f031f7dc9c36c235aa264c847a11c
SHA25652710eb56212578bc1b13135d92138a965cb9ffe0be4d77a458f15f17335a74b
SHA512dfa1cf735581d93f853c3dc5b27fea7c37d61b9fb889ea4c46aafb6cacc04355da84dd20e2af20ef3141e358e8f4d4878f25e4d8eaee1ec5502beb24e8f4ca16
-
Filesize
7KB
MD58b48fb17ffca4a2ba8293213fce07d48
SHA1dab8c9fa9f6371fd267e02f6d7a9564e5f7a8536
SHA256f5cc2cb90ed5fa2f0692adbb29c3b13fa2a06f46ee8eb5ffb95737f3bcb015a8
SHA512cc3525b0341fab55a12142ce23510d0d69c93a367b3929d53dcbf1411efcc6ff5c42fa18837adc4363babb68fb0d54ad27ecaedb4f9c4c20835739304ed3f309
-
Filesize
208KB
-
Filesize
208KB
-
Filesize
208KB
-
Filesize
208KB
-
Filesize
208KB
-
Filesize
208KB
-
Filesize
208KB
-
Filesize
208KB
-
Filesize
208KB
-
Filesize
208KB
-
Filesize
208KB
-
Filesize
208KB
-
Filesize
208KB
-
Filesize
208KB
-
Filesize
208KB
-
Filesize
208KB
-
Filesize
208KB
-
Filesize
208KB
-
Filesize
208KB
-
Filesize
208KB
-
Filesize
208KB
-
Filesize
208KB
-
Filesize
208KB
-
Filesize
208KB
-
Filesize
208KB
-
Filesize
208KB
-
Filesize
208KB
-
Filesize
208KB
-
Filesize
208KB
-
Filesize
208KB
-
Filesize
208KB
-
Filesize
208KB
-
Filesize
208KB
-
Filesize
208KB
-
Filesize
208KB
-
Filesize
208KB
-
Filesize
208KB
-
Filesize
208KB
-
Filesize
208KB
-
Filesize
208KB