berbew | 1439c7b5007990bee35796331e2acacb4ab72a21b4cf35717dbf621776de4610

General

Target

1439c7b5007990bee35796331e2acacb4ab72a21b4cf35717dbf621776de4610.exe
Size

64KB
MD5

c573bc69bad0eb830bf721c3a52ed8fa
SHA1

8aac6a1a2bab817fd95697a41f210c234b0f209e
SHA256

1439c7b5007990bee35796331e2acacb4ab72a21b4cf35717dbf621776de4610
SHA512

0de1ffe17c6aee0fb17ef38db0693a8d4256018f558d914759bb3af02f90d47fd0554ab187a456ba40a3779753e652f2d23f4b2bb159839c8b9853a78ec072db
SSDEEP

1536:dz4VRFQFX5zAPnouMH9t5S551TALQQwCaqn4BUXruCHcpzt/Idn:dz4VRFQ9i1TfyipFwn

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

C2

http://tat-neftbank.ru/kkq.php

http://tat-neftbank.ru/wcmd.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	1439c7b5007990bee35796331e2acacb4ab72a21b4cf35717dbf621776de4610.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	1439c7b5007990bee35796331e2acacb4ab72a21b4cf35717dbf621776de4610.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dknpmdfc.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 2 IoCs

pid	Process
3060	Dknpmdfc.exe
696	Dmllipeg.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Dknpmdfc.exe	1439c7b5007990bee35796331e2acacb4ab72a21b4cf35717dbf621776de4610.exe
File opened for modification	C:\Windows\SysWOW64\Dknpmdfc.exe	1439c7b5007990bee35796331e2acacb4ab72a21b4cf35717dbf621776de4610.exe
File created	C:\Windows\SysWOW64\Nokpao32.dll	1439c7b5007990bee35796331e2acacb4ab72a21b4cf35717dbf621776de4610.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dknpmdfc.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
860	696	WerFault.exe	83

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1439c7b5007990bee35796331e2acacb4ab72a21b4cf35717dbf621776de4610.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	1439c7b5007990bee35796331e2acacb4ab72a21b4cf35717dbf621776de4610.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	1439c7b5007990bee35796331e2acacb4ab72a21b4cf35717dbf621776de4610.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	1439c7b5007990bee35796331e2acacb4ab72a21b4cf35717dbf621776de4610.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	1439c7b5007990bee35796331e2acacb4ab72a21b4cf35717dbf621776de4610.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	1439c7b5007990bee35796331e2acacb4ab72a21b4cf35717dbf621776de4610.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokpao32.dll"	1439c7b5007990bee35796331e2acacb4ab72a21b4cf35717dbf621776de4610.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dknpmdfc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1288 wrote to memory of 3060	1288	1439c7b5007990bee35796331e2acacb4ab72a21b4cf35717dbf621776de4610.exe	82
PID 1288 wrote to memory of 3060	1288	1439c7b5007990bee35796331e2acacb4ab72a21b4cf35717dbf621776de4610.exe	82
PID 1288 wrote to memory of 3060	1288	1439c7b5007990bee35796331e2acacb4ab72a21b4cf35717dbf621776de4610.exe	82
PID 3060 wrote to memory of 696	3060	Dknpmdfc.exe	83
PID 3060 wrote to memory of 696	3060	Dknpmdfc.exe	83
PID 3060 wrote to memory of 696	3060	Dknpmdfc.exe	83

C:\Users\Admin\AppData\Local\Temp\1439c7b5007990bee35796331e2acacb4ab72a21b4cf35717dbf621776de4610.exe
"C:\Users\Admin\AppData\Local\Temp\1439c7b5007990bee35796331e2acacb4ab72a21b4cf35717dbf621776de4610.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1288
- C:\Windows\SysWOW64\Dknpmdfc.exe
  C:\Windows\system32\Dknpmdfc.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3060
- - C:\Windows\SysWOW64\Dmllipeg.exe
    C:\Windows\system32\Dmllipeg.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:696
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 696 -s 396
      4⤵
      Program crash
      PID:860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 696 -ip 696
1⤵
PID:4852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Dknpmdfc.exe

Filesize
64KB

MD5
0618d4c970387b2e73b15bc91865b7d6

SHA1
b4d36a6eb07904a329aceb263b654cbf54434fd7

SHA256
ff4393425a5c2828326d94b272e7da485f41ff0641f13449198b4c5cfc319968

SHA512
1136b6a667da372e715aaa9d7f51947c6b660d7cf7c32e2fbf7d606f1746cfdbaedd86b01a6ea386e70265290288d80b50f703cf719bc14512bb5ea038fe8e2a

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
64KB

MD5
15ddde5bba8ea234663fab5b595ecacc

SHA1
c8a1963ba1f7eff26a49debd23454a633f960cde

SHA256
8e0db6a6594b29e8f80a1f958209022c94838afaf9ce9060d3ca266e3dbf51c9

SHA512
7cf0dfe15e1542e531fdfef4f08ffccab2b2c6f5506438a1af6c03866447ba4a968c306f61ac648f2c9afcff79a60aa7f6231dbbbedee126d1369ffafa8d0f1d

Download Submit
memory/696-15-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/696-17-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1288-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1288-19-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3060-7-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3060-18-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads