Analysis

  • max time kernel
    94s
  • max time network
    140s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64
    arch:x86
    image:win10v2004-20241007-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    25/12/2024, 00:20

General

  • Target

    8ae7fe07285d43c2d4d973f6ad98ac7b4eb49cc708a0618bec3be3d0567621b9.exe

  • Size

    88KB

  • MD5

    3c6faeb5eff8e0f84ab3cc4560ad6c3d

  • SHA1

    63ade206a14f574b8f3fdddc86480dc676ac0a0d

  • SHA256

    8ae7fe07285d43c2d4d973f6ad98ac7b4eb49cc708a0618bec3be3d0567621b9

  • SHA512

    1b6521aec56c995d38983f030e8bc77795c2d6fd115592ed7ecda97fbf966b7086d05f851e2004d337f8663a7dadc84f11d4f7906c9d5d6e93f755446e1c3308

  • SSDEEP

    1536:fAhAxpMpiXXbABLJIB99XSZS6muXZ9DwFL8QOVXtE1ukVd71rFZO7+90vT:YhLpiXXbAB43OZWLi9EIIJ15ZO7Vr

Malware Config

Extracted

Family

berbew

C2

http://tat-neftbank.ru/kkq.php

http://tat-neftbank.ru/wcmd.htm

Signatures

  • Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 4 IoCs
  • Berbew

    Berbew is a backdoor written in C++.

  • Berbew family
  • Executes dropped EXE 2 IoCs
  • Drops file in System32 directory 6 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 9 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8ae7fe07285d43c2d4d973f6ad98ac7b4eb49cc708a0618bec3be3d0567621b9.exe
    "C:\Users\Admin\AppData\Local\Temp\8ae7fe07285d43c2d4d973f6ad98ac7b4eb49cc708a0618bec3be3d0567621b9.exe"
    1⤵
    • Adds autorun key to be loaded by Explorer.exe on startup
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:856
    • C:\Windows\SysWOW64\Dknpmdfc.exe
      C:\Windows\system32\Dknpmdfc.exe
      2⤵
      • Adds autorun key to be loaded by Explorer.exe on startup
      • Executes dropped EXE
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:4080
      • C:\Windows\SysWOW64\Dmllipeg.exe
        C:\Windows\system32\Dmllipeg.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:4068
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4068 -s 396
          4⤵
          • Program crash
          PID:3512
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4068 -ip 4068
    1⤵
    PID:2028

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Windows\SysWOW64\Dknpmdfc.exe

      Filesize

      88KB

      MD5

      2f28fb0d8717f18c565916b1f97c818d

      SHA1

      b64576228e72d3a6571404ca3c3d422d04638bf4

      SHA256

      3f22ac66267421f5ca9317f4aa33d219685263db44a4e3fab5467f309d29416c

      SHA512

      c6a849d2284ddae821d5c2df384b01841c4c4183eb9f757a8214e62945844fe3d836f333298f249553016dda216135e1ecace08ab8eab3aae9671b5e52e4e9de

    • C:\Windows\SysWOW64\Dmllipeg.exe

      Filesize

      88KB

      MD5

      18b7cfd6cea4a9a00a574ca668a3b785

      SHA1

      3caa7d2b5f23062f71f1102f6040ab190a9a1d63

      SHA256

      508e5af9227f4718d717c21975003f1f1950a82d15fd95fc9239ab7d38b1ad21

      SHA512

      fac4621e15faf34e994f0b3c94dbff6e25a102bc7aa94a830c5707ee20fca7307e93c9b1bcdb1d73d8ab94b10b29e8ea78b073c325bdc6adfefd615ad3239f2d

    • memory/856-0-0x0000000000400000-0x0000000000440000-memory.dmp

      Filesize

      256KB

    • memory/856-19-0x0000000000400000-0x0000000000440000-memory.dmp

      Filesize

      256KB

    • memory/4068-15-0x0000000000400000-0x0000000000440000-memory.dmp

      Filesize

      256KB

    • memory/4068-17-0x0000000000400000-0x0000000000440000-memory.dmp

      Filesize

      256KB

    • memory/4080-8-0x0000000000400000-0x0000000000440000-memory.dmp

      Filesize

      256KB

    • memory/4080-18-0x0000000000400000-0x0000000000440000-memory.dmp

      Filesize

      256KB
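The report gives three things a responder can hunt with: the hashes of the sample and its two dropped files, the C2 URLs from the extracted config, and the drop-and-execute chain (an .exe in %TEMP% spawning Dknpmdfc.exe in SysWOW64, which spawns Dmllipeg.exe, which crashes into WerFault). The script below is an added example for this report, not tria.ge tooling or Berbew code: it hash-matches files against the report's digests, checks URLs against the C2 host, and flags the Temp-to-system-directory execution chain over process-creation events. The event records, the parent PIDs 3300 and 712, and the explorer.exe/notepad.exe entries are constructed for the demonstration; only the hashes, paths, PIDs 856/4080/4068/3512/2028 and the C2 host come from the report.

```python
"""Hunt for the Berbew artifacts in the tria.ge report above (example code, not tria.ge's)."""
import hashlib
import os
from pathlib import PureWindowsPath
from urllib.parse import urlsplit

# Digests copied from the report: the submitted sample and the two dropped files.
KNOWN_BAD = {
    "sha256": {
        "8ae7fe07285d43c2d4d973f6ad98ac7b4eb49cc708a0618bec3be3d0567621b9": "submitted sample",
        "3f22ac66267421f5ca9317f4aa33d219685263db44a4e3fab5467f309d29416c": "dropped Dknpmdfc.exe",
        "508e5af9227f4718d717c21975003f1f1950a82d15fd95fc9239ab7d38b1ad21": "dropped Dmllipeg.exe",
    },
    "md5": {
        "3c6faeb5eff8e0f84ab3cc4560ad6c3d": "submitted sample",
        "2f28fb0d8717f18c565916b1f97c818d": "dropped Dknpmdfc.exe",
        "18b7cfd6cea4a9a00a574ca668a3b785": "dropped Dmllipeg.exe",
    },
}
# Host from the extracted config (both C2 URLs share it).
KNOWN_C2_HOSTS = {"tat-neftbank.ru"}


def hash_file(path, chunk=1 << 20):
    """Return {'md5', 'sha1', 'sha256'} hex digests for one file, read once in chunks."""
    digests = {name: hashlib.new(name) for name in ("md5", "sha1", "sha256")}
    with open(path, "rb") as fh:
        while True:
            buf = fh.read(chunk)
            if not buf:
                break
            for d in digests.values():
                d.update(buf)
    return {name: d.hexdigest() for name, d in digests.items()}


def classify(digests):
    """Label a file from its digests, or None. SHA-256 first; MD5 only as a fallback for old feeds."""
    for algo in ("sha256", "md5"):
        label = KNOWN_BAD[algo].get(digests.get(algo, "").lower())
        if label:
            return label
    return None


def scan_tree(root):
    """Yield (path, label) for every file under root whose hash appears in the report."""
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                label = classify(hash_file(path))
            except OSError:
                continue  # unreadable or vanished; keep scanning
            if label:
                yield path, label


def match_c2(url):
    """True if a proxy/DNS log URL points at the C2 host from the extracted config."""
    host = (urlsplit(url).hostname or "").lower()
    return host in KNOWN_C2_HOSTS


# Process-chain detection: a system-directory executable whose parent ran from a
# user-writable path (or was itself flagged) mirrors the chain in the Processes section.
SYSTEM_DIRS = ("c:\\windows\\syswow64", "c:\\windows\\system32")
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\", "\\downloads\\", "\\users\\public\\")
ALLOWLIST = {"werfault.exe"}  # Windows' crash handler (PIDs 3512 and 2028 above) is not the dropper


def find_drop_chains(events):
    """Events are dicts {pid, ppid, image} in creation order; return the flagged events."""
    by_pid = {e["pid"]: e for e in events}
    flagged = {}
    for e in events:
        p = PureWindowsPath(e["image"])
        if p.name.lower() in ALLOWLIST or str(p.parent).lower() not in SYSTEM_DIRS:
            continue
        parent = by_pid.get(e["ppid"])
        parent_suspicious = parent is not None and (
            parent["pid"] in flagged
            or any(marker in parent["image"].lower() for marker in USER_WRITABLE)
        )
        if parent_suspicious:
            flagged[e["pid"]] = {**e, "reason": f"spawned by {parent['image']}"}
    return list(flagged.values())


# Constructed event stream mirroring the report's process tree plus two benign entries.
SAMPLE_EVENTS = [
    {"pid": 3300, "ppid": 700, "image": r"C:\Windows\explorer.exe"},  # constructed
    {"pid": 856, "ppid": 3300, "image": r"C:\Users\Admin\AppData\Local\Temp\8ae7fe07285d43c2d4d973f6ad98ac7b4eb49cc708a0618bec3be3d0567621b9.exe"},
    {"pid": 4080, "ppid": 856, "image": r"C:\Windows\SysWOW64\Dknpmdfc.exe"},
    {"pid": 4068, "ppid": 4080, "image": r"C:\Windows\SysWOW64\Dmllipeg.exe"},
    {"pid": 3512, "ppid": 4068, "image": r"C:\Windows\SysWOW64\WerFault.exe"},
    {"pid": 2028, "ppid": 712, "image": r"C:\Windows\SysWOW64\WerFault.exe"},  # ppid constructed
    {"pid": 5100, "ppid": 3300, "image": r"C:\Windows\System32\notepad.exe"},  # constructed, benign
]

if __name__ == "__main__":
    import sys
    for hit in find_drop_chains(SAMPLE_EVENTS):
        print(f"suspicious pid {hit['pid']}: {hit['image']} ({hit['reason']})")
    for path, label in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{path}: {label}")
```

Run it with a directory argument to hash-scan that tree (C:\Windows\SysWOW64 on a suspect host, or a mounted image). The chain detector deliberately keys on parent location rather than on the file names Dknpmdfc.exe and Dmllipeg.exe, since those look generated and will differ between infections, while the Temp-to-SysWOW64 drop pattern is the stable part of the report.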