Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 94s
max time network: 140s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25/12/2024, 00:20
Static task: static1
Behavioral task: behavioral1
  Sample: 8ae7fe07285d43c2d4d973f6ad98ac7b4eb49cc708a0618bec3be3d0567621b9.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 8ae7fe07285d43c2d4d973f6ad98ac7b4eb49cc708a0618bec3be3d0567621b9.exe
  Resource: win10v2004-20241007-en
The signatures and process tree on this page come from the windows10-2004_x64 run (behavioral2). The sample is a 32-bit executable running under WOW64 on a 64-bit host, which is why its HKLM\SOFTWARE writes below appear under WOW6432Node.
General
Target: 8ae7fe07285d43c2d4d973f6ad98ac7b4eb49cc708a0618bec3be3d0567621b9.exe
Size: 88KB
MD5: 3c6faeb5eff8e0f84ab3cc4560ad6c3d
SHA1: 63ade206a14f574b8f3fdddc86480dc676ac0a0d
SHA256: 8ae7fe07285d43c2d4d973f6ad98ac7b4eb49cc708a0618bec3be3d0567621b9
SHA512: 1b6521aec56c995d38983f030e8bc77795c2d6fd115592ed7ecda97fbf966b7086d05f851e2004d337f8663a7dadc84f11d4f7906c9d5d6e93f755446e1c3308
SSDEEP: 1536:fAhAxpMpiXXbABLJIB99XSZS6muXZ9DwFL8QOVXtE1ukVd71rFZO7+90vT:YhLpiXXbAB43OZWLi9EIIJ15ZO7Vr
Malware Config
Extracted family: berbew
URLs:
  http://tat-neftbank.ru/kkq.php
  http://tat-neftbank.ru/wcmd.htm
Signatures

Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 4 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dknpmdfc.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | 8ae7fe07285d43c2d4d973f6ad98ac7b4eb49cc708a0618bec3be3d0567621b9.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | 8ae7fe07285d43c2d4d973f6ad98ac7b4eb49cc708a0618bec3be3d0567621b9.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dknpmdfc.exe
Berbew family
Executes dropped EXE (2 IoCs)
pid | Process
4080 | Dknpmdfc.exe
4068 | Dmllipeg.exe
Drops file in System32 directory (6 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\Kngpec32.dll | Dknpmdfc.exe
File created | C:\Windows\SysWOW64\Dknpmdfc.exe | 8ae7fe07285d43c2d4d973f6ad98ac7b4eb49cc708a0618bec3be3d0567621b9.exe
File opened for modification | C:\Windows\SysWOW64\Dknpmdfc.exe | 8ae7fe07285d43c2d4d973f6ad98ac7b4eb49cc708a0618bec3be3d0567621b9.exe
File created | C:\Windows\SysWOW64\Nokpao32.dll | 8ae7fe07285d43c2d4d973f6ad98ac7b4eb49cc708a0618bec3be3d0567621b9.exe
File created | C:\Windows\SysWOW64\Dmllipeg.exe | Dknpmdfc.exe
File opened for modification | C:\Windows\SysWOW64\Dmllipeg.exe | Dknpmdfc.exe
Program crash (1 IoCs)
pid | pid_target | Process | procid_target
3512 | 4068 | WerFault.exe | 84
PID 4068 is Dmllipeg.exe, the second dropped copy; it crashed and no further copy was dropped in this run.
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of the victim host in order to infer its geographical location. Reading this key is also common in benign runtime initialisation, so on its own it is a weak signal.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 8ae7fe07285d43c2d4d973f6ad98ac7b4eb49cc708a0618bec3be3d0567621b9.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dknpmdfc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dmllipeg.exe
Modifies registry class (9 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | 8ae7fe07285d43c2d4d973f6ad98ac7b4eb49cc708a0618bec3be3d0567621b9.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node | 8ae7fe07285d43c2d4d973f6ad98ac7b4eb49cc708a0618bec3be3d0567621b9.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | 8ae7fe07285d43c2d4d973f6ad98ac7b4eb49cc708a0618bec3be3d0567621b9.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Dknpmdfc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID | 8ae7fe07285d43c2d4d973f6ad98ac7b4eb49cc708a0618bec3be3d0567621b9.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738} | 8ae7fe07285d43c2d4d973f6ad98ac7b4eb49cc708a0618bec3be3d0567621b9.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokpao32.dll" | 8ae7fe07285d43c2d4d973f6ad98ac7b4eb49cc708a0618bec3be3d0567621b9.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll" | Dknpmdfc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Dknpmdfc.exe
The two writes to the InProcServer32 default value are the persistence mechanism: the ShellServiceObjectDelayLoad entry "Web Event Logger" names this CLSID, and each generation of the dropper re-points the same CLSID at the DLL it just dropped (first Nokpao32.dll, then Kngpec32.dll), so explorer.exe loads the latest DLL at logon. The CLSID, the SSODL value name and the two DLL paths are the durable indicators here; the executable names change per generation.
Suspicious use of WriteProcessMemory (6 IoCs)
description | pid | Process | procid_target
PID 856 wrote to memory of 4080 | 856 | 8ae7fe07285d43c2d4d973f6ad98ac7b4eb49cc708a0618bec3be3d0567621b9.exe | 83
PID 856 wrote to memory of 4080 | 856 | 8ae7fe07285d43c2d4d973f6ad98ac7b4eb49cc708a0618bec3be3d0567621b9.exe | 83
PID 856 wrote to memory of 4080 | 856 | 8ae7fe07285d43c2d4d973f6ad98ac7b4eb49cc708a0618bec3be3d0567621b9.exe | 83
PID 4080 wrote to memory of 4068 | 4080 | Dknpmdfc.exe | 84
PID 4080 wrote to memory of 4068 | 4080 | Dknpmdfc.exe | 84
PID 4080 wrote to memory of 4068 | 4080 | Dknpmdfc.exe | 84
Processes
1. C:\Users\Admin\AppData\Local\Temp\8ae7fe07285d43c2d4d973f6ad98ac7b4eb49cc708a0618bec3be3d0567621b9.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\8ae7fe07285d43c2d4d973f6ad98ac7b4eb49cc708a0618bec3be3d0567621b9.exe"
   PID: 856
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\Dknpmdfc.exe
      command line: C:\Windows\system32\Dknpmdfc.exe
      PID: 4080
      - Adds autorun key to be loaded by Explorer.exe on startup
      - Executes dropped EXE
      - Drops file in System32 directory
      - System Location Discovery: System Language Discovery
      - Modifies registry class
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\Dmllipeg.exe
         command line: C:\Windows\system32\Dmllipeg.exe
         PID: 4068
         - Executes dropped EXE
         - System Location Discovery: System Language Discovery
         4. C:\Windows\SysWOW64\WerFault.exe
            command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4068 -s 396
            PID: 3512
            - Program crash
1. C:\Windows\SysWOW64\WerFault.exe
   command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4068 -ip 4068
   PID: 2028
The dropped copies are launched as C:\Windows\system32\<name>.exe but run from C:\Windows\SysWOW64: the sample is 32-bit, so WOW64 file system redirection maps its system32 references to SysWOW64, just as registry redirection sends its HKLM\SOFTWARE writes to WOW6432Node. When hunting on a 64-bit host, check both the SysWOW64 paths and the WOW6432Node keys, not only the native ones.
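The registry and WriteProcessMemory IoCs above are enough to reconstruct, without re-running the sandbox, how persistence is wired and how the dropper chain unfolded: the ShellServiceObjectDelayLoad value names a CLSID, that CLSID's InProcServer32 default value names the DLL explorer.exe will load at logon, and each dropper generation re-points the same CLSID at its own freshly dropped DLL. The script below is an added example written for this page, not tria.ge code. The IoC strings it parses are constructed from this report's tables, the PID-to-name map is taken from the Processes section, and the line format the regexes assume is the one shown in those tables.

```python
"""Reconstruct the SSODL persistence chain and the process lineage from the
registry / WriteProcessMemory IoCs of a tria.ge-style report.

Added example for this page, not tria.ge code. The IoC strings below are
constructed from the report above; the regexes assume the report's
'description ioc Process' line format.
"""
import re
from collections import defaultdict

SAMPLE = "8ae7fe07285d43c2d4d973f6ad98ac7b4eb49cc708a0618bec3be3d0567621b9.exe"
CLSID = "{79FEACFF-FFCE-815E-A900-316290B5B738}"

# Registry 'Set value (str)' IoCs, parent process first, then the first dropped copy.
REGISTRY_IOCS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion'
    r'\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" ' + SAMPLE,
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}'
    r'\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokpao32.dll" ' + SAMPLE,
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}'
    r'\InProcServer32\ThreadingModel = "Apartment" ' + SAMPLE,
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion'
    r'\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dknpmdfc.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}'
    r'\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll" Dknpmdfc.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}'
    r'\InProcServer32\ThreadingModel = "Apartment" Dknpmdfc.exe',
]

# WriteProcessMemory IoCs; the report repeats each parent/child pair three times.
WPM_IOCS = [f"PID 856 wrote to memory of 4080 856 {SAMPLE} 83"] * 3 + \
           ["PID 4080 wrote to memory of 4068 4080 Dknpmdfc.exe 84"] * 3

# PID -> image name, taken from the Processes section of the report.
PID_NAMES = {856: SAMPLE, 4080: "Dknpmdfc.exe", 4068: "Dmllipeg.exe",
             3512: "WerFault.exe", 2028: "WerFault.exe"}

SSODL_RE = re.compile(
    r'^Set value \(str\) \\REGISTRY\\MACHINE\\SOFTWARE\\(?:WOW6432Node\\)?Microsoft\\Windows'
    r'\\CurrentVersion\\ShellServiceObjectDelayLoad\\(?P<name>.+?) = "(?P<clsid>\{[0-9A-Fa-f-]+\})" (?P<proc>\S+)$')
# Only the InProcServer32 *default* value (trailing backslash before ' = ') names the DLL.
INPROC_RE = re.compile(
    r'^Set value \(str\) \\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\(?:WOW6432Node\\)?CLSID\\'
    r'(?P<clsid>\{[0-9A-Fa-f-]+\})\\InProcServer32\\ = "(?P<dll>.+?)" (?P<proc>\S+)$')
WPM_RE = re.compile(r'^PID (?P<parent>\d+) wrote to memory of (?P<child>\d+) \d+ \S+ \d+$')


def ssodl_chain(iocs):
    """Join SSODL value name -> CLSID -> InProcServer32 DLL, one entry per DLL write."""
    ssodl_names = {}   # clsid -> value name under ShellServiceObjectDelayLoad
    dll_writes = []    # (clsid, dll, writing process) in report order
    for line in iocs:
        m = SSODL_RE.match(line)
        if m:
            ssodl_names[m["clsid"].upper()] = m["name"]
            continue
        m = INPROC_RE.match(line)
        if m:
            # The report renders backslashes in values doubled; collapse them.
            dll_writes.append((m["clsid"].upper(), m["dll"].replace("\\\\", "\\"), m["proc"]))
    return [{"ssodl_name": ssodl_names.get(clsid),  # None: CLSID never wired into SSODL
             "clsid": clsid, "dll": dll, "written_by": proc}
            for clsid, dll, proc in dll_writes]


def repointed_clsids(chain):
    """CLSIDs whose InProcServer32 was pointed at more than one DLL, in write order."""
    dlls = defaultdict(list)
    for entry in chain:
        base = entry["dll"].rsplit("\\", 1)[-1]
        if base not in dlls[entry["clsid"]]:
            dlls[entry["clsid"]].append(base)
    return {clsid: names for clsid, names in dlls.items() if len(names) > 1}


def process_tree(wpm_iocs):
    """Parent PID -> child PIDs, with the repeated write entries collapsed."""
    children, seen = defaultdict(list), set()
    for line in wpm_iocs:
        m = WPM_RE.match(line)
        if not m:
            continue
        edge = (int(m["parent"]), int(m["child"]))
        if edge not in seen:
            seen.add(edge)
            children[edge[0]].append(edge[1])
    return dict(children)


def render_tree(children, names, root):
    """Indented lineage lines starting at root."""
    out = []

    def walk(pid, depth):
        out.append("  " * depth + f"{names.get(pid, '?')} (PID {pid})")
        for child in children.get(pid, []):
            walk(child, depth + 1)

    walk(root, 0)
    return out


if __name__ == "__main__":
    chain = ssodl_chain(REGISTRY_IOCS)
    for e in chain:
        print(f'SSODL "{e["ssodl_name"]}" -> {e["clsid"]} -> {e["dll"]} (written by {e["written_by"]})')
    print("CLSIDs re-pointed across generations:", repointed_clsids(chain))
    print("\n".join(render_tree(process_tree(WPM_IOCS), PID_NAMES, 856)))
```

Running it prints the chain twice for the same CLSID (Nokpao32.dll written by the sample, then Kngpec32.dll written by Dknpmdfc.exe) and the lineage 856 -> 4080 -> 4068. On a live host the equivalent check is to enumerate the ShellServiceObjectDelayLoad values (native and WOW6432Node), resolve each CLSID's InProcServer32 default value, and flag DLLs that are unsigned or not present on a clean reference image; the CLSID and value name from this report are the stable things to pivot on.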
Network
MITRE ATT&CK Enterprise v15
Downloads
File 1
  Filesize: 88KB
  MD5: 2f28fb0d8717f18c565916b1f97c818d
  SHA1: b64576228e72d3a6571404ca3c3d422d04638bf4
  SHA256: 3f22ac66267421f5ca9317f4aa33d219685263db44a4e3fab5467f309d29416c
  SHA512: c6a849d2284ddae821d5c2df384b01841c4c4183eb9f757a8214e62945844fe3d836f333298f249553016dda216135e1ecace08ab8eab3aae9671b5e52e4e9de
File 2
  Filesize: 88KB
  MD5: 18b7cfd6cea4a9a00a574ca668a3b785
  SHA1: 3caa7d2b5f23062f71f1102f6040ab190a9a1d63
  SHA256: 508e5af9227f4718d717c21975003f1f1950a82d15fd95fc9239ab7d38b1ad21
  SHA512: fac4621e15faf34e994f0b3c94dbff6e25a102bc7aa94a830c5707ee20fca7307e93c9b1bcdb1d73d8ab94b10b29e8ea78b073c325bdc6adfefd615ad3239f2d
Both files are the same size as the submitted sample but carry different hashes; the report does not state which dropped path each hash belongs to, so match on size plus hash rather than filename when pivoting.