berbew | d3ca8dd5861f490a1522280a16a04b9dd8aa9026f69f1ddb898d3f5df9e17b6a

General

Target

d3ca8dd5861f490a1522280a16a04b9dd8aa9026f69f1ddb898d3f5df9e17b6a.exe
Size

95KB
MD5

9306c16b2494ff9fdf48bcce01e9681a
SHA1

f397576069d74b7486b55fca446e0953667ede44
SHA256

d3ca8dd5861f490a1522280a16a04b9dd8aa9026f69f1ddb898d3f5df9e17b6a
SHA512

53dccbb38168ea65fc40e30416da259a10a2a19d66c5031ba15476e1bd8732dfce41ec754970559653acc58fa407a2ede56a2f1f8c1b159671e40b35fb5364aa
SSDEEP

1536:ThO6RzN6ElEO4snMWJeoWeutNRdlWHC3y4oTfOM6bOLXi8PmCofGV:IYkEmsn70NReHC3gTfDrLXfzoeV

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

C2

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	d3ca8dd5861f490a1522280a16a04b9dd8aa9026f69f1ddb898d3f5df9e17b6a.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	d3ca8dd5861f490a1522280a16a04b9dd8aa9026f69f1ddb898d3f5df9e17b6a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbdlf32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 5 IoCs

pid	Process
5084	Dkkcge32.exe
1404	Daekdooc.exe
2728	Dddhpjof.exe
4752	Dgbdlf32.exe
316	Dmllipeg.exe

Drops file in System32 directory 15 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Gfghpl32.dll	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Jcbdhp32.dll	d3ca8dd5861f490a1522280a16a04b9dd8aa9026f69f1ddb898d3f5df9e17b6a.exe
File created	C:\Windows\SysWOW64\Daekdooc.exe	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Amjknl32.dll	Daekdooc.exe
File opened for modification	C:\Windows\SysWOW64\Dgbdlf32.exe	Dddhpjof.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dgbdlf32.exe
File opened for modification	C:\Windows\SysWOW64\Dkkcge32.exe	d3ca8dd5861f490a1522280a16a04b9dd8aa9026f69f1ddb898d3f5df9e17b6a.exe
File opened for modification	C:\Windows\SysWOW64\Daekdooc.exe	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Dgbdlf32.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Dkkcge32.exe	d3ca8dd5861f490a1522280a16a04b9dd8aa9026f69f1ddb898d3f5df9e17b6a.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Ohmoom32.dll	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Dddhpjof.exe	Daekdooc.exe
File opened for modification	C:\Windows\SysWOW64\Dddhpjof.exe	Daekdooc.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4884	316	WerFault.exe	87

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d3ca8dd5861f490a1522280a16a04b9dd8aa9026f69f1ddb898d3f5df9e17b6a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe

Modifies registry class 18 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohmoom32.dll"	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfghpl32.dll"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	d3ca8dd5861f490a1522280a16a04b9dd8aa9026f69f1ddb898d3f5df9e17b6a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	d3ca8dd5861f490a1522280a16a04b9dd8aa9026f69f1ddb898d3f5df9e17b6a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcbdhp32.dll"	d3ca8dd5861f490a1522280a16a04b9dd8aa9026f69f1ddb898d3f5df9e17b6a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	d3ca8dd5861f490a1522280a16a04b9dd8aa9026f69f1ddb898d3f5df9e17b6a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	d3ca8dd5861f490a1522280a16a04b9dd8aa9026f69f1ddb898d3f5df9e17b6a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	d3ca8dd5861f490a1522280a16a04b9dd8aa9026f69f1ddb898d3f5df9e17b6a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amjknl32.dll"	Daekdooc.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 4736 wrote to memory of 5084	4736	d3ca8dd5861f490a1522280a16a04b9dd8aa9026f69f1ddb898d3f5df9e17b6a.exe	83
PID 4736 wrote to memory of 5084	4736	d3ca8dd5861f490a1522280a16a04b9dd8aa9026f69f1ddb898d3f5df9e17b6a.exe	83
PID 4736 wrote to memory of 5084	4736	d3ca8dd5861f490a1522280a16a04b9dd8aa9026f69f1ddb898d3f5df9e17b6a.exe	83
PID 5084 wrote to memory of 1404	5084	Dkkcge32.exe	84
PID 5084 wrote to memory of 1404	5084	Dkkcge32.exe	84
PID 5084 wrote to memory of 1404	5084	Dkkcge32.exe	84
PID 1404 wrote to memory of 2728	1404	Daekdooc.exe	85
PID 1404 wrote to memory of 2728	1404	Daekdooc.exe	85
PID 1404 wrote to memory of 2728	1404	Daekdooc.exe	85
PID 2728 wrote to memory of 4752	2728	Dddhpjof.exe	86
PID 2728 wrote to memory of 4752	2728	Dddhpjof.exe	86
PID 2728 wrote to memory of 4752	2728	Dddhpjof.exe	86
PID 4752 wrote to memory of 316	4752	Dgbdlf32.exe	87
PID 4752 wrote to memory of 316	4752	Dgbdlf32.exe	87
PID 4752 wrote to memory of 316	4752	Dgbdlf32.exe	87

C:\Users\Admin\AppData\Local\Temp\d3ca8dd5861f490a1522280a16a04b9dd8aa9026f69f1ddb898d3f5df9e17b6a.exe
"C:\Users\Admin\AppData\Local\Temp\d3ca8dd5861f490a1522280a16a04b9dd8aa9026f69f1ddb898d3f5df9e17b6a.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4736
- C:\Windows\SysWOW64\Dkkcge32.exe
  C:\Windows\system32\Dkkcge32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:5084
- - C:\Windows\SysWOW64\Daekdooc.exe
    C:\Windows\system32\Daekdooc.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1404
  - - C:\Windows\SysWOW64\Dddhpjof.exe
      C:\Windows\system32\Dddhpjof.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2728
    - - C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4752
      - C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:316
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 316 -s 408
        7⤵
        Program crash
        
        PID:4884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 316 -ip 316
1⤵
PID:3820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Daekdooc.exe

Filesize
95KB

MD5
ff12bbc2850d92bf8beeda8d10f2192f

SHA1
a76ea2ba23e500dacf0094d098fa7279594d8d6c

SHA256
85ecb5f15cec66d844a0bfa78948820e727db45675d2f628e9ed5eec1bb48f78

SHA512
b3b59b734a1d674a66ee7e3637d9f20e7abe10c8e38d4ef30de7b536fdd39d79dec14f77bc292668e73f64f7e4aff06aa3c59da9ff1fda436999803902aeb5a9

Download Submit
C:\Windows\SysWOW64\Dddhpjof.exe

Filesize
95KB

MD5
32b435c0e2ff401b3a0c2a08aa84a55a

SHA1
75a450ca6c5e123b0b2242bd601b867e5568ee80

SHA256
52c655f953da17036535bc04cfd6783ff575e001a0a47a566dd36c3f640363a9

SHA512
831c8233c9b67f159a9bc0d01ef78edf77964096583bd3b264aa501ad641ef9738e8a23f5afd8033c3553bfbb80e6e83fcff933060e5f5dacccd0b2b22284007

Download Submit
C:\Windows\SysWOW64\Dgbdlf32.exe

Filesize
95KB

MD5
9ddecf6e49d4aef95ab277e390c69f4b

SHA1
7a633159d4c5f0927e04ffad8f42abeadc21184c

SHA256
94120edbc8dd16e75f50acccb0bfe0dc8fe5fa7f07dfed66008c0274128db3c0

SHA512
8241137af089d1935167d1dbb643b4d191063f4cf92df5db8493638405733885d1959f91d283c753122adda7f1077e4b715ffc09b388b232a8dfe51d7d3f887e

Download Submit
C:\Windows\SysWOW64\Dkkcge32.exe

Filesize
95KB

MD5
32c2d3f3eec3f72927d3c9173420ae08

SHA1
504e4c3d310800634b3f3a53af4e28a4aa0a9a82

SHA256
1e5dcd7932a9e879cf4258806c44167419832780e43e8ed33fe5c0994cf3cc90

SHA512
828fb0a258e947192d4e9df6028dd737f8dc083c37bcce41dba9b680285af76d975704eae6500f398781872193b657a7e08ece72f8c14c17793b2dd3c8ca50d6

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
95KB

MD5
2dd4e9f817638b32906fc37c09080546

SHA1
891f3c312a8209954f4b115d720b3ae37f596fc3

SHA256
6c144d1778722c3047e5599237951c2d20ff97820768a8b9f7468eb1aeb07855

SHA512
f4b7d8fe9bb60eb73b9a721456625faaf350c64da780d093aee5d44f92680aee10248dc9f798f25a835ffe31015b8437f3aa133fe8f84c5c5c414df0e9c96444

Download Submit
C:\Windows\SysWOW64\Kngpec32.dll

Filesize
7KB

MD5
da4b16385aaa6bfd11d3e70bcd5b713b

SHA1
de27af28748580c1194da39830eb2701e8e6bcb8

SHA256
771c2b98fc607b5ceb9bc70f4e90ae9703d5febbf56c0ac2ef5b34afbe1b8c31

SHA512
2723cbae26eeae35f8e664ec480f78392d82e66a8c17eab3ae32e8c7208b14fc5536ae999b9e15e61a004c90914d84f56b384632a224a7cb053cc08af3438cbe

Download Submit
memory/316-41-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/316-39-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1404-44-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1404-16-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2728-24-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2728-43-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4736-0-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4736-46-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4752-31-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4752-42-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5084-7-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5084-45-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads