berbew | 753015ed5955366dc9adaeb7bc6172df3057fb6c86482d379105f235e35a16ec

Analysis

max time kernel
22s
max time network
16s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
25-12-2024 15:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

753015ed5955366dc9adaeb7bc6172df3057fb6c86482d379105f235e35a16ec.exe
Size

472KB
MD5

f723225abc967e4693f9aa2d1666b225
SHA1

b8ba9e79ed5db06348527ca58d377ae19d230beb
SHA256

753015ed5955366dc9adaeb7bc6172df3057fb6c86482d379105f235e35a16ec
SHA512

df05e6c6b10550946af51203af786a90a588330ef35f69cff7c93eeccbe1d9e0b0279c49ed243147079315eb1e3690ab0ef113715bcc03c86a22941eff5f0822
SSDEEP

3072:iF8RinudiP52xx67lLd1iHDo05HKpjUekJ+0wpEo:LkgiPA6R7PIKP0wpEo

Score

10^/10

berbew backdoor discovery

Malware Config

Signatures

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2448	2132	WerFault.exe	29

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	753015ed5955366dc9adaeb7bc6172df3057fb6c86482d379105f235e35a16ec.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2132 wrote to memory of 2448	2132	753015ed5955366dc9adaeb7bc6172df3057fb6c86482d379105f235e35a16ec.exe	30
PID 2132 wrote to memory of 2448	2132	753015ed5955366dc9adaeb7bc6172df3057fb6c86482d379105f235e35a16ec.exe	30
PID 2132 wrote to memory of 2448	2132	753015ed5955366dc9adaeb7bc6172df3057fb6c86482d379105f235e35a16ec.exe	30
PID 2132 wrote to memory of 2448	2132	753015ed5955366dc9adaeb7bc6172df3057fb6c86482d379105f235e35a16ec.exe	30

C:\Users\Admin\AppData\Local\Temp\753015ed5955366dc9adaeb7bc6172df3057fb6c86482d379105f235e35a16ec.exe
"C:\Users\Admin\AppData\Local\Temp\753015ed5955366dc9adaeb7bc6172df3057fb6c86482d379105f235e35a16ec.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2132
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2132 -s 36
  2⤵
  - Program crash
  PID:2448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2132-1-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download