berbew | 952963db2361d6544429535c624defd8bfaa6bfec35bc2427c1c8b5d835818ba

General

Target

952963db2361d6544429535c624defd8bfaa6bfec35bc2427c1c8b5d835818baN.exe
Size

385KB
MD5

bc7aed3bd7f514c6e42cbe5fe4fdd880
SHA1

6e6e0bead274f321028383d7f19a650642b89d17
SHA256

952963db2361d6544429535c624defd8bfaa6bfec35bc2427c1c8b5d835818ba
SHA512

d8f6490d632059d11fbc59e26454d98f67b944d713d46b0e7335e42431efc7d5b60d3719a03457b9a9b52a3a05754197c793b8420a9b046c79c21a71ecbe4c97
SSDEEP

12288:vkQrEPy59SLWy5jy59SL3y59Ey59SLAy59SLZy5iy59SLv:vkm4y7oWypy7o3y7Ey7oAy7oZyUy7ov

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

C2

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	952963db2361d6544429535c624defd8bfaa6bfec35bc2427c1c8b5d835818baN.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmpcca32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmpcca32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpnopm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpnopm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lghgmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lghgmg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	952963db2361d6544429535c624defd8bfaa6bfec35bc2427c1c8b5d835818baN.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 4 IoCs

pid	Process
2728	Lmpcca32.exe
2164	Lpnopm32.exe
2888	Lghgmg32.exe
1748	Lepaccmo.exe

Loads dropped DLL 12 IoCs

pid	Process
2412	952963db2361d6544429535c624defd8bfaa6bfec35bc2427c1c8b5d835818baN.exe
2412	952963db2361d6544429535c624defd8bfaa6bfec35bc2427c1c8b5d835818baN.exe
2728	Lmpcca32.exe
2728	Lmpcca32.exe
2164	Lpnopm32.exe
2164	Lpnopm32.exe
2888	Lghgmg32.exe
2888	Lghgmg32.exe
2588	WerFault.exe
2588	WerFault.exe
2588	WerFault.exe
2588	WerFault.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Agpdah32.dll	952963db2361d6544429535c624defd8bfaa6bfec35bc2427c1c8b5d835818baN.exe
File opened for modification	C:\Windows\SysWOW64\Lpnopm32.exe	Lmpcca32.exe
File created	C:\Windows\SysWOW64\Dllqqh32.dll	Lmpcca32.exe
File created	C:\Windows\SysWOW64\Oldhgaef.dll	Lghgmg32.exe
File created	C:\Windows\SysWOW64\Lmpcca32.exe	952963db2361d6544429535c624defd8bfaa6bfec35bc2427c1c8b5d835818baN.exe
File opened for modification	C:\Windows\SysWOW64\Lmpcca32.exe	952963db2361d6544429535c624defd8bfaa6bfec35bc2427c1c8b5d835818baN.exe
File created	C:\Windows\SysWOW64\Lpnopm32.exe	Lmpcca32.exe
File created	C:\Windows\SysWOW64\Lghgmg32.exe	Lpnopm32.exe
File opened for modification	C:\Windows\SysWOW64\Lghgmg32.exe	Lpnopm32.exe
File created	C:\Windows\SysWOW64\Ogegmkqk.dll	Lpnopm32.exe
File created	C:\Windows\SysWOW64\Lepaccmo.exe	Lghgmg32.exe
File opened for modification	C:\Windows\SysWOW64\Lepaccmo.exe	Lghgmg32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2588	1748	WerFault.exe	33

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	952963db2361d6544429535c624defd8bfaa6bfec35bc2427c1c8b5d835818baN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmpcca32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lpnopm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lghgmg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lepaccmo.exe

Modifies registry class 15 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	952963db2361d6544429535c624defd8bfaa6bfec35bc2427c1c8b5d835818baN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	952963db2361d6544429535c624defd8bfaa6bfec35bc2427c1c8b5d835818baN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lpnopm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogegmkqk.dll"	Lpnopm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	952963db2361d6544429535c624defd8bfaa6bfec35bc2427c1c8b5d835818baN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lmpcca32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lghgmg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	952963db2361d6544429535c624defd8bfaa6bfec35bc2427c1c8b5d835818baN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	952963db2361d6544429535c624defd8bfaa6bfec35bc2427c1c8b5d835818baN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agpdah32.dll"	952963db2361d6544429535c624defd8bfaa6bfec35bc2427c1c8b5d835818baN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dllqqh32.dll"	Lmpcca32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lmpcca32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpnopm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oldhgaef.dll"	Lghgmg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lghgmg32.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2412 wrote to memory of 2728	2412	952963db2361d6544429535c624defd8bfaa6bfec35bc2427c1c8b5d835818baN.exe	30
PID 2412 wrote to memory of 2728	2412	952963db2361d6544429535c624defd8bfaa6bfec35bc2427c1c8b5d835818baN.exe	30
PID 2412 wrote to memory of 2728	2412	952963db2361d6544429535c624defd8bfaa6bfec35bc2427c1c8b5d835818baN.exe	30
PID 2412 wrote to memory of 2728	2412	952963db2361d6544429535c624defd8bfaa6bfec35bc2427c1c8b5d835818baN.exe	30
PID 2728 wrote to memory of 2164	2728	Lmpcca32.exe	31
PID 2728 wrote to memory of 2164	2728	Lmpcca32.exe	31
PID 2728 wrote to memory of 2164	2728	Lmpcca32.exe	31
PID 2728 wrote to memory of 2164	2728	Lmpcca32.exe	31
PID 2164 wrote to memory of 2888	2164	Lpnopm32.exe	32
PID 2164 wrote to memory of 2888	2164	Lpnopm32.exe	32
PID 2164 wrote to memory of 2888	2164	Lpnopm32.exe	32
PID 2164 wrote to memory of 2888	2164	Lpnopm32.exe	32
PID 2888 wrote to memory of 1748	2888	Lghgmg32.exe	33
PID 2888 wrote to memory of 1748	2888	Lghgmg32.exe	33
PID 2888 wrote to memory of 1748	2888	Lghgmg32.exe	33
PID 2888 wrote to memory of 1748	2888	Lghgmg32.exe	33
PID 1748 wrote to memory of 2588	1748	Lepaccmo.exe	34
PID 1748 wrote to memory of 2588	1748	Lepaccmo.exe	34
PID 1748 wrote to memory of 2588	1748	Lepaccmo.exe	34
PID 1748 wrote to memory of 2588	1748	Lepaccmo.exe	34

C:\Users\Admin\AppData\Local\Temp\952963db2361d6544429535c624defd8bfaa6bfec35bc2427c1c8b5d835818baN.exe
"C:\Users\Admin\AppData\Local\Temp\952963db2361d6544429535c624defd8bfaa6bfec35bc2427c1c8b5d835818baN.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2412
- C:\Windows\SysWOW64\Lmpcca32.exe
  C:\Windows\system32\Lmpcca32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2728
- - C:\Windows\SysWOW64\Lpnopm32.exe
    C:\Windows\system32\Lpnopm32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2164
  - - C:\Windows\SysWOW64\Lghgmg32.exe
      C:\Windows\system32\Lghgmg32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2888
    - - C:\Windows\SysWOW64\Lepaccmo.exe
        
        C:\Windows\system32\Lepaccmo.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1748
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1748 -s 140
        6⤵
        Loads dropped DLL
        Program crash
        
        PID:2588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Lghgmg32.exe

Filesize
385KB

MD5
79d3348de235874b15926ee9dc425436

SHA1
d6256e38a4da50bf185d2c75409c4963127566ff

SHA256
12aa6638f3d3fa3284235c00f1ef8dc49ac4a9cb660be120f3f2673b0605623e

SHA512
d396b83de5f7013f48a2b20235405c1be061ebca7a0e3e8c08ed9a45ceb9241185e1c9d975368f4f0306cef4caca07a42cd89b1821bedf43c2725c425839cb8e

Download Submit
C:\Windows\SysWOW64\Lmpcca32.exe

Filesize
385KB

MD5
cea4f0c96a242178de9fe681f5709e1f

SHA1
d5dc79311d781e12a1a08f59a1e7609f13c8c5e2

SHA256
2bd7c2d81e89bffe689e7a059f61cfc5b6af22f3d4d2fea68d3b0304515da403

SHA512
9c2a2da070c0dac790a79fb45f4acaf3662a1db2f4020b8c6c5bfec75775eec2aa4ec09167b8f186c4879c36fc0ce7e3d66363ccef6cf38760c982c4aff35ac9

Download Submit
\Windows\SysWOW64\Lepaccmo.exe

Filesize
385KB

MD5
ba56b05381ca410974e72c5f52c9806a

SHA1
dcc33158fd16c53534f9779ce83aa0a641752278

SHA256
85a684c2cdc744790a065923d782e50ad45a77017cf4316e98a0ee5704b7c412

SHA512
35faedea19078894e9e3aa255e7ca4961294419fb041120291dc3845afa34eb53a0d2218edee789f5a0fa483cd72d94bf49ab0409bb79402f3c656fdf036bd23

Download Submit
\Windows\SysWOW64\Lpnopm32.exe

Filesize
385KB

MD5
d4206a2976de3f8d8845a63fa05d2409

SHA1
e5086e96417e04599c9cf43bb01a4d67fbf7770b

SHA256
2096ae465635dbc966472a87c4e54a570558e239abcc69adc516edc9a13398f7

SHA512
ae380c565b9196071e9a5177d6de7a0c969d285363f4499c0fc0c0e53e24e2572cfda767dd0f24908c780eb6f04b317bf566e4947e7d95b3ff1dacb2f78c22e7

Download Submit
memory/1748-68-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/1748-54-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2164-66-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2412-17-0x0000000000290000-0x000000000031B000-memory.dmp

Filesize
556KB

Download
memory/2412-18-0x0000000000290000-0x000000000031B000-memory.dmp

Filesize
556KB

Download
memory/2412-4-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2412-64-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2728-65-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2728-19-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2888-39-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/2888-53-0x00000000002C0000-0x000000000034B000-memory.dmp

Filesize
556KB

Download
memory/2888-52-0x00000000002C0000-0x000000000034B000-memory.dmp

Filesize
556KB

Download
memory/2888-63-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads