Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    94s
  • max time network
    95s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25/12/2024, 16:03

General

  • Target

    26c6df51f8063818cf26e11d7da9ba2dbdd28dbbf9b38ba41ee5162cdbffc088.exe

  • Size

    362KB

  • MD5

    332219a0e94c3e3ee995bac97b5fbe08

  • SHA1

    880eabab811aeb9c4bc349d4b7b55118f389d1f8

  • SHA256

    26c6df51f8063818cf26e11d7da9ba2dbdd28dbbf9b38ba41ee5162cdbffc088

  • SHA512

    ce1983bcc2727d925382e2ba8946ca82cf36ea25f92ba26057a1bd37edcbb711334e2a7fe240be7a5ec83b44652538783839d9376e5dbb2fa3eeadb59f38fd5e

  • SSDEEP

    6144:5NAIPVbUh7x5MbCSiBXf0Rg72xfJ9aCzrwbo1pw00+qnrLYC/VuwkdbA4+D6ByqA:fRPtax+CcROhtYNY6ThtY/

Malware Config

Extracted

Family

berbew

C2

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

  • Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 2 IoCs
  • Berbew

    Berbew is a backdoor written in C++.

  • Berbew family
  • Executes dropped EXE 1 IoCs
  • Drops file in System32 directory 3 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 6 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\26c6df51f8063818cf26e11d7da9ba2dbdd28dbbf9b38ba41ee5162cdbffc088.exe
    "C:\Users\Admin\AppData\Local\Temp\26c6df51f8063818cf26e11d7da9ba2dbdd28dbbf9b38ba41ee5162cdbffc088.exe"
    1⤵
    • Adds autorun key to be loaded by Explorer.exe on startup
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2228
    • C:\Windows\SysWOW64\Dmllipeg.exe
      C:\Windows\system32\Dmllipeg.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2676
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2676 -s 416
        3⤵
        • Program crash
        PID:1256
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 2676 -ip 2676
    1⤵
      PID:4968

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Windows\SysWOW64\Dmllipeg.exe

      Filesize

      362KB

      MD5

      fd16e377c513a3f5bf9a897eeafd2eb1

      SHA1

      e481393fb47048a717b0123cc9a3e485359bf4f7

      SHA256

      0f59ea61d260350a96b4a0540e6cececc6597315da9a279b2dac95ced486fb23

      SHA512

      c3c1c3f17f9a72fb0835a7bb6a295bd882d383e5992a582e1917639e61c6c7deb82fd2571a89b9a98fbe9e4e67f3f174f5fd3a1329b769c7a2b9d1e57d883018

    • memory/2228-0-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

    • memory/2228-12-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

    • memory/2676-7-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

    • memory/2676-11-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB