Analysis
- max time kernel: 94s
- max time network: 95s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25/12/2024, 16:03
Behavioral task: behavioral1
- Sample: 26c6df51f8063818cf26e11d7da9ba2dbdd28dbbf9b38ba41ee5162cdbffc088.exe
- Resource: win7-20241023-en
Behavioral task: behavioral2
- Sample: 26c6df51f8063818cf26e11d7da9ba2dbdd28dbbf9b38ba41ee5162cdbffc088.exe
- Resource: win10v2004-20241007-en
General
- Target: 26c6df51f8063818cf26e11d7da9ba2dbdd28dbbf9b38ba41ee5162cdbffc088.exe
- Size: 362KB
- MD5: 332219a0e94c3e3ee995bac97b5fbe08
- SHA1: 880eabab811aeb9c4bc349d4b7b55118f389d1f8
- SHA256: 26c6df51f8063818cf26e11d7da9ba2dbdd28dbbf9b38ba41ee5162cdbffc088
- SHA512: ce1983bcc2727d925382e2ba8946ca82cf36ea25f92ba26057a1bd37edcbb711334e2a7fe240be7a5ec83b44652538783839d9376e5dbb2fa3eeadb59f38fd5e
- SSDEEP: 6144:5NAIPVbUh7x5MbCSiBXf0Rg72xfJ9aCzrwbo1pw00+qnrLYC/VuwkdbA4+D6ByqA:fRPtax+CcROhtYNY6ThtY/
Malware Config
Extracted family: berbew
C2 URL patterns:
- http://f/wcmd.htm
- http://f/ppslog.php
- http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
- Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 2 IoCs)
  - Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad [Process: 26c6df51f8063818cf26e11d7da9ba2dbdd28dbbf9b38ba41ee5162cdbffc088.exe]
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" [Process: 26c6df51f8063818cf26e11d7da9ba2dbdd28dbbf9b38ba41ee5162cdbffc088.exe]
- Berbew family
- Executes dropped EXE (1 IoC)
  - PID 2676, Process: Dmllipeg.exe
- Drops file in System32 directory (3 IoCs)
  - File created: C:\Windows\SysWOW64\Dmllipeg.exe [Process: 26c6df51f8063818cf26e11d7da9ba2dbdd28dbbf9b38ba41ee5162cdbffc088.exe]
  - File opened for modification: C:\Windows\SysWOW64\Dmllipeg.exe [Process: 26c6df51f8063818cf26e11d7da9ba2dbdd28dbbf9b38ba41ee5162cdbffc088.exe]
  - File created: C:\Windows\SysWOW64\Kngpec32.dll [Process: 26c6df51f8063818cf26e11d7da9ba2dbdd28dbbf9b38ba41ee5162cdbffc088.exe]
- Program crash (1 IoC)
  - pid 1256, pid_target 2676, Process: WerFault.exe, procid_target 82
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language [Process: 26c6df51f8063818cf26e11d7da9ba2dbdd28dbbf9b38ba41ee5162cdbffc088.exe]
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language [Process: Dmllipeg.exe]
- Modifies registry class (6 IoCs)
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID [Process: 26c6df51f8063818cf26e11d7da9ba2dbdd28dbbf9b38ba41ee5162cdbffc088.exe]
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717} [Process: 26c6df51f8063818cf26e11d7da9ba2dbdd28dbbf9b38ba41ee5162cdbffc088.exe]
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll" [Process: 26c6df51f8063818cf26e11d7da9ba2dbdd28dbbf9b38ba41ee5162cdbffc088.exe]
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" [Process: 26c6df51f8063818cf26e11d7da9ba2dbdd28dbbf9b38ba41ee5162cdbffc088.exe]
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 [Process: 26c6df51f8063818cf26e11d7da9ba2dbdd28dbbf9b38ba41ee5162cdbffc088.exe]
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node [Process: 26c6df51f8063818cf26e11d7da9ba2dbdd28dbbf9b38ba41ee5162cdbffc088.exe]
- Suspicious use of WriteProcessMemory (3 IoCs)
  - PID 2228 wrote to memory of 2676 [Process: 26c6df51f8063818cf26e11d7da9ba2dbdd28dbbf9b38ba41ee5162cdbffc088.exe, procid_target 82]
  - PID 2228 wrote to memory of 2676 [Process: 26c6df51f8063818cf26e11d7da9ba2dbdd28dbbf9b38ba41ee5162cdbffc088.exe, procid_target 82]
  - PID 2228 wrote to memory of 2676 [Process: 26c6df51f8063818cf26e11d7da9ba2dbdd28dbbf9b38ba41ee5162cdbffc088.exe, procid_target 82]
Processes
- C:\Users\Admin\AppData\Local\Temp\26c6df51f8063818cf26e11d7da9ba2dbdd28dbbf9b38ba41ee5162cdbffc088.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\26c6df51f8063818cf26e11d7da9ba2dbdd28dbbf9b38ba41ee5162cdbffc088.exe"
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID: 2228
  - C:\Windows\SysWOW64\Dmllipeg.exe
    Command line: C:\Windows\system32\Dmllipeg.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID: 2676
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2676 -s 416
      - Program crash
      PID: 1256
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 2676 -ip 2676
  PID: 4968
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 362KB
- MD5: fd16e377c513a3f5bf9a897eeafd2eb1
- SHA1: e481393fb47048a717b0123cc9a3e485359bf4f7
- SHA256: 0f59ea61d260350a96b4a0540e6cececc6597315da9a279b2dac95ced486fb23
- SHA512: c3c1c3f17f9a72fb0835a7bb6a295bd882d383e5992a582e1917639e61c6c7deb82fd2571a89b9a98fbe9e4e67f3f174f5fd3a1329b769c7a2b9d1e57d883018