Analysis

  • max time kernel
    107s
  • max time network
    19s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64
    arch:x86
    image:win7-20241010-en
    locale:en-us
    os:windows7-x64
    system
  • submitted
    17-01-2025 09:50

General

  • Target

    f46ce4bc57b462b1eeb3398c37e63e43c5cf22150f02180a7c8d1fbf9d9e303aN.exe

  • Size

    96KB

  • MD5

    f0e71b2cbb4c4ed0bd30f0ff51a0c010

  • SHA1

    1053f72d081f0c9c6802794288435216bd9efc2d

  • SHA256

    f46ce4bc57b462b1eeb3398c37e63e43c5cf22150f02180a7c8d1fbf9d9e303a

  • SHA512

    8ffc581e0aae5fda6e77613334e14aa0d37de9c349ab6d37b084f6323473620278acfd0612270edceaadbcec2ab82120675ace555951238ceca6310bf090a14a

  • SSDEEP

    1536:CB395FIpFDK0gOhC+cKfivcAaGYdtdE+A2Lj47RZObZUUWaegPYAW:CTeFD9u5bUCYBj0ClUUWaeF

Malware Config

Extracted

Family

berbew

C2

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

  • Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 16 IoCs
  • Berbew

    Berbew is a backdoor written in C++.

  • Berbew family
  • Executes dropped EXE 8 IoCs
  • Loads dropped DLL 19 IoCs
  • Drops file in System32 directory 26 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Modifies registry class 27 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f46ce4bc57b462b1eeb3398c37e63e43c5cf22150f02180a7c8d1fbf9d9e303aN.exe
    "C:\Users\Admin\AppData\Local\Temp\f46ce4bc57b462b1eeb3398c37e63e43c5cf22150f02180a7c8d1fbf9d9e303aN.exe"
    1⤵
    • Adds autorun key to be loaded by Explorer.exe on startup
    • Loads dropped DLL
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:524
    • C:\Windows\SysWOW64\Boljgg32.exe
      C:\Windows\system32\Boljgg32.exe
      2⤵
      • Adds autorun key to be loaded by Explorer.exe on startup
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:2552
      • C:\Windows\SysWOW64\Bjbndpmd.exe
        C:\Windows\system32\Bjbndpmd.exe
        3⤵
        • Adds autorun key to be loaded by Explorer.exe on startup
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:2448
        • C:\Windows\SysWOW64\Bigkel32.exe
          C:\Windows\system32\Bigkel32.exe
          4⤵
          • Adds autorun key to be loaded by Explorer.exe on startup
          • Executes dropped EXE
          • Loads dropped DLL
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          • Suspicious use of WriteProcessMemory
          PID:2904
          • C:\Windows\SysWOW64\Cepipm32.exe
            C:\Windows\system32\Cepipm32.exe
            5⤵
            • Adds autorun key to be loaded by Explorer.exe on startup
            • Executes dropped EXE
            • Loads dropped DLL
            • Drops file in System32 directory
            • System Location Discovery: System Language Discovery
            • Modifies registry class
            • Suspicious use of WriteProcessMemory
            PID:2468
            • C:\Windows\SysWOW64\Cinafkkd.exe
              C:\Windows\system32\Cinafkkd.exe
              6⤵
              • Adds autorun key to be loaded by Explorer.exe on startup
              • Executes dropped EXE
              • Loads dropped DLL
              • Drops file in System32 directory
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              • Suspicious use of WriteProcessMemory
              PID:2648
              • C:\Windows\SysWOW64\Cbffoabe.exe
                C:\Windows\system32\Cbffoabe.exe
                7⤵
                • Adds autorun key to be loaded by Explorer.exe on startup
                • Executes dropped EXE
                • Loads dropped DLL
                • Drops file in System32 directory
                • System Location Discovery: System Language Discovery
                • Modifies registry class
                • Suspicious use of WriteProcessMemory
                PID:2684
                • C:\Windows\SysWOW64\Cmpgpond.exe
                  C:\Windows\system32\Cmpgpond.exe
                  8⤵
                  • Adds autorun key to be loaded by Explorer.exe on startup
                  • Executes dropped EXE
                  • Loads dropped DLL
                  • Drops file in System32 directory
                  • System Location Discovery: System Language Discovery
                  • Modifies registry class
                  • Suspicious use of WriteProcessMemory
                  PID:2576
                  • C:\Windows\SysWOW64\Dpapaj32.exe
                    C:\Windows\system32\Dpapaj32.exe
                    9⤵
                    • Executes dropped EXE
                    • Drops file in System32 directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of WriteProcessMemory
                    PID:2844
                    • C:\Windows\SysWOW64\WerFault.exe
                      C:\Windows\SysWOW64\WerFault.exe -u -p 2844 -s 144
                      10⤵
                      • Loads dropped DLL
                      • Program crash
                      PID:1916
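The process tree above is the characteristic Berbew pattern: the submitted sample writes a copy of itself into SysWOW64 under a pseudo-random 8-character name, executes it, and each stage repeats the step (Boljgg32.exe, Bjbndpmd.exe, Bigkel32.exe, ...), until the last stage, Dpapaj32.exe, crashes and is picked up by WerFault.exe. The following Python script is an added example written for this page, not sandbox output or code from the sample: it hunts for that chain, for the dropped-file SHA256 values listed under Downloads, and for the extracted C2 hosts over constructed Sysmon-style process-create events. The event records, the parent PID of the initial process, and the KNOWN_GOOD allowlist are assumptions made for illustration; a real deployment would substitute its own signed-binary inventory.

```python
"""Hunt for the Berbew process chain, dropped-file hashes and C2 hosts from this
report over constructed Sysmon-style events.

Added example by the editor; not Triage/sandbox code and not part of the sample.
The event records, the parent PID of the first process and KNOWN_GOOD are
constructed for illustration."""
import ntpath
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# SHA256 of each dropped EXE, copied from the Downloads section of this report.
DROPPED_SHA256 = {
    "441a595a4c602f127c221ef7566bf939886cb4b52b6d1f9912a9eabafdd1a906",  # Bigkel32.exe
    "5ec512544c7efda1001d0ca3a5766f2bc97bb521d95a730681ff30a0452f674b",  # Bjbndpmd.exe
    "f65c4482c262bc3de09c506c15ea55c99153517053712358d28a5c302d883296",  # Boljgg32.exe
    "6bb24e9be4341e75f8bdcb7d7b8bf874eb136210ad66f2d66376bafcf4092b3d",  # Cbffoabe.exe
    "df1e74e2bcacc21963e3515fab402f8ff0aad97d74463bf3fcfd067d386f9499",  # Cepipm32.exe
    "9e16a008bd9f3595e9c8e15dd908f1fff00f36fc4b8a5dfef9343cdd93b9883f",  # Cinafkkd.exe
    "ac088d5434b7a44d0e7770fe6f8c4c71f7e4bdf8866d1844927d451427a3a450",  # Cmpgpond.exe
    "6179c1433a9f971855c838ea4b37741c87faa1e8d3f402a277ddd98f9e05bada",  # Dpapaj32.exe
}

# C2 URLs copied from the extracted config; the host set is derived from them.
C2_URLS = [
    "http://crutop.nu/index.php", "http://crutop.ru/index.php",
    "http://mazafaka.ru/index.php", "http://color-bank.ru/index.php",
    "http://asechka.ru/index.php", "http://trojan.ru/index.php",
    "http://fuck.ru/index.php", "http://goldensand.ru/index.php",
    "http://filesearch.ru/index.php", "http://devx.nm.ru/index.php",
    "http://ros-neftbank.ru/index.php", "http://lovingod.host.sk/index.php",
    "http://www.redline.ru/index.php", "http://cvv.ru/index.php",
    "http://hackers.lv/index.php", "http://fethard.biz/index.php",
    "http://ldark.nm.ru/index.htm", "http://gaz-prom.ru/index.htm",
    "http://promo.ru/index.htm", "http://potleaf.chat.ru/index.htm",
]
C2_HOSTS = {urlsplit(u).hostname for u in C2_URLS}

SYSTEM_DIR = re.compile(r"^c:\\windows\\(syswow64|system32)\\[^\\]+$", re.I)
# Hypothetical allowlist (assumption); use a signed-binary inventory in practice.
KNOWN_GOOD = {"werfault.exe", "svchost.exe", "explorer.exe", "cmd.exe"}


@dataclass(frozen=True)
class ProcEvent:
    """Minimal Sysmon EID 1 (process create) record."""
    pid: int
    ppid: int
    image: str
    sha256: str = ""


def is_unknown_system_binary(image: str) -> bool:
    """True for an executable in System32/SysWOW64 that is not allowlisted;
    every Berbew stage lands there under a pseudo-random 8-character name."""
    return bool(SYSTEM_DIR.match(image)) and ntpath.basename(image).lower() not in KNOWN_GOOD


def chain_for(pid, by_pid):
    """Walk up the parent links while every hop is an unknown system binary."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        ev = by_pid[pid]
        if not is_unknown_system_binary(ev.image):
            break
        chain.append(ev)
        pid = ev.ppid
    return chain[::-1]  # root first


def find_chains(events, min_depth=3):
    """Maximal parent->child chains of unknown system binaries with at least
    min_depth processes, as lists of image names (root first)."""
    by_pid = {e.pid: e for e in events}
    chains = {tuple(e.pid for e in chain_for(e.pid, by_pid)) for e in events}
    chains = {c for c in chains if len(c) >= min_depth}
    maximal = [c for c in chains if not any(o != c and o[: len(c)] == c for o in chains)]
    return [[ntpath.basename(by_pid[p].image) for p in c] for c in sorted(maximal)]


def hash_hits(events):
    """Image names whose SHA256 matches a dropped file from the report."""
    return sorted(ntpath.basename(e.image) for e in events if e.sha256.lower() in DROPPED_SHA256)


def c2_hits(urls):
    """Hosts from observed URLs that appear in the extracted C2 list."""
    return sorted({urlsplit(u).hostname for u in urls} & C2_HOSTS)


# Constructed events mirroring the process tree in this report. PIDs and images
# are taken from the report; the parent chain above PID 524 is made up.
SAMPLE_NAME = "f46ce4bc57b462b1eeb3398c37e63e43c5cf22150f02180a7c8d1fbf9d9e303aN.exe"
SAMPLE_EVENTS = [
    ProcEvent(1000, 800, r"C:\Windows\explorer.exe"),
    ProcEvent(524, 1000, r"C:\Users\Admin\AppData\Local\Temp" + "\\" + SAMPLE_NAME),
    ProcEvent(2552, 524, r"C:\Windows\SysWOW64\Boljgg32.exe",
              "f65c4482c262bc3de09c506c15ea55c99153517053712358d28a5c302d883296"),
    ProcEvent(2448, 2552, r"C:\Windows\SysWOW64\Bjbndpmd.exe"),
    ProcEvent(2904, 2448, r"C:\Windows\SysWOW64\Bigkel32.exe"),
    ProcEvent(2468, 2904, r"C:\Windows\SysWOW64\Cepipm32.exe"),
    ProcEvent(2648, 2468, r"C:\Windows\SysWOW64\Cinafkkd.exe"),
    ProcEvent(2684, 2648, r"C:\Windows\SysWOW64\Cbffoabe.exe"),
    ProcEvent(2576, 2684, r"C:\Windows\SysWOW64\Cmpgpond.exe"),
    ProcEvent(2844, 2576, r"C:\Windows\SysWOW64\Dpapaj32.exe",
              "6179c1433a9f971855c838ea4b37741c87faa1e8d3f402a277ddd98f9e05bada"),
    ProcEvent(1916, 2844, r"C:\Windows\SysWOW64\WerFault.exe"),
    ProcEvent(700, 600, r"C:\Windows\System32\svchost.exe", "00" * 32),  # benign noise
]

if __name__ == "__main__":
    print("chains:", find_chains(SAMPLE_EVENTS))
    print("hash hits:", hash_hits(SAMPLE_EVENTS))
    print("c2 hits:", c2_hits(["http://crutop.nu/index.php", "https://example.com/"]))
```

The chain heuristic deliberately ignores the initial sample in AppData\Local\Temp and the final WerFault.exe, so the reported chain is exactly the eight SysWOW64 stages; the hash and C2 checks are independent of it, which matters here because no network activity was recorded in this run and a live host may only show the file artifacts.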

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Windows\SysWOW64\Bigkel32.exe

    Filesize

    96KB

    MD5

    8d19e521fac4108a6be56f8f332d20b8

    SHA1

    0766759296655f3246987136d5d872bf5fd6b3d0

    SHA256

    441a595a4c602f127c221ef7566bf939886cb4b52b6d1f9912a9eabafdd1a906

    SHA512

    c9ee7947bf9104044ffbe66c424c991b7ac45f4f198287daeb81a9adb0960755f228812c01b98ae2863f7c88eec98ab6b23d5bfe574adb21864106ee82be772a

  • C:\Windows\SysWOW64\Bjbndpmd.exe

    Filesize

    96KB

    MD5

    93f46d79a1d62df65d275013d0f21b56

    SHA1

    01214bc9f85805c9c3737e68adee2870caa76206

    SHA256

    5ec512544c7efda1001d0ca3a5766f2bc97bb521d95a730681ff30a0452f674b

    SHA512

    5d2ee29b068bcf9e618446e5b17feba8924ba649c3e3a6f4bb5c72b070f124c5178f9a9cb07a2efe8339c02cb76ae1d01bd99e23a0ed5d59372053fc0bc94fde

  • C:\Windows\SysWOW64\Boljgg32.exe

    Filesize

    96KB

    MD5

    49ef23260a18465f420b2d9fb749f8c5

    SHA1

    3cedc6b6b224fe628838985b4d87525abde8417f

    SHA256

    f65c4482c262bc3de09c506c15ea55c99153517053712358d28a5c302d883296

    SHA512

    6d5752e11b67db10f00fd3e94214a399a91c69adc1a689f5e044d2a29e6724f878b429a5b0548fb9e72966fc6e3c65f55786b66c0b74828edf01328d0755e262

  • \Windows\SysWOW64\Cbffoabe.exe

    Filesize

    96KB

    MD5

    e30e538d502768d54879deb7cbf2e7ef

    SHA1

    986573d8d7379e399a6ef9066a36fb12241326af

    SHA256

    6bb24e9be4341e75f8bdcb7d7b8bf874eb136210ad66f2d66376bafcf4092b3d

    SHA512

    4ffa0ed1b52de8ddc2e3624958564ca609a3a04545d0491d9787607f1b1752c16c7b4b23d14efc60a62a0684adbd667b14d2ec48a7a335f97dbb857c2df55b5b

  • \Windows\SysWOW64\Cepipm32.exe

    Filesize

    96KB

    MD5

    707d87239c0e7351360ca20fba6c28bb

    SHA1

    ba9f78a15d1f18b271a4b1d35e870e45913d3b9f

    SHA256

    df1e74e2bcacc21963e3515fab402f8ff0aad97d74463bf3fcfd067d386f9499

    SHA512

    055b3732c6f705b0249c5775d96a245cc2c3937a9afc30f99b6590989d029fd3846cb5afa6d2765caf6b0ccc64d38d87e2cb114ca66c742a6d06e3ac72b63396

  • \Windows\SysWOW64\Cinafkkd.exe

    Filesize

    96KB

    MD5

    9993f3118280f3de8b4536795be82b4b

    SHA1

    b29e8a0c516b6f525eddb6025d06534357ec76d3

    SHA256

    9e16a008bd9f3595e9c8e15dd908f1fff00f36fc4b8a5dfef9343cdd93b9883f

    SHA512

    affd8ab300aba8f132975089e1e4accc2d3ff1e34ac16ff9be12e9bc8f717abe96625a9c59707c811b91f17d9f720295b570a864b2cfeba6f1f8763e2d3ce779

  • \Windows\SysWOW64\Cmpgpond.exe

    Filesize

    96KB

    MD5

    a62e0e621333643dd15f8259b0df0721

    SHA1

    e3f4326a4cd7c93c6dd536f0231dccbce1b4ddd2

    SHA256

    ac088d5434b7a44d0e7770fe6f8c4c71f7e4bdf8866d1844927d451427a3a450

    SHA512

    cb516039ba1287b0009d62e920399b477ad269691f566f26962c14cb07bf1e6c38a89a787ecc8c77158f94009a8bbbb8e609db365f9121a421a0dfe8c5a0c5ea

  • \Windows\SysWOW64\Dpapaj32.exe

    Filesize

    96KB

    MD5

    569547ade099141eed4d8fcd94d4b185

    SHA1

    7944844bab10bbaabdb3f4b67e6bd368e4271cde

    SHA256

    6179c1433a9f971855c838ea4b37741c87faa1e8d3f402a277ddd98f9e05bada

    SHA512

    1ca49f5879f198dc39ef78ea2ce36a77a5e01819cfbadcce53b40a4901e5d11335867f32200c5a30ed334088854731d2a95bbeaae5dca5f359e9c10d8ecd9175

  • memory/524-13-0x00000000003C0000-0x00000000003F3000-memory.dmp

    Filesize

    204KB

  • memory/524-12-0x00000000003C0000-0x00000000003F3000-memory.dmp

    Filesize

    204KB

  • memory/524-120-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

  • memory/524-0-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

  • memory/2448-33-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

  • memory/2468-63-0x0000000000280000-0x00000000002B3000-memory.dmp

    Filesize

    204KB

  • memory/2468-127-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

  • memory/2552-119-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

  • memory/2552-32-0x0000000000230000-0x0000000000263000-memory.dmp

    Filesize

    204KB

  • memory/2552-14-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

  • memory/2576-124-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

  • memory/2576-94-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

  • memory/2576-103-0x00000000001B0000-0x00000000001E3000-memory.dmp

    Filesize

    204KB

  • memory/2648-129-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

  • memory/2648-76-0x00000000005D0000-0x0000000000603000-memory.dmp

    Filesize

    204KB

  • memory/2684-123-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

  • memory/2844-109-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

  • memory/2844-121-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

  • memory/2904-131-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

  • memory/2904-55-0x0000000000220000-0x0000000000253000-memory.dmp

    Filesize

    204KB

  • memory/2904-49-0x0000000000220000-0x0000000000253000-memory.dmp

    Filesize

    204KB

  • memory/2904-41-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB