Analysis

  • max time kernel
    107s
  • max time network
    19s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    17/01/2025, 09:50 UTC

General

  • Target

    f46ce4bc57b462b1eeb3398c37e63e43c5cf22150f02180a7c8d1fbf9d9e303aN.exe

  • Size

    96KB

  • MD5

    f0e71b2cbb4c4ed0bd30f0ff51a0c010

  • SHA1

    1053f72d081f0c9c6802794288435216bd9efc2d

  • SHA256

    f46ce4bc57b462b1eeb3398c37e63e43c5cf22150f02180a7c8d1fbf9d9e303a

  • SHA512

    8ffc581e0aae5fda6e77613334e14aa0d37de9c349ab6d37b084f6323473620278acfd0612270edceaadbcec2ab82120675ace555951238ceca6310bf090a14a

  • SSDEEP

    1536:CB395FIpFDK0gOhC+cKfivcAaGYdtdE+A2Lj47RZObZUUWaegPYAW:CTeFD9u5bUCYBj0ClUUWaeF

Malware Config

Extracted

Family

berbew

C2

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

  • Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 16 IoCs)
  • Berbew

    Berbew is a backdoor written in C++.

  • Berbew family
  • Executes dropped EXE (8 IoCs)
  • Loads dropped DLL (19 IoCs)
  • Drops file in System32 directory (26 IoCs)
  • Program crash (1 IoC)
  • System Location Discovery: System Language Discovery (1 TTP, 9 IoCs)

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Modifies registry class (27 IoCs)
  • Suspicious use of WriteProcessMemory (36 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\f46ce4bc57b462b1eeb3398c37e63e43c5cf22150f02180a7c8d1fbf9d9e303aN.exe
    "C:\Users\Admin\AppData\Local\Temp\f46ce4bc57b462b1eeb3398c37e63e43c5cf22150f02180a7c8d1fbf9d9e303aN.exe"
    1⤵
    • Adds autorun key to be loaded by Explorer.exe on startup
    • Loads dropped DLL
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:524
    • C:\Windows\SysWOW64\Boljgg32.exe
      C:\Windows\system32\Boljgg32.exe
      2⤵
      • Adds autorun key to be loaded by Explorer.exe on startup
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:2552
      • C:\Windows\SysWOW64\Bjbndpmd.exe
        C:\Windows\system32\Bjbndpmd.exe
        3⤵
        • Adds autorun key to be loaded by Explorer.exe on startup
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:2448
        • C:\Windows\SysWOW64\Bigkel32.exe
          C:\Windows\system32\Bigkel32.exe
          4⤵
          • Adds autorun key to be loaded by Explorer.exe on startup
          • Executes dropped EXE
          • Loads dropped DLL
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          • Suspicious use of WriteProcessMemory
          PID:2904
          • C:\Windows\SysWOW64\Cepipm32.exe
            C:\Windows\system32\Cepipm32.exe
            5⤵
            • Adds autorun key to be loaded by Explorer.exe on startup
            • Executes dropped EXE
            • Loads dropped DLL
            • Drops file in System32 directory
            • System Location Discovery: System Language Discovery
            • Modifies registry class
            • Suspicious use of WriteProcessMemory
            PID:2468
            • C:\Windows\SysWOW64\Cinafkkd.exe
              C:\Windows\system32\Cinafkkd.exe
              6⤵
              • Adds autorun key to be loaded by Explorer.exe on startup
              • Executes dropped EXE
              • Loads dropped DLL
              • Drops file in System32 directory
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              • Suspicious use of WriteProcessMemory
              PID:2648
              • C:\Windows\SysWOW64\Cbffoabe.exe
                C:\Windows\system32\Cbffoabe.exe
                7⤵
                • Adds autorun key to be loaded by Explorer.exe on startup
                • Executes dropped EXE
                • Loads dropped DLL
                • Drops file in System32 directory
                • System Location Discovery: System Language Discovery
                • Modifies registry class
                • Suspicious use of WriteProcessMemory
                PID:2684
                • C:\Windows\SysWOW64\Cmpgpond.exe
                  C:\Windows\system32\Cmpgpond.exe
                  8⤵
                  • Adds autorun key to be loaded by Explorer.exe on startup
                  • Executes dropped EXE
                  • Loads dropped DLL
                  • Drops file in System32 directory
                  • System Location Discovery: System Language Discovery
                  • Modifies registry class
                  • Suspicious use of WriteProcessMemory
                  PID:2576
                  • C:\Windows\SysWOW64\Dpapaj32.exe
                    C:\Windows\system32\Dpapaj32.exe
                    9⤵
                    • Executes dropped EXE
                    • Drops file in System32 directory
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of WriteProcessMemory
                    PID:2844
                    • C:\Windows\SysWOW64\WerFault.exe
                      C:\Windows\SysWOW64\WerFault.exe -u -p 2844 -s 144
                      10⤵
                      • Loads dropped DLL
                      • Program crash
                      PID:1916
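The tree above shows the same pattern at every level: a process writes a new executable into C:\Windows\SysWOW64 and then launches it, nine processes deep, until Dpapaj32.exe (PID 2844) crashes and Windows Error Reporting starts WerFault.exe for it. The script below is an added example, not code from tria.ge or from the sample: it rebuilds that chain as a constructed event stream (the dict shape of the events is an assumption, modelled loosely on Sysmon process-create and file-create records; PIDs and image names are taken from the tree; parent PID 1200 for the sample and the notepad control are invented) and flags every process creation whose image was written by its own parent.

```python
# Added example for this report, not code from tria.ge or from the Berbew sample.
# Detects the drop-then-execute chain from the process tree using constructed
# telemetry. Event dict keys are an assumption (loosely Sysmon ID 1 / ID 11).
from collections import defaultdict

SYSWOW64 = r"C:\Windows\SysWOW64"
SAMPLE_IMAGE = (r"C:\Users\Admin\AppData\Local\Temp"
                r"\f46ce4bc57b462b1eeb3398c37e63e43c5cf22150f02180a7c8d1fbf9d9e303aN.exe")

# Dropped executables in the order the tree shows them, and the PIDs that ran them.
CHAIN = ["Boljgg32.exe", "Bjbndpmd.exe", "Bigkel32.exe", "Cepipm32.exe",
         "Cinafkkd.exe", "Cbffoabe.exe", "Cmpgpond.exe", "Dpapaj32.exe"]
PIDS = [524, 2552, 2448, 2904, 2468, 2648, 2684, 2576, 2844]


def build_sample_events():
    """Constructed telemetry: each stage writes the next stage into SysWOW64 and
    then launches it. A benign notepad launch and the WerFault crash handler
    (PID 1916, from the tree) are controls that must not be flagged.
    Parent PID 1200 for the sample is an assumption (explorer.exe in the sandbox)."""
    events = [{"kind": "proc", "pid": PIDS[0], "ppid": 1200, "image": SAMPLE_IMAGE}]
    for i, name in enumerate(CHAIN):
        path = SYSWOW64 + "\\" + name
        events.append({"kind": "file", "pid": PIDS[i], "path": path})
        events.append({"kind": "proc", "pid": PIDS[i + 1], "ppid": PIDS[i], "image": path})
    events.append({"kind": "proc", "pid": 3000, "ppid": 1200,
                   "image": r"C:\Windows\System32\notepad.exe"})
    events.append({"kind": "proc", "pid": 1916, "ppid": PIDS[-1],
                   "image": SYSWOW64 + r"\WerFault.exe"})
    return events


def drop_and_execute(events, strict=True):
    """Flag process creations whose image was written earlier in the stream.

    strict=True  : only flag when the parent is the process that wrote the file
                   (the pattern every stage in this report follows).
    strict=False : flag any execution of a previously written path; this also
                   catches hand-offs to another process, at the cost of more
                   false positives from installers and updaters.
    Returns [(writer_pid, child_pid, image_path)] in stream order.
    """
    written_by = {}   # lower-cased path -> PID of the last process that wrote it
    hits = []
    for ev in events:
        if ev["kind"] == "file":
            written_by[ev["path"].lower()] = ev["pid"]
        elif ev["kind"] == "proc":
            writer = written_by.get(ev["image"].lower())
            if writer is None:
                continue          # never written in our window: notepad, WerFault
            if strict and writer != ev["ppid"]:
                continue
            hits.append((writer, ev["pid"], ev["image"]))
    return hits


def longest_chain(hits):
    """Follow writer -> child links and return the longest PID chain, so one
    alert can describe the whole cascade instead of eight separate ones."""
    kids = defaultdict(list)
    for writer, child, _ in hits:
        kids[writer].append(child)
    children = {child for _, child, _ in hits}

    def walk(pid):
        best = [pid]
        for child in kids.get(pid, []):
            cand = [pid] + walk(child)
            if len(cand) > len(best):
                best = cand
        return best

    roots = [w for w, _, _ in hits if w not in children]
    chains = [walk(r) for r in dict.fromkeys(roots)]
    return max(chains, key=len) if chains else []


if __name__ == "__main__":
    links = drop_and_execute(build_sample_events())
    print(f"{len(links)} drop-and-execute links; chain: {longest_chain(links)}")
```

On the constructed events the strict rule yields eight links and one chain of nine PIDs matching the tree, while notepad and WerFault stay clean because nothing in the stream wrote their images. The WerFault command line on the page, `WerFault.exe -u -p 2844 -s 144`, names the crashed PID with `-p`, which is why the "Program crash" signature lands on Dpapaj32.exe even though the tree draws WerFault as its child; do not treat that launch as part of the malware's own drop chain.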

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\SysWOW64\Bigkel32.exe

    Filesize

    96KB

    MD5

    8d19e521fac4108a6be56f8f332d20b8

    SHA1

    0766759296655f3246987136d5d872bf5fd6b3d0

    SHA256

    441a595a4c602f127c221ef7566bf939886cb4b52b6d1f9912a9eabafdd1a906

    SHA512

    c9ee7947bf9104044ffbe66c424c991b7ac45f4f198287daeb81a9adb0960755f228812c01b98ae2863f7c88eec98ab6b23d5bfe574adb21864106ee82be772a

  • C:\Windows\SysWOW64\Bjbndpmd.exe

    Filesize

    96KB

    MD5

    93f46d79a1d62df65d275013d0f21b56

    SHA1

    01214bc9f85805c9c3737e68adee2870caa76206

    SHA256

    5ec512544c7efda1001d0ca3a5766f2bc97bb521d95a730681ff30a0452f674b

    SHA512

    5d2ee29b068bcf9e618446e5b17feba8924ba649c3e3a6f4bb5c72b070f124c5178f9a9cb07a2efe8339c02cb76ae1d01bd99e23a0ed5d59372053fc0bc94fde

  • C:\Windows\SysWOW64\Boljgg32.exe

    Filesize

    96KB

    MD5

    49ef23260a18465f420b2d9fb749f8c5

    SHA1

    3cedc6b6b224fe628838985b4d87525abde8417f

    SHA256

    f65c4482c262bc3de09c506c15ea55c99153517053712358d28a5c302d883296

    SHA512

    6d5752e11b67db10f00fd3e94214a399a91c69adc1a689f5e044d2a29e6724f878b429a5b0548fb9e72966fc6e3c65f55786b66c0b74828edf01328d0755e262

  • \Windows\SysWOW64\Cbffoabe.exe

    Filesize

    96KB

    MD5

    e30e538d502768d54879deb7cbf2e7ef

    SHA1

    986573d8d7379e399a6ef9066a36fb12241326af

    SHA256

    6bb24e9be4341e75f8bdcb7d7b8bf874eb136210ad66f2d66376bafcf4092b3d

    SHA512

    4ffa0ed1b52de8ddc2e3624958564ca609a3a04545d0491d9787607f1b1752c16c7b4b23d14efc60a62a0684adbd667b14d2ec48a7a335f97dbb857c2df55b5b

  • \Windows\SysWOW64\Cepipm32.exe

    Filesize

    96KB

    MD5

    707d87239c0e7351360ca20fba6c28bb

    SHA1

    ba9f78a15d1f18b271a4b1d35e870e45913d3b9f

    SHA256

    df1e74e2bcacc21963e3515fab402f8ff0aad97d74463bf3fcfd067d386f9499

    SHA512

    055b3732c6f705b0249c5775d96a245cc2c3937a9afc30f99b6590989d029fd3846cb5afa6d2765caf6b0ccc64d38d87e2cb114ca66c742a6d06e3ac72b63396

  • \Windows\SysWOW64\Cinafkkd.exe

    Filesize

    96KB

    MD5

    9993f3118280f3de8b4536795be82b4b

    SHA1

    b29e8a0c516b6f525eddb6025d06534357ec76d3

    SHA256

    9e16a008bd9f3595e9c8e15dd908f1fff00f36fc4b8a5dfef9343cdd93b9883f

    SHA512

    affd8ab300aba8f132975089e1e4accc2d3ff1e34ac16ff9be12e9bc8f717abe96625a9c59707c811b91f17d9f720295b570a864b2cfeba6f1f8763e2d3ce779

  • \Windows\SysWOW64\Cmpgpond.exe

    Filesize

    96KB

    MD5

    a62e0e621333643dd15f8259b0df0721

    SHA1

    e3f4326a4cd7c93c6dd536f0231dccbce1b4ddd2

    SHA256

    ac088d5434b7a44d0e7770fe6f8c4c71f7e4bdf8866d1844927d451427a3a450

    SHA512

    cb516039ba1287b0009d62e920399b477ad269691f566f26962c14cb07bf1e6c38a89a787ecc8c77158f94009a8bbbb8e609db365f9121a421a0dfe8c5a0c5ea

  • \Windows\SysWOW64\Dpapaj32.exe

    Filesize

    96KB

    MD5

    569547ade099141eed4d8fcd94d4b185

    SHA1

    7944844bab10bbaabdb3f4b67e6bd368e4271cde

    SHA256

    6179c1433a9f971855c838ea4b37741c87faa1e8d3f402a277ddd98f9e05bada

    SHA512

    1ca49f5879f198dc39ef78ea2ce36a77a5e01819cfbadcce53b40a4901e5d11335867f32200c5a30ed334088854731d2a95bbeaae5dca5f359e9c10d8ecd9175

  • memory/524-13-0x00000000003C0000-0x00000000003F3000-memory.dmp

    Filesize

    204KB

  • memory/524-12-0x00000000003C0000-0x00000000003F3000-memory.dmp

    Filesize

    204KB

  • memory/524-120-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

  • memory/524-0-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

  • memory/2448-33-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

  • memory/2468-63-0x0000000000280000-0x00000000002B3000-memory.dmp

    Filesize

    204KB

  • memory/2468-127-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

  • memory/2552-119-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

  • memory/2552-32-0x0000000000230000-0x0000000000263000-memory.dmp

    Filesize

    204KB

  • memory/2552-14-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

  • memory/2576-94-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

  • memory/2576-124-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

  • memory/2576-103-0x00000000001B0000-0x00000000001E3000-memory.dmp

    Filesize

    204KB

  • memory/2648-76-0x00000000005D0000-0x0000000000603000-memory.dmp

    Filesize

    204KB

  • memory/2648-129-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

  • memory/2684-123-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

  • memory/2844-109-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

  • memory/2844-121-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

  • memory/2904-41-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

  • memory/2904-49-0x0000000000220000-0x0000000000253000-memory.dmp

    Filesize

    204KB

  • memory/2904-55-0x0000000000220000-0x0000000000253000-memory.dmp

    Filesize

    204KB

  • memory/2904-131-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB
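The report gives two kinds of atomic indicator: the C2 URLs extracted from the Berbew config under Malware Config, and the hashes of the submitted sample (General) and of the eight dropped executables (Downloads). The script below is an added example, not code from tria.ge or from the sample: it turns both lists into lookups and runs them over a constructed proxy log and a constructed file inventory. The log line format (`timestamp client host path`), the inventory shape (`(path, sha256)` pairs) and the client addresses are assumptions; every URL and hash is copied from the report.

```python
# Added example for this report, not code from tria.ge or from the sample.
# Builds C2-host and SHA256 lookups from the report and applies them to
# constructed proxy-log lines and a constructed file inventory.
import hashlib
from urllib.parse import urlparse

# C2 URLs exactly as listed under Malware Config.
BERBEW_C2_URLS = [
    "http://crutop.nu/index.php", "http://crutop.ru/index.php",
    "http://mazafaka.ru/index.php", "http://color-bank.ru/index.php",
    "http://asechka.ru/index.php", "http://trojan.ru/index.php",
    "http://fuck.ru/index.php", "http://goldensand.ru/index.php",
    "http://filesearch.ru/index.php", "http://devx.nm.ru/index.php",
    "http://ros-neftbank.ru/index.php", "http://lovingod.host.sk/index.php",
    "http://www.redline.ru/index.php", "http://cvv.ru/index.php",
    "http://hackers.lv/index.php", "http://fethard.biz/index.php",
    "http://ldark.nm.ru/index.htm", "http://gaz-prom.ru/index.htm",
    "http://promo.ru/index.htm", "http://potleaf.chat.ru/index.htm",
]

# SHA256 -> name for the submitted sample (General) and the dropped files (Downloads).
KNOWN_SHA256 = {
    "f46ce4bc57b462b1eeb3398c37e63e43c5cf22150f02180a7c8d1fbf9d9e303a": "submitted sample",
    "441a595a4c602f127c221ef7566bf939886cb4b52b6d1f9912a9eabafdd1a906": "Bigkel32.exe",
    "5ec512544c7efda1001d0ca3a5766f2bc97bb521d95a730681ff30a0452f674b": "Bjbndpmd.exe",
    "f65c4482c262bc3de09c506c15ea55c99153517053712358d28a5c302d883296": "Boljgg32.exe",
    "6bb24e9be4341e75f8bdcb7d7b8bf874eb136210ad66f2d66376bafcf4092b3d": "Cbffoabe.exe",
    "df1e74e2bcacc21963e3515fab402f8ff0aad97d74463bf3fcfd067d386f9499": "Cepipm32.exe",
    "9e16a008bd9f3595e9c8e15dd908f1fff00f36fc4b8a5dfef9343cdd93b9883f": "Cinafkkd.exe",
    "ac088d5434b7a44d0e7770fe6f8c4c71f7e4bdf8866d1844927d451427a3a450": "Cmpgpond.exe",
    "6179c1433a9f971855c838ea4b37741c87faa1e8d3f402a277ddd98f9e05bada": "Dpapaj32.exe",
}


def c2_hosts(urls=BERBEW_C2_URLS):
    """Lower-cased hostnames from the C2 list, for exact-match lookups."""
    return {urlparse(u).hostname.lower() for u in urls}


def match_proxy_log(log_text, hosts=None):
    """Return (timestamp, client, host, path) for requests to a C2 host.

    Constructed log format: 'timestamp client host path', space separated.
    The hostname must match exactly: 'redline.ru.example.net' does not match
    'www.redline.ru', and a bare 'redline.ru' is not in the list either.
    """
    hosts = c2_hosts() if hosts is None else hosts
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue                      # blank or malformed line
        ts, client, host, path = fields[:4]
        if host.lower() in hosts:
            hits.append((ts, client, host.lower(), path))
    return hits


def sha256_hex(data):
    """SHA256 of a byte string as lower-case hex, the form used in the report."""
    return hashlib.sha256(data).hexdigest()


def match_inventory(inventory, known=KNOWN_SHA256):
    """inventory: iterable of (path, sha256_hex). Returns [(path, known_name)].
    Matching is on the hash alone, so a known file at an unexpected path still hits."""
    hits = []
    for path, digest in inventory:
        name = known.get(digest.lower())
        if name is not None:
            hits.append((path, name))
    return hits


# Constructed proxy log (not from the report): two C2 requests, one benign
# request, one look-alike host, and one malformed line.
SAMPLE_PROXY_LOG = """\
2025-01-17T09:51:02Z 10.0.0.7 crutop.nu /index.php
2025-01-17T09:51:03Z 10.0.0.7 www.example.com /
2025-01-17T09:51:05Z 10.0.0.9 WWW.REDLINE.RU /index.php
2025-01-17T09:51:07Z 10.0.0.9 redline.ru.example.net /index.php
malformed line
"""

# Constructed inventory (not from the report): one dropped file where the
# report put it, one clean file, and one known hash at an unrelated path.
SAMPLE_INVENTORY = [
    (r"C:\Windows\SysWOW64\Boljgg32.exe",
     "f65c4482c262bc3de09c506c15ea55c99153517053712358d28a5c302d883296"),
    (r"C:\Windows\System32\notepad.exe", "0" * 64),
    (r"C:\Users\Admin\Downloads\update.exe",
     "6179C1433A9F971855C838EA4B37741C87FAA1E8D3F402A277DDD98F9E05BADA"),
]

if __name__ == "__main__":
    print(match_proxy_log(SAMPLE_PROXY_LOG))
    print(match_inventory(SAMPLE_INVENTORY))
```

Two caveats a practitioner should keep in mind. Every dropped file in this run is 96KB, the same size as the sample, yet each has a different MD5/SHA1/SHA256, so the hash list covers only the files this run produced; a hunt that relies on it will miss the next run's drops. The C2 list, by contrast, comes from the extracted configuration rather than from this run's network activity (the sandbox recorded only 19s of network time), so a proxy hit on one of those hosts is a lead to investigate the client, not evidence that the host answered.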
