berbew | 46e368c82770ea1c01d2a4817d264134f64d348dc777bbb33cb36f41208246f2

General

Target

46e368c82770ea1c01d2a4817d264134f64d348dc777bbb33cb36f41208246f2.exe
Size

64KB
MD5

aaa4f437c6368827a915650a2e9c7787
SHA1

373d207859275b49733de9032b6ede0e7a41ebcf
SHA256

46e368c82770ea1c01d2a4817d264134f64d348dc777bbb33cb36f41208246f2
SHA512

b7dd5cbd8d373496fdac81d92bd0365876386becaf1a0e1fd8303917473571c3c36696f30ae248742aca7edf67df51f3f7512ae88cb8e6004d0433583f95404a
SSDEEP

1536:ZiI+u7Gh4LHcG1jrfVwm7/PkpaSftWy2rPFW2iwTbW:ZiIk4L8GTwmIpawtXiFW2VTbW

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

C2

http://tat-neftbank.ru/kkq.php

http://tat-neftbank.ru/wcmd.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bejdiffp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfkpqn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfkpqn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chkmkacq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chkmkacq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	46e368c82770ea1c01d2a4817d264134f64d348dc777bbb33cb36f41208246f2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	46e368c82770ea1c01d2a4817d264134f64d348dc777bbb33cb36f41208246f2.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bejdiffp.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 4 IoCs

pid	Process
2808	Bejdiffp.exe
2696	Bfkpqn32.exe
2716	Chkmkacq.exe
2732	Cacacg32.exe

Loads dropped DLL 12 IoCs

pid	Process
2908	46e368c82770ea1c01d2a4817d264134f64d348dc777bbb33cb36f41208246f2.exe
2908	46e368c82770ea1c01d2a4817d264134f64d348dc777bbb33cb36f41208246f2.exe
2808	Bejdiffp.exe
2808	Bejdiffp.exe
2696	Bfkpqn32.exe
2696	Bfkpqn32.exe
2716	Chkmkacq.exe
2716	Chkmkacq.exe
2196	WerFault.exe
2196	WerFault.exe
2196	WerFault.exe
2196	WerFault.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Pkfaka32.dll	Bejdiffp.exe
File created	C:\Windows\SysWOW64\Chkmkacq.exe	Bfkpqn32.exe
File created	C:\Windows\SysWOW64\Cacacg32.exe	Chkmkacq.exe
File opened for modification	C:\Windows\SysWOW64\Cacacg32.exe	Chkmkacq.exe
File created	C:\Windows\SysWOW64\Fdlpjk32.dll	Chkmkacq.exe
File created	C:\Windows\SysWOW64\Bejdiffp.exe	46e368c82770ea1c01d2a4817d264134f64d348dc777bbb33cb36f41208246f2.exe
File opened for modification	C:\Windows\SysWOW64\Bejdiffp.exe	46e368c82770ea1c01d2a4817d264134f64d348dc777bbb33cb36f41208246f2.exe
File created	C:\Windows\SysWOW64\Nmmfff32.dll	46e368c82770ea1c01d2a4817d264134f64d348dc777bbb33cb36f41208246f2.exe
File opened for modification	C:\Windows\SysWOW64\Chkmkacq.exe	Bfkpqn32.exe
File created	C:\Windows\SysWOW64\Kgfkcnlb.dll	Bfkpqn32.exe
File created	C:\Windows\SysWOW64\Bfkpqn32.exe	Bejdiffp.exe
File opened for modification	C:\Windows\SysWOW64\Bfkpqn32.exe	Bejdiffp.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2196	2732	WerFault.exe	33

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	46e368c82770ea1c01d2a4817d264134f64d348dc777bbb33cb36f41208246f2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bejdiffp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfkpqn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chkmkacq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cacacg32.exe

Modifies registry class 15 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	46e368c82770ea1c01d2a4817d264134f64d348dc777bbb33cb36f41208246f2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	46e368c82770ea1c01d2a4817d264134f64d348dc777bbb33cb36f41208246f2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bejdiffp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	46e368c82770ea1c01d2a4817d264134f64d348dc777bbb33cb36f41208246f2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bejdiffp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	46e368c82770ea1c01d2a4817d264134f64d348dc777bbb33cb36f41208246f2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	46e368c82770ea1c01d2a4817d264134f64d348dc777bbb33cb36f41208246f2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfkpqn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgfkcnlb.dll"	Bfkpqn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfkpqn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chkmkacq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chkmkacq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmmfff32.dll"	46e368c82770ea1c01d2a4817d264134f64d348dc777bbb33cb36f41208246f2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkfaka32.dll"	Bejdiffp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdlpjk32.dll"	Chkmkacq.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2908 wrote to memory of 2808	2908	46e368c82770ea1c01d2a4817d264134f64d348dc777bbb33cb36f41208246f2.exe	30
PID 2908 wrote to memory of 2808	2908	46e368c82770ea1c01d2a4817d264134f64d348dc777bbb33cb36f41208246f2.exe	30
PID 2908 wrote to memory of 2808	2908	46e368c82770ea1c01d2a4817d264134f64d348dc777bbb33cb36f41208246f2.exe	30
PID 2908 wrote to memory of 2808	2908	46e368c82770ea1c01d2a4817d264134f64d348dc777bbb33cb36f41208246f2.exe	30
PID 2808 wrote to memory of 2696	2808	Bejdiffp.exe	31
PID 2808 wrote to memory of 2696	2808	Bejdiffp.exe	31
PID 2808 wrote to memory of 2696	2808	Bejdiffp.exe	31
PID 2808 wrote to memory of 2696	2808	Bejdiffp.exe	31
PID 2696 wrote to memory of 2716	2696	Bfkpqn32.exe	32
PID 2696 wrote to memory of 2716	2696	Bfkpqn32.exe	32
PID 2696 wrote to memory of 2716	2696	Bfkpqn32.exe	32
PID 2696 wrote to memory of 2716	2696	Bfkpqn32.exe	32
PID 2716 wrote to memory of 2732	2716	Chkmkacq.exe	33
PID 2716 wrote to memory of 2732	2716	Chkmkacq.exe	33
PID 2716 wrote to memory of 2732	2716	Chkmkacq.exe	33
PID 2716 wrote to memory of 2732	2716	Chkmkacq.exe	33
PID 2732 wrote to memory of 2196	2732	Cacacg32.exe	34
PID 2732 wrote to memory of 2196	2732	Cacacg32.exe	34
PID 2732 wrote to memory of 2196	2732	Cacacg32.exe	34
PID 2732 wrote to memory of 2196	2732	Cacacg32.exe	34

C:\Users\Admin\AppData\Local\Temp\46e368c82770ea1c01d2a4817d264134f64d348dc777bbb33cb36f41208246f2.exe
"C:\Users\Admin\AppData\Local\Temp\46e368c82770ea1c01d2a4817d264134f64d348dc777bbb33cb36f41208246f2.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2908
- C:\Windows\SysWOW64\Bejdiffp.exe
  C:\Windows\system32\Bejdiffp.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2808
- - C:\Windows\SysWOW64\Bfkpqn32.exe
    C:\Windows\system32\Bfkpqn32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2696
  - - C:\Windows\SysWOW64\Chkmkacq.exe
      C:\Windows\system32\Chkmkacq.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2716
    - - C:\Windows\SysWOW64\Cacacg32.exe
        
        C:\Windows\system32\Cacacg32.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2732
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2732 -s 140
        6⤵
        Loads dropped DLL
        Program crash
        
        PID:2196

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bejdiffp.exe

Filesize
64KB

MD5
956c2a0fff55b703e790a6694c486719

SHA1
0729a494f512f9061ab9e7614ac7f786e82cccb8

SHA256
7ec3babbaa32fce28598446a749c005a3cfeececaa00fc13b877c1822301a32a

SHA512
1efa37bef71c10f38956799589b1c7b453ddc3cbc6ee1a64d0cd2a5e53cb518f739b52227c6c6bdbb783306343b17e4590e9d4ab76e06d17c0e88b2ff08e1740

Download Submit
\Windows\SysWOW64\Bfkpqn32.exe

Filesize
64KB

MD5
f073ed9abe0436f7d345c116b29d3c57

SHA1
6697093ccea916c6d7f82fdd9811b69ca39bee65

SHA256
fa04f950c92633f1434a80555299cca31f19c743d78876ea25d2aa925d5e27b6

SHA512
d0daba2bedf2fe05908c5d91f95688012b0468ee712234797e915ed64bbafbae02355daa99f2e290c5ead2c95380f3cf3ca061a2ff3fd6b60fce90d69f5a960d

Download Submit
\Windows\SysWOW64\Cacacg32.exe

Filesize
64KB

MD5
d19d04e4c318f26e4df08c55d0de626d

SHA1
08c1291731abc4adb8bded7f30ecb8e19524857a

SHA256
2d4f84231a29a7a47907d0c1e436b1b378ebbcfba4803dc43010e0a8c085f0ba

SHA512
aa31cbeef170aa4f217632888ef4f3ac4b24ea5cc0f13ae4907a350d88379cf7c59cd507b1d55c679a4dd3d1ffed7dc1b4689eae4d1a84a12d20002c8de6f859

Download Submit
\Windows\SysWOW64\Chkmkacq.exe

Filesize
64KB

MD5
c646067c48c7667670b097523342aa2e

SHA1
6a77aa47978f9d78349272bd074ad07098d57dec

SHA256
d1ee0c7704bd95963093a3d385346832fb814c53e9bfe3a309d8db1e7e518cf1

SHA512
5f9c46ffa8194e601106aa888aa7a5db948608f2938f47c78256af4368c294de712847a0291970571d76fd2c172c0ac87cf733c0048a9e502487f36c820001a6

Download Submit
memory/2696-34-0x0000000000250000-0x000000000028B000-memory.dmp

Filesize
236KB

Download
memory/2696-62-0x0000000000250000-0x000000000028B000-memory.dmp

Filesize
236KB

Download
memory/2696-27-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2696-61-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2716-43-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2716-63-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2732-64-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2732-54-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2808-25-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2908-17-0x0000000000270000-0x00000000002AB000-memory.dmp

Filesize
236KB

Download
memory/2908-60-0x0000000000270000-0x00000000002AB000-memory.dmp

Filesize
236KB

Download
memory/2908-59-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2908-0-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2908-18-0x0000000000270000-0x00000000002AB000-memory.dmp

Filesize
236KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads