Analysis
- max time kernel: 123s
- max time network: 128s
- platform: windows10-2004_x64
- resource: win10v2004-20231023-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 24/10/2023, 02:07
Behavioral task behavioral1
- Sample: NEAS.f3ad0e3e5979266a2bb4fc34e89b9fe0_JC.exe
- Resource: win7-20231020-en
Behavioral task behavioral2
- Sample: NEAS.f3ad0e3e5979266a2bb4fc34e89b9fe0_JC.exe
- Resource: win10v2004-20231023-en
General
- Target: NEAS.f3ad0e3e5979266a2bb4fc34e89b9fe0_JC.exe
- Size: 391KB
- MD5: f3ad0e3e5979266a2bb4fc34e89b9fe0
- SHA1: a7a182b982d3af2c0d733d2113395ad99d284e6d
- SHA256: 36a037b3498884e64afb32d02d475af002d8533615692b7feff555b44ade5e87
- SHA512: 776c656425649f6801333d9224d046ebdd78bc36c65b284641ef50170d7535d28e836084ff059da58cfbb2d587bab23098e337be3eda57121d2177197fd898f7
- SSDEEP: 12288:UveXGQrosLhT9XvEhdfJkKSkU3kHyuaRB5t6k0IJogZ+SZE:UveOsLx9XvEhdfJkKSkU3kHyuaRB5t6f
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 6 IoCs)

| description | ioc | Process |
|---|---|---|
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gqnejaff.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Gqnejaff.exe |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | NEAS.f3ad0e3e5979266a2bb4fc34e89b9fe0_JC.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | NEAS.f3ad0e3e5979266a2bb4fc34e89b9fe0_JC.exe |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fbfkceca.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Fbfkceca.exe |
Malware Backdoor: Berbew (6 IoCs)

Berbew is a malware infection classified as a 'backdoor' Trojan. This malicious program's primary function is to cause chain infections - it can download/install additional malware such as other Trojans, ransomware, and cryptominers.

| resource | yara_rule |
|---|---|
| behavioral2/files/0x0006000000022ce1-6.dat | family_berbew |
| behavioral2/files/0x0006000000022ce1-8.dat | family_berbew |
| behavioral2/files/0x0006000000022ce3-16.dat | family_berbew |
| behavioral2/files/0x0006000000022ce3-14.dat | family_berbew |
| behavioral2/files/0x0006000000022ce5-22.dat | family_berbew |
| behavioral2/files/0x0006000000022ce5-23.dat | family_berbew |
Executes dropped EXE (3 IoCs)

| pid | Process |
|---|---|
| 768 | Fbfkceca.exe |
| 2152 | Gqnejaff.exe |
| 2376 | Gbmadd32.exe |
Drops file in System32 directory (9 IoCs)

| description | ioc | Process |
|---|---|---|
| File created | C:\Windows\SysWOW64\Ckfaapfi.dll | Fbfkceca.exe |
| File created | C:\Windows\SysWOW64\Gbmadd32.exe | Gqnejaff.exe |
| File opened for modification | C:\Windows\SysWOW64\Gbmadd32.exe | Gqnejaff.exe |
| File created | C:\Windows\SysWOW64\Hjmgbm32.dll | Gqnejaff.exe |
| File opened for modification | C:\Windows\SysWOW64\Gqnejaff.exe | Fbfkceca.exe |
| File opened for modification | C:\Windows\SysWOW64\Fbfkceca.exe | NEAS.f3ad0e3e5979266a2bb4fc34e89b9fe0_JC.exe |
| File created | C:\Windows\SysWOW64\Fpiedd32.dll | NEAS.f3ad0e3e5979266a2bb4fc34e89b9fe0_JC.exe |
| File created | C:\Windows\SysWOW64\Gqnejaff.exe | Fbfkceca.exe |
| File created | C:\Windows\SysWOW64\Fbfkceca.exe | NEAS.f3ad0e3e5979266a2bb4fc34e89b9fe0_JC.exe |
Program crash (1 IoC)

| pid | pid_target | Process | procid_target |
|---|---|---|---|
| 3148 | 2376 | WerFault.exe | 85 |
Modifies registry class (12 IoCs)

| description | ioc | Process |
|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Gqnejaff.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | NEAS.f3ad0e3e5979266a2bb4fc34e89b9fe0_JC.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node | NEAS.f3ad0e3e5979266a2bb4fc34e89b9fe0_JC.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpiedd32.dll" | NEAS.f3ad0e3e5979266a2bb4fc34e89b9fe0_JC.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | NEAS.f3ad0e3e5979266a2bb4fc34e89b9fe0_JC.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckfaapfi.dll" | Fbfkceca.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Fbfkceca.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Gqnejaff.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID | NEAS.f3ad0e3e5979266a2bb4fc34e89b9fe0_JC.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831} | NEAS.f3ad0e3e5979266a2bb4fc34e89b9fe0_JC.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Fbfkceca.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjmgbm32.dll" | Gqnejaff.exe |
Suspicious use of WriteProcessMemory (9 IoCs)

| description | pid | Process | procid_target |
|---|---|---|---|
| PID 4696 wrote to memory of 768 | 4696 | NEAS.f3ad0e3e5979266a2bb4fc34e89b9fe0_JC.exe | 83 |
| PID 4696 wrote to memory of 768 | 4696 | NEAS.f3ad0e3e5979266a2bb4fc34e89b9fe0_JC.exe | 83 |
| PID 4696 wrote to memory of 768 | 4696 | NEAS.f3ad0e3e5979266a2bb4fc34e89b9fe0_JC.exe | 83 |
| PID 768 wrote to memory of 2152 | 768 | Fbfkceca.exe | 84 |
| PID 768 wrote to memory of 2152 | 768 | Fbfkceca.exe | 84 |
| PID 768 wrote to memory of 2152 | 768 | Fbfkceca.exe | 84 |
| PID 2152 wrote to memory of 2376 | 2152 | Gqnejaff.exe | 85 |
| PID 2152 wrote to memory of 2376 | 2152 | Gqnejaff.exe | 85 |
| PID 2152 wrote to memory of 2376 | 2152 | Gqnejaff.exe | 85 |
Processes
- C:\Users\Admin\AppData\Local\Temp\NEAS.f3ad0e3e5979266a2bb4fc34e89b9fe0_JC.exe (PID 4696)
  Command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.f3ad0e3e5979266a2bb4fc34e89b9fe0_JC.exe"
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  - Child: C:\Windows\SysWOW64\Fbfkceca.exe (PID 768)
    Command line: C:\Windows\system32\Fbfkceca.exe
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    - Child: C:\Windows\SysWOW64\Gqnejaff.exe (PID 2152)
      Command line: C:\Windows\system32\Gqnejaff.exe
      - Adds autorun key to be loaded by Explorer.exe on startup
      - Executes dropped EXE
      - Drops file in System32 directory
      - Modifies registry class
      - Suspicious use of WriteProcessMemory
      - Child: C:\Windows\SysWOW64\Gbmadd32.exe (PID 2376)
        Command line: C:\Windows\system32\Gbmadd32.exe
        - Executes dropped EXE
        - Child: C:\Windows\SysWOW64\WerFault.exe (PID 3148)
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2376 -s 224
          - Program crash
- C:\Windows\SysWOW64\WerFault.exe (PID 2280)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 2376 -ip 2376
Network
MITRE ATT&CK Enterprise v15
Downloads