36a037b3498884e64afb32d02d475af002d8533615692b7feff555b44ade5e87

General

Target

NEAS.f3ad0e3e5979266a2bb4fc34e89b9fe0_JC.exe
Size

391KB
MD5

f3ad0e3e5979266a2bb4fc34e89b9fe0
SHA1

a7a182b982d3af2c0d733d2113395ad99d284e6d
SHA256

36a037b3498884e64afb32d02d475af002d8533615692b7feff555b44ade5e87
SHA512

776c656425649f6801333d9224d046ebdd78bc36c65b284641ef50170d7535d28e836084ff059da58cfbb2d587bab23098e337be3eda57121d2177197fd898f7
SSDEEP

12288:UveXGQrosLhT9XvEhdfJkKSkU3kHyuaRB5t6k0IJogZ+SZE:UveOsLx9XvEhdfJkKSkU3kHyuaRB5t6f

Score

10^/10

dropper persistence trojan

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gqnejaff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gqnejaff.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	NEAS.f3ad0e3e5979266a2bb4fc34e89b9fe0_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	NEAS.f3ad0e3e5979266a2bb4fc34e89b9fe0_JC.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fbfkceca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fbfkceca.exe

Malware Backdoor - Berbew 6 IoCs

Berbew is a malware infection classified as a 'backdoor' Trojan. This malicious program's primary function is to cause chain infections - it can download/install additional malware such as other Trojans, ransomware, and cryptominers.

persistence dropper trojan

resource	yara_rule
behavioral2/files/0x0006000000022ce1-6.dat	family_berbew
behavioral2/files/0x0006000000022ce1-8.dat	family_berbew
behavioral2/files/0x0006000000022ce3-16.dat	family_berbew
behavioral2/files/0x0006000000022ce3-14.dat	family_berbew
behavioral2/files/0x0006000000022ce5-22.dat	family_berbew
behavioral2/files/0x0006000000022ce5-23.dat	family_berbew

Executes dropped EXE 3 IoCs

pid	Process
768	Fbfkceca.exe
2152	Gqnejaff.exe
2376	Gbmadd32.exe

Drops file in System32 directory 9 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ckfaapfi.dll	Fbfkceca.exe
File created	C:\Windows\SysWOW64\Gbmadd32.exe	Gqnejaff.exe
File opened for modification	C:\Windows\SysWOW64\Gbmadd32.exe	Gqnejaff.exe
File created	C:\Windows\SysWOW64\Hjmgbm32.dll	Gqnejaff.exe
File opened for modification	C:\Windows\SysWOW64\Gqnejaff.exe	Fbfkceca.exe
File opened for modification	C:\Windows\SysWOW64\Fbfkceca.exe	NEAS.f3ad0e3e5979266a2bb4fc34e89b9fe0_JC.exe
File created	C:\Windows\SysWOW64\Fpiedd32.dll	NEAS.f3ad0e3e5979266a2bb4fc34e89b9fe0_JC.exe
File created	C:\Windows\SysWOW64\Gqnejaff.exe	Fbfkceca.exe
File created	C:\Windows\SysWOW64\Fbfkceca.exe	NEAS.f3ad0e3e5979266a2bb4fc34e89b9fe0_JC.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3148	2376	WerFault.exe	85

Modifies registry class 12 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Gqnejaff.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	NEAS.f3ad0e3e5979266a2bb4fc34e89b9fe0_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	NEAS.f3ad0e3e5979266a2bb4fc34e89b9fe0_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpiedd32.dll"	NEAS.f3ad0e3e5979266a2bb4fc34e89b9fe0_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	NEAS.f3ad0e3e5979266a2bb4fc34e89b9fe0_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckfaapfi.dll"	Fbfkceca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Fbfkceca.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Gqnejaff.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	NEAS.f3ad0e3e5979266a2bb4fc34e89b9fe0_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	NEAS.f3ad0e3e5979266a2bb4fc34e89b9fe0_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Fbfkceca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjmgbm32.dll"	Gqnejaff.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4696 wrote to memory of 768	4696	NEAS.f3ad0e3e5979266a2bb4fc34e89b9fe0_JC.exe	83
PID 4696 wrote to memory of 768	4696	NEAS.f3ad0e3e5979266a2bb4fc34e89b9fe0_JC.exe	83
PID 4696 wrote to memory of 768	4696	NEAS.f3ad0e3e5979266a2bb4fc34e89b9fe0_JC.exe	83
PID 768 wrote to memory of 2152	768	Fbfkceca.exe	84
PID 768 wrote to memory of 2152	768	Fbfkceca.exe	84
PID 768 wrote to memory of 2152	768	Fbfkceca.exe	84
PID 2152 wrote to memory of 2376	2152	Gqnejaff.exe	85
PID 2152 wrote to memory of 2376	2152	Gqnejaff.exe	85
PID 2152 wrote to memory of 2376	2152	Gqnejaff.exe	85

C:\Users\Admin\AppData\Local\Temp\NEAS.f3ad0e3e5979266a2bb4fc34e89b9fe0_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.f3ad0e3e5979266a2bb4fc34e89b9fe0_JC.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4696
- C:\Windows\SysWOW64\Fbfkceca.exe
  C:\Windows\system32\Fbfkceca.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:768
- - C:\Windows\SysWOW64\Gqnejaff.exe
    C:\Windows\system32\Gqnejaff.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2152
  - - C:\Windows\SysWOW64\Gbmadd32.exe
      C:\Windows\system32\Gbmadd32.exe
      4⤵
      Executes dropped EXE
      PID:2376
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2376 -s 224
        5⤵
        Program crash
        
        PID:3148

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 2376 -ip 2376
1⤵
PID:2280

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Fbfkceca.exe

Filesize
391KB

MD5
eb6d8f3617d5ad758d3e0da32ae1be23

SHA1
cd2433274725709f21c51129679c885733709400

SHA256
4ca9fb67121b75d7baad965a5a7551c0d631abeca760d52d0a032a5f906496f6

SHA512
0d852300a8df2eb1a52594c3b1ff031720a716841830385cac0480c71e64741268affc6085dd92a504a597934e068a915c03db7969fa4fa5b646d6dcfcb1ac00

Download Submit
C:\Windows\SysWOW64\Fbfkceca.exe

Filesize
391KB

MD5
eb6d8f3617d5ad758d3e0da32ae1be23

SHA1
cd2433274725709f21c51129679c885733709400

SHA256
4ca9fb67121b75d7baad965a5a7551c0d631abeca760d52d0a032a5f906496f6

SHA512
0d852300a8df2eb1a52594c3b1ff031720a716841830385cac0480c71e64741268affc6085dd92a504a597934e068a915c03db7969fa4fa5b646d6dcfcb1ac00

Download Submit
C:\Windows\SysWOW64\Gbmadd32.exe

Filesize
391KB

MD5
83d6cdce0ee693b04b274e43a48d61ed

SHA1
11df317b71f634ebc6ab78edfe33b0a8169bdadd

SHA256
0b90af31f51f7dca8ca0406632c43c080a0f218d54e97449cf584b1255914046

SHA512
fd90a097ea5ee403018b6caf1da5a3309354251a831ba29926fb3a3ebe4eaaab85dd7fe948575b2c390f415951188daa54de04ee55b64e29b108eca7f9628300

Download Submit
C:\Windows\SysWOW64\Gbmadd32.exe

Filesize
391KB

MD5
83d6cdce0ee693b04b274e43a48d61ed

SHA1
11df317b71f634ebc6ab78edfe33b0a8169bdadd

SHA256
0b90af31f51f7dca8ca0406632c43c080a0f218d54e97449cf584b1255914046

SHA512
fd90a097ea5ee403018b6caf1da5a3309354251a831ba29926fb3a3ebe4eaaab85dd7fe948575b2c390f415951188daa54de04ee55b64e29b108eca7f9628300

Download Submit
C:\Windows\SysWOW64\Gqnejaff.exe

Filesize
391KB

MD5
832342282af2109804413c2088f3c9a7

SHA1
2223ec53623b362c7f83901d7c8b0402416057d7

SHA256
0b162dc47c410b3c17dc74482faf89c2746953a06dd3cfce09329f8a019cbcaa

SHA512
8b49dde3e1fa1e2d249aa57b480ebff15586e5e26ff310f760cb2a3e0530aa37d764ca8a647b31167e5e4614b3898dfe0e6c0ce59d0e123be3e0eb1f3b583494

Download Submit
C:\Windows\SysWOW64\Gqnejaff.exe

Filesize
391KB

MD5
832342282af2109804413c2088f3c9a7

SHA1
2223ec53623b362c7f83901d7c8b0402416057d7

SHA256
0b162dc47c410b3c17dc74482faf89c2746953a06dd3cfce09329f8a019cbcaa

SHA512
8b49dde3e1fa1e2d249aa57b480ebff15586e5e26ff310f760cb2a3e0530aa37d764ca8a647b31167e5e4614b3898dfe0e6c0ce59d0e123be3e0eb1f3b583494

Download Submit
memory/768-7-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/768-27-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2152-15-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2152-26-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2376-24-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2376-25-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4696-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4696-28-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads