Analysis
max time kernel: 149s
max time network: 154s
platform: windows7_x64
resource: win7-20231020-en
resource tags: arch:x64, arch:x86, image:win7-20231020-en, locale:en-us, os:windows7-x64, system
submitted: 25-10-2023 21:26
Behavioral task: behavioral1
Sample: NEAS.e872eebe730aed4990806f41ec939540.exe
Resource: win7-20231020-en

Behavioral task: behavioral2
Sample: NEAS.e872eebe730aed4990806f41ec939540.exe
Resource: win10v2004-20231023-en
General
Target: NEAS.e872eebe730aed4990806f41ec939540.exe
Size: 258KB
MD5: e872eebe730aed4990806f41ec939540
SHA1: 55df6987e6b9d010430b483d943786ffe342c284
SHA256: 80ead4c740dedd840224a6daf53eaf88f8bb1c05bbd666f13d878785290fafc6
SHA512: 47d0dd1816f49079b821f57b250341bfc2375faba262162a41b81794b01b99873dade548daa89a743dfb7e0957789624b373c1557853f1b45c8bf32aa16c2360
SSDEEP: 3072:Uatm4hoyngIVmp4RLicH0Xd6GqUB6Cbet8sqHtW4VEHYpQHjPGDS1DM56:HyIC4EX6C0qHY8EHlS
Malware Config
Signatures
Malware Backdoor - Berbew 2 IoCs
Berbew is a malware infection classified as a 'backdoor' Trojan. This malicious program's primary function is to cause chain infections: it can download and install additional malware such as other Trojans, ransomware, and cryptominers.
resource                                                                     yara_rule
behavioral1/memory/1928-0-0x0000000000400000-0x0000000000440000-memory.dmp   family_berbew
behavioral1/memory/1928-1-0x0000000000400000-0x0000000000440000-memory.dmp   family_berbew
Adds Run key to start application 2 TTPs 1 IoCs
description       ioc                                                                                                                                                                Process
Set value (str)   \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Windows\CurrentVersion\Run\651B9928 = "C:\\Users\\Admin\\AppData\\Roaming\\651B9928\\bin.exe"   winver.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid    Process
2848   winver.exe   (this entry is repeated 64 times, one per IoC)
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid    Process
1268   Explorer.EXE
Suspicious use of FindShellTrayWindow 1 IoCs
pid    Process
2848   winver.exe
Suspicious use of UnmapMainImage 1 IoCs
pid    Process
1268   Explorer.EXE
Suspicious use of WriteProcessMemory 9 IoCs
description                        pid    Process                                      procid_target
PID 1928 wrote to memory of 2848   1928   NEAS.e872eebe730aed4990806f41ec939540.exe    28
PID 1928 wrote to memory of 2848   1928   NEAS.e872eebe730aed4990806f41ec939540.exe    28
PID 1928 wrote to memory of 2848   1928   NEAS.e872eebe730aed4990806f41ec939540.exe    28
PID 1928 wrote to memory of 2848   1928   NEAS.e872eebe730aed4990806f41ec939540.exe    28
PID 1928 wrote to memory of 2848   1928   NEAS.e872eebe730aed4990806f41ec939540.exe    28
PID 2848 wrote to memory of 1268   2848   winver.exe                                   10
PID 2848 wrote to memory of 1120   2848   winver.exe                                   4
PID 2848 wrote to memory of 1180   2848   winver.exe                                   11
PID 2848 wrote to memory of 1268   2848   winver.exe                                   10
Processes (process tree; depth level shown in brackets)

[1] C:\Windows\system32\taskhost.exe   command line: "taskhost.exe"   PID:1120

[1] C:\Windows\Explorer.EXE   command line: C:\Windows\Explorer.EXE   PID:1268
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of UnmapMainImage

    [2] C:\Users\Admin\AppData\Local\Temp\NEAS.e872eebe730aed4990806f41ec939540.exe   command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.e872eebe730aed4990806f41ec939540.exe"   PID:1928
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\winver.exe   command line: winver   PID:2848
            - Adds Run key to start application
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of WriteProcessMemory

[1] C:\Windows\system32\Dwm.exe   command line: "C:\Windows\system32\Dwm.exe"   PID:1180