Analysis
- max time kernel: 150s
- max time network: 157s
- platform: windows10-2004_x64
- resource: win10v2004-20231023-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25-10-2023 21:26
Behavioral task behavioral1
- Sample: NEAS.e872eebe730aed4990806f41ec939540.exe
- Resource: win7-20231020-en
Behavioral task behavioral2
- Sample: NEAS.e872eebe730aed4990806f41ec939540.exe
- Resource: win10v2004-20231023-en
General
- Target: NEAS.e872eebe730aed4990806f41ec939540.exe
- Size: 258KB
- MD5: e872eebe730aed4990806f41ec939540
- SHA1: 55df6987e6b9d010430b483d943786ffe342c284
- SHA256: 80ead4c740dedd840224a6daf53eaf88f8bb1c05bbd666f13d878785290fafc6
- SHA512: 47d0dd1816f49079b821f57b250341bfc2375faba262162a41b81794b01b99873dade548daa89a743dfb7e0957789624b373c1557853f1b45c8bf32aa16c2360
- SSDEEP: 3072:Uatm4hoyngIVmp4RLicH0Xd6GqUB6Cbet8sqHtW4VEHYpQHjPGDS1DM56:HyIC4EX6C0qHY8EHlS
Malware Config
Signatures
- Malware Backdoor - Berbew (3 IoCs)
  Berbew is a malware infection classified as a 'backdoor' Trojan. This malicious program's primary function is to cause chain infections - it can download/install additional malware such as other Trojans, ransomware, and cryptominers.
  resource / yara_rule:
  - behavioral2/memory/4800-0-0x0000000000400000-0x0000000000440000-memory.dmp: family_berbew
  - behavioral2/memory/4800-1-0x0000000000400000-0x0000000000440000-memory.dmp: family_berbew
  - behavioral2/memory/4800-2-0x0000000000400000-0x0000000000440000-memory.dmp: family_berbew
- Adds Run key to start application (2 TTPs, 1 IoC)
  description / ioc / process:
  - Set value (str): \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CDF3DC72 = "C:\\Users\\Admin\\AppData\\Roaming\\CDF3DC72\\bin.exe" (process: winver.exe)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid / process:
  - 3396 winver.exe (the same entry is recorded 64 times)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid / process:
  - 3132 Explorer.EXE
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description / pid / process:
  - Token: SeShutdownPrivilege, 3132 Explorer.EXE
  - Token: SeCreatePagefilePrivilege, 3132 Explorer.EXE
- Suspicious use of FindShellTrayWindow (1 IoC)
  pid / process:
  - 3396 winver.exe
- Suspicious use of UnmapMainImage (3 IoCs)
  pid / process:
  - 5072 RuntimeBroker.exe
  - 4864 RuntimeBroker.exe
  - 3132 Explorer.EXE
- Suspicious use of WriteProcessMemory (25 IoCs)
  description / pid / process / procid_target:
  - PID 4800 wrote to memory of 3396, NEAS.e872eebe730aed4990806f41ec939540.exe, 89
  - PID 4800 wrote to memory of 3396, NEAS.e872eebe730aed4990806f41ec939540.exe, 89
  - PID 4800 wrote to memory of 3396, NEAS.e872eebe730aed4990806f41ec939540.exe, 89
  - PID 4800 wrote to memory of 3396, NEAS.e872eebe730aed4990806f41ec939540.exe, 89
  - PID 3396 wrote to memory of 3132, winver.exe, 25
  - PID 3396 wrote to memory of 2320, winver.exe, 64
  - PID 3396 wrote to memory of 2332, winver.exe, 63
  - PID 3396 wrote to memory of 2456, winver.exe, 19
  - PID 3396 wrote to memory of 3132, winver.exe, 25
  - PID 3396 wrote to memory of 3428, winver.exe, 21
  - PID 3396 wrote to memory of 3664, winver.exe, 24
  - PID 3396 wrote to memory of 3756, winver.exe, 23
  - PID 3396 wrote to memory of 3868, winver.exe, 22
  - PID 3396 wrote to memory of 4044, winver.exe, 59
  - PID 3396 wrote to memory of 3908, winver.exe, 58
  - PID 3396 wrote to memory of 448, winver.exe, 56
  - PID 3396 wrote to memory of 4796, winver.exe, 47
  - PID 3396 wrote to memory of 5072, winver.exe, 35
  - PID 3396 wrote to memory of 4864, winver.exe, 44
  - PID 3396 wrote to memory of 1812, winver.exe, 36
  - PID 3396 wrote to memory of 1744, winver.exe, 40
  - PID 3396 wrote to memory of 1800, winver.exe, 39
  - PID 3396 wrote to memory of 1328, winver.exe, 90
  - PID 3396 wrote to memory of 2596, winver.exe, 93
  - PID 3396 wrote to memory of 1012, winver.exe, 96
Processes
- C:\Windows\system32\taskhostw.exe
  command line: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  PID: 2456
- C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
  PID: 3428
- C:\Windows\System32\RuntimeBroker.exe
  command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID: 3868
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
  command line: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
  PID: 3756
- C:\Windows\system32\DllHost.exe
  command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  PID: 3664
  - C:\Windows\system32\WerFault.exe
    command line: C:\Windows\system32\WerFault.exe -u -p 3664 -s 1000
    PID: 2596
- C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  PID: 3132
  signatures: Suspicious behavior: GetForegroundWindowSpam; Suspicious use of AdjustPrivilegeToken; Suspicious use of UnmapMainImage
  - C:\Users\Admin\AppData\Local\Temp\NEAS.e872eebe730aed4990806f41ec939540.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.e872eebe730aed4990806f41ec939540.exe"
    PID: 4800
    signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\winver.exe
      command line: winver
      PID: 3396
      signatures: Adds Run key to start application; Suspicious behavior: EnumeratesProcesses; Suspicious use of FindShellTrayWindow; Suspicious use of WriteProcessMemory
- C:\Windows\System32\RuntimeBroker.exe
  command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID: 5072
  signatures: Suspicious use of UnmapMainImage
- C:\Windows\system32\backgroundTaskHost.exe
  command line: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppX53ypgrj20bgndg05hj3tc7z654myszwp.mca
  PID: 1812
- C:\Windows\system32\backgroundTaskHost.exe
  command line: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  PID: 1800
- C:\Windows\system32\backgroundTaskHost.exe
  command line: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
  PID: 1744
- C:\Windows\System32\RuntimeBroker.exe
  command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID: 4864
  signatures: Suspicious use of UnmapMainImage
- C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
  command line: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
  PID: 4796
- C:\Windows\System32\RuntimeBroker.exe
  command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID: 448
- C:\Windows\System32\RuntimeBroker.exe
  command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID: 3908
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
  command line: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
  PID: 4044
- C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
  PID: 2332
- C:\Windows\system32\sihost.exe
  command line: sihost.exe
  PID: 2320
- C:\Windows\System32\wuapihost.exe
  command line: C:\Windows\System32\wuapihost.exe -Embedding
  PID: 1328
- C:\Windows\system32\backgroundTaskHost.exe
  command line: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  PID: 1012