2fed08282ba14e8a1c1d1162be7babef35710926516b48435fa7bb37412a2b03

Analysis

max time kernel
120s
max time network
123s
platform
windows7_x64
resource
win7-20231025-en
resource tags

arch:x64arch:x86image:win7-20231025-enlocale:en-usos:windows7-x64system
submitted
28-10-2023 20:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.d208a6eb6ddf3f3e78547dd6a3ea3e30.exe
Size

896KB
MD5

d208a6eb6ddf3f3e78547dd6a3ea3e30
SHA1

7449ac20c466dfa6220945d071e77f72663fe189
SHA256

2fed08282ba14e8a1c1d1162be7babef35710926516b48435fa7bb37412a2b03
SHA512

f1b318e84f5b5966efa97fdda4168176d49f19f7f17b05de403b3b4a77c264ed64eab98c9e19ba2c8925561a63ed8beec9af7a0012c327a0687be29d22a340f9
SSDEEP

24576:uaOiQScChlRnlNozcaBmEIp9pjsDyLZmN1VUZmSo2aI7:uaOiQWlRnlM19Iv2DeZmXiZmSonI7

Score

10^/10

dropper persistence trojan

Malware Config

Signatures

Malware Backdoor - Berbew 2 IoCs

Berbew is a malware infection classified as a 'backdoor' Trojan. This malicious program's primary function is to cause chain infections - it can download/install additional malware such as other Trojans, ransomware, and cryptominers.

persistence dropper trojan

resource	yara_rule
behavioral1/files/0x0009000000012024-4.dat	family_berbew
behavioral1/files/0x0009000000012024-1.dat	family_berbew

Deletes itself 1 IoCs

pid	Process
2276	4366.tmp

Executes dropped EXE 1 IoCs

pid	Process
2276	4366.tmp

Loads dropped DLL 1 IoCs

pid	Process
1620	NEAS.d208a6eb6ddf3f3e78547dd6a3ea3e30.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1620 wrote to memory of 2276	1620	NEAS.d208a6eb6ddf3f3e78547dd6a3ea3e30.exe	28
PID 1620 wrote to memory of 2276	1620	NEAS.d208a6eb6ddf3f3e78547dd6a3ea3e30.exe	28
PID 1620 wrote to memory of 2276	1620	NEAS.d208a6eb6ddf3f3e78547dd6a3ea3e30.exe	28
PID 1620 wrote to memory of 2276	1620	NEAS.d208a6eb6ddf3f3e78547dd6a3ea3e30.exe	28

C:\Users\Admin\AppData\Local\Temp\NEAS.d208a6eb6ddf3f3e78547dd6a3ea3e30.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.d208a6eb6ddf3f3e78547dd6a3ea3e30.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1620
- C:\Users\Admin\AppData\Local\Temp\4366.tmp
  "C:\Users\Admin\AppData\Local\Temp\4366.tmp"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:2276

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4366.tmp

Filesize
896KB

MD5
656ac52a28a092b6daeae0f8c8f81f3e

SHA1
af82e57f0f2abc45595b9239ada420814c8bfd0e

SHA256
9ba3d48491f45680ed89dea1d7ba5657a9db52ecc40cf06c5ed1ea6c977071a4

SHA512
ec5b0006f9e522302f8bffd9ff95177b7c5bd6319c976ab5f6abac6ca714c5e1fd95a868de84886530dd2f52df9dce853ff37a1b6adb3de672c7e4db2d630434

Download Submit
\Users\Admin\AppData\Local\Temp\4366.tmp

Filesize
896KB

MD5
656ac52a28a092b6daeae0f8c8f81f3e

SHA1
af82e57f0f2abc45595b9239ada420814c8bfd0e

SHA256
9ba3d48491f45680ed89dea1d7ba5657a9db52ecc40cf06c5ed1ea6c977071a4

SHA512
ec5b0006f9e522302f8bffd9ff95177b7c5bd6319c976ab5f6abac6ca714c5e1fd95a868de84886530dd2f52df9dce853ff37a1b6adb3de672c7e4db2d630434

Download Submit