0b3758cc0044e34865446d1eab0b8a00a37a7d16949b16a2630bab01fc77eb82

General

Target

NEAS.c4f3326abeeb4219a8b517153f0ccde0.exe
Size

236KB
MD5

c4f3326abeeb4219a8b517153f0ccde0
SHA1

c86f35db61b9b5423799dd98753c86bd6709700c
SHA256

0b3758cc0044e34865446d1eab0b8a00a37a7d16949b16a2630bab01fc77eb82
SHA512

516c872ce32b16065c0d6351a7cd07f58280645ebb11b368bfdec4f0641cead07c9a9b29cc6a86bbf010ec0c79b19e7344fd6eca5d3ae931f0828f099b515f13
SSDEEP

3072:dZW3BPGzxmN4J9IDlRxyhTbhgu+tAcrbFAJc+RsUi1aVDkOvhJjvJUp:dIBPUx04sDshsrtMsQB4

Score

10^/10

dropper persistence trojan

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	NEAS.c4f3326abeeb4219a8b517153f0ccde0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	NEAS.c4f3326abeeb4219a8b517153f0ccde0.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fklcgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fklcgk32.exe

Malware Backdoor - Berbew 4 IoCs

Berbew is a malware infection classified as a 'backdoor' Trojan. This malicious program's primary function is to cause chain infections - it can download/install additional malware such as other Trojans, ransomware, and cryptominers.

persistence dropper trojan

resource	yara_rule
behavioral2/files/0x0007000000022e66-7.dat	family_berbew
behavioral2/files/0x0007000000022e66-8.dat	family_berbew
behavioral2/files/0x0006000000022e6d-15.dat	family_berbew
behavioral2/files/0x0006000000022e6d-17.dat	family_berbew

Executes dropped EXE 2 IoCs

pid	Process
3536	Fklcgk32.exe
1724	Gddgpqbe.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Fklcgk32.exe	NEAS.c4f3326abeeb4219a8b517153f0ccde0.exe
File opened for modification	C:\Windows\SysWOW64\Fklcgk32.exe	NEAS.c4f3326abeeb4219a8b517153f0ccde0.exe
File created	C:\Windows\SysWOW64\Celhnb32.dll	NEAS.c4f3326abeeb4219a8b517153f0ccde0.exe
File created	C:\Windows\SysWOW64\Gddgpqbe.exe	Fklcgk32.exe
File opened for modification	C:\Windows\SysWOW64\Gddgpqbe.exe	Fklcgk32.exe
File created	C:\Windows\SysWOW64\Jcggmk32.dll	Fklcgk32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3472	1724	WerFault.exe	86

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	NEAS.c4f3326abeeb4219a8b517153f0ccde0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	NEAS.c4f3326abeeb4219a8b517153f0ccde0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	NEAS.c4f3326abeeb4219a8b517153f0ccde0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Celhnb32.dll"	NEAS.c4f3326abeeb4219a8b517153f0ccde0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	NEAS.c4f3326abeeb4219a8b517153f0ccde0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fklcgk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	NEAS.c4f3326abeeb4219a8b517153f0ccde0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcggmk32.dll"	Fklcgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fklcgk32.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4168 wrote to memory of 3536	4168	NEAS.c4f3326abeeb4219a8b517153f0ccde0.exe	85
PID 4168 wrote to memory of 3536	4168	NEAS.c4f3326abeeb4219a8b517153f0ccde0.exe	85
PID 4168 wrote to memory of 3536	4168	NEAS.c4f3326abeeb4219a8b517153f0ccde0.exe	85
PID 3536 wrote to memory of 1724	3536	Fklcgk32.exe	86
PID 3536 wrote to memory of 1724	3536	Fklcgk32.exe	86
PID 3536 wrote to memory of 1724	3536	Fklcgk32.exe	86

C:\Users\Admin\AppData\Local\Temp\NEAS.c4f3326abeeb4219a8b517153f0ccde0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.c4f3326abeeb4219a8b517153f0ccde0.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4168
- C:\Windows\SysWOW64\Fklcgk32.exe
  C:\Windows\system32\Fklcgk32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3536
- - C:\Windows\SysWOW64\Gddgpqbe.exe
    C:\Windows\system32\Gddgpqbe.exe
    3⤵
    - Executes dropped EXE
    PID:1724
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1724 -s 400
      4⤵
      Program crash
      PID:3472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1724 -ip 1724
1⤵
PID:2896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Fklcgk32.exe

Filesize
236KB

MD5
f677f6107b95d1241c668b3521e0e35b

SHA1
53522dc5031b7ba139a9b9b7027f8ed2400365ec

SHA256
86d02c63b8331d9cf2cb19c21e9aeb2e57caa3c4afc88a5d56bcf9be4d57fbde

SHA512
0522d427284d3573aa87204e4e161ec7a4144b8b37a14275ed37e4c2f26d9da9acd7e291c135cfbab711dbc1a75737856da76328651c9b23eaa511eb9bc98fc0

Download Submit
C:\Windows\SysWOW64\Fklcgk32.exe

Filesize
236KB

MD5
f677f6107b95d1241c668b3521e0e35b

SHA1
53522dc5031b7ba139a9b9b7027f8ed2400365ec

SHA256
86d02c63b8331d9cf2cb19c21e9aeb2e57caa3c4afc88a5d56bcf9be4d57fbde

SHA512
0522d427284d3573aa87204e4e161ec7a4144b8b37a14275ed37e4c2f26d9da9acd7e291c135cfbab711dbc1a75737856da76328651c9b23eaa511eb9bc98fc0

Download Submit
C:\Windows\SysWOW64\Gddgpqbe.exe

Filesize
236KB

MD5
c66815b8fed62d961b62853fab28c819

SHA1
308238b948a8d30edea34d09a60cfb5785817742

SHA256
90abade5fd0b5e7c993c4e8be7a30979069b8134493c4096fa51e00f65c186e3

SHA512
10ae83d467f88bb1e036cbcbf3776a1df09d849ca0ca4606924fbf7eff0cdfedf1a0dbc3b323848d74797df666411c4874f069c324ffbfaf89a5319d80c9a4f1

Download Submit
C:\Windows\SysWOW64\Gddgpqbe.exe

Filesize
236KB

MD5
c66815b8fed62d961b62853fab28c819

SHA1
308238b948a8d30edea34d09a60cfb5785817742

SHA256
90abade5fd0b5e7c993c4e8be7a30979069b8134493c4096fa51e00f65c186e3

SHA512
10ae83d467f88bb1e036cbcbf3776a1df09d849ca0ca4606924fbf7eff0cdfedf1a0dbc3b323848d74797df666411c4874f069c324ffbfaf89a5319d80c9a4f1

Download Submit
memory/1724-16-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1724-18-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3536-9-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3536-19-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4168-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4168-1-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4168-20-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads