05f4076b6f63050f6f3caa89a1c82929463c3946147b38eb54221e9c58018452

Analysis

max time kernel
121s
max time network
131s
platform
windows7_x64
resource
win7-20231025-en
resource tags

arch:x64arch:x86image:win7-20231025-enlocale:en-usos:windows7-x64system
submitted
02-11-2023 02:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.5eab858bc1d35f935ed98f853c9266f0_JC.exe
Size

449KB
MD5

5eab858bc1d35f935ed98f853c9266f0
SHA1

fa6848ea49efeee2c357299bfbae05eecf3c4668
SHA256

05f4076b6f63050f6f3caa89a1c82929463c3946147b38eb54221e9c58018452
SHA512

bd91013f155b1258add5d3eb1fd2816d52e8d6c1f85de2f02e6da41104f4122fd8a96de6f8d2c554ef6d08620819ed925afb0e08a8c4d7010ab2e6e0aefe4eb5
SSDEEP

12288:XKn1XIeKARqf1pCA3GBAWcZAXN8I/d6xMW5KEy6YjQb0wLj/zU3k:X48C+1pCA3GBAWcZAXN8I/d6xMW5KEyU

Score

10^/10

dropper persistence trojan

Malware Config

Signatures

Malware Backdoor - Berbew 2 IoCs

Berbew is a malware infection classified as a 'backdoor' Trojan. This malicious program's primary function is to cause chain infections - it can download/install additional malware such as other Trojans, ransomware, and cryptominers.

persistence dropper trojan

resource	yara_rule
behavioral1/files/0x0009000000012266-10.dat	family_berbew
behavioral1/files/0x0009000000012266-4.dat	family_berbew

Deletes itself 1 IoCs

pid	Process
2772	NEAS.5eab858bc1d35f935ed98f853c9266f0_JC.exe

Executes dropped EXE 1 IoCs

pid	Process
2772	NEAS.5eab858bc1d35f935ed98f853c9266f0_JC.exe

Loads dropped DLL 1 IoCs

pid	Process
1948	NEAS.5eab858bc1d35f935ed98f853c9266f0_JC.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1948	NEAS.5eab858bc1d35f935ed98f853c9266f0_JC.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
2772	NEAS.5eab858bc1d35f935ed98f853c9266f0_JC.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1948 wrote to memory of 2772	1948	NEAS.5eab858bc1d35f935ed98f853c9266f0_JC.exe	29
PID 1948 wrote to memory of 2772	1948	NEAS.5eab858bc1d35f935ed98f853c9266f0_JC.exe	29
PID 1948 wrote to memory of 2772	1948	NEAS.5eab858bc1d35f935ed98f853c9266f0_JC.exe	29
PID 1948 wrote to memory of 2772	1948	NEAS.5eab858bc1d35f935ed98f853c9266f0_JC.exe	29

C:\Users\Admin\AppData\Local\Temp\NEAS.5eab858bc1d35f935ed98f853c9266f0_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.5eab858bc1d35f935ed98f853c9266f0_JC.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:1948
- C:\Users\Admin\AppData\Local\Temp\NEAS.5eab858bc1d35f935ed98f853c9266f0_JC.exe
  C:\Users\Admin\AppData\Local\Temp\NEAS.5eab858bc1d35f935ed98f853c9266f0_JC.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:2772

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\NEAS.5eab858bc1d35f935ed98f853c9266f0_JC.exe

Filesize
449KB

MD5
3007aab08de511e8103395b918c02282

SHA1
a496e5d733a4ade10d899f895d108f8b4b901b4b

SHA256
0d38c1debb10ae0c78c04a436d85c222610c99b702c690b78da082b3c3917b3a

SHA512
cd6dd9fb749c4aff9cfb6ff0ce1a6013cbd459f5ac2ecdfadcba69d0543a61f70cb912c89f8415c6ef79a0684923a70b90f9086a8b02385635c827ec500b649c

Download Submit
\Users\Admin\AppData\Local\Temp\NEAS.5eab858bc1d35f935ed98f853c9266f0_JC.exe

Filesize
449KB

MD5
3007aab08de511e8103395b918c02282

SHA1
a496e5d733a4ade10d899f895d108f8b4b901b4b

SHA256
0d38c1debb10ae0c78c04a436d85c222610c99b702c690b78da082b3c3917b3a

SHA512
cd6dd9fb749c4aff9cfb6ff0ce1a6013cbd459f5ac2ecdfadcba69d0543a61f70cb912c89f8415c6ef79a0684923a70b90f9086a8b02385635c827ec500b649c

Download Submit
memory/1948-0-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1948-9-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1948-8-0x0000000000190000-0x00000000001C8000-memory.dmp

Filesize
224KB

Download
memory/2772-12-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2772-11-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2772-14-0x00000000002C0000-0x00000000002F8000-memory.dmp

Filesize
224KB

Download
memory/2772-18-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download