Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

NEAS.5eab8...JC.exe

windows7-x64

10

NEAS.5eab8...JC.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    144s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231023-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02/11/2023, 02:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    NEAS.5eab858bc1d35f935ed98f853c9266f0_JC.exe

  • Size

    449KB

  • MD5

    5eab858bc1d35f935ed98f853c9266f0

  • SHA1

    fa6848ea49efeee2c357299bfbae05eecf3c4668

  • SHA256

    05f4076b6f63050f6f3caa89a1c82929463c3946147b38eb54221e9c58018452

  • SHA512

    bd91013f155b1258add5d3eb1fd2816d52e8d6c1f85de2f02e6da41104f4122fd8a96de6f8d2c554ef6d08620819ed925afb0e08a8c4d7010ab2e6e0aefe4eb5

  • SSDEEP

    12288:XKn1XIeKARqf1pCA3GBAWcZAXN8I/d6xMW5KEy6YjQb0wLj/zU3k:X48C+1pCA3GBAWcZAXN8I/d6xMW5KEyU

Score
10/10
dropperpersistencetrojan

Malware Config

Signatures

  • Malware Backdoor - Berbew 1 IoCs

    Berbew is a malware infection classified as a 'backdoor' Trojan. This malicious program's primary function is to cause chain infections - it can download/install additional malware such as other Trojans, ransomware, and cryptominers.

    persistencedroppertrojan
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Program crash 2 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\NEAS.5eab858bc1d35f935ed98f853c9266f0_JC.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.5eab858bc1d35f935ed98f853c9266f0_JC.exe"
    1⤵
    • Suspicious behavior: RenamesItself
    • Suspicious use of WriteProcessMemory
    PID:3092
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3092 -s 396
      2⤵
      • Program crash
      PID:2244
    • C:\Users\Admin\AppData\Local\Temp\NEAS.5eab858bc1d35f935ed98f853c9266f0_JC.exe
      C:\Users\Admin\AppData\Local\Temp\NEAS.5eab858bc1d35f935ed98f853c9266f0_JC.exe
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Suspicious use of UnmapMainImage
      PID:4884
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4884 -s 364
        3⤵
        • Program crash
        PID:3172
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 3092 -ip 3092
    1⤵
      PID:3668
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 200 -p 4884 -ip 4884
      1⤵
        PID:1752
      • C:\Windows\system32\rundll32.exe
        "C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
        1⤵
          PID:4528
        • C:\Windows\System32\svchost.exe
          C:\Windows\System32\svchost.exe -k UnistackSvcGroup
          1⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:2944

        Network

        MITRE ATT&CK Matrix

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\NEAS.5eab858bc1d35f935ed98f853c9266f0_JC.exe
          Filesize

          449KB

          MD5

          5f801716356c073bab27ee3413f8266f

          SHA1

          db36c2407c2bb56e6a87f3539746bc7d625c908b

          SHA256

          1b542ae1a5a6b10100ab0d5ff149b8c89f8ff8037d9e2ba8b8758ed933b397f0

          SHA512

          ecbac794f991c9a6883c2dbe8feb9a0d9066c12f4e8f70ba16ead1f61b5946131100829a0671504666db7cd26704571b003ae0016d7673e5a0536cda4bfe41ce

          Download Submit

        • memory/2944-14-0x00000228D3040000-0x00000228D3050000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2944-30-0x00000228D3140000-0x00000228D3150000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2944-46-0x00000228DB470000-0x00000228DB471000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2944-49-0x00000228DB4A0000-0x00000228DB4A1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2944-48-0x00000228DB4A0000-0x00000228DB4A1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2944-50-0x00000228DB5B0000-0x00000228DB5B1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3092-6-0x0000000000400000-0x0000000000438000-memory.dmp

          Filesize

          224KB

          Download

        • memory/3092-0-0x0000000000400000-0x0000000000438000-memory.dmp

          Filesize

          224KB

          Download

        • memory/4884-7-0x0000000000400000-0x0000000000438000-memory.dmp

          Filesize

          224KB

          Download

        • memory/4884-8-0x0000000000400000-0x000000000041A000-memory.dmp

          Filesize

          104KB

          Download

        • memory/4884-9-0x0000000004D80000-0x0000000004DB8000-memory.dmp

          Filesize

          224KB

          Download

        • memory/4884-51-0x0000000000400000-0x0000000000438000-memory.dmp

          Filesize

          224KB

          Download