e2149b893b02c75d2948ca5063c1b43adfea0e0e68d1f2014de8c8a70658b25d

Analysis

max time kernel
162s
max time network
154s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
02/11/2023, 16:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.504d17a12979a4b9de5d58f6074d5d30.exe
Size

116KB
MD5

504d17a12979a4b9de5d58f6074d5d30
SHA1

8f469972a2ead49b23766e207427d0ae75ba06e5
SHA256

e2149b893b02c75d2948ca5063c1b43adfea0e0e68d1f2014de8c8a70658b25d
SHA512

46642fe8dd1e7c11b2bc52dd7a278c7288cf6a6a4af3465f3cb098d1acc2e47cb18430660d65bca8a0ef9f7aa4a204e312a076ad877d5eeff446f88927e8a42b
SSDEEP

3072:bvWK5CiTVUqSZnIh5MgJY6R6vpK0HYAQBiiZhZzazTF:TN5xVUxZnIXMgJY6UeAQBishZzazp

Score

10^/10

dropper persistence trojan

Malware Config

Signatures

Malware Backdoor - Berbew 2 IoCs

Berbew is a malware infection classified as a 'backdoor' Trojan. This malicious program's primary function is to cause chain infections - it can download/install additional malware such as other Trojans, ransomware, and cryptominers.

persistence dropper trojan

resource	yara_rule
behavioral1/files/0x0003000000004ed5-10.dat	family_berbew
behavioral1/files/0x0003000000004ed5-16.dat	family_berbew

Deletes itself 1 IoCs

pid	Process
1732	NEAS.504d17a12979a4b9de5d58f6074d5d30.exe

Executes dropped EXE 1 IoCs

pid	Process
1732	NEAS.504d17a12979a4b9de5d58f6074d5d30.exe

Loads dropped DLL 1 IoCs

pid	Process
2620	NEAS.504d17a12979a4b9de5d58f6074d5d30.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2620	NEAS.504d17a12979a4b9de5d58f6074d5d30.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2620	NEAS.504d17a12979a4b9de5d58f6074d5d30.exe
1732	NEAS.504d17a12979a4b9de5d58f6074d5d30.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2620 wrote to memory of 1732	2620	NEAS.504d17a12979a4b9de5d58f6074d5d30.exe	30
PID 2620 wrote to memory of 1732	2620	NEAS.504d17a12979a4b9de5d58f6074d5d30.exe	30
PID 2620 wrote to memory of 1732	2620	NEAS.504d17a12979a4b9de5d58f6074d5d30.exe	30
PID 2620 wrote to memory of 1732	2620	NEAS.504d17a12979a4b9de5d58f6074d5d30.exe	30

C:\Users\Admin\AppData\Local\Temp\NEAS.504d17a12979a4b9de5d58f6074d5d30.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.504d17a12979a4b9de5d58f6074d5d30.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2620
- C:\Users\Admin\AppData\Local\Temp\NEAS.504d17a12979a4b9de5d58f6074d5d30.exe
  C:\Users\Admin\AppData\Local\Temp\NEAS.504d17a12979a4b9de5d58f6074d5d30.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:1732

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\NEAS.504d17a12979a4b9de5d58f6074d5d30.exe

Filesize
116KB

MD5
c2b570c71304ba8376cffaeced8b9b08

SHA1
4d71ab1872b0217957237cc32dc1c994a97f3acb

SHA256
9123e9b60ee9936d38247dab7cd9aba32397d4aa2da5f05662303c5f71e6ffce

SHA512
067d8076b526e59a4cef61863f0e849b5e179937525705be38c161381a8a7e3432ba2d1623f98e6f2be776e5fc7e1e0d6170eef7a1fae6aec67e48ad0c51207b

Download Submit
\Users\Admin\AppData\Local\Temp\NEAS.504d17a12979a4b9de5d58f6074d5d30.exe

Filesize
116KB

MD5
c2b570c71304ba8376cffaeced8b9b08

SHA1
4d71ab1872b0217957237cc32dc1c994a97f3acb

SHA256
9123e9b60ee9936d38247dab7cd9aba32397d4aa2da5f05662303c5f71e6ffce

SHA512
067d8076b526e59a4cef61863f0e849b5e179937525705be38c161381a8a7e3432ba2d1623f98e6f2be776e5fc7e1e0d6170eef7a1fae6aec67e48ad0c51207b

Download Submit
memory/1732-17-0x00000000002E0000-0x000000000031D000-memory.dmp

Filesize
244KB

Download
memory/1732-23-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1732-24-0x0000000000340000-0x000000000035B000-memory.dmp

Filesize
108KB

Download
memory/1732-29-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2620-0-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2620-2-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2620-1-0x00000000002E0000-0x000000000031D000-memory.dmp

Filesize
244KB

Download
memory/2620-12-0x0000000000320000-0x000000000035D000-memory.dmp

Filesize
244KB

Download
memory/2620-15-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download