e2149b893b02c75d2948ca5063c1b43adfea0e0e68d1f2014de8c8a70658b25d

Analysis

max time kernel
139s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
02/11/2023, 16:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.504d17a12979a4b9de5d58f6074d5d30.exe
Size

116KB
MD5

504d17a12979a4b9de5d58f6074d5d30
SHA1

8f469972a2ead49b23766e207427d0ae75ba06e5
SHA256

e2149b893b02c75d2948ca5063c1b43adfea0e0e68d1f2014de8c8a70658b25d
SHA512

46642fe8dd1e7c11b2bc52dd7a278c7288cf6a6a4af3465f3cb098d1acc2e47cb18430660d65bca8a0ef9f7aa4a204e312a076ad877d5eeff446f88927e8a42b
SSDEEP

3072:bvWK5CiTVUqSZnIh5MgJY6R6vpK0HYAQBiiZhZzazTF:TN5xVUxZnIXMgJY6UeAQBishZzazp

Score

10^/10

dropper persistence trojan

Malware Config

Signatures

Malware Backdoor - Berbew 1 IoCs

Berbew is a malware infection classified as a 'backdoor' Trojan. This malicious program's primary function is to cause chain infections - it can download/install additional malware such as other Trojans, ransomware, and cryptominers.

persistence dropper trojan

resource	yara_rule
behavioral2/files/0x0007000000022e0d-12.dat	family_berbew

Deletes itself 1 IoCs

pid	Process
232	NEAS.504d17a12979a4b9de5d58f6074d5d30.exe

Executes dropped EXE 1 IoCs

pid	Process
232	NEAS.504d17a12979a4b9de5d58f6074d5d30.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1908	NEAS.504d17a12979a4b9de5d58f6074d5d30.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1908	NEAS.504d17a12979a4b9de5d58f6074d5d30.exe
232	NEAS.504d17a12979a4b9de5d58f6074d5d30.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1908 wrote to memory of 232	1908	NEAS.504d17a12979a4b9de5d58f6074d5d30.exe	94
PID 1908 wrote to memory of 232	1908	NEAS.504d17a12979a4b9de5d58f6074d5d30.exe	94
PID 1908 wrote to memory of 232	1908	NEAS.504d17a12979a4b9de5d58f6074d5d30.exe	94

C:\Users\Admin\AppData\Local\Temp\NEAS.504d17a12979a4b9de5d58f6074d5d30.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.504d17a12979a4b9de5d58f6074d5d30.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1908
- C:\Users\Admin\AppData\Local\Temp\NEAS.504d17a12979a4b9de5d58f6074d5d30.exe
  C:\Users\Admin\AppData\Local\Temp\NEAS.504d17a12979a4b9de5d58f6074d5d30.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:232

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\NEAS.504d17a12979a4b9de5d58f6074d5d30.exe

Filesize
116KB

MD5
b87364153b07e03859648952b39a68e7

SHA1
00dfb0159c7b70cc9f92749d2fb1a1f2d89806cf

SHA256
90dfae63157038f4da73c7f0891af011551525afa30651763f556f0a87c35a0b

SHA512
061a7827c8ebe6f9c09c260682d050373472c25db148108ebb6f16db4170c763acc8d182aa570ae845be1313b14e04dee247162722d7bd1f0e61691c1df254aa

Download Submit
memory/232-13-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/232-14-0x0000000001440000-0x000000000147D000-memory.dmp

Filesize
244KB

Download
memory/232-20-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/232-21-0x0000000001480000-0x000000000149B000-memory.dmp

Filesize
108KB

Download
memory/232-26-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1908-0-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1908-1-0x00000000001C0000-0x00000000001FD000-memory.dmp

Filesize
244KB

Download
memory/1908-2-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1908-11-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download