Analysis

  • max time kernel
    179s
  • max time network
    204s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231023-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    02/11/2023, 16:49

General

  • Target

    NEAS.c58c6b433692a6ce0ffe2dc2a2961610.exe

  • Size

    269KB

  • MD5

    c58c6b433692a6ce0ffe2dc2a2961610

  • SHA1

    6a28d255cc647039a409c9b78ede46da8e1fbcda

  • SHA256

    7c70ab6bf0015e221166e74ded4a8135ce839d2a309d7c3e30de7bbc758d75c1

  • SHA512

    b7794098dad22af35b98c1380cc146a72a8c14e42d83fa8ee55df7b97ceb90deef85c04d178ba6ae30fbf1664d04e1cee367be63ba77d1cada32220bdc0eac9d

  • SSDEEP

    6144:uj7C7HCiooDX4EYtCwGtMtkiXOoloMr1JeSldqP7+x55Kmj50GXoCcmASBTw2AX4:uj7+QChtMtkM71r1MSXqPix55KI5fX/Z

Malware Config

Signatures

  • Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 4 IoCs
  • Malware Backdoor - Berbew 4 IoCs

    Berbew is a malware infection classified as a 'backdoor' Trojan. Its primary function is to cause chain infections: it can download and install additional malware such as other Trojans, ransomware, and cryptominers.

  • Executes dropped EXE 2 IoCs
  • Drops file in System32 directory 6 IoCs
  • Program crash 1 IoCs
  • Modifies registry class 9 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\NEAS.c58c6b433692a6ce0ffe2dc2a2961610.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.c58c6b433692a6ce0ffe2dc2a2961610.exe"
    1⤵
    • Adds autorun key to be loaded by Explorer.exe on startup
    • Drops file in System32 directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1332
    • C:\Windows\SysWOW64\Mmokpglb.exe
      C:\Windows\system32\Mmokpglb.exe
      2⤵
      • Adds autorun key to be loaded by Explorer.exe on startup
      • Executes dropped EXE
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:2784
      • C:\Windows\SysWOW64\Mbldhn32.exe
        C:\Windows\system32\Mbldhn32.exe
        3⤵
        • Executes dropped EXE
        PID:4544
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4544 -s 412
          4⤵
          • Program crash
          PID:3476
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4544 -ip 4544
    1⤵
      PID:3232

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Windows\SysWOW64\Mbldhn32.exe

      Filesize

      269KB

      MD5

      ded612e08410b4d68030276a0b1b4abe

      SHA1

      d397b729e979e7c01ff188ed18bd57846e5a6f89

      SHA256

      9aaa265fd62d6ee72126a61f2c3ffedae9cfd379161790d1810b92e68c78de0c

      SHA512

      d3a87913e6707747c12bb93010329953e5400a44fdc69295aebe0a61ae5fa51b84a3d331e49e86036c5b27fa9bcf8aeb0789d4a930079b802dd2e442e44aa490

    • C:\Windows\SysWOW64\Mmokpglb.exe

      Filesize

      269KB

      MD5

      12689014ba94bdc851e59558e9af9776

      SHA1

      e998e08064993a48a5c2d5861a6acb0d8dc29ca8

      SHA256

      1ed296d447dbf154648d3f58ad0b8c5d2bd377b1e09a015442f5f7663b84791c

      SHA512

      b7a912ec76bce042489618d83b8ae41fece9d0578539938d4effbd5c24d1205ba4d56bd14842f600bb6de9d2f745cba34977340647d1755c8f629f223aed0116

    • memory/1332-0-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

    • memory/1332-19-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

    • memory/2784-8-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

    • memory/2784-18-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

    • memory/4544-15-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB

    • memory/4544-17-0x0000000000400000-0x0000000000436000-memory.dmp

      Filesize

      216KB