Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
179s -
max time network
204s -
platform
windows10-2004_x64 -
resource
win10v2004-20231023-en -
resource tags
arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system -
submitted
02/11/2023, 16:49
Behavioral task
behavioral1
Sample
NEAS.c58c6b433692a6ce0ffe2dc2a2961610.exe
Resource
win7-20231023-en
Behavioral task
behavioral2
Sample
NEAS.c58c6b433692a6ce0ffe2dc2a2961610.exe
Resource
win10v2004-20231023-en
General
-
Target
NEAS.c58c6b433692a6ce0ffe2dc2a2961610.exe
-
Size
269KB
-
MD5
c58c6b433692a6ce0ffe2dc2a2961610
-
SHA1
6a28d255cc647039a409c9b78ede46da8e1fbcda
-
SHA256
7c70ab6bf0015e221166e74ded4a8135ce839d2a309d7c3e30de7bbc758d75c1
-
SHA512
b7794098dad22af35b98c1380cc146a72a8c14e42d83fa8ee55df7b97ceb90deef85c04d178ba6ae30fbf1664d04e1cee367be63ba77d1cada32220bdc0eac9d
-
SSDEEP
6144:uj7C7HCiooDX4EYtCwGtMtkiXOoloMr1JeSldqP7+x55Kmj50GXoCcmASBTw2AX4:uj7+QChtMtkM71r1MSXqPix55KI5fX/Z
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 4 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad NEAS.c58c6b433692a6ce0ffe2dc2a2961610.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" NEAS.c58c6b433692a6ce0ffe2dc2a2961610.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmokpglb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mmokpglb.exe -
Malware Backdoor - Berbew 4 IoCs
Berbew is a malware infection classified as a 'backdoor' Trojan. This malicious program's primary function is to cause chain infections - it can download/install additional malware such as other Trojans, ransomware, and cryptominers.
resource yara_rule behavioral2/files/0x0006000000022dee-7.dat family_berbew behavioral2/files/0x0006000000022dee-6.dat family_berbew behavioral2/files/0x0006000000022df0-14.dat family_berbew behavioral2/files/0x0006000000022df0-16.dat family_berbew -
Executes dropped EXE 2 IoCs
pid Process 2784 Mmokpglb.exe 4544 Mbldhn32.exe -
Drops file in System32 directory 6 IoCs
description ioc Process File created C:\Windows\SysWOW64\Mmokpglb.exe NEAS.c58c6b433692a6ce0ffe2dc2a2961610.exe File opened for modification C:\Windows\SysWOW64\Mmokpglb.exe NEAS.c58c6b433692a6ce0ffe2dc2a2961610.exe File created C:\Windows\SysWOW64\Ibgfkq32.dll NEAS.c58c6b433692a6ce0ffe2dc2a2961610.exe File created C:\Windows\SysWOW64\Mbldhn32.exe Mmokpglb.exe File opened for modification C:\Windows\SysWOW64\Mbldhn32.exe Mmokpglb.exe File created C:\Windows\SysWOW64\Kigmon32.dll Mmokpglb.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 3476 4544 WerFault.exe 91 -
Modifies registry class 9 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID NEAS.c58c6b433692a6ce0ffe2dc2a2961610.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831} NEAS.c58c6b433692a6ce0ffe2dc2a2961610.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibgfkq32.dll" NEAS.c58c6b433692a6ce0ffe2dc2a2961610.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" NEAS.c58c6b433692a6ce0ffe2dc2a2961610.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mmokpglb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kigmon32.dll" Mmokpglb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mmokpglb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 NEAS.c58c6b433692a6ce0ffe2dc2a2961610.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node NEAS.c58c6b433692a6ce0ffe2dc2a2961610.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 1332 wrote to memory of 2784 1332 NEAS.c58c6b433692a6ce0ffe2dc2a2961610.exe 89 PID 1332 wrote to memory of 2784 1332 NEAS.c58c6b433692a6ce0ffe2dc2a2961610.exe 89 PID 1332 wrote to memory of 2784 1332 NEAS.c58c6b433692a6ce0ffe2dc2a2961610.exe 89 PID 2784 wrote to memory of 4544 2784 Mmokpglb.exe 91 PID 2784 wrote to memory of 4544 2784 Mmokpglb.exe 91 PID 2784 wrote to memory of 4544 2784 Mmokpglb.exe 91
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.c58c6b433692a6ce0ffe2dc2a2961610.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.c58c6b433692a6ce0ffe2dc2a2961610.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1332 -
C:\Windows\SysWOW64\Mmokpglb.exeC:\Windows\system32\Mmokpglb.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2784 -
C:\Windows\SysWOW64\Mbldhn32.exeC:\Windows\system32\Mbldhn32.exe3⤵
- Executes dropped EXE
PID:4544 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4544 -s 4124⤵
- Program crash
PID:3476
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4544 -ip 45441⤵PID:3232
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
269KB
MD5ded612e08410b4d68030276a0b1b4abe
SHA1d397b729e979e7c01ff188ed18bd57846e5a6f89
SHA2569aaa265fd62d6ee72126a61f2c3ffedae9cfd379161790d1810b92e68c78de0c
SHA512d3a87913e6707747c12bb93010329953e5400a44fdc69295aebe0a61ae5fa51b84a3d331e49e86036c5b27fa9bcf8aeb0789d4a930079b802dd2e442e44aa490
-
Filesize
269KB
MD5ded612e08410b4d68030276a0b1b4abe
SHA1d397b729e979e7c01ff188ed18bd57846e5a6f89
SHA2569aaa265fd62d6ee72126a61f2c3ffedae9cfd379161790d1810b92e68c78de0c
SHA512d3a87913e6707747c12bb93010329953e5400a44fdc69295aebe0a61ae5fa51b84a3d331e49e86036c5b27fa9bcf8aeb0789d4a930079b802dd2e442e44aa490
-
Filesize
269KB
MD512689014ba94bdc851e59558e9af9776
SHA1e998e08064993a48a5c2d5861a6acb0d8dc29ca8
SHA2561ed296d447dbf154648d3f58ad0b8c5d2bd377b1e09a015442f5f7663b84791c
SHA512b7a912ec76bce042489618d83b8ae41fece9d0578539938d4effbd5c24d1205ba4d56bd14842f600bb6de9d2f745cba34977340647d1755c8f629f223aed0116
-
Filesize
269KB
MD512689014ba94bdc851e59558e9af9776
SHA1e998e08064993a48a5c2d5861a6acb0d8dc29ca8
SHA2561ed296d447dbf154648d3f58ad0b8c5d2bd377b1e09a015442f5f7663b84791c
SHA512b7a912ec76bce042489618d83b8ae41fece9d0578539938d4effbd5c24d1205ba4d56bd14842f600bb6de9d2f745cba34977340647d1755c8f629f223aed0116