Analysis
- max time kernel: 138s
- max time network: 148s
- platform: windows10-2004_x64
- resource: win10v2004-20231023-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 02/11/2023, 16:53
Behavioral task behavioral1
- Sample: NEAS.f905c019ac841541722fded3bb57ecf0.exe
- Resource: win7-20231020-en
Behavioral task behavioral2
- Sample: NEAS.f905c019ac841541722fded3bb57ecf0.exe
- Resource: win10v2004-20231023-en
General
- Target: NEAS.f905c019ac841541722fded3bb57ecf0.exe
- Size: 398KB
- MD5: f905c019ac841541722fded3bb57ecf0
- SHA1: d59281bc5351a377c8968eca9521c0ec536be9e9
- SHA256: 4ee19dee0a7a3abac981c8a0537c84821a7df4ea04601a95363e4e270092c48e
- SHA512: 4294407bc9f83de4cfd6abd2353424d1d77ef390514990bacb2c6c4389089b7dd1671d17514f04cf05862ee7ed66e55374a0053bfd43a7209ff9df7a0394fcbb
- SSDEEP: 12288:2wW3zp6t3XGCByvNv54B9f01ZmHByvNv5imipWf0Aq:I3zp6t3XGpvr4B9f01ZmQvrimipWf0Aq
Malware Config
Signatures
- Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 10 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dddllkbf.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Dahmfpap.exe
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | NEAS.f905c019ac841541722fded3bb57ecf0.exe
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Chkobkod.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Cgqlcg32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Dddllkbf.exe
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dahmfpap.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | NEAS.f905c019ac841541722fded3bb57ecf0.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" | Chkobkod.exe
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cgqlcg32.exe
- Malware Backdoor - Berbew (10 IoCs)
  Berbew is a malware infection classified as a 'backdoor' Trojan. This malicious program's primary function is to cause chain infections - it can download/install additional malware such as other Trojans, ransomware, and cryptominers.
  resource | yara_rule
  behavioral2/files/0x0008000000022c9c-6.dat | family_berbew
  behavioral2/files/0x0008000000022c9c-8.dat | family_berbew
  behavioral2/files/0x0008000000022cc4-14.dat | family_berbew
  behavioral2/files/0x0008000000022cc4-16.dat | family_berbew
  behavioral2/files/0x0007000000022d82-22.dat | family_berbew
  behavioral2/files/0x0007000000022d82-24.dat | family_berbew
  behavioral2/files/0x0007000000022d84-30.dat | family_berbew
  behavioral2/files/0x0007000000022d84-32.dat | family_berbew
  behavioral2/files/0x0007000000022d86-38.dat | family_berbew
  behavioral2/files/0x0007000000022d86-39.dat | family_berbew
- Executes dropped EXE (5 IoCs)
  pid | Process
  1084 | Chkobkod.exe
  3536 | Cgqlcg32.exe
  1424 | Dddllkbf.exe
  4584 | Dahmfpap.exe
  2284 | Dkqaoe32.exe
- Drops file in System32 directory (15 IoCs)
  description | ioc | Process
  File created | C:\Windows\SysWOW64\Chkobkod.exe | NEAS.f905c019ac841541722fded3bb57ecf0.exe
  File created | C:\Windows\SysWOW64\Jhijep32.dll | Chkobkod.exe
  File opened for modification | C:\Windows\SysWOW64\Dddllkbf.exe | Cgqlcg32.exe
  File opened for modification | C:\Windows\SysWOW64\Dahmfpap.exe | Dddllkbf.exe
  File created | C:\Windows\SysWOW64\Ipjijkpg.dll | Dddllkbf.exe
  File created | C:\Windows\SysWOW64\Mbkkam32.dll | NEAS.f905c019ac841541722fded3bb57ecf0.exe
  File created | C:\Windows\SysWOW64\Cgqlcg32.exe | Chkobkod.exe
  File created | C:\Windows\SysWOW64\Dddllkbf.exe | Cgqlcg32.exe
  File created | C:\Windows\SysWOW64\Dkqaoe32.exe | Dahmfpap.exe
  File created | C:\Windows\SysWOW64\Glfdiedd.dll | Dahmfpap.exe
  File opened for modification | C:\Windows\SysWOW64\Chkobkod.exe | NEAS.f905c019ac841541722fded3bb57ecf0.exe
  File opened for modification | C:\Windows\SysWOW64\Cgqlcg32.exe | Chkobkod.exe
  File created | C:\Windows\SysWOW64\Nalhik32.dll | Cgqlcg32.exe
  File created | C:\Windows\SysWOW64\Dahmfpap.exe | Dddllkbf.exe
  File opened for modification | C:\Windows\SysWOW64\Dkqaoe32.exe | Dahmfpap.exe
- Program crash (1 IoCs)
  pid | pid_target | Process | procid_target
  440 | 2284 | WerFault.exe | 90
- Modifies registry class (18 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | NEAS.f905c019ac841541722fded3bb57ecf0.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID | NEAS.f905c019ac841541722fded3bb57ecf0.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Cgqlcg32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Cgqlcg32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Dddllkbf.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Dahmfpap.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 | Chkobkod.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Dahmfpap.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node | NEAS.f905c019ac841541722fded3bb57ecf0.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbkkam32.dll" | NEAS.f905c019ac841541722fded3bb57ecf0.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | NEAS.f905c019ac841541722fded3bb57ecf0.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhijep32.dll" | Chkobkod.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Chkobkod.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nalhik32.dll" | Cgqlcg32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipjijkpg.dll" | Dddllkbf.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831} | NEAS.f905c019ac841541722fded3bb57ecf0.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" | Dddllkbf.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glfdiedd.dll" | Dahmfpap.exe
- Suspicious use of WriteProcessMemory (15 IoCs)
  description | pid | Process | procid_target
  PID 3252 wrote to memory of 1084 | 3252 | NEAS.f905c019ac841541722fded3bb57ecf0.exe | 86
  PID 3252 wrote to memory of 1084 | 3252 | NEAS.f905c019ac841541722fded3bb57ecf0.exe | 86
  PID 3252 wrote to memory of 1084 | 3252 | NEAS.f905c019ac841541722fded3bb57ecf0.exe | 86
  PID 1084 wrote to memory of 3536 | 1084 | Chkobkod.exe | 87
  PID 1084 wrote to memory of 3536 | 1084 | Chkobkod.exe | 87
  PID 1084 wrote to memory of 3536 | 1084 | Chkobkod.exe | 87
  PID 3536 wrote to memory of 1424 | 3536 | Cgqlcg32.exe | 88
  PID 3536 wrote to memory of 1424 | 3536 | Cgqlcg32.exe | 88
  PID 3536 wrote to memory of 1424 | 3536 | Cgqlcg32.exe | 88
  PID 1424 wrote to memory of 4584 | 1424 | Dddllkbf.exe | 89
  PID 1424 wrote to memory of 4584 | 1424 | Dddllkbf.exe | 89
  PID 1424 wrote to memory of 4584 | 1424 | Dddllkbf.exe | 89
  PID 4584 wrote to memory of 2284 | 4584 | Dahmfpap.exe | 90
  PID 4584 wrote to memory of 2284 | 4584 | Dahmfpap.exe | 90
  PID 4584 wrote to memory of 2284 | 4584 | Dahmfpap.exe | 90
Processes (depth in parentheses; each entry gives the image path, the command line, and the signatures that fired for that process)
- (1) C:\Users\Admin\AppData\Local\Temp\NEAS.f905c019ac841541722fded3bb57ecf0.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.f905c019ac841541722fded3bb57ecf0.exe"
  PID: 3252
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  - (2) C:\Windows\SysWOW64\Chkobkod.exe
    Command line: C:\Windows\system32\Chkobkod.exe
    PID: 1084
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    - (3) C:\Windows\SysWOW64\Cgqlcg32.exe
      Command line: C:\Windows\system32\Cgqlcg32.exe
      PID: 3536
      - Adds autorun key to be loaded by Explorer.exe on startup
      - Executes dropped EXE
      - Drops file in System32 directory
      - Modifies registry class
      - Suspicious use of WriteProcessMemory
      - (4) C:\Windows\SysWOW64\Dddllkbf.exe
        Command line: C:\Windows\system32\Dddllkbf.exe
        PID: 1424
        - Adds autorun key to be loaded by Explorer.exe on startup
        - Executes dropped EXE
        - Drops file in System32 directory
        - Modifies registry class
        - Suspicious use of WriteProcessMemory
        - (5) C:\Windows\SysWOW64\Dahmfpap.exe
          Command line: C:\Windows\system32\Dahmfpap.exe
          PID: 4584
          - Adds autorun key to be loaded by Explorer.exe on startup
          - Executes dropped EXE
          - Drops file in System32 directory
          - Modifies registry class
          - Suspicious use of WriteProcessMemory
          - (6) C:\Windows\SysWOW64\Dkqaoe32.exe
            Command line: C:\Windows\system32\Dkqaoe32.exe
            PID: 2284
            - Executes dropped EXE
            - (7) C:\Windows\SysWOW64\WerFault.exe
              Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2284 -s 412
              PID: 440
              - Program crash
- (1) C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2284 -ip 2284
  PID: 3132
Network
MITRE ATT&CK Enterprise v15
Downloads