Analysis

  • max time kernel
    142s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231020-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231020-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    05/11/2023, 23:04

General

  • Target
    NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
  • Size
    341KB
  • MD5
    d9a43961c899fc2947ec5a26cd263c30
  • SHA1
    0770410f5e9e3c1a58afbf8211ada5df36894236
  • SHA256
    35cf3ad040e370ea6febd200318776837ece71f06fc7e46392f2f6e55e860851
  • SHA512
    b65acb18ce381c9fd6976205d3802b49063e173e7f620b328a8d89317056b378eb2db328fcd52c652bb44ed13cbcee6b066d5efb2de71b62baf39cba6a2b22e1
  • SSDEEP
    6144:grnkP+6bB0H9rj3fMMICM4kfBbSVtxzcdNg/SOPOoUkZUuOsOjbSMu6l3bS64u5U:gQ+Qu9yus9exo/iSuU8OsitH5og+

Malware Config

Signatures

  • Malware Backdoor - Berbew 3 IoCs

    Berbew is a malware infection classified as a 'backdoor' Trojan. This malicious program's primary function is to cause chain infections - it can download/install additional malware such as other Trojans, ransomware, and cryptominers.

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Drops file in Drivers directory 4 IoCs
  • Sets service image path in registry 2 TTPs 2 IoCs
  • Modifies system executable filetype association 2 TTPs 2 IoCs
  • Adds Run key to start application 2 TTPs 8 IoCs
  • Enumerates connected drives 3 TTPs 38 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Installs/modifies Browser Helper Object 2 TTPs 3 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

  • Modifies WinLogon 2 TTPs 1 IoCs
  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.d9a43961c899fc2947ec5a26cd263c30.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Drops file in Drivers directory
    • Sets service image path in registry
    • Modifies system executable filetype association
    • Adds Run key to start application
    • Enumerates connected drives
    • Modifies WinLogon
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1512
    • C:\Windows\SysWOW64\reg.exe
      reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" /f
      2⤵
      • Installs/modifies Browser Helper Object
      PID:3200
    • C:\Users\Admin\AppData\Local\Temp\NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
      C:\Users\Admin\AppData\Local\Temp\NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
      2⤵
      • Drops file in Drivers directory
      • Sets service image path in registry
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Enumerates connected drives
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      PID:3540
      • C:\Users\Admin\AppData\Local\Temp\NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
        C:\Users\Admin\AppData\Local\Temp\NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
        3⤵
          PID:1936

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\Local Settings\Application Data\cftmon.exe
    Filesize
    355KB
    MD5
    ed0ada789da7478b777584027890a619
    SHA1
    b08830d89e033e920fe4f9843408fb5ac3662671
    SHA256
    fc2506840a0b95f998dc686de04706399b7500a300543acfea5181caaf622af9
    SHA512
    3a7e3145b0cda20a1201f0398cfac28df19096d5b379a73133486f137d3a3ecfeac2c59dc381b7c3fdb9bc28712d762e0834ec1838f32701ad70a458bdfdbb13
  • C:\Windows\SysWOW64\drivers\spools.exe
    Filesize
    355KB
    MD5
    83e93b09ec01a3b5b5f5a1e19d029d81
    SHA1
    8f91854505dd2d88bd6cab944cb7d3e51ed92597
    SHA256
    71754a2982098de1d9756b6735768ebee7163f40106da784e330694cc94eddf1
    SHA512
    de721985a04b513941d0c3194f6dfffdb5a10b37b5ef3fec6acd6e8eea8ccbadc4ce7cf06d9f5de954e1650cbaf9a489131871686a31331efd1e9dd0dfa002cb
  • C:\Windows\SysWOW64\drivers\spools.exe
    Filesize
    348KB
    MD5
    7de2ced4b24a0b8fb00b31954535fac3
    SHA1
    110489fb72f86d54c8794433d82a0aac6a155e9d
    SHA256
    ae2cb134fb88b003be8ee77cec35d8b329678c2ad26cd84765ffc32f13774d27
    SHA512
    113339a7af8e91a01f0024bf15d1c99293e8536a9a21d6d1b9288781abdce122f077d44c8e84e86eedf63aaf383ae9a6fbc84c5989e5ce8fd620d110f442d312
  • \??\c:\stop
    Filesize
    1B
    MD5
    c4ca4238a0b923820dcc509a6f75849b
    SHA1
    356a192b7913b04c54574d18c28d46e6395428ab
    SHA256
    6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
    SHA512
    4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a
  • memory/1512-0-0x0000000000400000-0x0000000000437000-memory.dmp
    Filesize
    220KB
  • memory/1512-8-0x0000000000400000-0x0000000000437000-memory.dmp
    Filesize
    220KB
  • memory/3540-17-0x0000000000400000-0x0000000000437000-memory.dmp
    Filesize
    220KB