Overview

overview

10

Static

static

10

NEAS.ab124...JC.exe

windows7-x64

10

NEAS.ab124...JC.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    153s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231023-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05-11-2023 04:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    NEAS.ab1241c98a10c7e1432d824222a94f70_JC.exe

  • Size

    991KB

  • MD5

    ab1241c98a10c7e1432d824222a94f70

  • SHA1

    d36e2417d05487cf911c5d7cfbcb363951311963

  • SHA256

    33f96e1fe0bbf69004649e12a119af872c0d8bbcfd7a4af310216bdfcf2fc18b

  • SHA512

    a5d11029e9e9f8b85559f23417edef3e27712339ba468c085f8d6db091d42e8c7263e654fc57097cd5402735c5b224a0631ef6eda19394383696e2a5f40ae701

  • SSDEEP

    24576:m4yVOhC+4OAz6hCy0rq2Znkw+a/ZSMQugi8ndZ5G:m4yVOpXA+wZnwg1Qugi8ndZ5G

Score
10/10
dropperpersistencetrojan

Malware Config

Signatures

  • Malware Backdoor - Berbew 6 IoCs

    Berbew is a malware infection classified as a 'backdoor' Trojan. This malicious program's primary function is to cause chain infections - it can download/install additional malware such as other Trojans, ransomware, and cryptominers.

    persistencedroppertrojan
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Program crash 13 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\NEAS.ab1241c98a10c7e1432d824222a94f70_JC.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.ab1241c98a10c7e1432d824222a94f70_JC.exe"
    1⤵
    • Suspicious behavior: RenamesItself
    • Suspicious use of WriteProcessMemory
    PID:4572
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4572 -s 344
      2⤵
      • Program crash
      PID:2192
    • C:\Users\Admin\AppData\Local\Temp\NEAS.ab1241c98a10c7e1432d824222a94f70_JC.exe
      C:\Users\Admin\AppData\Local\Temp\NEAS.ab1241c98a10c7e1432d824222a94f70_JC.exe
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of UnmapMainImage
      PID:3900
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3900 -s 344
        3⤵
        • Program crash
        PID:5028
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3900 -s 616
        3⤵
        • Program crash
        PID:1736
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3900 -s 616
        3⤵
        • Program crash
        PID:4980
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3900 -s 728
        3⤵
        • Program crash
        PID:3628
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3900 -s 748
        3⤵
        • Program crash
        PID:3912
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3900 -s 900
        3⤵
        • Program crash
        PID:4100
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3900 -s 1396
        3⤵
        • Program crash
        PID:4532
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3900 -s 1392
        3⤵
        • Program crash
        PID:2496
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3900 -s 1464
        3⤵
        • Program crash
        PID:1696
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3900 -s 1496
        3⤵
        • Program crash
        PID:2024
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3900 -s 1524
        3⤵
        • Program crash
        PID:2304
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3900 -s 1648
        3⤵
        • Program crash
        PID:840
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4572 -ip 4572
    1⤵
      PID:1676
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3900 -ip 3900
      1⤵
        PID:2088
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3900 -ip 3900
        1⤵
          PID:1684
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3900 -ip 3900
          1⤵
            PID:1264
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 3900 -ip 3900
            1⤵
              PID:3472
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 3900 -ip 3900
              1⤵
                PID:2548
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 3900 -ip 3900
                1⤵
                  PID:3548
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 3900 -ip 3900
                  1⤵
                    PID:2612
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 3900 -ip 3900
                    1⤵
                      PID:3068
                    • C:\Windows\SysWOW64\WerFault.exe
                      C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 3900 -ip 3900
                      1⤵
                        PID:2036
                      • C:\Windows\SysWOW64\WerFault.exe
                        C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 3900 -ip 3900
                        1⤵
                          PID:3460
                        • C:\Windows\SysWOW64\WerFault.exe
                          C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 3900 -ip 3900
                          1⤵
                            PID:1480
                          • C:\Windows\SysWOW64\WerFault.exe
                            C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 3900 -ip 3900
                            1⤵
                              PID:2244

                            Network

                            MITRE ATT&CK Enterprise v15

                            Replay Monitor

                            Loading Replay Monitor...

                            Downloads

                            • C:\Users\Admin\AppData\Local\Temp\NEAS.ab1241c98a10c7e1432d824222a94f70_JC.exe
                              Filesize

                              991KB

                              MD5

                              c7f11f881e5bc73d34151b52bc211540

                              SHA1

                              a57f8a086436223bb098043eeb60d50975df3dea

                              SHA256

                              959d80534fd0d992fc5b3ec7573848e1bc254c869e1342682cba7f9fe2b82b6f

                              SHA512

                              81554786239fba246850d5315573fbc3ff52963f99fa2c040aee0df22d5149f821dfe3b655f8ce1bf995c9d793e3ab8b5e2df85dabf6b3c4802b2cea463a2cd8

                              Download Submit

                            • memory/3900-7-0x0000000000400000-0x00000000004F5000-memory.dmp

                              Filesize

                              980KB

                              Download

                            • memory/3900-8-0x0000000005020000-0x0000000005115000-memory.dmp

                              Filesize

                              980KB

                              Download

                            • memory/3900-9-0x0000000000400000-0x00000000004A3000-memory.dmp

                              Filesize

                              652KB

                              Download

                            • memory/3900-19-0x000000000B980000-0x000000000BA23000-memory.dmp

                              Filesize

                              652KB

                              Download

                            • memory/3900-18-0x0000000000400000-0x0000000000443000-memory.dmp

                              Filesize

                              268KB

                              Download

                            • memory/3900-25-0x0000000000400000-0x00000000004F5000-memory.dmp

                              Filesize

                              980KB

                              Download

                            • memory/4572-0-0x0000000000400000-0x00000000004F5000-memory.dmp

                              Filesize

                              980KB

                              Download

                            • memory/4572-5-0x0000000000400000-0x00000000004F5000-memory.dmp

                              Filesize

                              980KB

                              Download