a8c62489d943378c07c8847aeb4b7db07244be52b3ec855eb84efbef229a86bf

Analysis

max time kernel
118s
max time network
124s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
05/11/2023, 07:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.b542050f861f44d11be2dadfe6128980.exe
Size

436KB
MD5

b542050f861f44d11be2dadfe6128980
SHA1

81002ff5f0cfcbbc6141373f8078457d202f49c4
SHA256

a8c62489d943378c07c8847aeb4b7db07244be52b3ec855eb84efbef229a86bf
SHA512

0fb9bcaab1de710bae09a1885a06e91b62e376b48c7604d3742282c43daa77cc46946a3fb5fb99f08c71ff3e050e50ce240ab8a77fb01842662134ab2922f146
SSDEEP

12288:kftOFEca6WClS/WFSnV8nI1R+iKfz9cbzmkIE4SXRSRMN:RVhP03nV8nI1R+iKfz9cbzmkIE4SXRSI

Score

10^/10

dropper persistence trojan

Malware Config

Signatures

Malware Backdoor - Berbew 2 IoCs

Berbew is a malware infection classified as a 'backdoor' Trojan. This malicious program's primary function is to cause chain infections - it can download/install additional malware such as other Trojans, ransomware, and cryptominers.

persistence dropper trojan

resource	yara_rule
behavioral1/files/0x00070000000120ca-9.dat	family_berbew
behavioral1/files/0x00070000000120ca-4.dat	family_berbew

Executes dropped EXE 1 IoCs

pid	Process
2616	NEAS.b542050f861f44d11be2dadfe6128980.exe

Loads dropped DLL 1 IoCs

pid	Process
1320	NEAS.b542050f861f44d11be2dadfe6128980.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1320	NEAS.b542050f861f44d11be2dadfe6128980.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
2616	NEAS.b542050f861f44d11be2dadfe6128980.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1320 wrote to memory of 2616	1320	NEAS.b542050f861f44d11be2dadfe6128980.exe	29
PID 1320 wrote to memory of 2616	1320	NEAS.b542050f861f44d11be2dadfe6128980.exe	29
PID 1320 wrote to memory of 2616	1320	NEAS.b542050f861f44d11be2dadfe6128980.exe	29
PID 1320 wrote to memory of 2616	1320	NEAS.b542050f861f44d11be2dadfe6128980.exe	29

C:\Users\Admin\AppData\Local\Temp\NEAS.b542050f861f44d11be2dadfe6128980.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.b542050f861f44d11be2dadfe6128980.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:1320
- C:\Users\Admin\AppData\Local\Temp\NEAS.b542050f861f44d11be2dadfe6128980.exe
  C:\Users\Admin\AppData\Local\Temp\NEAS.b542050f861f44d11be2dadfe6128980.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:2616

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\NEAS.b542050f861f44d11be2dadfe6128980.exe

Filesize
436KB

MD5
7bc94c1cf1756d7dc65c99b01ba6508e

SHA1
c1bd7a6f0bda8c21ec23ac31ec5d8c49bd06089e

SHA256
39eceb2e20d8943bd03cbd001a12d6e2bb8af03a2e3bce653b51aaeebf206472

SHA512
322e8091abef82967a7efd304737b3c55fd9db8629d195e750d2503d7da265f452e36652ad4cfa7983b0d5051a711001778b753e0b194f22bc7c8ccda53f997e

Download Submit
\Users\Admin\AppData\Local\Temp\NEAS.b542050f861f44d11be2dadfe6128980.exe

Filesize
436KB

MD5
7bc94c1cf1756d7dc65c99b01ba6508e

SHA1
c1bd7a6f0bda8c21ec23ac31ec5d8c49bd06089e

SHA256
39eceb2e20d8943bd03cbd001a12d6e2bb8af03a2e3bce653b51aaeebf206472

SHA512
322e8091abef82967a7efd304737b3c55fd9db8629d195e750d2503d7da265f452e36652ad4cfa7983b0d5051a711001778b753e0b194f22bc7c8ccda53f997e

Download Submit
memory/1320-0-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1320-8-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2616-11-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2616-12-0x0000000000130000-0x0000000000168000-memory.dmp

Filesize
224KB

Download
memory/2616-10-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2616-17-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download