Analysis
max time kernel: 139s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20231023-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05/11/2023, 09:31
Behavioral task: behavioral1
Sample: NEAS.4f388aaa81838de90f9b70188a3c7c40.exe
Resource: win7-20231020-en

Behavioral task: behavioral2
Sample: NEAS.4f388aaa81838de90f9b70188a3c7c40.exe
Resource: win10v2004-20231023-en
General
Target: NEAS.4f388aaa81838de90f9b70188a3c7c40.exe
Size: 249KB
MD5: 4f388aaa81838de90f9b70188a3c7c40
SHA1: 8c0bdd8ca3d1351012c96e3b659ac68868a4f75e
SHA256: c33bf6dbe138bd43a16a5b01cfe548b7e893800f9d1236a262262fbe1cdc9731
SHA512: 2ea5b271ce14d6912d58db18dd06ca5333f0bee35e95d535656e07e74316f31013775d2b02adfe8131c8a65e670ed5744c09f38e663f73b5ee6df602f7f78fad
SSDEEP: 6144:8nOsarUet4nM8nvljgd+86ZkjVlFniTqQCSDyigAo7K+2GKOc:8nOfrUeANnvljXjWjTQYNh7K+2G1c
Malware Config
(none extracted)

Signatures

Malware Backdoor - Berbew (2 IoCs)
Berbew is a malware infection classified as a 'backdoor' Trojan. This malicious program's primary function is to cause chain infections: it can download/install additional malware such as other Trojans, ransomware, and cryptominers.

resource                                    | yara_rule
behavioral2/files/0x0007000000022d6a-7.dat  | family_berbew
behavioral2/files/0x0007000000022d6a-8.dat  | family_berbew

Suspicious use of WriteProcessMemory (9 IoCs)

description                         | pid  | Process                                     | procid_target
PID 2660 wrote to memory of 4072    | 2660 | NEAS.4f388aaa81838de90f9b70188a3c7c40.exe   | 85
PID 2660 wrote to memory of 4072    | 2660 | NEAS.4f388aaa81838de90f9b70188a3c7c40.exe   | 85
PID 2660 wrote to memory of 4072    | 2660 | NEAS.4f388aaa81838de90f9b70188a3c7c40.exe   | 85
PID 4072 wrote to memory of 1828    | 4072 | cmd.exe                                     | 86
PID 4072 wrote to memory of 1828    | 4072 | cmd.exe                                     | 86
PID 4072 wrote to memory of 1828    | 4072 | cmd.exe                                     | 86
PID 1828 wrote to memory of 2532    | 1828 | iexpress.exe                                | 87
PID 1828 wrote to memory of 2532    | 1828 | iexpress.exe                                | 87
PID 1828 wrote to memory of 2532    | 1828 | iexpress.exe                                | 87
Processes
1. C:\Users\Admin\AppData\Local\Temp\NEAS.4f388aaa81838de90f9b70188a3c7c40.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.4f388aaa81838de90f9b70188a3c7c40.exe"
   Signatures: Suspicious use of WriteProcessMemory
   PID: 2660
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\F194.tmp\1.bat" "C:\Users\Admin\AppData\Local\Temp\NEAS.4f388aaa81838de90f9b70188a3c7c40.exe""
      Signatures: Suspicious use of WriteProcessMemory
      PID: 4072
      3. C:\Windows\SysWOW64\iexpress.exe
         Command line: iexpress /n /q /m C:\Users\Admin\AppData\Local\Temp\popup.sed
         Signatures: Suspicious use of WriteProcessMemory
         PID: 1828
         4. C:\Windows\SysWOW64\makecab.exe
            Command line: C:\Windows\SysWOW64\makecab.exe /f "~%TargetName%.DDF"
            PID: 2532
Network
MITRE ATT&CK Matrix
Downloads