c33bf6dbe138bd43a16a5b01cfe548b7e893800f9d1236a262262fbe1cdc9731

Analysis

max time kernel
139s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
05/11/2023, 09:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.4f388aaa81838de90f9b70188a3c7c40.exe
Size

249KB
MD5

4f388aaa81838de90f9b70188a3c7c40
SHA1

8c0bdd8ca3d1351012c96e3b659ac68868a4f75e
SHA256

c33bf6dbe138bd43a16a5b01cfe548b7e893800f9d1236a262262fbe1cdc9731
SHA512

2ea5b271ce14d6912d58db18dd06ca5333f0bee35e95d535656e07e74316f31013775d2b02adfe8131c8a65e670ed5744c09f38e663f73b5ee6df602f7f78fad
SSDEEP

6144:8nOsarUet4nM8nvljgd+86ZkjVlFniTqQCSDyigAo7K+2GKOc:8nOfrUeANnvljXjWjTQYNh7K+2G1c

Score

10^/10

dropper persistence trojan

Malware Config

Signatures

Malware Backdoor - Berbew 2 IoCs

Berbew is a malware infection classified as a 'backdoor' Trojan. This malicious program's primary function is to cause chain infections - it can download/install additional malware such as other Trojans, ransomware, and cryptominers.

persistence dropper trojan

resource	yara_rule
behavioral2/files/0x0007000000022d6a-7.dat	family_berbew
behavioral2/files/0x0007000000022d6a-8.dat	family_berbew

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2660 wrote to memory of 4072	2660	NEAS.4f388aaa81838de90f9b70188a3c7c40.exe	85
PID 2660 wrote to memory of 4072	2660	NEAS.4f388aaa81838de90f9b70188a3c7c40.exe	85
PID 2660 wrote to memory of 4072	2660	NEAS.4f388aaa81838de90f9b70188a3c7c40.exe	85
PID 4072 wrote to memory of 1828	4072	cmd.exe	86
PID 4072 wrote to memory of 1828	4072	cmd.exe	86
PID 4072 wrote to memory of 1828	4072	cmd.exe	86
PID 1828 wrote to memory of 2532	1828	iexpress.exe	87
PID 1828 wrote to memory of 2532	1828	iexpress.exe	87
PID 1828 wrote to memory of 2532	1828	iexpress.exe	87

C:\Users\Admin\AppData\Local\Temp\NEAS.4f388aaa81838de90f9b70188a3c7c40.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.4f388aaa81838de90f9b70188a3c7c40.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2660
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\F194.tmp\1.bat" "C:\Users\Admin\AppData\Local\Temp\NEAS.4f388aaa81838de90f9b70188a3c7c40.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4072
- - C:\Windows\SysWOW64\iexpress.exe
    iexpress /n /q /m C:\Users\Admin\AppData\Local\Temp\popup.sed
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1828
  - - C:\Windows\SysWOW64\makecab.exe
      C:\Windows\SysWOW64\makecab.exe /f "~%TargetName%.DDF"
      4⤵
      PID:2532

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\F194.tmp\1.bat

Filesize
1KB

MD5
02dba5f37067292355c6d01a57d4ef48

SHA1
7c67ab3f99fbf7a53018dd295d2968c525db83d9

SHA256
8b74c812ba9e6c536da7edd4101e7e0dddeab8355e5aff095dd31b3f00560242

SHA512
12201f949ee3198c8f4b39cc8edf90a114ecf42ddd5383ed0b87e4c78053cd517786dc7af83557e63a0483af74f4c0117d5568441ae761ff6958e758704d602a

Download Submit
C:\Users\Admin\AppData\Local\Temp\popup.sed

Filesize
249KB

MD5
26ccb4043b69098526f3828d6de5cb17

SHA1
d1f2c23959fca4e57e93bdbb85883a926cfdc2e0

SHA256
28ce0ab3ffac20a4cef7d5cc9725bc544224c24660bfed3aebca5452ff99c7f0

SHA512
fe31f9981ad9a721839cc55493b8541b2ed1ed8af32a1687d4b81b64330bce04a3462aa06cfa529287fce9f91c893852f463c8315c2148b887e5ad61b862eba7

Download Submit
C:\Users\Admin\AppData\Local\Temp\popup.sed

Filesize
249KB

MD5
26ccb4043b69098526f3828d6de5cb17

SHA1
d1f2c23959fca4e57e93bdbb85883a926cfdc2e0

SHA256
28ce0ab3ffac20a4cef7d5cc9725bc544224c24660bfed3aebca5452ff99c7f0

SHA512
fe31f9981ad9a721839cc55493b8541b2ed1ed8af32a1687d4b81b64330bce04a3462aa06cfa529287fce9f91c893852f463c8315c2148b887e5ad61b862eba7

Download Submit
C:\Users\Admin\AppData\Local\Temp\~%TargetName%.DDF

Filesize
724B

MD5
c3ca008abd6997c4b036a7e8be75cb2c

SHA1
05f7a3527bb04c691b08f040f562582035398829

SHA256
29ef6bf47dcc8c67f1abe1b269d3518d6a4ebe125daa1ea460779638cb9782a3

SHA512
bee0baf3cb83144239077f99f5ca2a6ca7b618f7f51a53e03613ae697e8bc76fa28f5d006296b469be8e1fffeeb35668b5fe87b260b1380cc003815ea9efb083

Download Submit