5bc452996a98908f8dd16aadbad76a224beca9ec27a81b6cc7a337ccb63f8ed0

Analysis

max time kernel
118s
max time network
134s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
05/11/2023, 18:01

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

NEAS.41123bb1bf33c7a9caa26bc79e472180_JC.exe
Size

955KB
MD5

41123bb1bf33c7a9caa26bc79e472180
SHA1

0b187d823f406d23ce09f3c08365e37f17bd0b84
SHA256

5bc452996a98908f8dd16aadbad76a224beca9ec27a81b6cc7a337ccb63f8ed0
SHA512

ec96c33c22250cc402e673cb920ace8cb97929fdbd1b840a44fba83b408bbde53604f8484d04ff39c6149ee7da39160fe7b98af7b46111c8c35905be05471b0b
SSDEEP

24576:oTE1+4MKZIKCka4tRLZmX1+RnM3L2N9Y3G3wSK6JE4t6FGerrthf:oTE1xIKCfAdZmF+RnM3L2N9YWgSK6JEb

Score

10^/10

dropper persistence trojan

Malware Config

Signatures

Malware Backdoor - Berbew 2 IoCs

Berbew is a malware infection classified as a 'backdoor' Trojan. This malicious program's primary function is to cause chain infections - it can download/install additional malware such as other Trojans, ransomware, and cryptominers.

persistence dropper trojan

resource	yara_rule
behavioral1/files/0x00060000000120b7-1.dat	family_berbew
behavioral1/files/0x00060000000120b7-4.dat	family_berbew

Deletes itself 1 IoCs

pid	Process
1736	75EB.tmp

Executes dropped EXE 1 IoCs

pid	Process
1736	75EB.tmp

Loads dropped DLL 1 IoCs

pid	Process
1732	NEAS.41123bb1bf33c7a9caa26bc79e472180_JC.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1732 wrote to memory of 1736	1732	NEAS.41123bb1bf33c7a9caa26bc79e472180_JC.exe	28
PID 1732 wrote to memory of 1736	1732	NEAS.41123bb1bf33c7a9caa26bc79e472180_JC.exe	28
PID 1732 wrote to memory of 1736	1732	NEAS.41123bb1bf33c7a9caa26bc79e472180_JC.exe	28
PID 1732 wrote to memory of 1736	1732	NEAS.41123bb1bf33c7a9caa26bc79e472180_JC.exe	28

C:\Users\Admin\AppData\Local\Temp\NEAS.41123bb1bf33c7a9caa26bc79e472180_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.41123bb1bf33c7a9caa26bc79e472180_JC.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1732
- C:\Users\Admin\AppData\Local\Temp\75EB.tmp
  "C:\Users\Admin\AppData\Local\Temp\75EB.tmp"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:1736

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\75EB.tmp

Filesize
955KB

MD5
877f67454a1a78f818a12be8d26d0f39

SHA1
8547293a56be300c81e8f05baee31a1ed94e1be6

SHA256
63b8ee4adac0a1149b4a3242aba2dd82db97704da6411397d660fa1ed881deed

SHA512
81b596d4108bddba9f9316fa4ca645e85ae12811d29ecc2952ba2170dd4d8f4752fa5f6b8cbb8f92c0ec14dd53fcd884b769844d7900daf5090fe6e9168850c6

Download Submit
\Users\Admin\AppData\Local\Temp\75EB.tmp

Filesize
955KB

MD5
877f67454a1a78f818a12be8d26d0f39

SHA1
8547293a56be300c81e8f05baee31a1ed94e1be6

SHA256
63b8ee4adac0a1149b4a3242aba2dd82db97704da6411397d660fa1ed881deed

SHA512
81b596d4108bddba9f9316fa4ca645e85ae12811d29ecc2952ba2170dd4d8f4752fa5f6b8cbb8f92c0ec14dd53fcd884b769844d7900daf5090fe6e9168850c6

Download Submit