3d05c92ef7ce1e094d59a336cfd72c07f96ab54e02435e3ff7c2864916053169

Analysis

max time kernel
141s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20231025-en
resource tags

arch:x64arch:x86image:win10v2004-20231025-enlocale:en-usos:windows10-2004-x64system
submitted
06/11/2023, 02:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.cf4a16098a5a2159255195d0241ad900.exe
Size

123KB
MD5

cf4a16098a5a2159255195d0241ad900
SHA1

21474316094ef07473b2aee7e5f22fdb63101701
SHA256

3d05c92ef7ce1e094d59a336cfd72c07f96ab54e02435e3ff7c2864916053169
SHA512

eaa854accce1458574b0db6fdd732378a941177e137eef47e0a1d64d6a69ea77e0e6034e04bf9c1ec626d8aac0d3db189741333cced514dd78a8da4b3c5ea750
SSDEEP

3072:jRiQH4uSIrdRKtARM1nJfBbd4ounTf8yE7Dmzve:ZHQIRRKoedqnTfad

Score

10^/10

dropper persistence trojan

Malware Config

Signatures

Malware Backdoor - Berbew 1 IoCs

Berbew is a malware infection classified as a 'backdoor' Trojan. This malicious program's primary function is to cause chain infections - it can download/install additional malware such as other Trojans, ransomware, and cryptominers.

persistence dropper trojan

resource	yara_rule
behavioral2/files/0x0006000000022dea-11.dat	family_berbew

Deletes itself 1 IoCs

pid	Process
5008	NEAS.cf4a16098a5a2159255195d0241ad900.exe

Executes dropped EXE 1 IoCs

pid	Process
5008	NEAS.cf4a16098a5a2159255195d0241ad900.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4548	NEAS.cf4a16098a5a2159255195d0241ad900.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeManageVolumePrivilege	980	svchost.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
4548	NEAS.cf4a16098a5a2159255195d0241ad900.exe
5008	NEAS.cf4a16098a5a2159255195d0241ad900.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4548 wrote to memory of 5008	4548	NEAS.cf4a16098a5a2159255195d0241ad900.exe	87
PID 4548 wrote to memory of 5008	4548	NEAS.cf4a16098a5a2159255195d0241ad900.exe	87
PID 4548 wrote to memory of 5008	4548	NEAS.cf4a16098a5a2159255195d0241ad900.exe	87

C:\Users\Admin\AppData\Local\Temp\NEAS.cf4a16098a5a2159255195d0241ad900.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.cf4a16098a5a2159255195d0241ad900.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:4548
- C:\Users\Admin\AppData\Local\Temp\NEAS.cf4a16098a5a2159255195d0241ad900.exe
  C:\Users\Admin\AppData\Local\Temp\NEAS.cf4a16098a5a2159255195d0241ad900.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:5008

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
1⤵
PID:928

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:980

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\NEAS.cf4a16098a5a2159255195d0241ad900.exe

Filesize
123KB

MD5
b1ee9010abe9d8a4acf01859bd648ee8

SHA1
5f925fb302565beebefaa462547a79d337b3aedc

SHA256
7577c7a0a60b7e9a053e460d4ed38d67eecce4a2fd412c71eb3be2f925189700

SHA512
37e4337b0600bea529a5f5a77b3f9fde7bc5bdc02f10da808ed60bd78518ab2ff0485410204179d95e802e05f9777c973d4912b2e21c83459584110bc712956b

Download Submit
memory/980-67-0x000001AC6EB50000-0x000001AC6EB51000-memory.dmp

Filesize
4KB

Download
memory/980-66-0x000001AC6EB50000-0x000001AC6EB51000-memory.dmp

Filesize
4KB

Download
memory/980-78-0x000001AC6E6B0000-0x000001AC6E6B1000-memory.dmp

Filesize
4KB

Download
memory/980-75-0x000001AC6E770000-0x000001AC6E771000-memory.dmp

Filesize
4KB

Download
memory/980-61-0x000001AC6EB40000-0x000001AC6EB41000-memory.dmp

Filesize
4KB

Download
memory/980-72-0x000001AC6E780000-0x000001AC6E781000-memory.dmp

Filesize
4KB

Download
memory/980-60-0x000001AC6EB40000-0x000001AC6EB41000-memory.dmp

Filesize
4KB

Download
memory/980-69-0x000001AC6E780000-0x000001AC6E781000-memory.dmp

Filesize
4KB

Download
memory/980-68-0x000001AC6EB50000-0x000001AC6EB51000-memory.dmp

Filesize
4KB

Download
memory/980-26-0x000001AC66440000-0x000001AC66450000-memory.dmp

Filesize
64KB

Download
memory/980-42-0x000001AC66540000-0x000001AC66550000-memory.dmp

Filesize
64KB

Download
memory/980-58-0x000001AC6EB30000-0x000001AC6EB31000-memory.dmp

Filesize
4KB

Download
memory/980-59-0x000001AC6EB40000-0x000001AC6EB41000-memory.dmp

Filesize
4KB

Download
memory/980-70-0x000001AC6E770000-0x000001AC6E771000-memory.dmp

Filesize
4KB

Download
memory/980-65-0x000001AC6EB40000-0x000001AC6EB41000-memory.dmp

Filesize
4KB

Download
memory/980-62-0x000001AC6EB40000-0x000001AC6EB41000-memory.dmp

Filesize
4KB

Download
memory/980-63-0x000001AC6EB40000-0x000001AC6EB41000-memory.dmp

Filesize
4KB

Download
memory/980-64-0x000001AC6EB40000-0x000001AC6EB41000-memory.dmp

Filesize
4KB

Download
memory/4548-1-0x00000000001C0000-0x00000000001CE000-memory.dmp

Filesize
56KB

Download
memory/4548-2-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4548-0-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4548-12-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/5008-21-0x00000000001D0000-0x00000000001EB000-memory.dmp

Filesize
108KB

Download
memory/5008-20-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/5008-15-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/5008-14-0x00000000000C0000-0x00000000000CE000-memory.dmp

Filesize
56KB

Download
memory/5008-13-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5008-95-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download