Analysis
max time kernel: 118s
max time network: 123s
platform: windows7_x64
resource: win7-20231020-en
resource tags: arch:x64, arch:x86, image:win7-20231020-en, locale:en-us, os:windows7-x64, system
submitted: 06/11/2023, 19:43
Behavioral task: behavioral1
Sample: NEAS.1f3ed2ae1deda3ad1cb6aa7e076b3f80.exe
Resource: win7-20231020-en

Behavioral task: behavioral2
Sample: NEAS.1f3ed2ae1deda3ad1cb6aa7e076b3f80.exe
Resource: win10v2004-20231023-en
General
Target: NEAS.1f3ed2ae1deda3ad1cb6aa7e076b3f80.exe
Size: 109KB
MD5: 1f3ed2ae1deda3ad1cb6aa7e076b3f80
SHA1: c176c01170e3314b0a9fd5508f7df220d82fb6da
SHA256: 28440a81782a02146cc9a76188c169a04962dd280ed88c20ec8958d2652738f6
SHA512: 451b5a7b5dda6f8de0afe0224081c56f40fb68b440ee3b897ac4f49874aef046f0b61b6ce7f92361614b138b873696c4d095027373b436779d9b743df9ca673c
SSDEEP: 3072:lePSUwlQjwL88HDv9fovKJ9yLCqwzBu1DjHLMVDqqkSpR:l2jr8HhJJ9Gwtu1DjrFqhz
Malware Config
Signatures
Malware Backdoor - Berbew (2 IoCs)
Berbew is a malware infection classified as a 'backdoor' Trojan. This malicious program's primary function is to cause chain infections - it can download/install additional malware such as other Trojans, ransomware, and cryptominers.

resource                                                                    yara_rule
behavioral1/memory/2668-0-0x0000000000400000-0x0000000000444000-memory.dmp  family_berbew
behavioral1/memory/2668-1-0x0000000000400000-0x0000000000444000-memory.dmp  family_berbew

Program crash (1 IoC)

pid   pid_target  Process        procid_target
2064  2668        WerFault.exe   27

Suspicious use of WriteProcessMemory (4 IoCs)

description                           pid   Process                                     procid_target
PID 2668 wrote to memory of 2064      2668  NEAS.1f3ed2ae1deda3ad1cb6aa7e076b3f80.exe  28
PID 2668 wrote to memory of 2064      2668  NEAS.1f3ed2ae1deda3ad1cb6aa7e076b3f80.exe  28
PID 2668 wrote to memory of 2064      2668  NEAS.1f3ed2ae1deda3ad1cb6aa7e076b3f80.exe  28
PID 2668 wrote to memory of 2064      2668  NEAS.1f3ed2ae1deda3ad1cb6aa7e076b3f80.exe  28
Processes

1. C:\Users\Admin\AppData\Local\Temp\NEAS.1f3ed2ae1deda3ad1cb6aa7e076b3f80.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.1f3ed2ae1deda3ad1cb6aa7e076b3f80.exe"
   PID: 2668
   Signatures: Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2668 -s 140
      PID: 2064
      Signatures: Program crash