ef0e43df8ca9af4380ae7c5d6ccde89728e65ce69911a365585a80b9303ae134

Analysis

max time kernel
122s
max time network
125s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
07/11/2023, 04:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.2ca8001185ebc06685ffbc5bd4eb4020.exe
Size

1.1MB
MD5

2ca8001185ebc06685ffbc5bd4eb4020
SHA1

c4640ba3f7d3cfd376d01279bb9f10e9a452c2da
SHA256

ef0e43df8ca9af4380ae7c5d6ccde89728e65ce69911a365585a80b9303ae134
SHA512

ef2447283b97110f9201edeaa1811d534c46f9d988bbc3cf37c22ec281628da8e208bf11071feb68ddf5124128adb5b77ec8ece6b85bd8ebb7e7787a8bd8e2c3
SSDEEP

24576:MxBBcsEM4dmv5vOwZr21TEM4dmv5vOJ6YGC3DUnhF14xRsqDclamL1NqD0YJC6aE:MnBvj425vOd1Tj425vOJ6YGAUnhn4XBb

Score

10^/10

dropper persistence trojan

Malware Config

Signatures

Malware Backdoor - Berbew 2 IoCs

Berbew is a malware infection classified as a 'backdoor' Trojan. This malicious program's primary function is to cause chain infections - it can download/install additional malware such as other Trojans, ransomware, and cryptominers.

persistence dropper trojan

resource	yara_rule
behavioral1/files/0x0008000000012027-4.dat	family_berbew
behavioral1/files/0x0008000000012027-9.dat	family_berbew

Executes dropped EXE 1 IoCs

pid	Process
2220	NEAS.2ca8001185ebc06685ffbc5bd4eb4020.exe

Loads dropped DLL 1 IoCs

pid	Process
1948	NEAS.2ca8001185ebc06685ffbc5bd4eb4020.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2220	NEAS.2ca8001185ebc06685ffbc5bd4eb4020.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1948	NEAS.2ca8001185ebc06685ffbc5bd4eb4020.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
2220	NEAS.2ca8001185ebc06685ffbc5bd4eb4020.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1948 wrote to memory of 2220	1948	NEAS.2ca8001185ebc06685ffbc5bd4eb4020.exe	28
PID 1948 wrote to memory of 2220	1948	NEAS.2ca8001185ebc06685ffbc5bd4eb4020.exe	28
PID 1948 wrote to memory of 2220	1948	NEAS.2ca8001185ebc06685ffbc5bd4eb4020.exe	28
PID 1948 wrote to memory of 2220	1948	NEAS.2ca8001185ebc06685ffbc5bd4eb4020.exe	28

C:\Users\Admin\AppData\Local\Temp\NEAS.2ca8001185ebc06685ffbc5bd4eb4020.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.2ca8001185ebc06685ffbc5bd4eb4020.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:1948
- C:\Users\Admin\AppData\Local\Temp\NEAS.2ca8001185ebc06685ffbc5bd4eb4020.exe
  C:\Users\Admin\AppData\Local\Temp\NEAS.2ca8001185ebc06685ffbc5bd4eb4020.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of UnmapMainImage
  PID:2220

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\NEAS.2ca8001185ebc06685ffbc5bd4eb4020.exe

Filesize
1.1MB

MD5
37b253a3278f27f2b056856dfc9ae3b4

SHA1
2eeee54eba685914522295b382e4cc73a6f01287

SHA256
84a8d15019f6dccd4003a3efa4cf339ef8fd116cc7ae219f908c17f3fa3f259a

SHA512
891bb244f8a596944573da4c49eda616aa9af720b08215ecde20effae3358e97bdb4cfaeb6a13fadf42fffd890b9c0dff55e1e39fd081f0f637abab94a13f801

Download Submit
\Users\Admin\AppData\Local\Temp\NEAS.2ca8001185ebc06685ffbc5bd4eb4020.exe

Filesize
1.1MB

MD5
37b253a3278f27f2b056856dfc9ae3b4

SHA1
2eeee54eba685914522295b382e4cc73a6f01287

SHA256
84a8d15019f6dccd4003a3efa4cf339ef8fd116cc7ae219f908c17f3fa3f259a

SHA512
891bb244f8a596944573da4c49eda616aa9af720b08215ecde20effae3358e97bdb4cfaeb6a13fadf42fffd890b9c0dff55e1e39fd081f0f637abab94a13f801

Download Submit
memory/1948-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1948-6-0x0000000000130000-0x0000000000165000-memory.dmp

Filesize
212KB

Download
memory/1948-10-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2220-11-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2220-12-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2220-13-0x00000000000C0000-0x00000000000F5000-memory.dmp

Filesize
212KB

Download
memory/2220-18-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download