Analysis

  • max time kernel
    143s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231020-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231020-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    07/11/2023, 14:27

General

  • Target

    NEAS.4de516c725c6ad8b4efa69177efa2642.exe

  • Size

    187KB

  • MD5

    4de516c725c6ad8b4efa69177efa2642

  • SHA1

    396334d17e5411e1d832956102a7cf75e71db761

  • SHA256

    6af00548e6860b7514280275545254574aaf0a9ece94fa3d231a3700d0b19988

  • SHA512

    cc29436e9608b3999f4bee5f395228d7389feb09eb80c5622081d2986b3808eeb34ce876701b4386e29aaf4544e803ddcf4dc49b4222ab16aaa244e6f3ba3965

  • SSDEEP

    3072:Dv5Ls27BIJHluLyXuEQ00UIIIhg6XXXDzXXX13612IIIre36TAXXXhgavcXXXLIX:DBs27GluLyXxQQIIIhg6XXXDzXXX13sE

Malware Config

Signatures

  • Malware Backdoor - Berbew 2 IoCs

    Berbew is a malware infection classified as a 'backdoor' Trojan. This malicious program's primary function is to cause chain infections - it can download/install additional malware such as other Trojans, ransomware, and cryptominers.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\NEAS.4de516c725c6ad8b4efa69177efa2642.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.4de516c725c6ad8b4efa69177efa2642.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4984
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\NEAS4D~1.EXE > nul
      2⤵
        PID:4440
    • C:\Windows\Debug\hauhost.exe
      C:\Windows\Debug\hauhost.exe
      1⤵
      • Executes dropped EXE
      • Checks processor information in registry
      PID:2888

    Network

          MITRE ATT&CK Enterprise v15

          Downloads

          • C:\Windows\Debug\hauhost.exe

            Filesize

            187KB

            MD5

            e87d0669dc3f9322459c38b66176fbf3

            SHA1

            f289623c799eac3da3e943b8ce18e33b5b7bebf9

            SHA256

            df6db9192f9e8aebb62bc8f4ebc8c44f7815d694be286c312ff62094b2ac39bb

            SHA512

            b72ff37f1dc43de897e57d23b36386d67dd1ba477ce1f14cdeb00b2b6b59ff0bc86d088bc507ec780b4984aba178140b43060304bc9c0be6e7c7e9e5bc8671d8

          • C:\Windows\debug\hauhost.exe

            Filesize

            187KB

            MD5

            e87d0669dc3f9322459c38b66176fbf3

            SHA1

            f289623c799eac3da3e943b8ce18e33b5b7bebf9

            SHA256

            df6db9192f9e8aebb62bc8f4ebc8c44f7815d694be286c312ff62094b2ac39bb

            SHA512

            b72ff37f1dc43de897e57d23b36386d67dd1ba477ce1f14cdeb00b2b6b59ff0bc86d088bc507ec780b4984aba178140b43060304bc9c0be6e7c7e9e5bc8671d8