e030d7250dfa9501d7068d6538edf91395b8cc49e5b91ef07fcf3d8a1f11eff8

Analysis

max time kernel
121s
max time network
129s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
11-11-2023 05:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.54449f84bfc8efe04db5f5b5a3571a50.exe
Size

320KB
MD5

54449f84bfc8efe04db5f5b5a3571a50
SHA1

a2b69020e2eb16789ad381a8576765192b5651ac
SHA256

e030d7250dfa9501d7068d6538edf91395b8cc49e5b91ef07fcf3d8a1f11eff8
SHA512

d09b0986eb8cb5f9da5b421483e2cd322b41995f0a065883d67a5d98c087ac3c204e1ecf0be85858dace2b729b7637f12ece849aa3f06ee44a59cae3a38151e9
SSDEEP

6144:VSjg8Iw5TT4OnRdudQ3TCgk5AHCEvY5BQwKSql4fejxkrAWxeOwvfwEBN+j:VSjgqdT4OnRgqGgk5AiEvoKlSql4ejAh

Score

10^/10

dropper persistence trojan

Malware Config

Signatures

Malware Backdoor - Berbew 2 IoCs

Berbew is a malware infection classified as a 'backdoor' Trojan. This malicious program's primary function is to cause chain infections - it can download/install additional malware such as other Trojans, ransomware, and cryptominers.

persistence dropper trojan

resource	yara_rule
behavioral1/files/0x00070000000120bd-10.dat	family_berbew
behavioral1/files/0x00070000000120bd-4.dat	family_berbew

Deletes itself 1 IoCs

pid	Process
1288	NEAS.54449f84bfc8efe04db5f5b5a3571a50.exe

Executes dropped EXE 1 IoCs

pid	Process
1288	NEAS.54449f84bfc8efe04db5f5b5a3571a50.exe

Loads dropped DLL 1 IoCs

pid	Process
2112	NEAS.54449f84bfc8efe04db5f5b5a3571a50.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2112	NEAS.54449f84bfc8efe04db5f5b5a3571a50.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
1288	NEAS.54449f84bfc8efe04db5f5b5a3571a50.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2112 wrote to memory of 1288	2112	NEAS.54449f84bfc8efe04db5f5b5a3571a50.exe	29
PID 2112 wrote to memory of 1288	2112	NEAS.54449f84bfc8efe04db5f5b5a3571a50.exe	29
PID 2112 wrote to memory of 1288	2112	NEAS.54449f84bfc8efe04db5f5b5a3571a50.exe	29
PID 2112 wrote to memory of 1288	2112	NEAS.54449f84bfc8efe04db5f5b5a3571a50.exe	29

C:\Users\Admin\AppData\Local\Temp\NEAS.54449f84bfc8efe04db5f5b5a3571a50.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.54449f84bfc8efe04db5f5b5a3571a50.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2112
- C:\Users\Admin\AppData\Local\Temp\NEAS.54449f84bfc8efe04db5f5b5a3571a50.exe
  C:\Users\Admin\AppData\Local\Temp\NEAS.54449f84bfc8efe04db5f5b5a3571a50.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:1288

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\NEAS.54449f84bfc8efe04db5f5b5a3571a50.exe

Filesize
320KB

MD5
e2ccd719a4dcc4723cd7f483cc822372

SHA1
d3f39fc2ab5630e24bcdf481b0780926a93bd63d

SHA256
856be99c565bedb7f6bda1f48262f56cbafbcf5eef5026a7dfca9a641e21b875

SHA512
0fa0571ea969274b24b25fb770c117cff5372e462c4fb93942f81c712c5bc5ba4d9c30db5571ab56539541f8bfb91656b6cc20282a9af4e14d792204e20bb69f

Download Submit
\Users\Admin\AppData\Local\Temp\NEAS.54449f84bfc8efe04db5f5b5a3571a50.exe

Filesize
320KB

MD5
e2ccd719a4dcc4723cd7f483cc822372

SHA1
d3f39fc2ab5630e24bcdf481b0780926a93bd63d

SHA256
856be99c565bedb7f6bda1f48262f56cbafbcf5eef5026a7dfca9a641e21b875

SHA512
0fa0571ea969274b24b25fb770c117cff5372e462c4fb93942f81c712c5bc5ba4d9c30db5571ab56539541f8bfb91656b6cc20282a9af4e14d792204e20bb69f

Download Submit
memory/1288-12-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1288-11-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1288-14-0x0000000000130000-0x0000000000170000-memory.dmp

Filesize
256KB

Download
memory/1288-19-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2112-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2112-9-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2112-6-0x0000000000130000-0x0000000000170000-memory.dmp

Filesize
256KB

Download
memory/2112-18-0x0000000000130000-0x0000000000170000-memory.dmp

Filesize
256KB

Download