e030d7250dfa9501d7068d6538edf91395b8cc49e5b91ef07fcf3d8a1f11eff8

Analysis

max time kernel
141s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
11/11/2023, 05:52

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

NEAS.54449f84bfc8efe04db5f5b5a3571a50.exe
Size

320KB
MD5

54449f84bfc8efe04db5f5b5a3571a50
SHA1

a2b69020e2eb16789ad381a8576765192b5651ac
SHA256

e030d7250dfa9501d7068d6538edf91395b8cc49e5b91ef07fcf3d8a1f11eff8
SHA512

d09b0986eb8cb5f9da5b421483e2cd322b41995f0a065883d67a5d98c087ac3c204e1ecf0be85858dace2b729b7637f12ece849aa3f06ee44a59cae3a38151e9
SSDEEP

6144:VSjg8Iw5TT4OnRdudQ3TCgk5AHCEvY5BQwKSql4fejxkrAWxeOwvfwEBN+j:VSjgqdT4OnRgqGgk5AiEvoKlSql4ejAh

Score

10^/10

dropper persistence trojan

Malware Config

Signatures

Malware Backdoor - Berbew 1 IoCs

Berbew is a malware infection classified as a 'backdoor' Trojan. This malicious program's primary function is to cause chain infections - it can download/install additional malware such as other Trojans, ransomware, and cryptominers.

persistence dropper trojan

resource	yara_rule
behavioral2/files/0x0007000000022df8-5.dat	family_berbew

Deletes itself 1 IoCs

pid	Process
4080	NEAS.54449f84bfc8efe04db5f5b5a3571a50.exe

Executes dropped EXE 1 IoCs

pid	Process
4080	NEAS.54449f84bfc8efe04db5f5b5a3571a50.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2084	4080	WerFault.exe	93

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2016	NEAS.54449f84bfc8efe04db5f5b5a3571a50.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
4080	NEAS.54449f84bfc8efe04db5f5b5a3571a50.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2016 wrote to memory of 4080	2016	NEAS.54449f84bfc8efe04db5f5b5a3571a50.exe	93
PID 2016 wrote to memory of 4080	2016	NEAS.54449f84bfc8efe04db5f5b5a3571a50.exe	93
PID 2016 wrote to memory of 4080	2016	NEAS.54449f84bfc8efe04db5f5b5a3571a50.exe	93

C:\Users\Admin\AppData\Local\Temp\NEAS.54449f84bfc8efe04db5f5b5a3571a50.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.54449f84bfc8efe04db5f5b5a3571a50.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2016
- C:\Users\Admin\AppData\Local\Temp\NEAS.54449f84bfc8efe04db5f5b5a3571a50.exe
  C:\Users\Admin\AppData\Local\Temp\NEAS.54449f84bfc8efe04db5f5b5a3571a50.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:4080
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4080 -s 364
    3⤵
    - Program crash
    PID:2084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2016 -ip 2016
1⤵
PID:4936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4080 -ip 4080
1⤵
PID:1564

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\NEAS.54449f84bfc8efe04db5f5b5a3571a50.exe

Filesize
320KB

MD5
c469a0be73cdce2143288be58fd8b402

SHA1
44bbedcb7def64f2da05d2c5dbf5a239d1d4c511

SHA256
e97f573ee61f42efa5e626c6a536cbd3dbf6ab01509f2769c003099ca6fae88c

SHA512
e79071554fb17bf233888d308b262e36522b381dd7f851946eaa55cb7a1370910df1c3e1cb36aa1c41ffa9f29f584fe7f95456f7548bd82c0fbe8fc4dbe3e8f2

Download Submit
memory/2016-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2016-6-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4080-7-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4080-8-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4080-9-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4080-14-0x0000000001460000-0x00000000014A0000-memory.dmp

Filesize
256KB

Download