a3629f081ed90fb2c18cbfb4c708d459fe8b2f4e381792381acc8f85852dddbd

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
11-11-2023 10:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.0d2ba1326266aa983877b285877a4c02.exe
Size

227KB
MD5

0d2ba1326266aa983877b285877a4c02
SHA1

8b041452e8f4a4ddc7c4edbc6b0b73e7a5844fdc
SHA256

a3629f081ed90fb2c18cbfb4c708d459fe8b2f4e381792381acc8f85852dddbd
SHA512

582abf4ffe65c72501c1935fca805f531ada77442e346ba28645c77044dbdacbe2cec5a01291caf44fa397359be6ad35422ae12ae543ffbcf50a951c34bebe69
SSDEEP

3072:N1j1klt51m2nn8NYP/4WZeyjpwoTRBmDRGGurhUXvBj2QE2HegPelTeIdI7jFHu:N1pkvmWJqVm7U5j2QE2+g24Id2jFHu

Score

10^/10

dropper persistence trojan

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	NEAS.0d2ba1326266aa983877b285877a4c02.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	NEAS.0d2ba1326266aa983877b285877a4c02.exe

Malware Backdoor - Berbew 2 IoCs

Berbew is a malware infection classified as a 'backdoor' Trojan. This malicious program's primary function is to cause chain infections - it can download/install additional malware such as other Trojans, ransomware, and cryptominers.

persistence dropper trojan

resource	yara_rule
behavioral2/files/0x00090000000222f4-6.dat	family_berbew
behavioral2/files/0x00090000000222f4-7.dat	family_berbew

Executes dropped EXE 1 IoCs

pid	Process
4756	Dmllipeg.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	NEAS.0d2ba1326266aa983877b285877a4c02.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	NEAS.0d2ba1326266aa983877b285877a4c02.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	NEAS.0d2ba1326266aa983877b285877a4c02.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
764	4756	WerFault.exe	89

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	NEAS.0d2ba1326266aa983877b285877a4c02.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	NEAS.0d2ba1326266aa983877b285877a4c02.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	NEAS.0d2ba1326266aa983877b285877a4c02.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	NEAS.0d2ba1326266aa983877b285877a4c02.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	NEAS.0d2ba1326266aa983877b285877a4c02.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	NEAS.0d2ba1326266aa983877b285877a4c02.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4904 wrote to memory of 4756	4904	NEAS.0d2ba1326266aa983877b285877a4c02.exe	89
PID 4904 wrote to memory of 4756	4904	NEAS.0d2ba1326266aa983877b285877a4c02.exe	89
PID 4904 wrote to memory of 4756	4904	NEAS.0d2ba1326266aa983877b285877a4c02.exe	89

C:\Users\Admin\AppData\Local\Temp\NEAS.0d2ba1326266aa983877b285877a4c02.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.0d2ba1326266aa983877b285877a4c02.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4904
- C:\Windows\SysWOW64\Dmllipeg.exe
  C:\Windows\system32\Dmllipeg.exe
  2⤵
  - Executes dropped EXE
  PID:4756
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4756 -s 228
    3⤵
    - Program crash
    PID:764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4756 -ip 4756
1⤵
PID:1168

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
227KB

MD5
4a34aa18af6ef6828f6a2605b10dc986

SHA1
5c08b165895a21e177ad0218843c354158661cce

SHA256
7589eb9ce4a1d07f3f0fac7ab2d60f51de088b0f0406a610334a5686d0047d63

SHA512
a9cca744c14a828332850efbebd5d2587dc2442c71415c7d83f6f258c816578278c322ccaa6500142c962486718ded2b7912f0e2736e1b01bde372708c3aefee

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
227KB

MD5
4a34aa18af6ef6828f6a2605b10dc986

SHA1
5c08b165895a21e177ad0218843c354158661cce

SHA256
7589eb9ce4a1d07f3f0fac7ab2d60f51de088b0f0406a610334a5686d0047d63

SHA512
a9cca744c14a828332850efbebd5d2587dc2442c71415c7d83f6f258c816578278c322ccaa6500142c962486718ded2b7912f0e2736e1b01bde372708c3aefee

Download Submit
memory/4756-8-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4756-10-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4904-0-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4904-9-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads