b6770f04e92e3f14594dc11b0d24ad3f4e63f54ecfc96dedef44a4d598ee8c55

Analysis

max time kernel
118s
max time network
121s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
12/11/2023, 20:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.d5f7ae9b4afd9024fbc1475835f9d2b0.exe
Size

175KB
MD5

d5f7ae9b4afd9024fbc1475835f9d2b0
SHA1

857b7e3bfc68d61893152887b53a87fc10996c3e
SHA256

b6770f04e92e3f14594dc11b0d24ad3f4e63f54ecfc96dedef44a4d598ee8c55
SHA512

c43cd6796a5039a4cb91cc9a18105f79f295d97f88509434673169e9937322f436f4c4fda089ba8a0e7a8bf3017ab93dfdcb473087f135522207cabb329bce9b
SSDEEP

3072:SVeP+Lpp88jcGuGE8GaTismCGCYt05XWnS0FdCCJuedjQK:FCp88PuGE8GjeGCYtkiS0fCCJuYjT

Score

10^/10

dropper persistence trojan

Malware Config

Signatures

Malware Backdoor - Berbew 6 IoCs

Berbew is a malware infection classified as a 'backdoor' Trojan. This malicious program's primary function is to cause chain infections - it can download/install additional malware such as other Trojans, ransomware, and cryptominers.

persistence dropper trojan

resource	yara_rule
behavioral1/memory/1404-0-0x0000000000400000-0x000000000043B000-memory.dmp	family_berbew
behavioral1/memory/1404-2-0x0000000000140000-0x000000000017B000-memory.dmp	family_berbew
behavioral1/files/0x00060000000120b7-10.dat	family_berbew
behavioral1/memory/1404-11-0x00000000001A0000-0x00000000001DB000-memory.dmp	family_berbew
behavioral1/files/0x00060000000120b7-16.dat	family_berbew
behavioral1/memory/2104-18-0x00000000002E0000-0x000000000031B000-memory.dmp	family_berbew

Deletes itself 1 IoCs

pid	Process
2104	NEAS.d5f7ae9b4afd9024fbc1475835f9d2b0.exe

Executes dropped EXE 1 IoCs

pid	Process
2104	NEAS.d5f7ae9b4afd9024fbc1475835f9d2b0.exe

Loads dropped DLL 1 IoCs

pid	Process
1404	NEAS.d5f7ae9b4afd9024fbc1475835f9d2b0.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1404	NEAS.d5f7ae9b4afd9024fbc1475835f9d2b0.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1404	NEAS.d5f7ae9b4afd9024fbc1475835f9d2b0.exe
2104	NEAS.d5f7ae9b4afd9024fbc1475835f9d2b0.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1404 wrote to memory of 2104	1404	NEAS.d5f7ae9b4afd9024fbc1475835f9d2b0.exe	29
PID 1404 wrote to memory of 2104	1404	NEAS.d5f7ae9b4afd9024fbc1475835f9d2b0.exe	29
PID 1404 wrote to memory of 2104	1404	NEAS.d5f7ae9b4afd9024fbc1475835f9d2b0.exe	29
PID 1404 wrote to memory of 2104	1404	NEAS.d5f7ae9b4afd9024fbc1475835f9d2b0.exe	29

C:\Users\Admin\AppData\Local\Temp\NEAS.d5f7ae9b4afd9024fbc1475835f9d2b0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.d5f7ae9b4afd9024fbc1475835f9d2b0.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1404
- C:\Users\Admin\AppData\Local\Temp\NEAS.d5f7ae9b4afd9024fbc1475835f9d2b0.exe
  C:\Users\Admin\AppData\Local\Temp\NEAS.d5f7ae9b4afd9024fbc1475835f9d2b0.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:2104

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\NEAS.d5f7ae9b4afd9024fbc1475835f9d2b0.exe

Filesize
175KB

MD5
3f61fc6d5f92c71eacd276f3ccf87ade

SHA1
a1456d89748565fca18c5fb4e5169d3b6d497c54

SHA256
f216d78cc1788ea1c659f89847fa29ae602afbd7a38485088d12fd465be92580

SHA512
ff271da1282d77408102a95832d3beb192fb06ca1895158608e529ad7939cc2f6aec2757e90942184d6bd5e45cf8b863e2f826790221cf7fdd5e70273bbe3bb3

Download Submit
\Users\Admin\AppData\Local\Temp\NEAS.d5f7ae9b4afd9024fbc1475835f9d2b0.exe

Filesize
175KB

MD5
3f61fc6d5f92c71eacd276f3ccf87ade

SHA1
a1456d89748565fca18c5fb4e5169d3b6d497c54

SHA256
f216d78cc1788ea1c659f89847fa29ae602afbd7a38485088d12fd465be92580

SHA512
ff271da1282d77408102a95832d3beb192fb06ca1895158608e529ad7939cc2f6aec2757e90942184d6bd5e45cf8b863e2f826790221cf7fdd5e70273bbe3bb3

Download Submit
memory/1404-0-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1404-2-0x0000000000140000-0x000000000017B000-memory.dmp

Filesize
236KB

Download
memory/1404-1-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1404-11-0x00000000001A0000-0x00000000001DB000-memory.dmp

Filesize
236KB

Download
memory/1404-15-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2104-18-0x00000000002E0000-0x000000000031B000-memory.dmp

Filesize
236KB

Download
memory/2104-23-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2104-28-0x0000000000330000-0x000000000034B000-memory.dmp

Filesize
108KB

Download