2bae72dfed23f692ff088f685e27c19ede9186a88c805df5172f43da615b70c6

General

Target

NEAS.0ae1d069fb32eb0d1b5f3951de4af030.exe
Size

89KB
MD5

0ae1d069fb32eb0d1b5f3951de4af030
SHA1

54002c4ac2459e7be4a794436ea755abf9fb02cc
SHA256

2bae72dfed23f692ff088f685e27c19ede9186a88c805df5172f43da615b70c6
SHA512

9af0ff14a47c6b0acd4e888fa6d39e4be6ef62bb5178adbe155fce6728ca97d995d3288733bfd58d5024d953c759590c58406c05b8db0cefd9b7cf80a231e297
SSDEEP

1536:fq4rtHkA/IketmNHX8scmc38VaEok7tXT1YWxcjlExkg8Fk:f7EA/VesBXHc31Eow7cjlakgwk

Score

10^/10

dropper persistence trojan

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	NEAS.0ae1d069fb32eb0d1b5f3951de4af030.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	NEAS.0ae1d069fb32eb0d1b5f3951de4af030.exe

Malware Backdoor - Berbew 11 IoCs

Berbew is a malware infection classified as a 'backdoor' Trojan. This malicious program's primary function is to cause chain infections - it can download/install additional malware such as other Trojans, ransomware, and cryptominers.

persistence dropper trojan

resource	yara_rule
behavioral1/memory/1164-0-0x0000000000400000-0x0000000000440000-memory.dmp	family_berbew
behavioral1/files/0x0008000000012027-5.dat	family_berbew
behavioral1/memory/1164-6-0x0000000000220000-0x0000000000260000-memory.dmp	family_berbew
behavioral1/files/0x0008000000012027-12.dat	family_berbew
behavioral1/files/0x0008000000012027-9.dat	family_berbew
behavioral1/files/0x0008000000012027-8.dat	family_berbew
behavioral1/files/0x0008000000012027-16.dat	family_berbew
behavioral1/files/0x0008000000012027-15.dat	family_berbew
behavioral1/files/0x0008000000012027-14.dat	family_berbew
behavioral1/files/0x0008000000012027-17.dat	family_berbew
behavioral1/memory/1164-18-0x0000000000400000-0x0000000000440000-memory.dmp	family_berbew

Executes dropped EXE 1 IoCs

pid	Process
1708	Fkckeh32.exe

Loads dropped DLL 6 IoCs

pid	Process
1164	NEAS.0ae1d069fb32eb0d1b5f3951de4af030.exe
1164	NEAS.0ae1d069fb32eb0d1b5f3951de4af030.exe
3000	WerFault.exe
3000	WerFault.exe
3000	WerFault.exe
3000	WerFault.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Fkckeh32.exe	NEAS.0ae1d069fb32eb0d1b5f3951de4af030.exe
File opened for modification	C:\Windows\SysWOW64\Fkckeh32.exe	NEAS.0ae1d069fb32eb0d1b5f3951de4af030.exe
File created	C:\Windows\SysWOW64\Clkmne32.dll	NEAS.0ae1d069fb32eb0d1b5f3951de4af030.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3000	1708	WerFault.exe	28

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	NEAS.0ae1d069fb32eb0d1b5f3951de4af030.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clkmne32.dll"	NEAS.0ae1d069fb32eb0d1b5f3951de4af030.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	NEAS.0ae1d069fb32eb0d1b5f3951de4af030.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	NEAS.0ae1d069fb32eb0d1b5f3951de4af030.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	NEAS.0ae1d069fb32eb0d1b5f3951de4af030.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	NEAS.0ae1d069fb32eb0d1b5f3951de4af030.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1164 wrote to memory of 1708	1164	NEAS.0ae1d069fb32eb0d1b5f3951de4af030.exe	28
PID 1164 wrote to memory of 1708	1164	NEAS.0ae1d069fb32eb0d1b5f3951de4af030.exe	28
PID 1164 wrote to memory of 1708	1164	NEAS.0ae1d069fb32eb0d1b5f3951de4af030.exe	28
PID 1164 wrote to memory of 1708	1164	NEAS.0ae1d069fb32eb0d1b5f3951de4af030.exe	28
PID 1708 wrote to memory of 3000	1708	Fkckeh32.exe	29
PID 1708 wrote to memory of 3000	1708	Fkckeh32.exe	29
PID 1708 wrote to memory of 3000	1708	Fkckeh32.exe	29
PID 1708 wrote to memory of 3000	1708	Fkckeh32.exe	29

C:\Users\Admin\AppData\Local\Temp\NEAS.0ae1d069fb32eb0d1b5f3951de4af030.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.0ae1d069fb32eb0d1b5f3951de4af030.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1164
- C:\Windows\SysWOW64\Fkckeh32.exe
  C:\Windows\system32\Fkckeh32.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1708
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1708 -s 140
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:3000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Fkckeh32.exe

Filesize
89KB

MD5
93c1c8df701049256d1c47188cc88db2

SHA1
1b43a90777e5593b171f07b2cd6af224482dfabe

SHA256
0b298f5f15eef9a5808262429ace724b468cd82aaab5026050e30150c13e90aa

SHA512
4f38222d1a01bc78c74c3e61fbb1d2110a67573f50769347afe543ab4913ba9544676e827e8a586e6eb12af954bdc723a9cafb758bbd71e3160eaa8bdd1e2e4c

Download Submit
C:\Windows\SysWOW64\Fkckeh32.exe

Filesize
89KB

MD5
93c1c8df701049256d1c47188cc88db2

SHA1
1b43a90777e5593b171f07b2cd6af224482dfabe

SHA256
0b298f5f15eef9a5808262429ace724b468cd82aaab5026050e30150c13e90aa

SHA512
4f38222d1a01bc78c74c3e61fbb1d2110a67573f50769347afe543ab4913ba9544676e827e8a586e6eb12af954bdc723a9cafb758bbd71e3160eaa8bdd1e2e4c

Download Submit
\Windows\SysWOW64\Fkckeh32.exe

Filesize
89KB

MD5
93c1c8df701049256d1c47188cc88db2

SHA1
1b43a90777e5593b171f07b2cd6af224482dfabe

SHA256
0b298f5f15eef9a5808262429ace724b468cd82aaab5026050e30150c13e90aa

SHA512
4f38222d1a01bc78c74c3e61fbb1d2110a67573f50769347afe543ab4913ba9544676e827e8a586e6eb12af954bdc723a9cafb758bbd71e3160eaa8bdd1e2e4c

Download Submit
\Windows\SysWOW64\Fkckeh32.exe

Filesize
89KB

MD5
93c1c8df701049256d1c47188cc88db2

SHA1
1b43a90777e5593b171f07b2cd6af224482dfabe

SHA256
0b298f5f15eef9a5808262429ace724b468cd82aaab5026050e30150c13e90aa

SHA512
4f38222d1a01bc78c74c3e61fbb1d2110a67573f50769347afe543ab4913ba9544676e827e8a586e6eb12af954bdc723a9cafb758bbd71e3160eaa8bdd1e2e4c

Download Submit
\Windows\SysWOW64\Fkckeh32.exe

Filesize
89KB

MD5
93c1c8df701049256d1c47188cc88db2

SHA1
1b43a90777e5593b171f07b2cd6af224482dfabe

SHA256
0b298f5f15eef9a5808262429ace724b468cd82aaab5026050e30150c13e90aa

SHA512
4f38222d1a01bc78c74c3e61fbb1d2110a67573f50769347afe543ab4913ba9544676e827e8a586e6eb12af954bdc723a9cafb758bbd71e3160eaa8bdd1e2e4c

Download Submit
\Windows\SysWOW64\Fkckeh32.exe

Filesize
89KB

MD5
93c1c8df701049256d1c47188cc88db2

SHA1
1b43a90777e5593b171f07b2cd6af224482dfabe

SHA256
0b298f5f15eef9a5808262429ace724b468cd82aaab5026050e30150c13e90aa

SHA512
4f38222d1a01bc78c74c3e61fbb1d2110a67573f50769347afe543ab4913ba9544676e827e8a586e6eb12af954bdc723a9cafb758bbd71e3160eaa8bdd1e2e4c

Download Submit
\Windows\SysWOW64\Fkckeh32.exe

Filesize
89KB

MD5
93c1c8df701049256d1c47188cc88db2

SHA1
1b43a90777e5593b171f07b2cd6af224482dfabe

SHA256
0b298f5f15eef9a5808262429ace724b468cd82aaab5026050e30150c13e90aa

SHA512
4f38222d1a01bc78c74c3e61fbb1d2110a67573f50769347afe543ab4913ba9544676e827e8a586e6eb12af954bdc723a9cafb758bbd71e3160eaa8bdd1e2e4c

Download Submit
\Windows\SysWOW64\Fkckeh32.exe

Filesize
89KB

MD5
93c1c8df701049256d1c47188cc88db2

SHA1
1b43a90777e5593b171f07b2cd6af224482dfabe

SHA256
0b298f5f15eef9a5808262429ace724b468cd82aaab5026050e30150c13e90aa

SHA512
4f38222d1a01bc78c74c3e61fbb1d2110a67573f50769347afe543ab4913ba9544676e827e8a586e6eb12af954bdc723a9cafb758bbd71e3160eaa8bdd1e2e4c

Download Submit
memory/1164-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1164-6-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/1164-13-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/1164-18-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads