Overview

overview

10

Static

static

10

NEAS.db6e1...90.exe

windows7-x64

10

NEAS.db6e1...90.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    175s
  • max time network
    191s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231023-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
  • submitted
    15-11-2023 06:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    NEAS.db6e1ea8d3838342c0250e4fb6dd8890.exe

  • Size

    203KB

  • MD5

    db6e1ea8d3838342c0250e4fb6dd8890

  • SHA1

    2f7d1558049692299e2f1c0ca6bdd4773a68fb31

  • SHA256

    3d3a22a846413a1abd25d0304dbe63734f817ede5e2f5a6b055941dd0c518619

  • SHA512

    195d23db6720fb031eed68b87d6085247ef21625769d5f5881992037dfa04629b0e4b98dbd695f9bb898f95f931361b8b4d7293d12724586fea7bbc2935fc8dd

  • SSDEEP

    6144:gZqmrnoSEW+pEkyMeQxqqF4jiZaCXojcKredsIgWsZ:gFoSEZLeQXg

Score
10/10
dropperpersistencetrojan

Malware Config

Signatures

  • Malware Backdoor - Berbew 5 IoCs

    Berbew is a malware infection classified as a 'backdoor' Trojan. This malicious program's primary function is to cause chain infections - it can download/install additional malware such as other Trojans, ransomware, and cryptominers.

    persistencedroppertrojan
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Program crash 5 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\NEAS.db6e1ea8d3838342c0250e4fb6dd8890.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.db6e1ea8d3838342c0250e4fb6dd8890.exe"
    1⤵
    • Suspicious behavior: RenamesItself
    • Suspicious use of WriteProcessMemory
    PID:2772
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2772 -s 384
      2⤵
      • Program crash
      PID:2892
    • C:\Users\Admin\AppData\Local\Temp\NEAS.db6e1ea8d3838342c0250e4fb6dd8890.exe
      C:\Users\Admin\AppData\Local\Temp\NEAS.db6e1ea8d3838342c0250e4fb6dd8890.exe
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Suspicious use of UnmapMainImage
      PID:2964
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2964 -s 364
        3⤵
        • Program crash
        PID:4488
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2964 -s 768
        3⤵
        • Program crash
        PID:992
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2964 -s 788
        3⤵
        • Program crash
        PID:2244
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2964 -s 776
        3⤵
        • Program crash
        PID:2820
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2772 -ip 2772
    1⤵
      PID:2908
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2964 -ip 2964
      1⤵
        PID:1992
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2964 -ip 2964
        1⤵
          PID:1876
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2964 -ip 2964
          1⤵
            PID:2476
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 2964 -ip 2964
            1⤵
              PID:2840

            Network

            MITRE ATT&CK Matrix

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Temp\NEAS.db6e1ea8d3838342c0250e4fb6dd8890.exe
              Filesize

              203KB

              MD5

              55e82afe889adf13a17b91674544eff3

              SHA1

              4edbaffc54252341474e4cddcb5dce0c0f6dbc36

              SHA256

              fb1d8abdc122548d95d9227b2d31caf8f047c440809c224a88130d11591c11e1

              SHA512

              6d0c64704243188615fe92ddbbae7d7b8e2ecf2bc8667b4cfd775cca412550a042c25f79a2db6f30f4378e95d62cd20c81681c3faf3c5f9870765b35507d715e

              Download Submit

            • memory/2772-0-0x0000000000400000-0x000000000043E000-memory.dmp

              Filesize

              248KB

              Download

            • memory/2772-7-0x0000000000400000-0x000000000043E000-memory.dmp

              Filesize

              248KB

              Download

            • memory/2964-6-0x0000000000400000-0x000000000043E000-memory.dmp

              Filesize

              248KB

              Download

            • memory/2964-8-0x0000000004D90000-0x0000000004DCE000-memory.dmp

              Filesize

              248KB

              Download

            • memory/2964-9-0x0000000000400000-0x0000000000415000-memory.dmp

              Filesize

              84KB

              Download