9af16b5bf349fcc06aa012059c00194e2af7753064f11c75fa533810bd0b57c5

Analysis

max time kernel
122s
max time network
127s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
15-11-2023 08:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.fa232e1bf03371f613ffbc83a4fb9070.exe
Size

109KB
MD5

fa232e1bf03371f613ffbc83a4fb9070
SHA1

b23275290ff221d00dcc2c8cf2bdaea62084d1ae
SHA256

9af16b5bf349fcc06aa012059c00194e2af7753064f11c75fa533810bd0b57c5
SHA512

01e291b20358bb88f01a27fb54969268b245bdd1794826dd04cedd0b23e4d99d3111109f203b2f1496bfd11a9c73b5fa64395ecb073612ca65cb6dc1dbd6904e
SSDEEP

3072:x+ihUyGvJv/NJNxgaT5zJ9cLCqwzBu1DjHLMVDqqkSpR:x+iJ4JHNbxhJ9kwtu1DjrFqhz

Score

10^/10

dropper persistence trojan

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	NEAS.fa232e1bf03371f613ffbc83a4fb9070.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Baadng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Baadng32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	NEAS.fa232e1bf03371f613ffbc83a4fb9070.exe

Malware Backdoor - Berbew 19 IoCs

Berbew is a malware infection classified as a 'backdoor' Trojan. This malicious program's primary function is to cause chain infections - it can download/install additional malware such as other Trojans, ransomware, and cryptominers.

persistence dropper trojan

resource	yara_rule
behavioral1/memory/2072-0-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral1/files/0x00070000000120ca-5.dat	family_berbew
behavioral1/memory/2072-6-0x00000000003A0000-0x00000000003E4000-memory.dmp	family_berbew
behavioral1/files/0x00070000000120ca-9.dat	family_berbew
behavioral1/files/0x00070000000120ca-14.dat	family_berbew
behavioral1/memory/2072-13-0x00000000003A0000-0x00000000003E4000-memory.dmp	family_berbew
behavioral1/files/0x00070000000120ca-12.dat	family_berbew
behavioral1/files/0x00070000000120ca-8.dat	family_berbew
behavioral1/memory/2720-27-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral1/files/0x0028000000016d01-26.dat	family_berbew
behavioral1/files/0x0028000000016d01-23.dat	family_berbew
behavioral1/memory/2584-20-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral1/files/0x0028000000016d01-19.dat	family_berbew
behavioral1/files/0x0028000000016d01-22.dat	family_berbew
behavioral1/files/0x0028000000016d01-28.dat	family_berbew
behavioral1/files/0x0028000000016d01-29.dat	family_berbew
behavioral1/files/0x0028000000016d01-30.dat	family_berbew
behavioral1/files/0x0028000000016d01-31.dat	family_berbew
behavioral1/memory/2072-32-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew

Executes dropped EXE 2 IoCs

pid	Process
2584	Baadng32.exe
2720	Cacacg32.exe

Loads dropped DLL 8 IoCs

pid	Process
2072	NEAS.fa232e1bf03371f613ffbc83a4fb9070.exe
2072	NEAS.fa232e1bf03371f613ffbc83a4fb9070.exe
2584	Baadng32.exe
2584	Baadng32.exe
1608	WerFault.exe
1608	WerFault.exe
1608	WerFault.exe
1608	WerFault.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Baadng32.exe	NEAS.fa232e1bf03371f613ffbc83a4fb9070.exe
File created	C:\Windows\SysWOW64\Ljacemio.dll	NEAS.fa232e1bf03371f613ffbc83a4fb9070.exe
File created	C:\Windows\SysWOW64\Cacacg32.exe	Baadng32.exe
File opened for modification	C:\Windows\SysWOW64\Cacacg32.exe	Baadng32.exe
File created	C:\Windows\SysWOW64\Fdlpjk32.dll	Baadng32.exe
File created	C:\Windows\SysWOW64\Baadng32.exe	NEAS.fa232e1bf03371f613ffbc83a4fb9070.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1608	2720	WerFault.exe	29

Modifies registry class 9 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Baadng32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	NEAS.fa232e1bf03371f613ffbc83a4fb9070.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	NEAS.fa232e1bf03371f613ffbc83a4fb9070.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Baadng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	NEAS.fa232e1bf03371f613ffbc83a4fb9070.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdlpjk32.dll"	Baadng32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	NEAS.fa232e1bf03371f613ffbc83a4fb9070.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	NEAS.fa232e1bf03371f613ffbc83a4fb9070.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljacemio.dll"	NEAS.fa232e1bf03371f613ffbc83a4fb9070.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2072 wrote to memory of 2584	2072	NEAS.fa232e1bf03371f613ffbc83a4fb9070.exe	28
PID 2072 wrote to memory of 2584	2072	NEAS.fa232e1bf03371f613ffbc83a4fb9070.exe	28
PID 2072 wrote to memory of 2584	2072	NEAS.fa232e1bf03371f613ffbc83a4fb9070.exe	28
PID 2072 wrote to memory of 2584	2072	NEAS.fa232e1bf03371f613ffbc83a4fb9070.exe	28
PID 2584 wrote to memory of 2720	2584	Baadng32.exe	29
PID 2584 wrote to memory of 2720	2584	Baadng32.exe	29
PID 2584 wrote to memory of 2720	2584	Baadng32.exe	29
PID 2584 wrote to memory of 2720	2584	Baadng32.exe	29
PID 2720 wrote to memory of 1608	2720	Cacacg32.exe	30
PID 2720 wrote to memory of 1608	2720	Cacacg32.exe	30
PID 2720 wrote to memory of 1608	2720	Cacacg32.exe	30
PID 2720 wrote to memory of 1608	2720	Cacacg32.exe	30

C:\Users\Admin\AppData\Local\Temp\NEAS.fa232e1bf03371f613ffbc83a4fb9070.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.fa232e1bf03371f613ffbc83a4fb9070.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2072
- C:\Windows\SysWOW64\Baadng32.exe
  C:\Windows\system32\Baadng32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2584
- - C:\Windows\SysWOW64\Cacacg32.exe
    C:\Windows\system32\Cacacg32.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2720
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2720 -s 140
      4⤵
      Loads dropped DLL
      Program crash
      PID:1608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Baadng32.exe

Filesize
109KB

MD5
dbacb65c7acde8548fd353263f5e3736

SHA1
fe5770531b5f089e6ca2fd32e610ffef4c083e42

SHA256
6d7d95cb36eb6b2240ac5eb4b32f8dc39afeceb88a05d95dd2c1f59ddfa2448f

SHA512
a9dc7654758fde74d37dd431f9f4f37ffa24bf0e8256c8db757a34f64a1b8da656c0f88cbfadacb249d236d661cb1a819d240ae8a9ba11f46535fef97048925d

Download Submit
C:\Windows\SysWOW64\Baadng32.exe

Filesize
109KB

MD5
dbacb65c7acde8548fd353263f5e3736

SHA1
fe5770531b5f089e6ca2fd32e610ffef4c083e42

SHA256
6d7d95cb36eb6b2240ac5eb4b32f8dc39afeceb88a05d95dd2c1f59ddfa2448f

SHA512
a9dc7654758fde74d37dd431f9f4f37ffa24bf0e8256c8db757a34f64a1b8da656c0f88cbfadacb249d236d661cb1a819d240ae8a9ba11f46535fef97048925d

Download Submit
C:\Windows\SysWOW64\Baadng32.exe

Filesize
109KB

MD5
dbacb65c7acde8548fd353263f5e3736

SHA1
fe5770531b5f089e6ca2fd32e610ffef4c083e42

SHA256
6d7d95cb36eb6b2240ac5eb4b32f8dc39afeceb88a05d95dd2c1f59ddfa2448f

SHA512
a9dc7654758fde74d37dd431f9f4f37ffa24bf0e8256c8db757a34f64a1b8da656c0f88cbfadacb249d236d661cb1a819d240ae8a9ba11f46535fef97048925d

Download Submit
C:\Windows\SysWOW64\Cacacg32.exe

Filesize
109KB

MD5
395421d6db1d7e86737b2a89736d5af2

SHA1
94d12b22df05a5b278eef9fa7360c52e121f02e6

SHA256
d58007ca14be325ad0366678ee5e390574b51bb564fd81fa41fbbacb9ebfe018

SHA512
2881c9b09a2d72b57aca6776f489335243eafd264a6458c53e5b7b2fde80b80a5af62ed83f72b2d8e8705e23f913e76b5dc22495db83c889af77b64d5828df64

Download Submit
C:\Windows\SysWOW64\Cacacg32.exe

Filesize
109KB

MD5
395421d6db1d7e86737b2a89736d5af2

SHA1
94d12b22df05a5b278eef9fa7360c52e121f02e6

SHA256
d58007ca14be325ad0366678ee5e390574b51bb564fd81fa41fbbacb9ebfe018

SHA512
2881c9b09a2d72b57aca6776f489335243eafd264a6458c53e5b7b2fde80b80a5af62ed83f72b2d8e8705e23f913e76b5dc22495db83c889af77b64d5828df64

Download Submit
\Windows\SysWOW64\Baadng32.exe

Filesize
109KB

MD5
dbacb65c7acde8548fd353263f5e3736

SHA1
fe5770531b5f089e6ca2fd32e610ffef4c083e42

SHA256
6d7d95cb36eb6b2240ac5eb4b32f8dc39afeceb88a05d95dd2c1f59ddfa2448f

SHA512
a9dc7654758fde74d37dd431f9f4f37ffa24bf0e8256c8db757a34f64a1b8da656c0f88cbfadacb249d236d661cb1a819d240ae8a9ba11f46535fef97048925d

Download Submit
\Windows\SysWOW64\Baadng32.exe

Filesize
109KB

MD5
dbacb65c7acde8548fd353263f5e3736

SHA1
fe5770531b5f089e6ca2fd32e610ffef4c083e42

SHA256
6d7d95cb36eb6b2240ac5eb4b32f8dc39afeceb88a05d95dd2c1f59ddfa2448f

SHA512
a9dc7654758fde74d37dd431f9f4f37ffa24bf0e8256c8db757a34f64a1b8da656c0f88cbfadacb249d236d661cb1a819d240ae8a9ba11f46535fef97048925d

Download Submit
\Windows\SysWOW64\Cacacg32.exe

Filesize
109KB

MD5
395421d6db1d7e86737b2a89736d5af2

SHA1
94d12b22df05a5b278eef9fa7360c52e121f02e6

SHA256
d58007ca14be325ad0366678ee5e390574b51bb564fd81fa41fbbacb9ebfe018

SHA512
2881c9b09a2d72b57aca6776f489335243eafd264a6458c53e5b7b2fde80b80a5af62ed83f72b2d8e8705e23f913e76b5dc22495db83c889af77b64d5828df64

Download Submit
\Windows\SysWOW64\Cacacg32.exe

Filesize
109KB

MD5
395421d6db1d7e86737b2a89736d5af2

SHA1
94d12b22df05a5b278eef9fa7360c52e121f02e6

SHA256
d58007ca14be325ad0366678ee5e390574b51bb564fd81fa41fbbacb9ebfe018

SHA512
2881c9b09a2d72b57aca6776f489335243eafd264a6458c53e5b7b2fde80b80a5af62ed83f72b2d8e8705e23f913e76b5dc22495db83c889af77b64d5828df64

Download Submit
\Windows\SysWOW64\Cacacg32.exe

Filesize
109KB

MD5
395421d6db1d7e86737b2a89736d5af2

SHA1
94d12b22df05a5b278eef9fa7360c52e121f02e6

SHA256
d58007ca14be325ad0366678ee5e390574b51bb564fd81fa41fbbacb9ebfe018

SHA512
2881c9b09a2d72b57aca6776f489335243eafd264a6458c53e5b7b2fde80b80a5af62ed83f72b2d8e8705e23f913e76b5dc22495db83c889af77b64d5828df64

Download Submit
\Windows\SysWOW64\Cacacg32.exe

Filesize
109KB

MD5
395421d6db1d7e86737b2a89736d5af2

SHA1
94d12b22df05a5b278eef9fa7360c52e121f02e6

SHA256
d58007ca14be325ad0366678ee5e390574b51bb564fd81fa41fbbacb9ebfe018

SHA512
2881c9b09a2d72b57aca6776f489335243eafd264a6458c53e5b7b2fde80b80a5af62ed83f72b2d8e8705e23f913e76b5dc22495db83c889af77b64d5828df64

Download Submit
\Windows\SysWOW64\Cacacg32.exe

Filesize
109KB

MD5
395421d6db1d7e86737b2a89736d5af2

SHA1
94d12b22df05a5b278eef9fa7360c52e121f02e6

SHA256
d58007ca14be325ad0366678ee5e390574b51bb564fd81fa41fbbacb9ebfe018

SHA512
2881c9b09a2d72b57aca6776f489335243eafd264a6458c53e5b7b2fde80b80a5af62ed83f72b2d8e8705e23f913e76b5dc22495db83c889af77b64d5828df64

Download Submit
\Windows\SysWOW64\Cacacg32.exe

Filesize
109KB

MD5
395421d6db1d7e86737b2a89736d5af2

SHA1
94d12b22df05a5b278eef9fa7360c52e121f02e6

SHA256
d58007ca14be325ad0366678ee5e390574b51bb564fd81fa41fbbacb9ebfe018

SHA512
2881c9b09a2d72b57aca6776f489335243eafd264a6458c53e5b7b2fde80b80a5af62ed83f72b2d8e8705e23f913e76b5dc22495db83c889af77b64d5828df64

Download Submit
memory/2072-13-0x00000000003A0000-0x00000000003E4000-memory.dmp

Filesize
272KB

Download
memory/2072-6-0x00000000003A0000-0x00000000003E4000-memory.dmp

Filesize
272KB

Download
memory/2072-0-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2072-32-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2584-20-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2720-27-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads