Overview

overview

10

Static

static

10

NEAS.dc8b3...80.exe

windows7-x64

10

NEAS.dc8b3...80.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    96s
  • max time network
    164s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231023-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
  • submitted
    16/11/2023, 10:43

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    NEAS.dc8b3214a48245897f0e5247dbeeba80.exe

  • Size

    407KB

  • MD5

    dc8b3214a48245897f0e5247dbeeba80

  • SHA1

    589efde8edc7b8dce07effd7ff1e19fa74e32b3d

  • SHA256

    34ef025da929c87c0a040ee186f2f70ce6659d61481bdfd579d87957e6bb5bd0

  • SHA512

    deba7ebf4e237ddc6ffdff0d5d5a240fba13a455b871ef82bbf7c5cb3acd47c6383340d855f677955d179516fea9252caa454a747d7e8f2e4c576faefb063d21

  • SSDEEP

    12288:J4aJO/awrSmfyiPFg8prNdw+C7797TnPtLU8deJUP//zk9FGB:JDJO/awrSmfyiPFg8prNdw+C7797TnP/

Score
10/10
dropperpersistencetrojan

Malware Config

Signatures

  • Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 8 IoCs
    persistence
  • Malware Backdoor - Berbew 17 IoCs

    Berbew is a malware infection classified as a 'backdoor' Trojan. This malicious program's primary function is to cause chain infections - it can download/install additional malware such as other Trojans, ransomware, and cryptominers.

    persistencedroppertrojan
  • Executes dropped EXE 4 IoCs
  • Drops file in System32 directory 12 IoCs
  • Program crash 1 IoCs
  • Modifies registry class 15 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\NEAS.dc8b3214a48245897f0e5247dbeeba80.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.dc8b3214a48245897f0e5247dbeeba80.exe"
    1⤵
    • Adds autorun key to be loaded by Explorer.exe on startup
    • Drops file in System32 directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:752
    • C:\Windows\SysWOW64\Mbibfm32.exe
      C:\Windows\system32\Mbibfm32.exe
      2⤵
      • Adds autorun key to be loaded by Explorer.exe on startup
      • Executes dropped EXE
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:1420
      • C:\Windows\SysWOW64\Njbgmjgl.exe
        C:\Windows\system32\Njbgmjgl.exe
        3⤵
        • Adds autorun key to be loaded by Explorer.exe on startup
        • Executes dropped EXE
        • Drops file in System32 directory
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:4236
        • C:\Windows\SysWOW64\Nckkfp32.exe
          C:\Windows\system32\Nckkfp32.exe
          4⤵
          • Adds autorun key to be loaded by Explorer.exe on startup
          • Executes dropped EXE
          • Drops file in System32 directory
          • Modifies registry class
          • Suspicious use of WriteProcessMemory
          PID:3696
          • C:\Windows\SysWOW64\Pififb32.exe
            C:\Windows\system32\Pififb32.exe
            5⤵
            • Executes dropped EXE
            PID:2392
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 2392 -s 412
              6⤵
              • Program crash
              PID:1952
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2392 -ip 2392
    1⤵
      PID:5000

    Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Windows\SysWOW64\Mbibfm32.exe
            Filesize

            407KB

            MD5

            33e989341885d71d81eb7d3819d74456

            SHA1

            f451c48f5bc394e644e7a925c0ec32cd811c2195

            SHA256

            5e954f146bd74dd8214285fecbcbcdea4b73c5db1ceeee5e5e3f996a8c176ef8

            SHA512

            d65dd8863e513fd31cf9dfd49d9d538c0df8d9d9d44a455997b8ec61f347cda2cd5873d57ddf7ba705df70576f9359e084116a00753ef7345ee8ccb7e08eabe8

            Download Submit

          • C:\Windows\SysWOW64\Mbibfm32.exe
            Filesize

            407KB

            MD5

            33e989341885d71d81eb7d3819d74456

            SHA1

            f451c48f5bc394e644e7a925c0ec32cd811c2195

            SHA256

            5e954f146bd74dd8214285fecbcbcdea4b73c5db1ceeee5e5e3f996a8c176ef8

            SHA512

            d65dd8863e513fd31cf9dfd49d9d538c0df8d9d9d44a455997b8ec61f347cda2cd5873d57ddf7ba705df70576f9359e084116a00753ef7345ee8ccb7e08eabe8

            Download Submit

          • C:\Windows\SysWOW64\Nckkfp32.exe
            Filesize

            407KB

            MD5

            a03f171bd36eca64073819f8a3d9c77b

            SHA1

            20d93aeeb9ba4220dbc8b3cb6621f574b50a3454

            SHA256

            4a10eec225b072806ad1f36de48c116ebb5737acf377c27a665fcd1bf86c12ef

            SHA512

            abbf50cb2966bcf6d7d96922010a8bb16ca8437d84f3f9728012e534623850add05a8454fb852f02fcb1409b535b96d1f01a941912218fa613d47df93754a320

            Download Submit

          • C:\Windows\SysWOW64\Nckkfp32.exe
            Filesize

            407KB

            MD5

            a03f171bd36eca64073819f8a3d9c77b

            SHA1

            20d93aeeb9ba4220dbc8b3cb6621f574b50a3454

            SHA256

            4a10eec225b072806ad1f36de48c116ebb5737acf377c27a665fcd1bf86c12ef

            SHA512

            abbf50cb2966bcf6d7d96922010a8bb16ca8437d84f3f9728012e534623850add05a8454fb852f02fcb1409b535b96d1f01a941912218fa613d47df93754a320

            Download Submit

          • C:\Windows\SysWOW64\Njbgmjgl.exe
            Filesize

            407KB

            MD5

            8efc275d1f2c2d93cdb2c520cabc14d1

            SHA1

            878e7438e88c0b581e7fcfc58b3c7c2c979e8f98

            SHA256

            3527d5718d93cfc906af802552c8c4147f1a800e741f5200611cf9372aa2772d

            SHA512

            c9228b2ddea81c94b360142b049b6de762826d8304f1b8c076aa41474411f483e58792193b5632d83e2b456e4a4300afcc697b055627f6896c4317aecbaca5bb

            Download Submit

          • C:\Windows\SysWOW64\Njbgmjgl.exe
            Filesize

            407KB

            MD5

            8efc275d1f2c2d93cdb2c520cabc14d1

            SHA1

            878e7438e88c0b581e7fcfc58b3c7c2c979e8f98

            SHA256

            3527d5718d93cfc906af802552c8c4147f1a800e741f5200611cf9372aa2772d

            SHA512

            c9228b2ddea81c94b360142b049b6de762826d8304f1b8c076aa41474411f483e58792193b5632d83e2b456e4a4300afcc697b055627f6896c4317aecbaca5bb

            Download Submit

          • C:\Windows\SysWOW64\Njbgmjgl.exe
            Filesize

            407KB

            MD5

            33e989341885d71d81eb7d3819d74456

            SHA1

            f451c48f5bc394e644e7a925c0ec32cd811c2195

            SHA256

            5e954f146bd74dd8214285fecbcbcdea4b73c5db1ceeee5e5e3f996a8c176ef8

            SHA512

            d65dd8863e513fd31cf9dfd49d9d538c0df8d9d9d44a455997b8ec61f347cda2cd5873d57ddf7ba705df70576f9359e084116a00753ef7345ee8ccb7e08eabe8

            Download Submit

          • C:\Windows\SysWOW64\Pififb32.exe
            Filesize

            407KB

            MD5

            9b61459d187c9839d479e1434f418158

            SHA1

            db7b948afb5f4cb979c24ab78efb1d61ad8c77da

            SHA256

            8df677da8b2554ae7189bf06d3e15cb38cf6634c39ff8c660ae0815f4867bfea

            SHA512

            d1dc6eb7e464adf3e20b0673b53a0dbe3c41e8cc69c62ff16b702a08b9d97aa2d9ff904a705183333a8995defd0d9d714645cf589aae0318099d46edfe6006ba

            Download Submit

          • C:\Windows\SysWOW64\Pififb32.exe
            Filesize

            407KB

            MD5

            9b61459d187c9839d479e1434f418158

            SHA1

            db7b948afb5f4cb979c24ab78efb1d61ad8c77da

            SHA256

            8df677da8b2554ae7189bf06d3e15cb38cf6634c39ff8c660ae0815f4867bfea

            SHA512

            d1dc6eb7e464adf3e20b0673b53a0dbe3c41e8cc69c62ff16b702a08b9d97aa2d9ff904a705183333a8995defd0d9d714645cf589aae0318099d46edfe6006ba

            Download Submit

          • memory/752-0-0x0000000000400000-0x0000000000446000-memory.dmp

            Filesize

            280KB

            Download

          • memory/752-33-0x0000000000400000-0x0000000000446000-memory.dmp

            Filesize

            280KB

            Download

          • memory/1420-7-0x0000000000400000-0x0000000000446000-memory.dmp

            Filesize

            280KB

            Download

          • memory/1420-34-0x0000000000400000-0x0000000000446000-memory.dmp

            Filesize

            280KB

            Download

          • memory/2392-32-0x0000000000400000-0x0000000000446000-memory.dmp

            Filesize

            280KB

            Download

          • memory/3696-29-0x0000000000400000-0x0000000000446000-memory.dmp

            Filesize

            280KB

            Download

          • memory/4236-16-0x0000000000400000-0x0000000000446000-memory.dmp

            Filesize

            280KB

            Download

          • memory/4236-35-0x0000000000400000-0x0000000000446000-memory.dmp

            Filesize

            280KB

            Download