b7f6e3184a779d6c03d9a18976e4de18792b86b718ccc3b4bb40e7118a699c49

Analysis

max time kernel
122s
max time network
126s
platform
windows7_x64
resource
win7-20231025-en
resource tags

arch:x64arch:x86image:win7-20231025-enlocale:en-usos:windows7-x64system
submitted
17/11/2023, 22:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.22c12de99ec5a84a931ebab31fdfe190.exe
Size

566KB
MD5

22c12de99ec5a84a931ebab31fdfe190
SHA1

1c6d939c9a6ea1c5d64c765f8faa0ab44326a86c
SHA256

b7f6e3184a779d6c03d9a18976e4de18792b86b718ccc3b4bb40e7118a699c49
SHA512

356b9df170f086b5aa49e5e0814de732f69d84c2121f4a23d996265f37c673c8fa1914f87b8d4d6bc08e36d49adddab9a3f8950f892626234934732e96831861
SSDEEP

12288:IWBm+95nHfF2mgewFm5b+r5M+xL+LyYvssy61kfgjdkA7YdfPgvF:IWBz95ndbgfm5yrbxLqZapgjT7YdfYvF

Score

10^/10

dropper persistence trojan

Malware Config

Signatures

Malware Backdoor - Berbew 2 IoCs

Berbew is a malware infection classified as a 'backdoor' Trojan. This malicious program's primary function is to cause chain infections - it can download/install additional malware such as other Trojans, ransomware, and cryptominers.

persistence dropper trojan

resource	yara_rule
behavioral1/files/0x0009000000012024-2.dat	family_berbew
behavioral1/files/0x0009000000012024-7.dat	family_berbew

Deletes itself 1 IoCs

pid	Process
1696	280A.tmp

Executes dropped EXE 1 IoCs

pid	Process
1696	280A.tmp

Loads dropped DLL 1 IoCs

pid	Process
2356	NEAS.22c12de99ec5a84a931ebab31fdfe190.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2356 wrote to memory of 1696	2356	NEAS.22c12de99ec5a84a931ebab31fdfe190.exe	28
PID 2356 wrote to memory of 1696	2356	NEAS.22c12de99ec5a84a931ebab31fdfe190.exe	28
PID 2356 wrote to memory of 1696	2356	NEAS.22c12de99ec5a84a931ebab31fdfe190.exe	28
PID 2356 wrote to memory of 1696	2356	NEAS.22c12de99ec5a84a931ebab31fdfe190.exe	28

C:\Users\Admin\AppData\Local\Temp\NEAS.22c12de99ec5a84a931ebab31fdfe190.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.22c12de99ec5a84a931ebab31fdfe190.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2356
- C:\Users\Admin\AppData\Local\Temp\280A.tmp
  "C:\Users\Admin\AppData\Local\Temp\280A.tmp" --pingC:\Users\Admin\AppData\Local\Temp\NEAS.22c12de99ec5a84a931ebab31fdfe190.exe D1D5680CD0EB65B98DC1CB74A0700EE45757B1719801064223FF1E26C77110F6B05E249DE18C045D6304C80E22BC4CED98115A53E3D88EED7AD79DC3FCC6F541
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:1696

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\280A.tmp

Filesize
566KB

MD5
67b3149a20a9a7bba24fed18e1d0c2da

SHA1
07add1232992ba89adbab60ef6eb8e9bee37e486

SHA256
0aa8050efc5d5bfc26800ea78e8a03873046907a2d2c80557f436bad5da9c441

SHA512
2303b9ef4c43c8757cbd35f19135a85569ff57a9337d36e8687e24a0a9b207b90c63428b41928a67783fc86933809226856b0753a86cb8af71e712d931fd7fac

Download Submit
\Users\Admin\AppData\Local\Temp\280A.tmp

Filesize
566KB

MD5
67b3149a20a9a7bba24fed18e1d0c2da

SHA1
07add1232992ba89adbab60ef6eb8e9bee37e486

SHA256
0aa8050efc5d5bfc26800ea78e8a03873046907a2d2c80557f436bad5da9c441

SHA512
2303b9ef4c43c8757cbd35f19135a85569ff57a9337d36e8687e24a0a9b207b90c63428b41928a67783fc86933809226856b0753a86cb8af71e712d931fd7fac

Download Submit
memory/1696-8-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/1696-9-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2356-0-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2356-6-0x0000000002220000-0x00000000022B1000-memory.dmp

Filesize
580KB

Download
memory/2356-5-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2356-10-0x0000000002220000-0x00000000022B1000-memory.dmp

Filesize
580KB

Download