b7f6e3184a779d6c03d9a18976e4de18792b86b718ccc3b4bb40e7118a699c49

Analysis

max time kernel
140s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
17/11/2023, 22:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.22c12de99ec5a84a931ebab31fdfe190.exe
Size

566KB
MD5

22c12de99ec5a84a931ebab31fdfe190
SHA1

1c6d939c9a6ea1c5d64c765f8faa0ab44326a86c
SHA256

b7f6e3184a779d6c03d9a18976e4de18792b86b718ccc3b4bb40e7118a699c49
SHA512

356b9df170f086b5aa49e5e0814de732f69d84c2121f4a23d996265f37c673c8fa1914f87b8d4d6bc08e36d49adddab9a3f8950f892626234934732e96831861
SSDEEP

12288:IWBm+95nHfF2mgewFm5b+r5M+xL+LyYvssy61kfgjdkA7YdfPgvF:IWBz95ndbgfm5yrbxLqZapgjT7YdfYvF

Score

10^/10

dropper persistence trojan

Malware Config

Signatures

Malware Backdoor - Berbew 2 IoCs

Berbew is a malware infection classified as a 'backdoor' Trojan. This malicious program's primary function is to cause chain infections - it can download/install additional malware such as other Trojans, ransomware, and cryptominers.

persistence dropper trojan

resource	yara_rule
behavioral2/files/0x0002000000022612-3.dat	family_berbew
behavioral2/files/0x0002000000022612-4.dat	family_berbew

Deletes itself 1 IoCs

pid	Process
2256	9059.tmp

Executes dropped EXE 1 IoCs

pid	Process
2256	9059.tmp

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 780 wrote to memory of 2256	780	NEAS.22c12de99ec5a84a931ebab31fdfe190.exe	86
PID 780 wrote to memory of 2256	780	NEAS.22c12de99ec5a84a931ebab31fdfe190.exe	86
PID 780 wrote to memory of 2256	780	NEAS.22c12de99ec5a84a931ebab31fdfe190.exe	86

C:\Users\Admin\AppData\Local\Temp\NEAS.22c12de99ec5a84a931ebab31fdfe190.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.22c12de99ec5a84a931ebab31fdfe190.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:780
- C:\Users\Admin\AppData\Local\Temp\9059.tmp
  "C:\Users\Admin\AppData\Local\Temp\9059.tmp" --pingC:\Users\Admin\AppData\Local\Temp\NEAS.22c12de99ec5a84a931ebab31fdfe190.exe 55500C36D3A3A786806AAD4AF1619CCFFC8CBC9C20582F6A3D21FB480E8CC1C91E5F3287B7EC07459A02CF601C79F320C449B5854C5EB8CD4F59EBFE727970F9
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:2256

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\9059.tmp

Filesize
566KB

MD5
9c61a4c870a9a492822df26a11ddcffd

SHA1
b5a75e0056023dd302f465570b2495b83611f843

SHA256
d50e3553d7f2c5770c9fd9c37c0e21bd3b033ceef8de5d4ed62de1aa9ae598de

SHA512
4174f6d44de82f86a396ab562899f665644524675dbce18b7ed912bd646ec7a87375ae533cf6e1a2b0d87c5d3dbe581cef059decc42a0a2d1a49a525be13869b

Download Submit
C:\Users\Admin\AppData\Local\Temp\9059.tmp

Filesize
566KB

MD5
9c61a4c870a9a492822df26a11ddcffd

SHA1
b5a75e0056023dd302f465570b2495b83611f843

SHA256
d50e3553d7f2c5770c9fd9c37c0e21bd3b033ceef8de5d4ed62de1aa9ae598de

SHA512
4174f6d44de82f86a396ab562899f665644524675dbce18b7ed912bd646ec7a87375ae533cf6e1a2b0d87c5d3dbe581cef059decc42a0a2d1a49a525be13869b

Download Submit
memory/780-0-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/780-6-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2256-5-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2256-7-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download