xmrig | 59e337458cf7211c45e6722f965566c82c27cae77076aeac48ce4b5654101e56

General

Target

NEAS.9a4c0010e379efa00fb0298bbb29c180.exe
Size

1.7MB
MD5

9a4c0010e379efa00fb0298bbb29c180
SHA1

6d6ecb4756ad978dc934a741bb0c49028c8b0154
SHA256

59e337458cf7211c45e6722f965566c82c27cae77076aeac48ce4b5654101e56
SHA512

3b53432431140130b0df0aa702069717fe967fda3a048966bd402f33b415400e8af3425edd0a4e0d845808596b00cda12a1ec43162b071f9684e07b24571cc22
SSDEEP

49152:eXPQAL9lMZKTRVyONopKhP+5VxiDDUnZT01hXFfQCT8Aw:eXPQAP73yPGP+5VxiPUZTWVfQCT8Aw

Score

10^/10

Malware Config

Signatures

Malware Backdoor - Berbew 3 IoCs

Berbew is a malware infection classified as a 'backdoor' Trojan. This malicious program's primary function is to cause chain infections - it can download/install additional malware such as other Trojans, ransomware, and cryptominers.

persistence dropper trojan

resource	yara_rule
behavioral1/files/0x00060000000120b7-17.dat	family_berbew
behavioral1/files/0x00060000000120b7-13.dat	family_berbew
behavioral1/files/0x00060000000120b7-11.dat	family_berbew

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 8 IoCs

miner

resource	yara_rule
behavioral1/memory/108-1-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral1/memory/108-15-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral1/memory/3056-21-0x0000000000400000-0x0000000000A7A000-memory.dmp	xmrig
behavioral1/memory/3056-26-0x0000000000400000-0x0000000000582000-memory.dmp	xmrig
behavioral1/memory/3056-27-0x00000000008D0000-0x0000000000A63000-memory.dmp	xmrig
behavioral1/memory/3056-32-0x0000000023870000-0x00000000239F2000-memory.dmp	xmrig
behavioral1/memory/3056-33-0x0000000000400000-0x000000000057C000-memory.dmp	xmrig
behavioral1/memory/3056-42-0x0000000000400000-0x000000000057C000-memory.dmp	xmrig

Deletes itself 1 IoCs

pid	Process
3056	NEAS.9a4c0010e379efa00fb0298bbb29c180.exe

Executes dropped EXE 1 IoCs

pid	Process
3056	NEAS.9a4c0010e379efa00fb0298bbb29c180.exe

Loads dropped DLL 1 IoCs

pid	Process
108	NEAS.9a4c0010e379efa00fb0298bbb29c180.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
108	NEAS.9a4c0010e379efa00fb0298bbb29c180.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
108	NEAS.9a4c0010e379efa00fb0298bbb29c180.exe
3056	NEAS.9a4c0010e379efa00fb0298bbb29c180.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 108 wrote to memory of 3056	108	NEAS.9a4c0010e379efa00fb0298bbb29c180.exe	29
PID 108 wrote to memory of 3056	108	NEAS.9a4c0010e379efa00fb0298bbb29c180.exe	29
PID 108 wrote to memory of 3056	108	NEAS.9a4c0010e379efa00fb0298bbb29c180.exe	29
PID 108 wrote to memory of 3056	108	NEAS.9a4c0010e379efa00fb0298bbb29c180.exe	29

C:\Users\Admin\AppData\Local\Temp\NEAS.9a4c0010e379efa00fb0298bbb29c180.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.9a4c0010e379efa00fb0298bbb29c180.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:108
- C:\Users\Admin\AppData\Local\Temp\NEAS.9a4c0010e379efa00fb0298bbb29c180.exe
  C:\Users\Admin\AppData\Local\Temp\NEAS.9a4c0010e379efa00fb0298bbb29c180.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:3056

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\NEAS.9a4c0010e379efa00fb0298bbb29c180.exe

Filesize
1.7MB

MD5
013f30f4dccf5292199d45181e55bb78

SHA1
5819062c14cf6ec40ac812115b85f1f87539d0cb

SHA256
58c16bce223286d14ea4dd8068e94167ca2f8246a3f3e7bdd53c54dee90b28d4

SHA512
c2da32ad01f4d84f902e101f9b69e01b422d570790213cb72c3e715d042f169a9c530d807a1d74184cb9c3d2111c2e755d441a6a53325eb73ca28515a62f4ebe

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.9a4c0010e379efa00fb0298bbb29c180.exe

Filesize
1.7MB

MD5
013f30f4dccf5292199d45181e55bb78

SHA1
5819062c14cf6ec40ac812115b85f1f87539d0cb

SHA256
58c16bce223286d14ea4dd8068e94167ca2f8246a3f3e7bdd53c54dee90b28d4

SHA512
c2da32ad01f4d84f902e101f9b69e01b422d570790213cb72c3e715d042f169a9c530d807a1d74184cb9c3d2111c2e755d441a6a53325eb73ca28515a62f4ebe

Download Submit
\Users\Admin\AppData\Local\Temp\NEAS.9a4c0010e379efa00fb0298bbb29c180.exe

Filesize
1.7MB

MD5
013f30f4dccf5292199d45181e55bb78

SHA1
5819062c14cf6ec40ac812115b85f1f87539d0cb

SHA256
58c16bce223286d14ea4dd8068e94167ca2f8246a3f3e7bdd53c54dee90b28d4

SHA512
c2da32ad01f4d84f902e101f9b69e01b422d570790213cb72c3e715d042f169a9c530d807a1d74184cb9c3d2111c2e755d441a6a53325eb73ca28515a62f4ebe

Download Submit
memory/108-0-0x0000000000400000-0x0000000000A7A000-memory.dmp

Filesize
6.5MB

Download
memory/108-1-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/108-16-0x0000000023380000-0x00000000239FA000-memory.dmp

Filesize
6.5MB

Download
memory/108-15-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/108-3-0x0000000021C20000-0x0000000021DBE000-memory.dmp

Filesize
1.6MB

Download
memory/3056-21-0x0000000000400000-0x0000000000A7A000-memory.dmp

Filesize
6.5MB

Download
memory/3056-24-0x0000000021C20000-0x0000000021DBE000-memory.dmp

Filesize
1.6MB

Download
memory/3056-26-0x0000000000400000-0x0000000000582000-memory.dmp

Filesize
1.5MB

Download
memory/3056-27-0x00000000008D0000-0x0000000000A63000-memory.dmp

Filesize
1.6MB

Download
memory/3056-32-0x0000000023870000-0x00000000239F2000-memory.dmp

Filesize
1.5MB

Download
memory/3056-33-0x0000000000400000-0x000000000057C000-memory.dmp

Filesize
1.5MB

Download
memory/3056-42-0x0000000000400000-0x000000000057C000-memory.dmp

Filesize
1.5MB

Download

Analysis

Sharing