d240953db1fbc5367c14ca1fb50f6a4e3c7a2bab36c0edf3b7d57cc0d19921ae

Analysis

max time kernel
121s
max time network
124s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
18/11/2023, 03:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.205effa3767eee4e25dc2cc69e5012f0.exe
Size

970KB
MD5

205effa3767eee4e25dc2cc69e5012f0
SHA1

bafa0d236baed0a54a8609001affb123e66090fd
SHA256

d240953db1fbc5367c14ca1fb50f6a4e3c7a2bab36c0edf3b7d57cc0d19921ae
SHA512

5bc2510727ce2ca3f3e31f4c00dc967fe2bf909a1d8c8fa9aa2e1ca918d581b255f19563b78cb1652a5be333401d29ecb466e6803bf3f5ef54f96367e0297669
SSDEEP

24576:P5YYMetw8GU3SCC7Ay3GhXodGHHuxDNwaArSkHcOdb9H0v3qpWZM:PGYNtQAWqtodGHOxRwaArSkHcOdbZ0vU

Score

10^/10

dropper persistence trojan

Malware Config

Signatures

Malware Backdoor - Berbew 2 IoCs

Berbew is a malware infection classified as a 'backdoor' Trojan. This malicious program's primary function is to cause chain infections - it can download/install additional malware such as other Trojans, ransomware, and cryptominers.

persistence dropper trojan

resource	yara_rule
behavioral1/files/0x0009000000012024-4.dat	family_berbew
behavioral1/files/0x0009000000012024-10.dat	family_berbew

Deletes itself 1 IoCs

pid	Process
1940	NEAS.205effa3767eee4e25dc2cc69e5012f0.exe

Executes dropped EXE 1 IoCs

pid	Process
1940	NEAS.205effa3767eee4e25dc2cc69e5012f0.exe

Loads dropped DLL 1 IoCs

pid	Process
2112	NEAS.205effa3767eee4e25dc2cc69e5012f0.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2112	NEAS.205effa3767eee4e25dc2cc69e5012f0.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
1940	NEAS.205effa3767eee4e25dc2cc69e5012f0.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2112 wrote to memory of 1940	2112	NEAS.205effa3767eee4e25dc2cc69e5012f0.exe	29
PID 2112 wrote to memory of 1940	2112	NEAS.205effa3767eee4e25dc2cc69e5012f0.exe	29
PID 2112 wrote to memory of 1940	2112	NEAS.205effa3767eee4e25dc2cc69e5012f0.exe	29
PID 2112 wrote to memory of 1940	2112	NEAS.205effa3767eee4e25dc2cc69e5012f0.exe	29

C:\Users\Admin\AppData\Local\Temp\NEAS.205effa3767eee4e25dc2cc69e5012f0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.205effa3767eee4e25dc2cc69e5012f0.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2112
- C:\Users\Admin\AppData\Local\Temp\NEAS.205effa3767eee4e25dc2cc69e5012f0.exe
  C:\Users\Admin\AppData\Local\Temp\NEAS.205effa3767eee4e25dc2cc69e5012f0.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:1940

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\NEAS.205effa3767eee4e25dc2cc69e5012f0.exe

Filesize
970KB

MD5
580c70634c05c62dc67ed2d8e77baab5

SHA1
2d571582735c407f048a54776f8d11f33b0e653b

SHA256
90f3fd26e6d473029adfef4721fa6c8e105738b6b7cc511306f9c54f9d39cfd3

SHA512
7b9cff14cad93e8b130169b295c0c4db5cb797842acdf41531dc850093ba93b09688ab4cc81e72219139d30a32e4db0939fb6ffcbf715090cc53125ee949d149

Download Submit
\Users\Admin\AppData\Local\Temp\NEAS.205effa3767eee4e25dc2cc69e5012f0.exe

Filesize
970KB

MD5
580c70634c05c62dc67ed2d8e77baab5

SHA1
2d571582735c407f048a54776f8d11f33b0e653b

SHA256
90f3fd26e6d473029adfef4721fa6c8e105738b6b7cc511306f9c54f9d39cfd3

SHA512
7b9cff14cad93e8b130169b295c0c4db5cb797842acdf41531dc850093ba93b09688ab4cc81e72219139d30a32e4db0939fb6ffcbf715090cc53125ee949d149

Download Submit
memory/1940-11-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1940-12-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1940-13-0x00000000002D0000-0x0000000000309000-memory.dmp

Filesize
228KB

Download
memory/2112-0-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2112-9-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2112-6-0x0000000000130000-0x0000000000169000-memory.dmp

Filesize
228KB

Download