ab7b9386d45ae071955e0c9077f9b67c839c24478d945d741f45a300f31d1f7b

General

Target

NEAS.35ca961ac26220d21fdd627a75230f50.exe
Size

82KB
MD5

35ca961ac26220d21fdd627a75230f50
SHA1

dd71f191ef93989e413d9a0599fdd7abd2b23f3a
SHA256

ab7b9386d45ae071955e0c9077f9b67c839c24478d945d741f45a300f31d1f7b
SHA512

536d6fb637da47ec5a66d5b04a5c38b9e5834593beb7361f19d5e32f77a8e2f9d2080a231b8d48e6084242dc322474f0e96aa948ee8af757ab6272d938fe5699
SSDEEP

1536:wPZWdlCHehfhtx38eERUMVgRGz/Ffcq2L7opm6+wDSmQFN6TiN1sJtvQu:wPZAlC+hfhv38eE+MVg+Bc3spm6tm7NU

Score

10^/10

dropper persistence trojan

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	NEAS.35ca961ac26220d21fdd627a75230f50.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	NEAS.35ca961ac26220d21fdd627a75230f50.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fkemfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fkemfl32.exe

Malware Backdoor - Berbew 11 IoCs

Berbew is a malware infection classified as a 'backdoor' Trojan. This malicious program's primary function is to cause chain infections - it can download/install additional malware such as other Trojans, ransomware, and cryptominers.

persistence dropper trojan

resource	yara_rule
behavioral2/memory/2336-0-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/memory/2336-1-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/files/0x0008000000022cce-7.dat	family_berbew
behavioral2/files/0x0008000000022cce-8.dat	family_berbew
behavioral2/memory/1208-9-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/files/0x0008000000022cd0-15.dat	family_berbew
behavioral2/memory/2336-17-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/memory/4768-18-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/files/0x0008000000022cd0-16.dat	family_berbew
behavioral2/memory/1208-19-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/memory/4768-20-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew

Executes dropped EXE 2 IoCs

pid	Process
1208	Fkemfl32.exe
4768	Gbmadd32.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Fkemfl32.exe	NEAS.35ca961ac26220d21fdd627a75230f50.exe
File opened for modification	C:\Windows\SysWOW64\Fkemfl32.exe	NEAS.35ca961ac26220d21fdd627a75230f50.exe
File created	C:\Windows\SysWOW64\Nailkcbb.dll	NEAS.35ca961ac26220d21fdd627a75230f50.exe
File created	C:\Windows\SysWOW64\Gbmadd32.exe	Fkemfl32.exe
File opened for modification	C:\Windows\SysWOW64\Gbmadd32.exe	Fkemfl32.exe
File created	C:\Windows\SysWOW64\Hjmgbm32.dll	Fkemfl32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4780	4768	WerFault.exe	94

Modifies registry class 9 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	NEAS.35ca961ac26220d21fdd627a75230f50.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fkemfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjmgbm32.dll"	Fkemfl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	NEAS.35ca961ac26220d21fdd627a75230f50.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	NEAS.35ca961ac26220d21fdd627a75230f50.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	NEAS.35ca961ac26220d21fdd627a75230f50.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	NEAS.35ca961ac26220d21fdd627a75230f50.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nailkcbb.dll"	NEAS.35ca961ac26220d21fdd627a75230f50.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fkemfl32.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2336 wrote to memory of 1208	2336	NEAS.35ca961ac26220d21fdd627a75230f50.exe	93
PID 2336 wrote to memory of 1208	2336	NEAS.35ca961ac26220d21fdd627a75230f50.exe	93
PID 2336 wrote to memory of 1208	2336	NEAS.35ca961ac26220d21fdd627a75230f50.exe	93
PID 1208 wrote to memory of 4768	1208	Fkemfl32.exe	94
PID 1208 wrote to memory of 4768	1208	Fkemfl32.exe	94
PID 1208 wrote to memory of 4768	1208	Fkemfl32.exe	94

C:\Users\Admin\AppData\Local\Temp\NEAS.35ca961ac26220d21fdd627a75230f50.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.35ca961ac26220d21fdd627a75230f50.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2336
- C:\Windows\SysWOW64\Fkemfl32.exe
  C:\Windows\system32\Fkemfl32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1208
- - C:\Windows\SysWOW64\Gbmadd32.exe
    C:\Windows\system32\Gbmadd32.exe
    3⤵
    - Executes dropped EXE
    PID:4768
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4768 -s 408
      4⤵
      Program crash
      PID:4780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4768 -ip 4768
1⤵
PID:4960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Fkemfl32.exe

Filesize
82KB

MD5
4c826224bbb437139bf87b5dbed0bf92

SHA1
ca59d905be2fcf2cb077018d33abdebfcc6add55

SHA256
9186a35f760e03e1c27ff8f6ae2d9668b30e69971071fed4069c072b98666f3f

SHA512
c285d762263b712fc47a02b28c92815765d8c5b7531f4feef01d9c8dd7f8b05aa60d5254b7b80183544989ce22121698f8158b45b13585638c91eb20844f90de

Download Submit
C:\Windows\SysWOW64\Fkemfl32.exe

Filesize
82KB

MD5
4c826224bbb437139bf87b5dbed0bf92

SHA1
ca59d905be2fcf2cb077018d33abdebfcc6add55

SHA256
9186a35f760e03e1c27ff8f6ae2d9668b30e69971071fed4069c072b98666f3f

SHA512
c285d762263b712fc47a02b28c92815765d8c5b7531f4feef01d9c8dd7f8b05aa60d5254b7b80183544989ce22121698f8158b45b13585638c91eb20844f90de

Download Submit
C:\Windows\SysWOW64\Gbmadd32.exe

Filesize
82KB

MD5
a56a40e4e2ecc89c47137f4454c18d8d

SHA1
9e899cdd3790808ec491403e9d3dc10248cf325a

SHA256
179fc01688daa531227b1c19b88181248822665491452f53df26137b83151880

SHA512
806566591c6a67c31d9cbaa171002e8160b33807ad72eb76215e135a4059235e94bdb39c7640f48f9c33d0406496485c81391761698757663bd45715996e0cd9

Download Submit
C:\Windows\SysWOW64\Gbmadd32.exe

Filesize
82KB

MD5
a56a40e4e2ecc89c47137f4454c18d8d

SHA1
9e899cdd3790808ec491403e9d3dc10248cf325a

SHA256
179fc01688daa531227b1c19b88181248822665491452f53df26137b83151880

SHA512
806566591c6a67c31d9cbaa171002e8160b33807ad72eb76215e135a4059235e94bdb39c7640f48f9c33d0406496485c81391761698757663bd45715996e0cd9

Download Submit
memory/1208-9-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1208-19-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2336-0-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2336-1-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2336-17-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4768-18-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4768-20-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads