a4b2f5fb4b8f67b065132aafb4d0e7ad50503cc0fcc58d1a9fd8252693ef519a

Analysis

max time kernel
141s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
26/11/2023, 10:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0a041b2c3b560ed2f165ce689b1a7b09.exe
Size

909KB
MD5

0a041b2c3b560ed2f165ce689b1a7b09
SHA1

1a1d0f890a792aaab6d7fc667f1aa7694f0f81fb
SHA256

a4b2f5fb4b8f67b065132aafb4d0e7ad50503cc0fcc58d1a9fd8252693ef519a
SHA512

0ea003d8fc15e171f81663597950fedca32f0ab8b98b0ea7e7d2490cceb3d128444afe31014ed440a628437a1b52a16e3f95c7f806ba53c465e6fccfd8cce0c3
SSDEEP

24576:9rtTGoSpY4Jro3TpBypjhqWgstIA5qlLZu5MO4we2G9CEzlpd68EW:f+r2TpBypjhqWgstIA0ZZu5MO4p2cCEZ

Score

10^/10

dropper persistence trojan

Malware Config

Signatures

Malware Backdoor - Berbew 2 IoCs

Berbew is a malware infection classified as a 'backdoor' Trojan. This malicious program's primary function is to cause chain infections - it can download/install additional malware such as other Trojans, ransomware, and cryptominers.

persistence dropper trojan

resource	yara_rule
behavioral2/files/0x0009000000022dff-6.dat	family_berbew
behavioral2/files/0x0009000000022dff-7.dat	family_berbew

Executes dropped EXE 1 IoCs

pid	Process
1372	svchost.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\mMCilRHk\UPhhQON.dll	svchost.exe
File created	C:\Windows\Yeyvnb.dll	0a041b2c3b560ed2f165ce689b1a7b09.exe
File created	C:\Windows\IUIkIJT.dll	svchost.exe
File created	C:\Windows\mMCilRHk\UPhhQON.dll	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4576	1372	WerFault.exe	85

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1372	svchost.exe
1372	svchost.exe
1372	svchost.exe
1372	svchost.exe
1372	svchost.exe
1372	svchost.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 376 wrote to memory of 1372	376	0a041b2c3b560ed2f165ce689b1a7b09.exe	85
PID 376 wrote to memory of 1372	376	0a041b2c3b560ed2f165ce689b1a7b09.exe	85
PID 376 wrote to memory of 1372	376	0a041b2c3b560ed2f165ce689b1a7b09.exe	85

C:\Users\Admin\AppData\Local\Temp\0a041b2c3b560ed2f165ce689b1a7b09.exe
"C:\Users\Admin\AppData\Local\Temp\0a041b2c3b560ed2f165ce689b1a7b09.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:376
- C:\ProgramData\xnyWQR\svchost.exe
  "C:\ProgramData\xnyWQR\svchost.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  PID:1372
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1372 -s 1232
    3⤵
    - Program crash
    PID:4576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1372 -ip 1372
1⤵
PID:5004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\xnyWQR\svchost.exe

Filesize
916KB

MD5
e289377e09600d75547cfa4874f2bde7

SHA1
dd80a7fab2732ae430ce86db787febb7025dbdb8

SHA256
e86ac3f3e26f29111a4425479870ef2fcb4bb829a5bf47beb0cdaba1020055f5

SHA512
4e871c23ffbb6db1d8e5644563bb86eeca568ebf0141a0cc76cc3a1565ad407c13e8c1d8dd2b59ab4f092da5431371a794e994fcf9860ea48c5c7d72bc66f6d3

Download Submit
C:\ProgramData\xnyWQR\svchost.exe

Filesize
916KB

MD5
e289377e09600d75547cfa4874f2bde7

SHA1
dd80a7fab2732ae430ce86db787febb7025dbdb8

SHA256
e86ac3f3e26f29111a4425479870ef2fcb4bb829a5bf47beb0cdaba1020055f5

SHA512
4e871c23ffbb6db1d8e5644563bb86eeca568ebf0141a0cc76cc3a1565ad407c13e8c1d8dd2b59ab4f092da5431371a794e994fcf9860ea48c5c7d72bc66f6d3

Download Submit
memory/376-0-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/376-8-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/1372-9-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/1372-21-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/1372-22-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download