9fab1db0a4ac894d7883bc992c467f5ea61f592f3a65969eb932cb21650c8b53

Analysis

max time kernel
149s
max time network
139s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
30/12/2023, 16:27

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

a4b8ec5a50493fd26893d36123428c16.exe
Size

419KB
MD5

a4b8ec5a50493fd26893d36123428c16
SHA1

219c5ea03e2d5910563437fd8aef193f7b32acb4
SHA256

9fab1db0a4ac894d7883bc992c467f5ea61f592f3a65969eb932cb21650c8b53
SHA512

75f6b294718d2ed3d8e72732342955aa5db6b48b155519c7a4e45f0a5aeb0360bb44969d96b8ec2a833cb94a40a31a59cd487c11cd45301e0383fadf18e6503c
SSDEEP

12288:QGkdVUm9VunNv3vhrUluVDFs5ekwI93TkH1m1pcEtQAO:QGkdVUm9VunNv3vhrUluVDFs5ekwI93k

Score

10^/10

backdoor dropper trojan

Malware Config

Signatures

Malware Dropper & Backdoor - Berbew 5 IoCs

Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.

backdoor trojan dropper

resource	yara_rule
behavioral1/files/0x003000000001604f-5.dat	family_berbew
behavioral1/files/0x003000000001604f-11.dat	family_berbew
behavioral1/files/0x003000000001604f-8.dat	family_berbew
behavioral1/files/0x003000000001604f-7.dat	family_berbew
behavioral1/files/0x003000000001604f-15.dat	family_berbew

Executes dropped EXE 1 IoCs

pid	Process
2392	jusched.exe

Loads dropped DLL 2 IoCs

pid	Process
836	a4b8ec5a50493fd26893d36123428c16.exe
836	a4b8ec5a50493fd26893d36123428c16.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Java\jre-09\bin\jusched.exe	a4b8ec5a50493fd26893d36123428c16.exe
File opened for modification	C:\Program Files (x86)\Java\jre-09\bin\jusched.exe	a4b8ec5a50493fd26893d36123428c16.exe
File created	C:\Program Files (x86)\Java\jre-09\bin\UF	a4b8ec5a50493fd26893d36123428c16.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2392	jusched.exe
2392	jusched.exe
2392	jusched.exe
2392	jusched.exe
2392	jusched.exe
2392	jusched.exe
2392	jusched.exe
2392	jusched.exe
2392	jusched.exe
2392	jusched.exe
2392	jusched.exe
2392	jusched.exe
2392	jusched.exe
2392	jusched.exe
2392	jusched.exe
2392	jusched.exe
2392	jusched.exe
2392	jusched.exe
2392	jusched.exe
2392	jusched.exe
2392	jusched.exe
2392	jusched.exe
2392	jusched.exe
2392	jusched.exe
2392	jusched.exe
2392	jusched.exe
2392	jusched.exe
2392	jusched.exe
2392	jusched.exe
2392	jusched.exe
2392	jusched.exe
2392	jusched.exe
2392	jusched.exe
2392	jusched.exe
2392	jusched.exe
2392	jusched.exe
2392	jusched.exe
2392	jusched.exe
2392	jusched.exe
2392	jusched.exe
2392	jusched.exe
2392	jusched.exe
2392	jusched.exe
2392	jusched.exe
2392	jusched.exe
2392	jusched.exe
2392	jusched.exe
2392	jusched.exe
2392	jusched.exe
2392	jusched.exe
2392	jusched.exe
2392	jusched.exe
2392	jusched.exe
2392	jusched.exe
2392	jusched.exe
2392	jusched.exe
2392	jusched.exe
2392	jusched.exe
2392	jusched.exe
2392	jusched.exe
2392	jusched.exe
2392	jusched.exe
2392	jusched.exe
2392	jusched.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 836 wrote to memory of 2392	836	a4b8ec5a50493fd26893d36123428c16.exe	28
PID 836 wrote to memory of 2392	836	a4b8ec5a50493fd26893d36123428c16.exe	28
PID 836 wrote to memory of 2392	836	a4b8ec5a50493fd26893d36123428c16.exe	28
PID 836 wrote to memory of 2392	836	a4b8ec5a50493fd26893d36123428c16.exe	28

C:\Users\Admin\AppData\Local\Temp\a4b8ec5a50493fd26893d36123428c16.exe
"C:\Users\Admin\AppData\Local\Temp\a4b8ec5a50493fd26893d36123428c16.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:836
- C:\Program Files (x86)\Java\jre-09\bin\jusched.exe
  "C:\Program Files (x86)\Java\jre-09\bin\jusched.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2392

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Java\jre-09\bin\jusched.exe

Filesize
182KB

MD5
3f66a150a9aef8a4eb36667782d70dc1

SHA1
310a56fd9f3c9cde97b205b2e027826efb8fcdcb

SHA256
b850e87296848a88b6a4fcff8b9d05e9fd4d9a2dd9c93e546c046ca4fafc483a

SHA512
e372a7fb85ec8695fca9ebb1666590b7800334dae12cfe944761cb790bb2fd9153af61f41770399d5e6877179460745c61d8ac54dbf52c82c2a78f9a97bbcdd1

Download Submit
C:\Program Files (x86)\Java\jre-09\bin\jusched.exe

Filesize
43KB

MD5
133bd880a2f6657be1d7c1356177d505

SHA1
c7e8095c1d6ff786b2267f450e2f64ba5fc5b27b

SHA256
05b3b11051d1372ede2c538d366efb54a77df7f9ac30d8fc51efbb1f347b0eb8

SHA512
eb9eb600c2462b7719205e05dbb4ca65e7a7bedcc0bb90eb113973653f9b6aa18668551f1b7590ff24da2d7170feea198b2e223d7bd6fcf73b092a05586ae005

Download Submit
C:\Program Files (x86)\Java\jre-09\bin\jusched.exe

Filesize
132KB

MD5
105a1fe5f007d6b7b9dbed172884dcc9

SHA1
cba517095392cf83cae5e241292ec4fa79ca0256

SHA256
23ea17ea6675e9b2dba94a0f474bdf751cc0e6aa671eefdee4ed990197038696

SHA512
32b271fca9e3a0bc90937b322e5118dfd2ee82383672f2c25db578b5e996d5627dfc0614246f606af11e0973540728d25b1f750b57003a560655cef14256e57d

Download Submit
\Program Files (x86)\Java\jre-09\bin\jusched.exe

Filesize
75KB

MD5
53176f48952e3ee5bcf95956dc780a82

SHA1
952fbc209336a5a208ec6d451cf7350bebf4d5c2

SHA256
ef3b9953bd71d7ad88041018bfc66de101b27114e0b95184e4d782a0f188b65c

SHA512
ddd080c1bfaef30012c2c0e823d8835a0a1584746fa4f783ac38cde044156110126ef4dbfada165a15aaf0462ff5a74236d07360fd09a0152aec380807662b10

Download Submit
\Program Files (x86)\Java\jre-09\bin\jusched.exe

Filesize
135KB

MD5
98afb54b2551824c1028e789d13f9492

SHA1
92f58d52c4207a52e70665785f4c64222a3ba1eb

SHA256
ca7d21947ab00b3fecaa23b18835cb02182170d1acbb554189066afa083828f2

SHA512
d88591bf1abe7cd007f802a0391ddb8161772f7e554ab023b57249f65fa216a245e990183da43911fa463616a317594d67e6498a9ae2be9f512824a75fc0d340

Download Submit
memory/836-0-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/836-13-0x0000000004640000-0x0000000004684000-memory.dmp

Filesize
272KB

Download
memory/836-12-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2392-14-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download