0fc3a19bc7f2d89f79ecf35997caa1ea804ea8a3c7091e628b46be954b0d23a3

Analysis

max time kernel
140s
max time network
104s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
08-05-2024 19:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

23a002c8d301b9a4bffc3d90a846b700_NEIKI.exe
Size

320KB
MD5

23a002c8d301b9a4bffc3d90a846b700
SHA1

3969a07eec0773022ea51ece47e7aed7e58b0ab0
SHA256

0fc3a19bc7f2d89f79ecf35997caa1ea804ea8a3c7091e628b46be954b0d23a3
SHA512

e74a97c90d9c04b0c9f13905d3851eebfbc6de6f0c8efca8ba0b7a9f2aac667a299ebd785af0c99451a6dc3c3747b661aaa80fa0e08601d68681c82a4c5e2381
SSDEEP

6144:RoLVc5spJLBNlM6OX3JtMa9mxDImf8oWcYYkiKQtZ3hUtypQCdtp0Lk8gCEvY5BF:U/Xu6WSOEvoKlSql4ejAAWxe1X7BMj

Score

10^/10

backdoor dropper trojan

Malware Config

Signatures

Malware Dropper & Backdoor - Berbew 1 IoCs

Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.

backdoor trojan dropper

resource	yara_rule
behavioral2/files/0x000b000000023415-5.dat	family_berbew

Deletes itself 1 IoCs

pid	Process
5012	23a002c8d301b9a4bffc3d90a846b700_NEIKI.exe

Executes dropped EXE 1 IoCs

pid	Process
5012	23a002c8d301b9a4bffc3d90a846b700_NEIKI.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3456	740	WerFault.exe	81
2104	5012	WerFault.exe	88

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
740	23a002c8d301b9a4bffc3d90a846b700_NEIKI.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
5012	23a002c8d301b9a4bffc3d90a846b700_NEIKI.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 740 wrote to memory of 5012	740	23a002c8d301b9a4bffc3d90a846b700_NEIKI.exe	88
PID 740 wrote to memory of 5012	740	23a002c8d301b9a4bffc3d90a846b700_NEIKI.exe	88
PID 740 wrote to memory of 5012	740	23a002c8d301b9a4bffc3d90a846b700_NEIKI.exe	88

C:\Users\Admin\AppData\Local\Temp\23a002c8d301b9a4bffc3d90a846b700_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\23a002c8d301b9a4bffc3d90a846b700_NEIKI.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:740
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 740 -s 396
  2⤵
  - Program crash
  PID:3456
- C:\Users\Admin\AppData\Local\Temp\23a002c8d301b9a4bffc3d90a846b700_NEIKI.exe
  C:\Users\Admin\AppData\Local\Temp\23a002c8d301b9a4bffc3d90a846b700_NEIKI.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:5012
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5012 -s 368
    3⤵
    - Program crash
    PID:2104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 740 -ip 740
1⤵
PID:4748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 5012 -ip 5012
1⤵
PID:2996

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\23a002c8d301b9a4bffc3d90a846b700_NEIKI.exe

Filesize
320KB

MD5
fafd88d17feb8ceb6e2221998d3710a6

SHA1
58f4b8425ad0ed4f1a1b89ca5a74eb30762d8667

SHA256
6c57e0e3c6939a218975b511dc430f1f622039c22b321544d124d2684dcd7173

SHA512
f5df8256192d1191316846f46736bcbef9a8fb4e3643a97322af6cbf6ff20c7f1a8961d14c94e942b6f5f4f3c42d9b71fe8b48dcac53e471a8475fd4424871b9

Download Submit
memory/740-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/740-6-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5012-7-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5012-8-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/5012-13-0x0000000004D50000-0x0000000004D90000-memory.dmp

Filesize
256KB

Download
memory/5012-14-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download