Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    09/05/2024, 03:40

General

  • Target

    e246a89db78ff29e0188ed1624561060_NEIKI.exe

  • Size

    391KB

  • MD5

    e246a89db78ff29e0188ed1624561060

  • SHA1

    c392ce8d73000351004d3bc89a72896b746eabff

  • SHA256

    25ccf1d2c3b7fce3f7467df49b3b5572cf816682dd025cb5842a005de23f9eb0

  • SHA512

    a1d5f665aeaea7bb93d1bc19e1f653b6daa49f3ac29ab96c648fa5c45c4619ef0e5f61488983c21d156ed3f485c14aeba2c3f52b6a0de0d5d09f1247e882f26f

  • SSDEEP

    12288:2BgT9XvEhdfJkKSkU3kHyuaRB5t6k0IJogZ+SZE:2S9XvEhdfJkKSkU3kHyuaRB5t6k0IJon

Signatures

  • Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 20 IoCs)
  • Malware Dropper & Backdoor - Berbew (11 IoCs)

    Berbew is a backdoor Trojan that can download and install further malicious software, such as other Trojans, ransomware and cryptominers.

  • Executes dropped EXE (10 IoCs)
  • Drops file in System32 directory (30 IoCs)
  • Program crash (1 IoC)
  • Modifies registry class (33 IoCs)
  • Suspicious use of WriteProcessMemory (30 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\e246a89db78ff29e0188ed1624561060_NEIKI.exe
    "C:\Users\Admin\AppData\Local\Temp\e246a89db78ff29e0188ed1624561060_NEIKI.exe"
    1⤵
    • Adds autorun key to be loaded by Explorer.exe on startup
    • Drops file in System32 directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2444
    • C:\Windows\SysWOW64\Nafokcol.exe
      C:\Windows\system32\Nafokcol.exe
      2⤵
      • Adds autorun key to be loaded by Explorer.exe on startup
      • Executes dropped EXE
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:32
      • C:\Windows\SysWOW64\Nddkgonp.exe
        C:\Windows\system32\Nddkgonp.exe
        3⤵
        • Adds autorun key to be loaded by Explorer.exe on startup
        • Executes dropped EXE
        • Drops file in System32 directory
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:3972
        • C:\Windows\SysWOW64\Ngcgcjnc.exe
          C:\Windows\system32\Ngcgcjnc.exe
          4⤵
          • Adds autorun key to be loaded by Explorer.exe on startup
          • Executes dropped EXE
          • Drops file in System32 directory
          • Modifies registry class
          • Suspicious use of WriteProcessMemory
          PID:2596
          • C:\Windows\SysWOW64\Njacpf32.exe
            C:\Windows\system32\Njacpf32.exe
            5⤵
            • Adds autorun key to be loaded by Explorer.exe on startup
            • Executes dropped EXE
            • Drops file in System32 directory
            • Modifies registry class
            • Suspicious use of WriteProcessMemory
            PID:4496
            • C:\Windows\SysWOW64\Nbhkac32.exe
              C:\Windows\system32\Nbhkac32.exe
              6⤵
              • Adds autorun key to be loaded by Explorer.exe on startup
              • Executes dropped EXE
              • Drops file in System32 directory
              • Modifies registry class
              • Suspicious use of WriteProcessMemory
              PID:1504
              • C:\Windows\SysWOW64\Ndghmo32.exe
                C:\Windows\system32\Ndghmo32.exe
                7⤵
                • Adds autorun key to be loaded by Explorer.exe on startup
                • Executes dropped EXE
                • Drops file in System32 directory
                • Modifies registry class
                • Suspicious use of WriteProcessMemory
                PID:3024
                • C:\Windows\SysWOW64\Ngedij32.exe
                  C:\Windows\system32\Ngedij32.exe
                  8⤵
                  • Adds autorun key to be loaded by Explorer.exe on startup
                  • Executes dropped EXE
                  • Drops file in System32 directory
                  • Modifies registry class
                  • Suspicious use of WriteProcessMemory
                  PID:4272
                  • C:\Windows\SysWOW64\Nbkhfc32.exe
                    C:\Windows\system32\Nbkhfc32.exe
                    9⤵
                    • Adds autorun key to be loaded by Explorer.exe on startup
                    • Executes dropped EXE
                    • Drops file in System32 directory
                    • Modifies registry class
                    • Suspicious use of WriteProcessMemory
                    PID:4548
                    • C:\Windows\SysWOW64\Ndidbn32.exe
                      C:\Windows\system32\Ndidbn32.exe
                      10⤵
                      • Adds autorun key to be loaded by Explorer.exe on startup
                      • Executes dropped EXE
                      • Drops file in System32 directory
                      • Modifies registry class
                      • Suspicious use of WriteProcessMemory
                      PID:376
                      • C:\Windows\SysWOW64\Nkcmohbg.exe
                        C:\Windows\system32\Nkcmohbg.exe
                        11⤵
                        • Executes dropped EXE
                        PID:1532
                        • C:\Windows\SysWOW64\WerFault.exe
                          C:\Windows\SysWOW64\WerFault.exe -u -p 1532 -s 412
                          12⤵
                          • Program crash
                          PID:3048
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1532 -ip 1532
    1⤵
      PID:3580
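The process tree above is the part of this report worth turning into a hunt: the submitted sample drops Nafokcol.exe into C:\Windows\SysWOW64, that binary drops and runs the next one, and so on for ten hops until Nkcmohbg.exe (PID 1532) crashes and WerFault is invoked with "-p 1532". The script below is an added example, not the sandbox's own detection logic. It runs over constructed Sysmon-style process-creation events (pid, parent pid, image, command line); the PIDs, image paths and WerFault command lines are copied from the tree above, while the parent PID 700, the cmd.exe/ipconfig.exe noise rows and the small BASELINE allowlist of SysWOW64 binaries are assumptions made for the demonstration. It flags chains of unknown SysWOW64 executables where each one spawned the next, and correlates the WerFault "-p" argument so the crashed member of the chain is reported alongside it.

```python
"""Hunt for the dropper chain in the report's process tree: each dropped EXE
in C:\\Windows\\SysWOW64 launches the next one, and the last one crashes.
Added example over constructed Sysmon-style events; not the sandbox's code."""
import re
from collections import defaultdict

SYSWOW64 = "c:\\windows\\syswow64\\"
# Assumed baseline of binaries expected to run from SysWOW64 (illustrative only;
# on a real host derive it from a known-good image or an Authenticode check).
BASELINE = {"werfault.exe", "cmd.exe", "ipconfig.exe", "conhost.exe"}

# Constructed events as (pid, ppid, image, command line).  PIDs, image paths
# and the two WerFault command lines are taken from the report; the parent
# PID 700 and the cmd.exe/ipconfig.exe rows are invented benign noise.
ROOT = r"C:\Users\Admin\AppData\Local\Temp\e246a89db78ff29e0188ed1624561060_NEIKI.exe"
DROPS = ["Nafokcol", "Nddkgonp", "Ngcgcjnc", "Njacpf32", "Nbhkac32",
         "Ndghmo32", "Ngedij32", "Nbkhfc32", "Ndidbn32", "Nkcmohbg"]
PIDS = [32, 3972, 2596, 4496, 1504, 3024, 4272, 4548, 376, 1532]
EVENTS = [(2444, 700, ROOT, '"' + ROOT + '"')]
_parent = 2444
for _name, _pid in zip(DROPS, PIDS):
    EVENTS.append((_pid, _parent, "C:\\Windows\\SysWOW64\\" + _name + ".exe",
                   "C:\\Windows\\system32\\" + _name + ".exe"))
    _parent = _pid
EVENTS += [
    (3048, 1532, r"C:\Windows\SysWOW64\WerFault.exe",
     r"C:\Windows\SysWOW64\WerFault.exe -u -p 1532 -s 412"),
    (3580, 700, r"C:\Windows\SysWOW64\WerFault.exe",
     r"C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1532 -ip 1532"),
    (5000, 700, r"C:\Windows\SysWOW64\cmd.exe", "cmd.exe /c ipconfig"),
    (5001, 5000, r"C:\Windows\SysWOW64\ipconfig.exe", "ipconfig"),
]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def is_unknown_syswow64(image):
    """True for an executable under SysWOW64 that is not in the baseline."""
    low = image.lower()
    return low.startswith(SYSWOW64) and basename(low) not in BASELINE


def crashed_pids(events):
    """PIDs named by WerFault '-p <pid>' (the report's 'Program crash' signature)."""
    out = set()
    for _, _, image, cmd in events:
        if basename(image) == "werfault.exe":
            m = re.search(r"(?:^|\s)-p\s+(\d+)", cmd)
            if m:
                out.add(int(m.group(1)))
    return out


def find_chains(events):
    """Chains of unknown SysWOW64 binaries where each one spawned the next.
    A chain is a list of (pid, basename) starting at the first binary whose
    parent is not itself an unknown SysWOW64 binary; 'origin' is that parent."""
    by_pid = {pid: (ppid, image) for pid, ppid, image, _ in events}
    children = defaultdict(list)
    for pid, ppid, image, _ in events:
        if is_unknown_syswow64(image):
            children[ppid].append(pid)
    chains = []
    for pid, ppid, image, _ in events:
        if not is_unknown_syswow64(image):
            continue
        parent = by_pid.get(ppid)
        if parent and is_unknown_syswow64(parent[1]):
            continue                      # interior node, not a chain head
        chain, cur = [], pid
        while cur is not None:
            chain.append((cur, basename(by_pid[cur][1])))
            kids = children.get(cur, [])
            cur = kids[0] if kids else None   # follows one branch; fan-out is ignored
        chains.append({"origin": parent[1] if parent else None, "chain": chain})
    return chains


def hunt(events, min_depth=3):
    """Report chains of at least min_depth hops, with any member that crashed."""
    crashed = crashed_pids(events)
    hits = []
    for c in find_chains(events):
        if len(c["chain"]) >= min_depth:
            members = {pid for pid, _ in c["chain"]}
            hits.append({**c, "depth": len(c["chain"]),
                         "crashed": sorted(crashed & members)})
    return hits


if __name__ == "__main__":
    for h in hunt(EVENTS):
        print(f"{h['depth']}-hop chain from {h['origin']}: "
              + " -> ".join(name for _, name in h["chain"])
              + f"; crashed: {h['crashed']}")
```

On the constructed data this reports one 10-hop chain originating from the Temp-directory sample, with 1532 as the crashed member; the cmd.exe and ipconfig.exe rows stay quiet because they are in the baseline. The depth threshold is what keeps an ordinary installer (one unknown binary in SysWOW64 spawning one helper) from firing; three or more hops of unknown SysWOW64 binaries is rare on a managed host.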

          Downloads

          • C:\Windows\SysWOW64\Ipkobd32.dll

            Filesize

            7KB

            MD5

            92d8c29761d60ad20281f89629784f4b

            SHA1

            6140a32dad673f9d7ab925bba2ef0324673ceae2

            SHA256

            dc2e2b53847aa43b00eed8ba3a225137f5a3ccf978052c7a496d4ec2d2f988c2

            SHA512

            01b0784e57b969cdd9da0b182aadbd484be2933a03dcfb91a6e7a51b61fe344bc6dde0605952dcf49c5167a4bf305f24cc9924ef409568951086b80a68d5f4d0

          • C:\Windows\SysWOW64\Nafokcol.exe

            Filesize

            391KB

            MD5

            90fad81011fa8eca5aa295e75cd3a04b

            SHA1

            d0577329d586bb1d6b49dd0ee5c46dd29e8f6655

            SHA256

            eb8f331d78eb61aeeb127cce78d023525784557405abff20b199f8497fa2e34a

            SHA512

            235ceaa938cb01ea967fa727ef6c85b876d7ee49785be700dafaef6c7ae954f07deaae5ac1aef602e99145f9ce3707585a3814539de1d514ca4cdc599cb5f557

          • C:\Windows\SysWOW64\Nbhkac32.exe

            Filesize

            391KB

            MD5

            70049f9d690dd11562597dbfb9eb99d6

            SHA1

            8d3d0e745a649e16904812a71427f1bcefbd66dd

            SHA256

            1ce7b6d6ce8f5234f39d6496d44df432d2c20fefb65d2f63cb49ed2d907acd30

            SHA512

            1e34f0f1761b36940f498ca6f60b17e965623fe9141d396e13691aa562e18c849bd9ec0b8512f15e009948d29601ae4944edf01cb842932754e399e45ec3c42e

          • C:\Windows\SysWOW64\Nbkhfc32.exe

            Filesize

            391KB

            MD5

            44b5074ea5f81e4143d613119af2a4ce

            SHA1

            80e5d15fecd464835fa99b9dcccde912e54a5e1d

            SHA256

            087b2247702fbfc04fbceda278f25ff83a86ca0a9ac376cb6f7416ab6258f0f3

            SHA512

            fdaaf0f81b70f031b869b0dd7a8e779fe7f8cd357c653448987528db38e04414c7c672a6fcae7db570b2e6c802622a8d639149e90fc128077e431508f656d8b6

          • C:\Windows\SysWOW64\Nddkgonp.exe

            Filesize

            391KB

            MD5

            c1019f5cb9637bf716edbcc0b48ef777

            SHA1

            f68d22de73a5d64c4ebeab5b6d0753485f94af9f

            SHA256

            8cdb035fdfac59942f1164aad4d246da90638326f3b2894a6fae0c2e64a35371

            SHA512

            fd48b40640f444b1c2bc173202e6e8fee898101087d4989d495321b378efc2832cdf0354d68d5a0e239c17b9966c9c75acac25e94bacc3b5f86fc6ca374fdd25

          • C:\Windows\SysWOW64\Ndghmo32.exe

            Filesize

            391KB

            MD5

            5aaa59cfb309643ffe112872fd077b96

            SHA1

            34cd328e45e03990f7b7c6036742cc3828d8c46e

            SHA256

            5741576a1298f33e209995dcc87cd4240fecd5213345caa28aaf2d23c82ebc72

            SHA512

            61370a9d2f070f7e4ec0f182830c96d0c9d3d2cbb51e64846c44e800616461be8ae8709304f4e718860856ceb16a8366e5f431ae3eb0f3335953cef3022967d4

          • C:\Windows\SysWOW64\Ndghmo32.exe

            Filesize

            391KB

            MD5

            af8b794eb6b9eae6c6649652459cc47a

            SHA1

            83ddf446df8f4ab47f00d399a5a16a44d6da13ad

            SHA256

            6c4855b59435dc456a33923e3d3e0526101bfdf5ccb00ab091b1b6d6e8a20e43

            SHA512

            a2f48356fa6084645ecad391fc837034146b04a7cd72947ed2d39ee3ef62218808a7d0c8c470ee96ba4a57e2d2575c226c49bb0439d47a4a5b653da2399c333c

          • C:\Windows\SysWOW64\Ndidbn32.exe

            Filesize

            391KB

            MD5

            ab75bc5aa530871e902a996493dd9a01

            SHA1

            e47f1fff19221fbf282dc6a7b0aa5c6edb72c0fb

            SHA256

            0610b8295d528b02ee3d82ad98b91e75fc30fd46c7f50b4cd8bafd7b0a490d0b

            SHA512

            aff3fe4561c88f029fcfb1b7909393ae7e17df4e4854c4b5360d4e4395518b7d7ea9685ce0e176f7402ef80069c4e55f0823b0a6fb64e77981cb289bd0cc7734

          • C:\Windows\SysWOW64\Ngcgcjnc.exe

            Filesize

            391KB

            MD5

            38741f11ef55a2ff6138cbcedaf1d721

            SHA1

            4319cee6678d52832037729060f7204b4a53b1fc

            SHA256

            abbda7eb0e0e82680a15f475d2ea764a698820a9fecdee92b9905b3a85b0cad6

            SHA512

            f41a02d7999b8024630763317460870bfaf8e9a40dbdf0ee2c510d1424c61ba3547890b3043c4220613517fc79e31ba2429b6609c91b741614972979480cf401

          • C:\Windows\SysWOW64\Ngedij32.exe

            Filesize

            391KB

            MD5

            d569616bc168e9ff55c80c210e60afaf

            SHA1

            8e43c510422c5b785e11fc7c7fd261b42066675d

            SHA256

            af86d01fd15aba317212696a8a382756eed7770a1a536e870568c39661855aab

            SHA512

            725432cb011709829ef3dbbb2968b900b415dfd14b67f0a510ab766229e7e2fbc77f3a29be241f886edd6bdf71a3640539a9213d55686085bb7af0b835a54fb1

          • C:\Windows\SysWOW64\Njacpf32.exe

            Filesize

            391KB

            MD5

            ebab69544147d8b2b3af0b1e9e00e428

            SHA1

            f91962b4327227c98da56b387b3934668436cf1e

            SHA256

            62d37c8cbc729dd98f0824a2677c772ac25d358ad321e79dd6a9c3c9093220b1

            SHA512

            f06beb34f81f4a3d82534f02f20cc20d32798df2f99df4dfbd979fe619015f8df29b798fd17969bc352b8e7a9818679154381f28e764762cb3a6ccede288fce2

          • C:\Windows\SysWOW64\Nkcmohbg.exe

            Filesize

            391KB

            MD5

            150c1c5d98a1fbd95eb6d7122e91ad91

            SHA1

            f1b4f588c4c2060587fe4d39500e1968a51cdac9

            SHA256

            7c991c36ea19fa7cfaba2955b0175a6b06f8405fbbf86b097439438ed644a582

            SHA512

            4926bc7bced1759ac295020f1d1cb7da9dc49958184557119059abd110dc46ebc86960a23423891f10ce17a2aa97b444a815d38905a038179256c4caccfd55d2

          • memory/32-8-0x0000000000400000-0x0000000000434000-memory.dmp

            Filesize

            208KB

          • memory/32-89-0x0000000000400000-0x0000000000434000-memory.dmp

            Filesize

            208KB

          • memory/376-72-0x0000000000400000-0x0000000000434000-memory.dmp

            Filesize

            208KB

          • memory/376-82-0x0000000000400000-0x0000000000434000-memory.dmp

            Filesize

            208KB

          • memory/1504-85-0x0000000000400000-0x0000000000434000-memory.dmp

            Filesize

            208KB

          • memory/1504-40-0x0000000000400000-0x0000000000434000-memory.dmp

            Filesize

            208KB

          • memory/1532-80-0x0000000000400000-0x0000000000434000-memory.dmp

            Filesize

            208KB

          • memory/1532-81-0x0000000000400000-0x0000000000434000-memory.dmp

            Filesize

            208KB

          • memory/2444-0-0x0000000000400000-0x0000000000434000-memory.dmp

            Filesize

            208KB

          • memory/2444-90-0x0000000000400000-0x0000000000434000-memory.dmp

            Filesize

            208KB

          • memory/2596-87-0x0000000000400000-0x0000000000434000-memory.dmp

            Filesize

            208KB

          • memory/2596-24-0x0000000000400000-0x0000000000434000-memory.dmp

            Filesize

            208KB

          • memory/3024-84-0x0000000000400000-0x0000000000434000-memory.dmp

            Filesize

            208KB

          • memory/3024-47-0x0000000000400000-0x0000000000434000-memory.dmp

            Filesize

            208KB

          • memory/3972-88-0x0000000000400000-0x0000000000434000-memory.dmp

            Filesize

            208KB

          • memory/3972-15-0x0000000000400000-0x0000000000434000-memory.dmp

            Filesize

            208KB

          • memory/4272-83-0x0000000000400000-0x0000000000434000-memory.dmp

            Filesize

            208KB

          • memory/4272-56-0x0000000000400000-0x0000000000434000-memory.dmp

            Filesize

            208KB

          • memory/4496-86-0x0000000000400000-0x0000000000434000-memory.dmp

            Filesize

            208KB

          • memory/4496-32-0x0000000000400000-0x0000000000434000-memory.dmp

            Filesize

            208KB

          • memory/4548-68-0x0000000000400000-0x0000000000434000-memory.dmp

            Filesize

            208KB
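Two things stand out in the Downloads list: every dropped executable is 391KB but carries a different hash, and C:\Windows\SysWOW64\Ndghmo32.exe appears twice with two different hashes, so the dropper rewrites its payloads per stage and hash IOCs from this run will only catch this run. The scanner below is an added example, not part of the sandbox report. It walks a directory tree, matches SHA-256 values against the hashes copied from this page (the submitted sample plus the twelve dropped files), and falls back to a name heuristic derived from the dropped file names (one capital letter, five or seven lower-case letters, an optional "32", .exe or .dll) combined with an MZ-header check. The heuristic and the constructed files in demo() are assumptions for illustration; the hash of one constructed blob is added to the IOC set only so the hash path can be exercised offline.

```python
"""Scan a tree for the files listed under Downloads: exact SHA-256 hits against
the report's values, plus a name heuristic built from the dropped file names.
Added example, not part of the sandbox report."""
import hashlib
import os
import re
import tempfile

# SHA-256 values copied from this report (submitted sample and Downloads).
REPORT_SHA256 = {
    "25ccf1d2c3b7fce3f7467df49b3b5572cf816682dd025cb5842a005de23f9eb0",  # submitted sample
    "dc2e2b53847aa43b00eed8ba3a225137f5a3ccf978052c7a496d4ec2d2f988c2",  # Ipkobd32.dll
    "eb8f331d78eb61aeeb127cce78d023525784557405abff20b199f8497fa2e34a",  # Nafokcol.exe
    "1ce7b6d6ce8f5234f39d6496d44df432d2c20fefb65d2f63cb49ed2d907acd30",  # Nbhkac32.exe
    "087b2247702fbfc04fbceda278f25ff83a86ca0a9ac376cb6f7416ab6258f0f3",  # Nbkhfc32.exe
    "8cdb035fdfac59942f1164aad4d246da90638326f3b2894a6fae0c2e64a35371",  # Nddkgonp.exe
    "5741576a1298f33e209995dcc87cd4240fecd5213345caa28aaf2d23c82ebc72",  # Ndghmo32.exe (first)
    "6c4855b59435dc456a33923e3d3e0526101bfdf5ccb00ab091b1b6d6e8a20e43",  # Ndghmo32.exe (second)
    "0610b8295d528b02ee3d82ad98b91e75fc30fd46c7f50b4cd8bafd7b0a490d0b",  # Ndidbn32.exe
    "abbda7eb0e0e82680a15f475d2ea764a698820a9fecdee92b9905b3a85b0cad6",  # Ngcgcjnc.exe
    "af86d01fd15aba317212696a8a382756eed7770a1a536e870568c39661855aab",  # Ngedij32.exe
    "62d37c8cbc729dd98f0824a2677c772ac25d358ad321e79dd6a9c3c9093220b1",  # Njacpf32.exe
    "7c991c36ea19fa7cfaba2955b0175a6b06f8405fbbf86b097439438ed644a582",  # Nkcmohbg.exe
}

# Heuristic derived from the names on the page.  An assumption for this
# example, not a published Berbew signature; expect false positives on a real
# host, so treat a name-only hit as a lead rather than a verdict.
NAME_RE = re.compile(r"^[A-Z][a-z]{5}(?:[a-z]{2}|32)\.(?:exe|dll)$")


def sha256_file(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def is_pe(path):
    """Cheap MZ-header check so the name heuristic ignores plain data files."""
    with open(path, "rb") as f:
        return f.read(2) == b"MZ"


def scan(root, iocs=REPORT_SHA256):
    """Return {relative_path: reason}; reason is 'hash' or 'name_pattern'.
    Paths are normalised to forward slashes so results compare across OSes."""
    hits = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if sha256_file(path) in iocs:
                hits[rel] = "hash"
            elif NAME_RE.match(name) and is_pe(path):
                hits[rel] = "name_pattern"
    return hits


def demo():
    """Build a constructed tree and scan it.  The file bytes are made up, so
    only the name heuristic can fire on them; the hash of one constructed blob
    is added to the IOC set to show the exact-match path as well."""
    blob = b"MZ" + b"\x90" * 64          # constructed stand-in for a dropped PE
    with tempfile.TemporaryDirectory() as root:
        sys32 = os.path.join(root, "Windows", "SysWOW64")
        os.makedirs(sys32)
        samples = [("Nafokcol.exe", blob),              # hash hit
                   ("Ndidbn32.exe", b"MZ" + b"A" * 10),  # name-pattern hit
                   ("Ipkobd32.dll", b"MZ" + b"B" * 10),  # name-pattern hit
                   ("cmd.exe", b"MZ" + b"C" * 10),       # legitimate name, ignored
                   ("notes.txt", b"hello")]              # not a PE, ignored
        for name, data in samples:
            with open(os.path.join(sys32, name), "wb") as f:
                f.write(data)
        iocs = REPORT_SHA256 | {hashlib.sha256(blob).hexdigest()}
        return scan(root, iocs)


if __name__ == "__main__":
    for rel, reason in sorted(demo().items()):
        print(f"{reason:13} {rel}")
```

To use it against a mounted image or a live host, call scan() with the drive root and the page's hash set; a "hash" hit is conclusive, a "name_pattern" hit should be confirmed by checking the file's signature and its creation time against the user-writable drop in the Temp directory that started the chain.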