Analysis
max time kernel: 136s
max time network: 99s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/05/2024, 03:23
Behavioral task: behavioral1
Sample: de0cd03f3bef051e711f80491911d4d0_NEIKI.exe
Resource: win7-20240508-en
Behavioral task: behavioral2
Sample: de0cd03f3bef051e711f80491911d4d0_NEIKI.exe
Resource: win10v2004-20240426-en
General
Target: de0cd03f3bef051e711f80491911d4d0_NEIKI.exe
Size: 3.7MB
MD5: de0cd03f3bef051e711f80491911d4d0
SHA1: cdca03424f6f97fef661fa3c27ac57938f6d8f1d
SHA256: b3506e6760f5d376b1d5ecd79d29f36276e8947451f91567c68749fc5cbf4b41
SHA512: 777e98d8b8379bd909036369854d42a8398027f9b68c8a3efe203dd85aec665350ec044a541602e720c3d894a5e857fe937518a49566b6d645f6ce3723e50033
SSDEEP: 98304:IrTWVDBzcjgBNXcolMZ5nNxvM0oLoPKnllYUugyF:IXWVDBzcjgBNXcolMZ5nNxvM0oLo6Yb
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 2 IoCs)
  Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad (process: de0cd03f3bef051e711f80491911d4d0_NEIKI.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" (process: de0cd03f3bef051e711f80491911d4d0_NEIKI.exe)
Malware Dropper & Backdoor - Berbew (1 IoC)
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
  YARA rule family_berbew matched resource behavioral2/files/0x0006000000022fa8-8.dat
Executes dropped EXE (1 IoC)
  PID 3400: Nkcmohbg.exe
Drops file in System32 directory (3 IoCs)
  File created: C:\Windows\SysWOW64\Nkcmohbg.exe (process: de0cd03f3bef051e711f80491911d4d0_NEIKI.exe)
  File opened for modification: C:\Windows\SysWOW64\Nkcmohbg.exe (process: de0cd03f3bef051e711f80491911d4d0_NEIKI.exe)
  File created: C:\Windows\SysWOW64\Hnibdpde.dll (process: de0cd03f3bef051e711f80491911d4d0_NEIKI.exe)
Program crash (1 IoC)
  PID 4328 (WerFault.exe) handled crash of target PID 3400
Modifies registry class (6 IoCs)
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID (process: de0cd03f3bef051e711f80491911d4d0_NEIKI.exe)
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717} (process: de0cd03f3bef051e711f80491911d4d0_NEIKI.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll" (process: de0cd03f3bef051e711f80491911d4d0_NEIKI.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" (process: de0cd03f3bef051e711f80491911d4d0_NEIKI.exe)
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 (process: de0cd03f3bef051e711f80491911d4d0_NEIKI.exe)
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node (process: de0cd03f3bef051e711f80491911d4d0_NEIKI.exe)
Suspicious use of WriteProcessMemory (3 IoCs)
  PID 1528 (de0cd03f3bef051e711f80491911d4d0_NEIKI.exe) wrote to memory of PID 3400 (procid_target 82)
  PID 1528 (de0cd03f3bef051e711f80491911d4d0_NEIKI.exe) wrote to memory of PID 3400 (procid_target 82)
  PID 1528 (de0cd03f3bef051e711f80491911d4d0_NEIKI.exe) wrote to memory of PID 3400 (procid_target 82)
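The "Adds autorun key" and "Modifies registry class" signatures above are two halves of one persistence chain: the ShellServiceObjectDelayLoad value "Web Event Logger" names CLSID {79FAA099-1BAE-816E-D711-115290CEE717}, and that CLSID's InProcServer32 default value points at the dropped Hnibdpde.dll, which is what makes the shell load the DLL in-process on startup. The Python below is an added example, not part of the sandbox report or its tooling: it stitches registry and file events into that chain. The event records are constructed from the report's signature lines; the rule logic and the names ssodl_entries, inproc_servers and persistence_chains are ours. It also records that the writes landed in the WOW6432Node view, which is what registry redirection does for a 32-bit sample on a 64-bit host, so a hunt on a 64-bit machine should query both views.

```python
"""Correlate sandbox registry and file IoCs into an SSODL persistence chain.

Added example, not part of the sandbox report. The event records are
constructed from the report's signature lines; the correlation logic is an
assumption about how a responder would join them, not the sandbox's code.
"""
import re

SAMPLE = "de0cd03f3bef051e711f80491911d4d0_NEIKI.exe"
CLSID = "{79FAA099-1BAE-816E-D711-115290CEE717}"
SSODL_KEY = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad"
INPROC_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID" + "\\" + CLSID + r"\InProcServer32"

# Constructed records: (operation, key, value name, data, writing process).
# Value name "" is the key's default value, rendered as a trailing backslash in the report.
REG_EVENTS = [
    ("Key created", SSODL_KEY, None, None, SAMPLE),
    ("Set value (str)", SSODL_KEY, "Web Event Logger", CLSID, SAMPLE),
    ("Key created", INPROC_KEY, None, None, SAMPLE),
    ("Set value (str)", INPROC_KEY, "", r"C:\Windows\SysWow64\Hnibdpde.dll", SAMPLE),
    ("Set value (str)", INPROC_KEY, "ThreadingModel", "Apartment", SAMPLE),
]

# Constructed records: (operation, path, writing process).
FILE_EVENTS = [
    ("File created", r"C:\Windows\SysWOW64\Nkcmohbg.exe", SAMPLE),
    ("File opened for modification", r"C:\Windows\SysWOW64\Nkcmohbg.exe", SAMPLE),
    ("File created", r"C:\Windows\SysWOW64\Hnibdpde.dll", SAMPLE),
]

SSODL_RE = re.compile(r"\\ShellServiceObjectDelayLoad$", re.IGNORECASE)
# Captures the CLSID from either the native or the WOW6432Node Classes view.
INPROC_RE = re.compile(
    r"\\Classes\\(?:WOW6432Node\\)?CLSID\\(\{[0-9A-Fa-f-]{36}\})\\InProcServer32$",
    re.IGNORECASE,
)


def ssodl_entries(events):
    """Every value written under ShellServiceObjectDelayLoad: name -> (clsid, process, in_wow64_view)."""
    out = {}
    for op, key, name, data, proc in events:
        if op.startswith("Set value") and SSODL_RE.search(key) and data:
            out[name] = (data.upper(), proc, "WOW6432NODE" in key.upper())
    return out


def inproc_servers(events):
    """Every InProcServer32 default-value write: CLSID -> DLL path (named values like ThreadingModel are skipped)."""
    out = {}
    for op, key, name, data, proc in events:
        m = INPROC_RE.search(key)
        if m and op.startswith("Set value") and not name:
            out[m.group(1).upper()] = data
    return out


def persistence_chains(reg_events, file_events):
    """Join SSODL value -> CLSID -> InProcServer32 DLL -> process that created that DLL."""
    created_by = {path.lower(): proc for op, path, proc in file_events if op == "File created"}
    servers = inproc_servers(reg_events)
    chains = []
    for name, (clsid, proc, wow) in ssodl_entries(reg_events).items():
        dll = servers.get(clsid)
        dropper = created_by.get(dll.lower()) if dll else None
        chains.append({
            "ssodl_value": name,
            "clsid": clsid,
            "dll": dll,
            "dll_dropped_by": dropper,
            "registered_by": proc,
            "wow64_view": wow,
            # Same process writes the DLL and registers it: the strongest signal in this chain.
            "self_installed": dll is not None and dropper == proc,
        })
    return chains


if __name__ == "__main__":
    for chain in persistence_chains(REG_EVENTS, FILE_EVENTS):
        for field, value in chain.items():
            print(f"{field:>16}: {value}")
```

Feeding it only the two ShellServiceObjectDelayLoad events yields a chain with no DLL, which is the right answer when a CLSID is referenced but never registered: that case is worth a lower-confidence alert of its own rather than silence.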
Processes
C:\Users\Admin\AppData\Local\Temp\de0cd03f3bef051e711f80491911d4d0_NEIKI.exe (command line: "C:\Users\Admin\AppData\Local\Temp\de0cd03f3bef051e711f80491911d4d0_NEIKI.exe") PID:1528
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\Nkcmohbg.exe (command line: C:\Windows\system32\Nkcmohbg.exe) PID:3400
  - Executes dropped EXE
    C:\Windows\SysWOW64\WerFault.exe (command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3400 -s 416) PID:4328
    - Program crash
C:\Windows\SysWOW64\WerFault.exe (command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3400 -ip 3400) PID:1056
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 3.7MB
MD5: a7066c8542ce29df7ae88236d576f4c5
SHA1: 58d0cabdda864596ed180f568b9537f73105cad4
SHA256: 62bd3b1f936b014debfb1a086b467219d26d0d9dd66c3cf4bdce86ee18f4d202
SHA512: 42d6b869e2444600af7c5f4e301d6c356d5ed479a5c0c2790e866cb5880fba63e5e9ca30046a5ce01f454b13b82ff239cf0bfae08d4b6be3d7f8e1f29e2053d3