Analysis

  • max time kernel
    136s
  • max time network
    99s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09/05/2024, 03:23

General

  • Target

    de0cd03f3bef051e711f80491911d4d0_NEIKI.exe

  • Size

    3.7MB

  • MD5

    de0cd03f3bef051e711f80491911d4d0

  • SHA1

    cdca03424f6f97fef661fa3c27ac57938f6d8f1d

  • SHA256

    b3506e6760f5d376b1d5ecd79d29f36276e8947451f91567c68749fc5cbf4b41

  • SHA512

    777e98d8b8379bd909036369854d42a8398027f9b68c8a3efe203dd85aec665350ec044a541602e720c3d894a5e857fe937518a49566b6d645f6ce3723e50033

  • SSDEEP

    98304:IrTWVDBzcjgBNXcolMZ5nNxvM0oLoPKnllYUugyF:IXWVDBzcjgBNXcolMZ5nNxvM0oLo6Yb

Malware Config

Signatures

  • Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 2 IoCs
  • Malware Dropper & Backdoor - Berbew 1 IoCs

    Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.

  • Executes dropped EXE 1 IoCs
  • Drops file in System32 directory 3 IoCs
  • Program crash 1 IoCs
  • Modifies registry class 6 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\de0cd03f3bef051e711f80491911d4d0_NEIKI.exe
    "C:\Users\Admin\AppData\Local\Temp\de0cd03f3bef051e711f80491911d4d0_NEIKI.exe"
    1⤵
    • Adds autorun key to be loaded by Explorer.exe on startup
    • Drops file in System32 directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1528
    • C:\Windows\SysWOW64\Nkcmohbg.exe
      C:\Windows\system32\Nkcmohbg.exe
      2⤵
      • Executes dropped EXE
      PID:3400
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3400 -s 416
        3⤵
        • Program crash
        PID:4328
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3400 -ip 3400
    1⤵
      PID:1056

    Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Windows\SysWOW64\Nkcmohbg.exe

            Filesize

            3.7MB

            MD5

            a7066c8542ce29df7ae88236d576f4c5

            SHA1

            58d0cabdda864596ed180f568b9537f73105cad4

            SHA256

            62bd3b1f936b014debfb1a086b467219d26d0d9dd66c3cf4bdce86ee18f4d202

            SHA512

            42d6b869e2444600af7c5f4e301d6c356d5ed479a5c0c2790e866cb5880fba63e5e9ca30046a5ce01f454b13b82ff239cf0bfae08d4b6be3d7f8e1f29e2053d3

          • memory/1528-0-0x0000000000400000-0x0000000000435000-memory.dmp

            Filesize

            212KB

          • memory/1528-10-0x0000000000400000-0x0000000000435000-memory.dmp

            Filesize

            212KB

          • memory/3400-7-0x0000000000400000-0x0000000000435000-memory.dmp

            Filesize

            212KB

          • memory/3400-9-0x0000000000400000-0x0000000000435000-memory.dmp

            Filesize

            212KB