Analysis

  • max time kernel: 94s
  • max time network: 126s
  • platform: windows10-2004_x64
  • resource: win10v2004-20240508-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 09/05/2024, 03:23

General

  • Target: de1c5b59010e912f48e8dc0086d7fad0_NEIKI.exe
  • Size: 141KB
  • MD5: de1c5b59010e912f48e8dc0086d7fad0
  • SHA1: ea4df63ce5011519318991fb78e932f67a009830
  • SHA256: b521920c0526ca8450f75ec86916cb801110b2edca600be5f4ec0290d2b3a6bc
  • SHA512: 9fef05d6d532cc0bb026f65c9a9314a22c594686cb6a6f9c5cd89ec169e741d4165a69f510cc28a1f7464e88562802bb59c53f298cb520d690f86eeff9595588
  • SSDEEP: 3072:+llQ+n0A9aYFbwQ9bGCmBJFWpoPSkGFj/p7sW0l:+llQML9aYFbN9bGCKJFtE/JK

Malware Config

Signatures

  • Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 18 IoCs)
  • Malware Dropper & Backdoor - Berbew (9 IoCs)

    Berbew is a backdoor Trojan that can download and install additional malicious software, such as other Trojans, ransomware, and cryptominers.

  • Executes dropped EXE (9 IoCs)
  • Drops file in System32 directory (27 IoCs)
  • Program crash (1 IoC)
  • Modifies registry class (30 IoCs)
  • Suspicious use of WriteProcessMemory (27 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\de1c5b59010e912f48e8dc0086d7fad0_NEIKI.exe
    "C:\Users\Admin\AppData\Local\Temp\de1c5b59010e912f48e8dc0086d7fad0_NEIKI.exe"
    1⤵
    • Adds autorun key to be loaded by Explorer.exe on startup
    • Drops file in System32 directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2252
    • C:\Windows\SysWOW64\Nklfoi32.exe
      C:\Windows\system32\Nklfoi32.exe
      2⤵
      • Adds autorun key to be loaded by Explorer.exe on startup
      • Executes dropped EXE
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:1784
      • C:\Windows\SysWOW64\Nafokcol.exe
        C:\Windows\system32\Nafokcol.exe
        3⤵
        • Adds autorun key to be loaded by Explorer.exe on startup
        • Executes dropped EXE
        • Drops file in System32 directory
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:2960
        • C:\Windows\SysWOW64\Ngcgcjnc.exe
          C:\Windows\system32\Ngcgcjnc.exe
          4⤵
          • Adds autorun key to be loaded by Explorer.exe on startup
          • Executes dropped EXE
          • Drops file in System32 directory
          • Modifies registry class
          • Suspicious use of WriteProcessMemory
          PID:3076
          • C:\Windows\SysWOW64\Njacpf32.exe
            C:\Windows\system32\Njacpf32.exe
            5⤵
            • Adds autorun key to be loaded by Explorer.exe on startup
            • Executes dropped EXE
            • Drops file in System32 directory
            • Modifies registry class
            • Suspicious use of WriteProcessMemory
            PID:4660
            • C:\Windows\SysWOW64\Nbhkac32.exe
              C:\Windows\system32\Nbhkac32.exe
              6⤵
              • Adds autorun key to be loaded by Explorer.exe on startup
              • Executes dropped EXE
              • Drops file in System32 directory
              • Modifies registry class
              • Suspicious use of WriteProcessMemory
              PID:3948
              • C:\Windows\SysWOW64\Nkqpjidj.exe
                C:\Windows\system32\Nkqpjidj.exe
                7⤵
                • Adds autorun key to be loaded by Explorer.exe on startup
                • Executes dropped EXE
                • Drops file in System32 directory
                • Modifies registry class
                • Suspicious use of WriteProcessMemory
                PID:4348
                • C:\Windows\SysWOW64\Nnolfdcn.exe
                  C:\Windows\system32\Nnolfdcn.exe
                  8⤵
                  • Adds autorun key to be loaded by Explorer.exe on startup
                  • Executes dropped EXE
                  • Drops file in System32 directory
                  • Modifies registry class
                  • Suspicious use of WriteProcessMemory
                  PID:4132
                  • C:\Windows\SysWOW64\Ndidbn32.exe
                    C:\Windows\system32\Ndidbn32.exe
                    9⤵
                    • Adds autorun key to be loaded by Explorer.exe on startup
                    • Executes dropped EXE
                    • Drops file in System32 directory
                    • Modifies registry class
                    • Suspicious use of WriteProcessMemory
                    PID:2580
                    • C:\Windows\SysWOW64\Nkcmohbg.exe
                      C:\Windows\system32\Nkcmohbg.exe
                      10⤵
                      • Executes dropped EXE
                      PID:4776
                      • C:\Windows\SysWOW64\WerFault.exe
                        C:\Windows\SysWOW64\WerFault.exe -u -p 4776 -s 400
                        11⤵
                        • Program crash
                        PID:1432
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4776 -ip 4776
    1⤵
      PID:3444
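The process tree above shows each stage writing a renamed copy of itself into C:\Windows\SysWOW64 and executing it, nine levels deep, until the last stage (Nkcmohbg.exe, PID 4776) crashes and WerFault.exe is started for it. The Python below is an added example, not part of the report or of any sandbox tooling: it reconstructs that chain from Sysmon Event ID 1-style process-creation records and flags it by shape rather than by hash. The event records are constructed from the PIDs, paths and command lines in the report; the parent PIDs of the two root processes (900, 700), the cmd.exe/whoami.exe noise and the small allowlist that stands in for a real signer or file-catalog check are assumptions made for the example.

```python
"""Reconstruct the self-replicating SysWOW64 process chain from the report
above out of process-creation telemetry, and flag the crash at its tail.
Added example, not part of the sandbox report."""
import re
from collections import defaultdict

SYSTEM_DIRS = ("c:\\windows\\syswow64\\", "c:\\windows\\system32\\")

# Stand-in for a signer / file-catalog check: an image in a system directory
# whose name is NOT in this set is treated as unknown.  Constructed for this
# example; a real deployment would verify the Authenticode signer instead.
KNOWN_OS_IMAGES = {"werfault.exe", "cmd.exe", "whoami.exe", "conhost.exe"}

# SHA256 values copied from the report's Downloads section (three of the nine).
REPORT_SHA256 = {
    "Nklfoi32": "e0f4996559f8b3ad8174d4a613521a3300748944adf049efb684105f8c56a628",
    "Nafokcol": "3055ac539589c1f5cdf83428de44c13f13e3f380cd9376e61f40b1dcc5caea6a",
    "Nkcmohbg": "0eb8afd49554e79bb7ea8141b6ecea9d7f781257d6200959e545aef9e3a98b3c",
}


def _ev(pid, ppid, image, cmdline=None, sha256=None):
    """One Sysmon Event ID 1-like record (pid, parent pid, image, command line, hash)."""
    return {"pid": pid, "ppid": ppid, "image": image,
            "cmdline": cmdline or image, "sha256": sha256}


# Constructed events modelled on the process tree: PIDs, paths and command lines
# come from the report; the root parent PIDs (900, 700) and the cmd/whoami noise
# are made up for the example, not captured from a host.
STAGES = ["Nklfoi32", "Nafokcol", "Ngcgcjnc", "Njacpf32", "Nbhkac32",
          "Nkqpjidj", "Nnolfdcn", "Ndidbn32", "Nkcmohbg"]
STAGE_PIDS = [1784, 2960, 3076, 4660, 3948, 4348, 4132, 2580, 4776]

EVENTS = [_ev(2252, 900, "C:\\Users\\Admin\\AppData\\Local\\Temp\\de1c5b59010e912f48e8dc0086d7fad0_NEIKI.exe")]
_parent = 2252
for _name, _pid in zip(STAGES, STAGE_PIDS):
    EVENTS.append(_ev(_pid, _parent, "C:\\Windows\\SysWOW64\\" + _name + ".exe",
                      sha256=REPORT_SHA256.get(_name)))
    _parent = _pid
EVENTS += [
    _ev(1432, 4776, "C:\\Windows\\SysWOW64\\WerFault.exe",
        "C:\\Windows\\SysWOW64\\WerFault.exe -u -p 4776 -s 400"),
    _ev(3444, 700, "C:\\Windows\\SysWOW64\\WerFault.exe",
        "C:\\Windows\\SysWOW64\\WerFault.exe -pss -s 416 -p 4776 -ip 4776"),
    _ev(5000, 900, "C:\\Windows\\SysWOW64\\cmd.exe", "cmd.exe /c whoami"),
    _ev(5001, 5000, "C:\\Windows\\SysWOW64\\whoami.exe"),
]


def is_unknown_system_image(image):
    """True for an executable in a Windows system directory that is not a known
    OS binary: the shape of every dropped stage in the report."""
    low = image.lower()
    return low.startswith(SYSTEM_DIRS) and low.rsplit("\\", 1)[-1] not in KNOWN_OS_IMAGES


def find_chains(events, min_depth=3):
    """Chains of unknown system-directory images, each spawned by the previous
    one, at least min_depth long.  Returns [(origin_pid, [pids...]), ...] where
    origin_pid is the non-chain parent that started the chain (the dropper)."""
    by_pid = {e["pid"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e["pid"])
    chains = []

    def walk(pid, path):
        kids = [c for c in children[pid] if is_unknown_system_image(by_pid[c]["image"])]
        if not kids:
            if len(path) >= min_depth:
                chains.append(path)
            return
        for c in kids:
            walk(c, path + [c])

    for e in events:
        if is_unknown_system_image(e["image"]):
            parent = by_pid.get(e["ppid"])
            if parent is None or not is_unknown_system_image(parent["image"]):
                walk(e["pid"], [e["pid"]])           # chain head
    return [(by_pid[c[0]]["ppid"], c) for c in chains]


_WERFAULT_TARGET = re.compile(r"\s-p\s+(\d+)\b")


def crashed_pids(events, pids):
    """PIDs from `pids` that WerFault.exe was launched for (-p <pid> on its
    command line): the report's 'Program crash' signature at the chain's tail."""
    hit = set()
    for e in events:
        if e["image"].lower().endswith("\\werfault.exe"):
            m = _WERFAULT_TARGET.search(e["cmdline"])
            if m and int(m.group(1)) in pids:
                hit.add(int(m.group(1)))
    return hit


def hash_hits(events, iocs=frozenset(REPORT_SHA256.values())):
    """PIDs whose image hash matches a dropped-file SHA256 from the report."""
    return {e["pid"] for e in events if e["sha256"] and e["sha256"].lower() in iocs}


def triage(events):
    chains = find_chains(events)
    members = {p for _, c in chains for p in c}
    return {"chains": chains, "crashed": crashed_pids(events, members),
            "hash_hits": sorted(hash_hits(events))}


if __name__ == "__main__":
    print(triage(EVENTS))
```

The chain detector returns the nine SysWOW64 stages with the Temp-resident dropper (PID 2252) as origin, the crash check returns 4776, and only the three stages whose hashes were copied in match by hash. Every dropped copy in the Downloads section below is 141KB like the original but has a different digest, so the hash IoCs match only this run; the chain shape (unknown executables in a system directory spawning one another) and the WerFault -p reference are what carry over to other samples.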

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\SysWOW64\Nafokcol.exe
    Filesize: 141KB
    MD5:    2e2952b1ef58b6b376eee706eba5e852
    SHA1:   5b401ab8118e44d04cbf234407c5f4f337a02736
    SHA256: 3055ac539589c1f5cdf83428de44c13f13e3f380cd9376e61f40b1dcc5caea6a
    SHA512: e1200a20e8571f571abd66bf578b8e90286cc4878ef333a96ec59bec9a1e62b581f32927d22b0c0d208da1d7e7cd446522302f572c5cd3f87e29156729f816f7

  • C:\Windows\SysWOW64\Nbhkac32.exe
    Filesize: 141KB
    MD5:    ae03819f4de63bbc84c1b23a99e5230d
    SHA1:   615475241fc9e2dabe4f15904c87330874da2183
    SHA256: e942332707f0b749b648bead31b0801ddf798ff3212828bb36b2bd804ca6e30b
    SHA512: aab5789d9febc8916ace2de5d6af317dd0b252c0b4e94ce7273a936d416a22514184e7515a378fd8396172b5e99f98b591665b52b88a75116313503c357a088c

  • C:\Windows\SysWOW64\Ndidbn32.exe
    Filesize: 141KB
    MD5:    1cd8dd830da8dfbfd34e24193c183001
    SHA1:   af6d7c49c367bde997a271be08840043b92f7a10
    SHA256: b15e6071d81e2a258254688df66293a15384f17511fefdc397b2aafc5b941d2c
    SHA512: 0d2320482b8f4c10fb020ac58eb8b0e9c7737d5b4b6cd62ee4ed5e2571f92f2c832226ff00e307c397ee3846f7925f19143753c3d738598abdbc9c5c7c86e6dc

  • C:\Windows\SysWOW64\Ngcgcjnc.exe
    Filesize: 141KB
    MD5:    5afffb7917f8a4473aa5c7b0b53283a4
    SHA1:   8d73df190c0539b64eaf729a29df21afd5c1f252
    SHA256: a361872ad9aa9679b9f4a217d21cff9cc612dc7171bc924228ac199b19d7cc39
    SHA512: 7259e74a853b302be1b190b7bb3732f1d6ac9835e028771743777a39869a4c563012621e9afed68cc47aaf030d6abcc0d3c1f375dc7eccc71a6bbfdd23fa1ac4

  • C:\Windows\SysWOW64\Njacpf32.exe
    Filesize: 141KB
    MD5:    7506c36974e75d2a0a49e13eedcd26a7
    SHA1:   498d674fa40658af47f66d92ff7aefac41763305
    SHA256: fd87cf5815e52a727774511991707306d10adf3126f7cdbacaabf939151419e3
    SHA512: 94920165285b3744ac0085bb5f212498c35b07f3727bc0a545ee4a00f6b38be909752c06cae73d137a233281b709bf5c1b41e90be278bda3b7040a47411958cf

  • C:\Windows\SysWOW64\Nkcmohbg.exe
    Filesize: 141KB
    MD5:    1aba7000a85f840fb7e7714855cc3d6e
    SHA1:   2aa49d62634820f638e9906ed335e3746b222a0c
    SHA256: 0eb8afd49554e79bb7ea8141b6ecea9d7f781257d6200959e545aef9e3a98b3c
    SHA512: 63398e4869f5a0d9c36c552c9436de0df64dbab1efb99f26d0eaa5a51b9b51171bffe0e880ecfd2319914eac23513911011a8fbb4fdf308323e19e0bdf7ea7cd

  • C:\Windows\SysWOW64\Nklfoi32.exe
    Filesize: 141KB
    MD5:    e51270e5ea8f933510db0b7c095de951
    SHA1:   58819ac9dfa8fb77c846a4b8a151285b52555c03
    SHA256: e0f4996559f8b3ad8174d4a613521a3300748944adf049efb684105f8c56a628
    SHA512: 1fc28a47c3cc7aa2e360d0d28d2fe3502ac9fe865a0986d65b1d0df45c17db56548c896d0e46986aec26413d7f59ef15c05ca6ec2727fbb939604c8fffaf5a5a

  • C:\Windows\SysWOW64\Nkqpjidj.exe
    Filesize: 141KB
    MD5:    acda31f0866fcb8c4c9bc84ad4bf769a
    SHA1:   e063d862220f5ca5c282be137604b529442e0c0d
    SHA256: e3e70f94b699ca3c7e3e639cb9b84596107a511694d66db71a2422602d867997
    SHA512: e1735674a4a4ab434faa41133748b94ea47953795089fd9f03ae5efac5ab7340b9cb5a5a1b39b2eab709aa6d8f5e39ba28546e52c1eb71acf4abe06f8ace3211

  • C:\Windows\SysWOW64\Nnolfdcn.exe
    Filesize: 141KB
    MD5:    9ebe5c1696c2d015271946b70b692d7b
    SHA1:   72f1849e764d211dcc19d3d91421fe134ea17d8d
    SHA256: 8b7c416dddf258ce98c5e20d4354286d30ead87567a3640b3aa9db8b3db7faa3
    SHA512: 94fe7c5736e9a09dce38167deef6fe64fb7f0f71b896adc0cbc99eabbbe522c0717b55ede4cb0676f27704427299087a04baf6cd958365315644ceefe6283703

  • memory/1784-13-0x0000000000400000-0x0000000000443000-memory.dmp (268KB)
  • memory/1784-81-0x0000000000400000-0x0000000000443000-memory.dmp (268KB)
  • memory/2252-0-0x0000000000400000-0x0000000000443000-memory.dmp (268KB)
  • memory/2252-82-0x0000000000400000-0x0000000000443000-memory.dmp (268KB)
  • memory/2252-5-0x0000000000431000-0x0000000000432000-memory.dmp (4KB)
  • memory/2580-75-0x0000000000400000-0x0000000000443000-memory.dmp (268KB)
  • memory/2580-65-0x0000000000400000-0x0000000000443000-memory.dmp (268KB)
  • memory/2960-80-0x0000000000400000-0x0000000000443000-memory.dmp (268KB)
  • memory/2960-17-0x0000000000400000-0x0000000000443000-memory.dmp (268KB)
  • memory/3076-29-0x0000000000400000-0x0000000000443000-memory.dmp (268KB)
  • memory/3076-79-0x0000000000400000-0x0000000000443000-memory.dmp (268KB)
  • memory/3948-41-0x0000000000400000-0x0000000000443000-memory.dmp (268KB)
  • memory/3948-77-0x0000000000400000-0x0000000000443000-memory.dmp (268KB)
  • memory/4132-62-0x0000000000400000-0x0000000000443000-memory.dmp (268KB)
  • memory/4348-48-0x0000000000400000-0x0000000000443000-memory.dmp (268KB)
  • memory/4348-76-0x0000000000400000-0x0000000000443000-memory.dmp (268KB)
  • memory/4660-33-0x0000000000400000-0x0000000000443000-memory.dmp (268KB)
  • memory/4660-78-0x0000000000400000-0x0000000000443000-memory.dmp (268KB)
  • memory/4776-72-0x0000000000400000-0x0000000000443000-memory.dmp (268KB)
  • memory/4776-74-0x0000000000400000-0x0000000000443000-memory.dmp (268KB)