Analysis

  • max time kernel
    92s
  • max time network
    101s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    09/05/2024, 03:25

General

  • Target

    de6691e2dda3e61636b7fca20acc9640_NEIKI.exe

  • Size

    5.5MB

  • MD5

    de6691e2dda3e61636b7fca20acc9640

  • SHA1

    048e67318651a53cc6b9a7651838a5edf0d53dfb

  • SHA256

    43776b80c311fdcc1d0c7e330554de6a94b61f31fac184a8bada88cafb084a39

  • SHA512

    6efb8d6d85af62a36f7da093664ed5c77cde011dcedc909301be1b739f26d1a08eaf4d79efa3abe49476def02ff3d678146ca542ab2ab624fe384a2c5f674f37

  • SSDEEP

    98304:J6Gn9646r6HaSHFaZRBEYyqmS2DiHPKQgmZ0aUgUjvha/4wzlF65iE:taSHFaZRBEYyqmS2DiHPKQgwUgUjvhoM

Malware Config

Signatures

  • Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 26 IoCs
  • Malware Dropper & Backdoor - Berbew 14 IoCs

    Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.

  • Executes dropped EXE 13 IoCs
  • Drops file in System32 directory 39 IoCs
  • Program crash 1 IoCs
  • Modifies registry class 42 IoCs
  • Suspicious use of WriteProcessMemory 39 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\de6691e2dda3e61636b7fca20acc9640_NEIKI.exe
    "C:\Users\Admin\AppData\Local\Temp\de6691e2dda3e61636b7fca20acc9640_NEIKI.exe"
    1⤵
    • Adds autorun key to be loaded by Explorer.exe on startup
    • Drops file in System32 directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4312
    • C:\Windows\SysWOW64\Dfdbojmq.exe
      C:\Windows\system32\Dfdbojmq.exe
      2⤵
      • Adds autorun key to be loaded by Explorer.exe on startup
      • Executes dropped EXE
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:2512
      • C:\Windows\SysWOW64\Domfgpca.exe
        C:\Windows\system32\Domfgpca.exe
        3⤵
        • Adds autorun key to be loaded by Explorer.exe on startup
        • Executes dropped EXE
        • Drops file in System32 directory
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:3560
        • C:\Windows\SysWOW64\Ffbnph32.exe
          C:\Windows\system32\Ffbnph32.exe
          4⤵
          • Adds autorun key to be loaded by Explorer.exe on startup
          • Executes dropped EXE
          • Drops file in System32 directory
          • Modifies registry class
          • Suspicious use of WriteProcessMemory
          PID:1260
          • C:\Windows\SysWOW64\Fqaeco32.exe
            C:\Windows\system32\Fqaeco32.exe
            5⤵
            • Adds autorun key to be loaded by Explorer.exe on startup
            • Executes dropped EXE
            • Drops file in System32 directory
            • Modifies registry class
            • Suspicious use of WriteProcessMemory
            PID:2260
            • C:\Windows\SysWOW64\Hjjbcbqj.exe
              C:\Windows\system32\Hjjbcbqj.exe
              6⤵
              • Adds autorun key to be loaded by Explorer.exe on startup
              • Executes dropped EXE
              • Drops file in System32 directory
              • Modifies registry class
              • Suspicious use of WriteProcessMemory
              PID:2912
              • C:\Windows\SysWOW64\Iidipnal.exe
                C:\Windows\system32\Iidipnal.exe
                7⤵
                • Adds autorun key to be loaded by Explorer.exe on startup
                • Executes dropped EXE
                • Drops file in System32 directory
                • Modifies registry class
                • Suspicious use of WriteProcessMemory
                PID:2924
                • C:\Windows\SysWOW64\Jiphkm32.exe
                  C:\Windows\system32\Jiphkm32.exe
                  8⤵
                  • Adds autorun key to be loaded by Explorer.exe on startup
                  • Executes dropped EXE
                  • Drops file in System32 directory
                  • Modifies registry class
                  • Suspicious use of WriteProcessMemory
                  PID:5096
                  • C:\Windows\SysWOW64\Jbhmdbnp.exe
                    C:\Windows\system32\Jbhmdbnp.exe
                    9⤵
                    • Adds autorun key to be loaded by Explorer.exe on startup
                    • Executes dropped EXE
                    • Drops file in System32 directory
                    • Modifies registry class
                    • Suspicious use of WriteProcessMemory
                    PID:2840
                    • C:\Windows\SysWOW64\Kknafn32.exe
                      C:\Windows\system32\Kknafn32.exe
                      10⤵
                      • Adds autorun key to be loaded by Explorer.exe on startup
                      • Executes dropped EXE
                      • Drops file in System32 directory
                      • Modifies registry class
                      • Suspicious use of WriteProcessMemory
                      PID:2612
                      • C:\Windows\SysWOW64\Kgfoan32.exe
                        C:\Windows\system32\Kgfoan32.exe
                        11⤵
                        • Adds autorun key to be loaded by Explorer.exe on startup
                        • Executes dropped EXE
                        • Drops file in System32 directory
                        • Modifies registry class
                        • Suspicious use of WriteProcessMemory
                        PID:2496
                        • C:\Windows\SysWOW64\Mjqjih32.exe
                          C:\Windows\system32\Mjqjih32.exe
                          12⤵
                          • Adds autorun key to be loaded by Explorer.exe on startup
                          • Executes dropped EXE
                          • Drops file in System32 directory
                          • Modifies registry class
                          • Suspicious use of WriteProcessMemory
                          PID:1868
                          • C:\Windows\SysWOW64\Nceonl32.exe
                            C:\Windows\system32\Nceonl32.exe
                            13⤵
                            • Adds autorun key to be loaded by Explorer.exe on startup
                            • Executes dropped EXE
                            • Drops file in System32 directory
                            • Modifies registry class
                            • Suspicious use of WriteProcessMemory
                            PID:4696
                            • C:\Windows\SysWOW64\Nkcmohbg.exe
                              C:\Windows\system32\Nkcmohbg.exe
                              14⤵
                              • Executes dropped EXE
                              PID:3304
                              • C:\Windows\SysWOW64\WerFault.exe
                                C:\Windows\SysWOW64\WerFault.exe -u -p 3304 -s 408
                                15⤵
                                • Program crash
                                PID:4616
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3304 -ip 3304
    1⤵
      PID:4816

Network

MITRE ATT&CK Enterprise v15

Downloads

          • C:\Windows\SysWOW64\Dfdbojmq.exe

            Filesize

            5.5MB

            MD5

            312e264bd797fcde6e056b97f746f548

            SHA1

            e3ac2d19eec93fa6c926789e69030f23fcb6949f

            SHA256

            831abd7a11c93f7b9350ac8bb90f4f8f34278a0cb1ae84d5a6a81e7a16aa78f8

            SHA512

            a9ccda1a7e0a5515571d92def4010d24caceff9d36efcc97207b81ea971bb43163e7b89b6f82fd16af3deb5da6fc5fd5b749bfe24d1e95990ef8e69c7c6896ce

          • C:\Windows\SysWOW64\Domfgpca.exe

            Filesize

            5.5MB

            MD5

            d19ec5a2154f73ff6b2f8de7fac33e26

            SHA1

            7a1bb22e5b666baf6ebb952f108a2c131e0c6581

            SHA256

            1225a13785e7e5f685e76fd8e562d48b4bca7b81c477757b02c9ce397a65588b

            SHA512

            5b6129d0d70678c0d51a053f0f257737636a5df2f1e133305c3c3321ec9e226261ce5804462269a2176ea8782e3a868fb4e95ce6cdbd8ac7c3015d902bcacf81

          • C:\Windows\SysWOW64\Ffbnph32.exe

            Filesize

            5.5MB

            MD5

            13e1cf1d082a673492231967f93f1774

            SHA1

            e3c96e18133d656199d8d442bee9627bf08a0755

            SHA256

            c50519ce3440c4433836b53350b2bbd31e8125593fd8c553aff88a6cd6dc8cde

            SHA512

            7f18b9d8e64943ee620f3c0870014de78cc28559e452129bc8fa6caea8eac4d75bbbe263d14b4f062e195a76567d591caf929eb4e6c661cdcc2e78fb920a4a9a

          • C:\Windows\SysWOW64\Fqaeco32.exe

            Filesize

            5.5MB

            MD5

            de8ed894de2035cf30ab97f7ea3c518f

            SHA1

            16383d16e6ba946ca4370ae1276451d702ad9c6c

            SHA256

            8bb49005007664bdb6a5aef5c9ad1ee60de926f00e118a3d32445ba6be56180a

            SHA512

            b70631659e80ec970e4c9d92070273dcac85277aa525acc66903b69c32b7f3b825818a77a2bf0ddd10e08ab71b23716e497981d8757acdfb572e3b430dc0c3dd

          • C:\Windows\SysWOW64\Hjjbcbqj.exe

            Filesize

            5.5MB

            MD5

            fbfc2ff9ae4e574ec61c908edfb4309f

            SHA1

            ee50c59c7a119968caa8462434247936364fd89a

            SHA256

            d204627d89f219ca95868a415fa1004c682e80993e7a28d94654d558dd161397

            SHA512

            e8d3c3123b5748466000e59176fb723c5904c7314bd25747e0688d48c2560e5ba22f8dcde126a0be6397c8857bb5756ddf8041a99b3bc9d9ac3690b74bf21190

          • C:\Windows\SysWOW64\Iidipnal.exe

            Filesize

            4.4MB

            MD5

            cc22fe4421fef6afe172126a383e3f58

            SHA1

            8b73ac727d7bdf5dd78aaf9be3de17457c57e6d7

            SHA256

            f6e75c867f899908b8831c74a9cdd418d4266d1a729aab97ad2a4f7177ef7b32

            SHA512

            7d88649f2cc11b86da6bd0860f8c66a28d013f542d128dbb83277a9ed5b9a3667b9f4e9e7ba1b955ea03b2cf113b7857c3a2d1639b626736f11e2f7938a5ec44

          • C:\Windows\SysWOW64\Iidipnal.exe

            Filesize

            5.5MB

            MD5

            30129775c5453ba28f01c89b88e83b44

            SHA1

            84ce13669f6693f1fa61fc34589c34ae46e3c470

            SHA256

            0344634fdc7823d57703ccccf4be7d2cb0e9f9e53a06874822dcff9cfdb99301

            SHA512

            98a35bd78c52ad67f8620901204466ec81573a6100ca5c91d0ff0ff514eb9f38d86c809da45d0a72b586ff95fb9f79d700d58fe537afee242283b238be8b171a

          • C:\Windows\SysWOW64\Jbhmdbnp.exe

            Filesize

            5.5MB

            MD5

            5f615b5f0ba62ce467b3f109a82589a6

            SHA1

            a81172b1996ee950f0d05773b2fa9270e51382eb

            SHA256

            baa84d3ec64b4ed636969d6ae791ef01c74ca38e4aac9e79044012ba6e5e30b2

            SHA512

            265595fd3bd289f6d189ff16af7b915cea037bf3e982ad4beed40b48ba0a29481ad8535b51269152aad819844c801258d3dc3a820efa2e97cb00e85eb1196b1f

          • C:\Windows\SysWOW64\Jiphkm32.exe

            Filesize

            5.5MB

            MD5

            e2bf1d48679ccec3c2961e870fdffc47

            SHA1

            2a198d79341142a8e38e0cd8b29244c4f42b7bfe

            SHA256

            a3d2c4e006c565dd75bfbbcf93cef666e06fffa928069c1dfc6d4f324370b6e1

            SHA512

            7ff33c17c37297981c7d65835d8252916440621d7b0c1d54e8a5efe1207bb86ca76f6680090f82b36228298eb389bd28de24a56527c7556fd0960070ee1c3351

          • C:\Windows\SysWOW64\Kgfoan32.exe

            Filesize

            5.5MB

            MD5

            e55a7be26a045c7a9f751e902612a411

            SHA1

            ee38e4117430cb84c327286d58555c01d0c839ec

            SHA256

            3882f32a320f31e88763fb842a45612b22f059745d6c733ecb699dc495ee2185

            SHA512

            8f6422f886fa82ef6c43124b0799b2f284ce53e5ae362c0559e00067911a8516a5763a7c810a42a9bd0322500269602880a0a6d426d7f399863a7984b004feb0

          • C:\Windows\SysWOW64\Kknafn32.exe

            Filesize

            5.5MB

            MD5

            61318872037ce5a1bcdf5c49ea6b117a

            SHA1

            64a259b938ffe2ec96b440098e8c10e18fcccdee

            SHA256

            1c5ec6b0148e0232c2a64d40c1c8c354d0d2ef862504eefe772f30cc248d38cc

            SHA512

            d7340eb9b46ef041340cf0897cc40cfbde17cf82296cec14a743fe5bd9b6f0b99a3f69174b80fc0abc841daa2867f9f72b26d108f0406417e7d94c968a0ae1f8

          • C:\Windows\SysWOW64\Mjqjih32.exe

            Filesize

            5.5MB

            MD5

            2ff11b805ba6f4ec909d05df75ccf3fa

            SHA1

            8869df6ecc3be4b7eeb037348c88b1bcdfe62890

            SHA256

            b9461ded335383190a198c882a705a59742cb93a3e8d6301ffed05639abde79c

            SHA512

            5217167737ba39a68983095b0484f6818b87fa3c93a29fdb9316488cc238f4f531ca75ab2f983962fce50bfdb3c73d8fc1ee2bc577dc8b8276379448a31f33b8

          • C:\Windows\SysWOW64\Nceonl32.exe

            Filesize

            5.5MB

            MD5

            47ad6de597502a8897b97d1ef47efc4b

            SHA1

            b49e4fa240e2ec7404708b856080de6347628204

            SHA256

            7baa107cb1c1ddcd62153f64205b666f462a929a67f9b661f35b2975a8f26b43

            SHA512

            0f88dc5be56e7079a0ea8cf573157eaf160485c21e97ee70489c2121e9627e1af5f4bdf07d167546ddfa63f3cac575c06bc9a41895930af4c2a3274451c288b6

          • C:\Windows\SysWOW64\Nkcmohbg.exe

            Filesize

            5.5MB

            MD5

            3ceac35377a0f07f98726139ce179059

            SHA1

            9a3c64acb1f5b7cec461880e7cc00f83ae40e8ce

            SHA256

            9aee34c274c1fe90c32a51da163e639962d32c303b6a1fa71b85e6fb0bedc382

            SHA512

            26a512047b9a7d20dc0cb58138d895a506b7f9eb7c36ea89e6a7343038e86d3635a63f4507b686370b3c7e580e7500422a3575027bec0734913f2d9600d79758

          • memory/1260-115-0x0000000000400000-0x0000000000435000-memory.dmp

            Filesize

            212KB

          • memory/1260-25-0x0000000000400000-0x0000000000435000-memory.dmp

            Filesize

            212KB

          • memory/1868-108-0x0000000000400000-0x0000000000435000-memory.dmp

            Filesize

            212KB

          • memory/1868-88-0x0000000000400000-0x0000000000435000-memory.dmp

            Filesize

            212KB

          • memory/2260-119-0x0000000000400000-0x0000000000435000-memory.dmp

            Filesize

            212KB

          • memory/2260-33-0x0000000000400000-0x0000000000435000-memory.dmp

            Filesize

            212KB

          • memory/2496-109-0x0000000000400000-0x0000000000435000-memory.dmp

            Filesize

            212KB

          • memory/2496-81-0x0000000000400000-0x0000000000435000-memory.dmp

            Filesize

            212KB

          • memory/2512-117-0x0000000000400000-0x0000000000435000-memory.dmp

            Filesize

            212KB

          • memory/2512-9-0x0000000000400000-0x0000000000435000-memory.dmp

            Filesize

            212KB

          • memory/2612-72-0x0000000000400000-0x0000000000435000-memory.dmp

            Filesize

            212KB

          • memory/2612-110-0x0000000000400000-0x0000000000435000-memory.dmp

            Filesize

            212KB

          • memory/2840-64-0x0000000000400000-0x0000000000435000-memory.dmp

            Filesize

            212KB

          • memory/2840-111-0x0000000000400000-0x0000000000435000-memory.dmp

            Filesize

            212KB

          • memory/2912-40-0x0000000000400000-0x0000000000435000-memory.dmp

            Filesize

            212KB

          • memory/2912-114-0x0000000000400000-0x0000000000435000-memory.dmp

            Filesize

            212KB

          • memory/2924-48-0x0000000000400000-0x0000000000435000-memory.dmp

            Filesize

            212KB

          • memory/2924-113-0x0000000000400000-0x0000000000435000-memory.dmp

            Filesize

            212KB

          • memory/3304-105-0x0000000000400000-0x0000000000435000-memory.dmp

            Filesize

            212KB

          • memory/3304-106-0x0000000000400000-0x0000000000435000-memory.dmp

            Filesize

            212KB

          • memory/3560-116-0x0000000000400000-0x0000000000435000-memory.dmp

            Filesize

            212KB

          • memory/3560-18-0x0000000000400000-0x0000000000435000-memory.dmp

            Filesize

            212KB

          • memory/4312-0-0x0000000000400000-0x0000000000435000-memory.dmp

            Filesize

            212KB

          • memory/4312-118-0x0000000000400000-0x0000000000435000-memory.dmp

            Filesize

            212KB

          • memory/4312-2-0x0000000000431000-0x0000000000432000-memory.dmp

            Filesize

            4KB

          • memory/4696-96-0x0000000000400000-0x0000000000435000-memory.dmp

            Filesize

            212KB

          • memory/4696-107-0x0000000000400000-0x0000000000435000-memory.dmp

            Filesize

            212KB

          • memory/5096-112-0x0000000000400000-0x0000000000435000-memory.dmp

            Filesize

            212KB

          • memory/5096-57-0x0000000000400000-0x0000000000435000-memory.dmp

            Filesize

            212KB