Analysis

  • max time kernel
    121s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    09/05/2024, 14:42

General

  • Target

    62b0a704ff4299bb89933ba9dd71f070_NeikiAnalytics.exe

  • Size

    208KB

  • MD5

    62b0a704ff4299bb89933ba9dd71f070

  • SHA1

    5dbaf86ff56491dc813d8b752fd51c5b57059cc2

  • SHA256

    ab391beb27aabd848c1fe20defa1086c5abbd528955a0cfd7eb1d1c79c107d5c

  • SHA512

    7672e07b79da39acb1d09af62d2e4f711ba3bf42077898a3ed6daed65fd7af492d9d6b5d31f6f893862fe91a432f8d26665cb8fcb3b88b3ddb20cc46e6bcf1ec

  • SSDEEP

    6144:4q6QJoRQpJGbcDX4EYtCwGtMtkiXOoloMr1JeSldqP7+x55KmC:42feChtMtkM71r1MSXqPix55Kx

Malware Config

Signatures

  • Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 14 IoCs)
  • Malware Dropper & Backdoor - Berbew (9 IoCs)

    Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.

  • Executes dropped EXE (7 IoCs)
  • Loads dropped DLL (18 IoCs)
  • Drops file in System32 directory (21 IoCs)
  • Program crash (1 IoC)
  • Modifies registry class (24 IoCs)
  • Suspicious use of WriteProcessMemory (32 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\62b0a704ff4299bb89933ba9dd71f070_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\62b0a704ff4299bb89933ba9dd71f070_NeikiAnalytics.exe"
    1⤵
    • Adds autorun key to be loaded by Explorer.exe on startup
    • Loads dropped DLL
    • Drops file in System32 directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2188
    • C:\Windows\SysWOW64\Hcifgjgc.exe
      C:\Windows\system32\Hcifgjgc.exe
      2⤵
      • Adds autorun key to be loaded by Explorer.exe on startup
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:2784
      • C:\Windows\SysWOW64\Hnojdcfi.exe
        C:\Windows\system32\Hnojdcfi.exe
        3⤵
        • Adds autorun key to be loaded by Explorer.exe on startup
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in System32 directory
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:2584
        • C:\Windows\SysWOW64\Hnagjbdf.exe
          C:\Windows\system32\Hnagjbdf.exe
          4⤵
          • Adds autorun key to be loaded by Explorer.exe on startup
          • Executes dropped EXE
          • Loads dropped DLL
          • Drops file in System32 directory
          • Modifies registry class
          • Suspicious use of WriteProcessMemory
          PID:2508
          • C:\Windows\SysWOW64\Hlfdkoin.exe
            C:\Windows\system32\Hlfdkoin.exe
            5⤵
            • Adds autorun key to be loaded by Explorer.exe on startup
            • Executes dropped EXE
            • Loads dropped DLL
            • Drops file in System32 directory
            • Modifies registry class
            • Suspicious use of WriteProcessMemory
            PID:2716
            • C:\Windows\SysWOW64\Hcplhi32.exe
              C:\Windows\system32\Hcplhi32.exe
              6⤵
              • Adds autorun key to be loaded by Explorer.exe on startup
              • Executes dropped EXE
              • Loads dropped DLL
              • Drops file in System32 directory
              • Modifies registry class
              • Suspicious use of WriteProcessMemory
              PID:2372
              • C:\Windows\SysWOW64\Idceea32.exe
                C:\Windows\system32\Idceea32.exe
                7⤵
                • Adds autorun key to be loaded by Explorer.exe on startup
                • Executes dropped EXE
                • Loads dropped DLL
                • Drops file in System32 directory
                • Modifies registry class
                • Suspicious use of WriteProcessMemory
                PID:2292
                • C:\Windows\SysWOW64\Iagfoe32.exe
                  C:\Windows\system32\Iagfoe32.exe
                  8⤵
                  • Executes dropped EXE
                  • Suspicious use of WriteProcessMemory
                  PID:1484
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -u -p 1484 -s 140
                    9⤵
                    • Loads dropped DLL
                    • Program crash
                    PID:2444
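The process tree above is the behaviour worth detecting rather than any single file: each stage is an 8-character EXE written to SysWOW64 and launched by the previous stage, the command line reads `C:\Windows\system32\...` while the image path is `C:\Windows\SysWOW64\...` because the 32-bit sample runs under WOW64 file-system redirection on this x64 image, and the last stage (PID 1484) dies under WerFault. The Python below is an added example, not part of the sandbox report, that encodes that chain as a detection over process-creation events. The events are constructed from the tree (PIDs, paths and command lines copied from it, parent PIDs taken from the nesting, the dropper's own parent PID 1000 assumed), and the SysWOW64 allowlist is a stand-in for a real baseline.

```python
import re

# Constructed process-creation events modelled on the Processes tree in this
# report: PIDs, image paths and command lines are copied from it, parent PIDs
# follow the tree nesting, and the dropper's own parent (1000) is assumed.
# Field names loosely follow Sysmon Event ID 1 (ProcessCreate).
EVENTS = [
    {"pid": 2188, "ppid": 1000,
     "image": r"C:\Users\Admin\AppData\Local\Temp\62b0a704ff4299bb89933ba9dd71f070_NeikiAnalytics.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\62b0a704ff4299bb89933ba9dd71f070_NeikiAnalytics.exe"'},
    {"pid": 2784, "ppid": 2188, "image": r"C:\Windows\SysWOW64\Hcifgjgc.exe", "cmdline": r"C:\Windows\system32\Hcifgjgc.exe"},
    {"pid": 2584, "ppid": 2784, "image": r"C:\Windows\SysWOW64\Hnojdcfi.exe", "cmdline": r"C:\Windows\system32\Hnojdcfi.exe"},
    {"pid": 2508, "ppid": 2584, "image": r"C:\Windows\SysWOW64\Hnagjbdf.exe", "cmdline": r"C:\Windows\system32\Hnagjbdf.exe"},
    {"pid": 2716, "ppid": 2508, "image": r"C:\Windows\SysWOW64\Hlfdkoin.exe", "cmdline": r"C:\Windows\system32\Hlfdkoin.exe"},
    {"pid": 2372, "ppid": 2716, "image": r"C:\Windows\SysWOW64\Hcplhi32.exe", "cmdline": r"C:\Windows\system32\Hcplhi32.exe"},
    {"pid": 2292, "ppid": 2372, "image": r"C:\Windows\SysWOW64\Idceea32.exe", "cmdline": r"C:\Windows\system32\Idceea32.exe"},
    {"pid": 1484, "ppid": 2292, "image": r"C:\Windows\SysWOW64\Iagfoe32.exe", "cmdline": r"C:\Windows\system32\Iagfoe32.exe"},
    {"pid": 2444, "ppid": 1484, "image": r"C:\Windows\SysWOW64\WerFault.exe",
     "cmdline": r"C:\Windows\SysWOW64\WerFault.exe -u -p 1484 -s 140"},
]

# Hypothetical allowlist standing in for a baseline of the clean image. Note that
# WerFault.exe also has an 8-character name, so the name pattern alone is not enough.
KNOWN_SYSDIR = {"werfault.exe", "cmd.exe", "rundll32.exe", "svchost.exe"}

# 8 alphanumeric characters + .exe directly under SysWOW64 or system32
SYSDIR_RE = re.compile(r"^c:\\windows\\(syswow64|system32)\\[a-z0-9]{8}\.exe$", re.I)
# anything executed out of a user's AppData tree (where the dropper lives)
USER_WRITABLE_RE = re.compile(r"^c:\\users\\[^\\]+\\appdata\\", re.I)
# WerFault reporting a crash of process -p <pid>
WERFAULT_PID_RE = re.compile(r"werfault\.exe.*\s-p\s+(\d+)", re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def is_unknown_sysdir_exe(image):
    """True for an 8-character EXE in a system directory that is not on the allowlist."""
    return bool(SYSDIR_RE.match(image)) and basename(image) not in KNOWN_SYSDIR


def analyse(events):
    """Return the dropper chain as (pid, image, depth) and WerFault crashes of chain members."""
    by_pid = {e["pid"]: e for e in events}
    memo = {}

    def chain_depth(pid):
        # depth 1 = a binary run from a user-writable path (the initial dropper);
        # depth n+1 = an unknown system-directory EXE whose parent has depth n
        if pid in memo:
            return memo[pid]
        memo[pid] = 0                      # provisional value also guards against PID cycles
        e = by_pid.get(pid)
        if e is None:
            return 0
        if USER_WRITABLE_RE.match(e["image"]):
            memo[pid] = 1
        elif is_unknown_sysdir_exe(e["image"]):
            parent = chain_depth(e["ppid"])
            memo[pid] = parent + 1 if parent else 0
        return memo[pid]

    chain = [(e["pid"], e["image"], chain_depth(e["pid"]))
             for e in events if chain_depth(e["pid"]) >= 2]
    flagged = {pid for pid, _, _ in chain}
    crashes = []
    for e in events:
        m = WERFAULT_PID_RE.search(e["cmdline"])
        if m and int(m.group(1)) in flagged:
            crashes.append((e["pid"], int(m.group(1))))
    return {"chain": chain, "crashes": crashes}


if __name__ == "__main__":
    result = analyse(EVENTS)
    for pid, image, depth in result["chain"]:
        print(f"stage {depth}: pid {pid} {image}")
    for werfault_pid, crashed in result["crashes"]:
        print(f"WerFault pid {werfault_pid} reported crash of chain member {crashed}")
```

On the constructed events this flags the seven SysWOW64 stages at depths 2 through 8 and attributes the WerFault instance (PID 2444) to the crash of PID 1484; WerFault itself is not flagged because it is on the allowlist. In production the allowlist should come from a clean image or signer checks, and PID reuse over a long log needs the timestamps these constructed events omit.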

Network


        Downloads

        • C:\Windows\SysWOW64\Hnagjbdf.exe

          Filesize

          208KB

          MD5

          8fec4eb17ef66085a352531b91fe997e

          SHA1

          ced57ba029e646f8173a4359f9a19c22cc0e2816

          SHA256

          cdf2ab89e9d7fcea46f02a951ccc693c33a99b0ef25a3bf457644b424efc1ff7

          SHA512

          bd47971d69176b81c5064350bb7d6dab2a4cea2a5630889be45f2fc87016f13829ee7f1167e328739172f4c39ab141de0a8d82d5de2b11768847d548dcf6d593

        • C:\Windows\SysWOW64\Lponfjoo.dll

          Filesize

          7KB

          MD5

          3fa562c9b6ae626da3fda006c5fe2995

          SHA1

          98201dd3c5fb1ffef5318f31a64dcb98198de2af

          SHA256

          6b1004da3595ff423c8af3a630564461df692b4bd6a4bcbbe0329b068e7a656b

          SHA512

          440ce95964333d107ba46277a7cfb3c8d7136617732d1c7c77df8f60fc72c838bc899a1453c75785323b086ce5a70f3673ba4dca48f97005143d5aed8f915895

        • \Windows\SysWOW64\Hcifgjgc.exe

          Filesize

          208KB

          MD5

          241d4a8eed9c13a17abe8358ecc21621

          SHA1

          6f9ff78ec54c7ef8773640edb4c785f62b4d1aa0

          SHA256

          9367bfa4323c722ec443c12b1946d070bf386a7432725871bb8b9855d4de6d40

          SHA512

          c37373b5e2b811ae6fbaf840965b17f9fda23aca9b18bc35e2f66f3ca5aa683bc4dfa9ff7ea06ac59b86da471719d5bac250186eaa4f44fb13ab7556ea735a9b

        • \Windows\SysWOW64\Hcplhi32.exe

          Filesize

          208KB

          MD5

          a017216176aa766ce8492c171c548f08

          SHA1

          5dba72d7119ab1f71b5b4a29e5f1358b920f569c

          SHA256

          e8267d22756e4022a53c667fe146372b9c234f964133f02bee3bd07099c99445

          SHA512

          8699c9b459296d91ed25e19b48f8631d32be31b6a627373a0a51a691193080bc71e4141dbe6f06a465ee7ff3039be32407c39bff7e4fd8ed26b1ac078c7b252b

        • \Windows\SysWOW64\Hlfdkoin.exe

          Filesize

          208KB

          MD5

          c98c03a9db277d5939d3dc2ee196484b

          SHA1

          4109f107eaebb93c706a537aeecbca8f0a827ecb

          SHA256

          92e109095740db8d09e067b792fe594a162e376364c333e2c4a313a7c451c82d

          SHA512

          00c27a4beea56a93eaf9f8fab237aa1c65c7cf77fd380101b34fe4893af3ee44a4e2aadc7d71c56c27c39da4b66e61c89fbe332f9ddc801a93f47183686a9195

        • \Windows\SysWOW64\Hnojdcfi.exe

          Filesize

          208KB

          MD5

          e4eaa09d0fba28021a9945ab6cab4b0a

          SHA1

          f81ace0500fbff6dce96f24856d604701399ca14

          SHA256

          399973a9ecaa8a8c6f43c7e172a3ed5217a61c911616bf66e9c6e4e9cd2a411a

          SHA512

          77a12b5e437eadbe49c3e687e4ed4597dfdf4d6443e0b9e004170d18a43cc0cf728e125f31546d71fdacb7915c3e62f5e46bb6bf367bfce0d598021188a50657

        • \Windows\SysWOW64\Iagfoe32.exe

          Filesize

          208KB

          MD5

          7736eef8375042f58d2041469b9e2540

          SHA1

          7f9eb86643729c12fd4b45ed4bcc166ed46c6172

          SHA256

          5520cc61e23b3f7dfe9b86f97b45522f69cdfc342e116fe73b2009a4ab0c1093

          SHA512

          730eace5cba043c34090b63c3877484dfcf67103d4a878939bb939388f1ce01038e567632ba3510bbeebaf1ee64999ddab9a0d5ae3ac39f03f55a44df70b0f45

        • \Windows\SysWOW64\Idceea32.exe

          Filesize

          208KB

          MD5

          ac33384e370afd97f546b9f50a185807

          SHA1

          1a3c811defd12f967b48f2336f318c8c3bb6a120

          SHA256

          93f5066705ad78d5fbec8b2fd40af7328dc546622c10d2caad03d2c9c5734c0a

          SHA512

          14a73e4a1a45b9d993c7d6139e4fd652a1fb80687c80707af3251ab21315d555d1dcd1e8fc8bddebc2a535955db456fbd992f2a68e2a875fbd5878982fcf53e4

        • memory/1484-94-0x0000000000400000-0x0000000000436000-memory.dmp

          Filesize

          216KB

        • memory/2188-6-0x0000000000270000-0x00000000002A6000-memory.dmp

          Filesize

          216KB

        • memory/2188-99-0x0000000000400000-0x0000000000436000-memory.dmp

          Filesize

          216KB

        • memory/2188-18-0x0000000000270000-0x00000000002A6000-memory.dmp

          Filesize

          216KB

        • memory/2188-0-0x0000000000400000-0x0000000000436000-memory.dmp

          Filesize

          216KB

        • memory/2292-103-0x0000000000400000-0x0000000000436000-memory.dmp

          Filesize

          216KB

        • memory/2372-68-0x0000000000400000-0x0000000000436000-memory.dmp

          Filesize

          216KB

        • memory/2372-77-0x0000000000250000-0x0000000000286000-memory.dmp

          Filesize

          216KB

        • memory/2372-102-0x0000000000400000-0x0000000000436000-memory.dmp

          Filesize

          216KB

        • memory/2508-40-0x0000000000400000-0x0000000000436000-memory.dmp

          Filesize

          216KB

        • memory/2508-55-0x0000000000440000-0x0000000000476000-memory.dmp

          Filesize

          216KB

        • memory/2508-53-0x0000000000440000-0x0000000000476000-memory.dmp

          Filesize

          216KB

        • memory/2508-100-0x0000000000400000-0x0000000000436000-memory.dmp

          Filesize

          216KB

        • memory/2584-32-0x0000000000400000-0x0000000000436000-memory.dmp

          Filesize

          216KB

        • memory/2716-66-0x0000000000400000-0x0000000000436000-memory.dmp

          Filesize

          216KB

        • memory/2716-101-0x0000000000400000-0x0000000000436000-memory.dmp

          Filesize

          216KB

        • memory/2784-19-0x0000000000400000-0x0000000000436000-memory.dmp

          Filesize

          216KB
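Every dropped EXE in the list above is 208KB yet carries a different hash, so per-file hashes identify only this run of the sample; they are still the quickest thing to sweep a host for after the fact. The Python below is an added example, not part of the report, that parses the Downloads list into IoC records (validating hash lengths and hex), then hashes files under a directory and reports SHA-256 matches. The excerpt embedded in the script is copied from this page; the 1 MiB size cap, the decoy file and the temporary directory used in the demo are constructed for the example.

```python
import hashlib
import tempfile
from pathlib import Path

# Excerpt copied from the Downloads list of this report (two dropped files and
# one memory dump); blank lines between fields are optional for the parser.
REPORT_EXCERPT = r"""
• C:\Windows\SysWOW64\Hnagjbdf.exe
  Filesize
  208KB
  MD5
  8fec4eb17ef66085a352531b91fe997e
  SHA1
  ced57ba029e646f8173a4359f9a19c22cc0e2816
  SHA256
  cdf2ab89e9d7fcea46f02a951ccc693c33a99b0ef25a3bf457644b424efc1ff7
  SHA512
  bd47971d69176b81c5064350bb7d6dab2a4cea2a5630889be45f2fc87016f13829ee7f1167e328739172f4c39ab141de0a8d82d5de2b11768847d548dcf6d593
• C:\Windows\SysWOW64\Lponfjoo.dll
  Filesize
  7KB
  MD5
  3fa562c9b6ae626da3fda006c5fe2995
  SHA1
  98201dd3c5fb1ffef5318f31a64dcb98198de2af
  SHA256
  6b1004da3595ff423c8af3a630564461df692b4bd6a4bcbbe0329b068e7a656b
  SHA512
  440ce95964333d107ba46277a7cfb3c8d7136617732d1c7c77df8f60fc72c838bc899a1453c75785323b086ce5a70f3673ba4dca48f97005143d5aed8f915895
• memory/1484-94-0x0000000000400000-0x0000000000436000-memory.dmp
  Filesize
  216KB
"""

HASH_LEN = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}


def parse_downloads(text):
    """Turn the report's bullet list into dicts keyed by lowercased field label."""
    records, cur, label = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("•"):                 # a new entry: "• <path>"
            cur = {"path": line[1:].strip()}
            records.append(cur)
            label = None
        elif cur is not None and label is None:  # a field label such as "SHA256"
            label = line.lower()
        elif cur is not None:                    # the value for the pending label
            if label in HASH_LEN:
                line = line.lower()
                if len(line) != HASH_LEN[label] or any(c not in "0123456789abcdef" for c in line):
                    raise ValueError(f"bad {label} for {cur['path']}: {line}")
            cur[label] = line
            label = None
    return records


def sha256_index(records):
    """Map SHA-256 -> reported path; memory dumps have no hash and drop out here."""
    return {r["sha256"]: r["path"] for r in records if "sha256" in r}


def sha256_of(path, chunk=1 << 16):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def hunt(root, index, max_size=1 << 20):
    """Hash regular files under root (skipping files above max_size, an assumed cap) and return matches."""
    hits = []
    for p in sorted(Path(root).rglob("*")):
        if not p.is_file() or p.stat().st_size > max_size:
            continue
        digest = sha256_of(p)
        if digest in index:
            hits.append((str(p), digest, index[digest]))
    return hits


def demo():
    """Stand-alone run: parse the excerpt, plant a constructed decoy whose hash joins the index, hunt."""
    records = parse_downloads(REPORT_EXCERPT)
    index = sha256_index(records)
    with tempfile.TemporaryDirectory() as d:
        decoy = Path(d) / "SysWOW64" / "Hnagjbdf.exe"
        decoy.parent.mkdir()
        decoy.write_bytes(b"constructed stand-in, not the real sample")
        index[sha256_of(decoy)] = "constructed decoy"   # stands in for a real IoC hit
        (Path(d) / "benign.txt").write_bytes(b"nothing to see")
        return records, hunt(d, index)


if __name__ == "__main__":
    records, hits = demo()
    print(f"{len(records)} records, {len(sha256_index(records))} with SHA-256")
    for path, digest, name in hits:
        print(f"HIT {path} {digest} ({name})")
```

Treat the chain behaviour (a SysWOW64 binary spawning another freshly written SysWOW64 binary) as the durable signal and these hashes as confirmation for this specific sample; a fresh infection will write seven new 208KB files with seven new hashes.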