Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20240220-en -
resource tags
arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system -
submitted
09/05/2024, 14:44
Behavioral task
behavioral1
Sample
6354e243a82ef3602c9682a6a92d9940_NeikiAnalytics.exe
Resource
win7-20240220-en
General
-
Target
6354e243a82ef3602c9682a6a92d9940_NeikiAnalytics.exe
-
Size
389KB
-
MD5
6354e243a82ef3602c9682a6a92d9940
-
SHA1
a38514280a04b6c1c0d7e9c25e5a981a51792d78
-
SHA256
a8205d8b0eb6ce6ab7a29e62b08853c5fb06cee410d6440ab4c9d1b7ffe5ff2d
-
SHA512
b400e7c6d00537a86c27858b7cf0beacd61d987f99cc2f704b8867978e739684d80d1637a523098f551c4a63092b2ceb4d90d62831284ee1f4c6e403764bdacf
-
SSDEEP
6144:nnOsaQgAOjvrZFODJjBz3j1jTqQy6v2GGnugOtihzXZ:nnOflT/ZFIjBz3xjTxynGUOUhXZ
Malware Config
Signatures
-
Malware Dropper & Backdoor - Berbew 1 IoCs
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
resource yara_rule behavioral1/files/0x000c000000014890-10.dat family_berbew -
Executes dropped EXE 1 IoCs
pid Process 2616 hasfj.exe -
Loads dropped DLL 1 IoCs
pid Process 2268 6354e243a82ef3602c9682a6a92d9940_NeikiAnalytics.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 2268 wrote to memory of 2616 2268 6354e243a82ef3602c9682a6a92d9940_NeikiAnalytics.exe 28 PID 2268 wrote to memory of 2616 2268 6354e243a82ef3602c9682a6a92d9940_NeikiAnalytics.exe 28 PID 2268 wrote to memory of 2616 2268 6354e243a82ef3602c9682a6a92d9940_NeikiAnalytics.exe 28 PID 2268 wrote to memory of 2616 2268 6354e243a82ef3602c9682a6a92d9940_NeikiAnalytics.exe 28
Processes
-
C:\Users\Admin\AppData\Local\Temp\6354e243a82ef3602c9682a6a92d9940_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\6354e243a82ef3602c9682a6a92d9940_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2268 -
C:\Users\Admin\AppData\Local\Temp\hasfj.exe"C:\Users\Admin\AppData\Local\Temp\hasfj.exe"2⤵
- Executes dropped EXE
PID:2616
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
389KB
MD58bac3b2c3f2a70f6effc496485a85c16
SHA1cd018c97b2a9f88e528d99c4f4041507c99ecbd7
SHA256414927797134b23c5c3717465e6e2852f20e5d7a4a70576991ba03ae2e81cb94
SHA51255a0b519aba3988668917a0e7c1fb3af71a5acd7e1f31bd636b71de133decc0343414c56bb9442f4e5c7d6095442c7c2c8669383c0ff8c4d0babbef5ba5ec8fc