Analysis Overview
SHA256
ea7dc678eb5e1b60662eac77e0ff06d4d6acf9bc2e00d333731f1d12ea71edd2
Threat Level: Known bad
The file 57253ea6c3d290a72ed2b861efb1e320_NeikiAnalytics was found to be: Known bad.
Malicious Activity Summary
Malware Dropper & Backdoor - Berbew
Berbew family
Deletes itself
Executes dropped EXE
Loads dropped DLL
Unsigned PE
Suspicious use of WriteProcessMemory
Analysis: static1
Detonation Overview
Reported
2024-05-09 14:13
Signatures
Berbew family
Malware Dropper & Backdoor - Berbew
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-09 14:13
Reported
2024-05-09 14:15
Platform
win7-20240221-en
Max time kernel
120s
Max time network
121s
Command Line
Signatures
Malware Dropper & Backdoor - Berbew
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\EA1.tmp | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\EA1.tmp | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\57253ea6c3d290a72ed2b861efb1e320_NeikiAnalytics.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1248 wrote to memory of 2696 | N/A | C:\Users\Admin\AppData\Local\Temp\57253ea6c3d290a72ed2b861efb1e320_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\EA1.tmp |
| PID 1248 wrote to memory of 2696 | N/A | C:\Users\Admin\AppData\Local\Temp\57253ea6c3d290a72ed2b861efb1e320_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\EA1.tmp |
| PID 1248 wrote to memory of 2696 | N/A | C:\Users\Admin\AppData\Local\Temp\57253ea6c3d290a72ed2b861efb1e320_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\EA1.tmp |
| PID 1248 wrote to memory of 2696 | N/A | C:\Users\Admin\AppData\Local\Temp\57253ea6c3d290a72ed2b861efb1e320_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\EA1.tmp |
Processes
C:\Users\Admin\AppData\Local\Temp\57253ea6c3d290a72ed2b861efb1e320_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\57253ea6c3d290a72ed2b861efb1e320_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Local\Temp\EA1.tmp
"C:\Users\Admin\AppData\Local\Temp\EA1.tmp"
Network
Files
\Users\Admin\AppData\Local\Temp\EA1.tmp
| MD5 | 14ef027f5ba75f5a171d25beb096fecc |
| SHA1 | 2b71033f7baab19a283a8f653658c8bb91f068ad |
| SHA256 | 13eacb47857c8e66128f67a8de76663ad2cdbc030a59243a5123e12144195e26 |
| SHA512 | 457ece1f63556c5c5f9100614d97c1860579d919cbf378243d8109bf6018b5e0fe84278a7c1b6294cb3f61ea3dc2310c8fe35f02ebafaee8b93fbdbba9eff139 |
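The behavioral1 signatures describe a four-step chain: the dropper writes EA1.tmp into %TEMP%, executes it, writes into the new process's memory (four WriteProcessMemory events from PID 1248 to PID 2696), and the dropper's own image is then deleted, an action the report attributes to the EA1.tmp process. What follows is an added example, not part of the sandbox report, of how that chain can be reassembled from Sysmon-style endpoint events. The event records, the explorer.exe control event and the helper names are constructed for illustration; the report itself contains no event log beyond the rows above, and the Sysmon field names (ProcessCreate ID 1, ProcessAccess ID 10, FileCreate ID 11, FileDelete ID 23) are used only as a realistic shape for the input.

```python
"""Detection logic for the drop -> execute -> write-memory -> self-delete chain in behavioral1.

Added example, not part of the sandbox report. The events below are constructed to mirror
the report (dropper PID 1248, EA1.tmp PID 2696) using Sysmon field names; they are not
captured telemetry.
"""
import re
from collections import defaultdict

DROPPER = r"C:\Users\Admin\AppData\Local\Temp\57253ea6c3d290a72ed2b861efb1e320_NeikiAnalytics.exe"
PAYLOAD = r"C:\Users\Admin\AppData\Local\Temp\EA1.tmp"

# Per-user Temp directory; every path in the report sits here.
TEMP_RE = re.compile(r"^[A-Za-z]:\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.IGNORECASE)
# Short hex name plus .tmp, as in EA1.tmp / 512D.tmp (the shape GetTempFileName gives an empty prefix).
TMP_EXE_RE = re.compile(r"\\[0-9A-F]{1,4}\.tmp$", re.IGNORECASE)
PROCESS_VM_WRITE = 0x0020  # Win32 access right that WriteProcessMemory needs on the target handle

SAMPLE_EVENTS = [  # constructed; mirrors behavioral1
    {"EventID": 11, "ProcessId": 1248, "Image": DROPPER, "TargetFilename": PAYLOAD},
    {"EventID": 1, "ProcessId": 2696, "Image": PAYLOAD,
     "ParentProcessId": 1248, "ParentImage": DROPPER},
    # GrantedAccess 0x1FFFFF is PROCESS_ALL_ACCESS, which includes PROCESS_VM_WRITE
    {"EventID": 10, "SourceProcessId": 1248, "TargetProcessId": 2696, "GrantedAccess": "0x1FFFFF"},
    # the report attributes "Deletes itself" to EA1.tmp: the child removes the dropper's image
    {"EventID": 23, "ProcessId": 2696, "Image": PAYLOAD, "TargetFilename": DROPPER},
    # control: a .tmp launched from Temp by explorer.exe has no Temp-resident parent and no memory write
    {"EventID": 1, "ProcessId": 3001, "Image": r"C:\Users\Admin\AppData\Local\Temp\7A2.tmp",
     "ParentProcessId": 900, "ParentImage": r"C:\Windows\explorer.exe"},
]


def in_temp(path):
    return bool(TEMP_RE.match(path))


def detect_drop_and_inject(events):
    """Return one alert per Temp-resident parent/child pair where a dropped .tmp executable
    runs and the parent then writes the child's memory. The FileCreate of the payload and the
    deletion of the parent's image are recorded as extra stages when present (FileDelete must
    be enabled in the Sysmon config, so its absence is not exonerating)."""
    dropped_by = {}                     # lowercase path -> pid that created it
    children = {}                       # child pid -> (parent pid, child image, parent image)
    stages = defaultdict(set)
    for ev in events:
        eid = ev["EventID"]
        if eid == 11:
            dropped_by[ev["TargetFilename"].lower()] = ev["ProcessId"]
        elif eid == 1:
            img, parent = ev["Image"], ev["ParentImage"]
            if in_temp(parent) and in_temp(img) and TMP_EXE_RE.search(img):
                pid = ev["ProcessId"]
                children[pid] = (ev["ParentProcessId"], img, parent)
                stages[pid].add("dropped_tmp_executed")
                if dropped_by.get(img.lower()) == ev["ParentProcessId"]:
                    stages[pid].add("tmp_written_by_parent")
        elif eid == 10:
            tgt = ev["TargetProcessId"]
            if (tgt in children and ev["SourceProcessId"] == children[tgt][0]
                    and int(ev["GrantedAccess"], 16) & PROCESS_VM_WRITE):
                stages[tgt].add("parent_writes_child_memory")
        elif eid == 23:
            for pid, (_, _, parent) in children.items():
                if ev["TargetFilename"].lower() == parent.lower():
                    stages[pid].add("parent_image_deleted")
    alerts = []
    for pid, seen in stages.items():
        if {"dropped_tmp_executed", "parent_writes_child_memory"} <= seen:
            ppid, img, parent = children[pid]
            alerts.append({"parent_pid": ppid, "child_pid": pid,
                           "parent": parent, "child": img, "stages": sorted(seen)})
    return alerts


if __name__ == "__main__":
    for alert in detect_drop_and_inject(SAMPLE_EVENTS):
        print(alert)
```

The alert condition deliberately requires both the Temp-to-Temp .tmp launch and the parent's PROCESS_VM_WRITE access: installers do run .tmp executables out of Temp, but their parent is rarely itself an unsigned binary in Temp that then writes into the child. The extra stages raise confidence when they are present without being required.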
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-09 14:13
Reported
2024-05-09 14:15
Platform
win10v2004-20240508-en
Max time kernel
93s
Max time network
124s
Command Line
Signatures
Malware Dropper & Backdoor - Berbew
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\512D.tmp | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4476 wrote to memory of 2828 | N/A | C:\Users\Admin\AppData\Local\Temp\57253ea6c3d290a72ed2b861efb1e320_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\512D.tmp |
| PID 4476 wrote to memory of 2828 | N/A | C:\Users\Admin\AppData\Local\Temp\57253ea6c3d290a72ed2b861efb1e320_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\512D.tmp |
| PID 4476 wrote to memory of 2828 | N/A | C:\Users\Admin\AppData\Local\Temp\57253ea6c3d290a72ed2b861efb1e320_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\512D.tmp |
Processes
C:\Users\Admin\AppData\Local\Temp\57253ea6c3d290a72ed2b861efb1e320_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\57253ea6c3d290a72ed2b861efb1e320_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Local\Temp\512D.tmp
"C:\Users\Admin\AppData\Local\Temp\512D.tmp"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| BE | 2.17.196.160:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 160.196.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 24.121.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
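The Network table has no process column, so nothing in it is attributed to either of the sample's two processes, and the Windows 7 run (behavioral1) recorded no network activity at all. Ten of the eleven rows are reverse-DNS (PTR) queries to the sandbox resolver, and one of them decodes to the single direct connection in the table (2.17.196.160, www.bing.com). Before treating any of these addresses as command-and-control indicators, separate the lookups from the connections and account for the remainder. The following is an added example, not part of the report: the rows are copied from the table above, the decoding and classification logic is this example's own.

```python
"""Triage of the behavioral2 Network table: reverse-DNS lookups versus direct connections.

Added example, not part of the report. NETWORK_ROWS reproduces the table above; the
classification and PTR decoding are this example's own logic.
"""

NETWORK_ROWS = """\
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
BE | 2.17.196.160:443 | www.bing.com | tcp
US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 160.196.17.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 24.121.18.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp
US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp
"""


def ptr_to_ip(name):
    """Decode a PTR query name: '160.196.17.2.in-addr.arpa' -> '2.17.196.160'.
    Returns None for anything that is not a well-formed IPv4 reverse name."""
    suffix = ".in-addr.arpa"
    if not name.lower().endswith(suffix):
        return None
    octets = name[: -len(suffix)].split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        return None
    return ".".join(reversed(octets))


def triage(rows_text):
    """Split rows into direct connections and PTR lookups, then link each lookup back to the
    connection it describes; whatever is left must be explained some other way (process
    attribution, a second detonation, or the image's own background traffic)."""
    connections, ptr_ips = [], []
    for line in rows_text.strip().splitlines():
        country, dest, domain, proto = (c.strip() for c in line.split("|"))
        host, port = dest.rsplit(":", 1)
        ip = ptr_to_ip(domain)
        if ip is not None and port == "53":
            ptr_ips.append(ip)
        else:
            connections.append({"country": country, "ip": host, "port": int(port),
                                "domain": domain, "proto": proto})
    connected = {c["ip"] for c in connections}
    return {
        "connections": connections,
        "ptr_for_observed_connection": sorted(ip for ip in set(ptr_ips) if ip in connected),
        "ptr_unexplained": sorted(ip for ip in set(ptr_ips) if ip not in connected),
    }


if __name__ == "__main__":
    result = triage(NETWORK_ROWS)
    for c in result["connections"]:
        print("connection:", c)
    print("PTR lookups matching a connection:", result["ptr_for_observed_connection"])
    print("PTR lookups with no matching connection:", result["ptr_unexplained"])
```

On this table the only direct connection is the TLS session to www.bing.com, and nine decoded PTR targets have no corresponding connection in the capture. A PTR lookup shows that something on the host asked who owns an address, not that the sample spoke to it; without process attribution these nine should be recorded as observations, not as indicators.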
Files
C:\Users\Admin\AppData\Local\Temp\512D.tmp
| MD5 | 14ef027f5ba75f5a171d25beb096fecc |
| SHA1 | 2b71033f7baab19a283a8f653658c8bb91f068ad |
| SHA256 | 13eacb47857c8e66128f67a8de76663ad2cdbc030a59243a5123e12144195e26 |
| SHA512 | 457ece1f63556c5c5f9100614d97c1860579d919cbf378243d8109bf6018b5e0fe84278a7c1b6294cb3f61ea3dc2310c8fe35f02ebafaee8b93fbdbba9eff139 |
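The dropped file carries the same MD5, SHA1, SHA256 and SHA512 in both detonations (EA1.tmp on Windows 7, 512D.tmp on Windows 10), so the payload bytes are fixed and only the temporary file name varies. That makes the digests a stable indicator and the file name a poor one. The sweep below is an added example, not a tool from the report: it hashes candidate .tmp files in one pass with all four algorithms and checks them against the report's digests plus the dropper's SHA256 from the overview. The demo directory and its contents are constructed so the code runs offline; they do not match the real indicators.

```python
"""Hash sweep for the dropped payload; added example, not part of the report.

The digests are the ones the report lists for EA1.tmp / 512D.tmp (identical in both
detonations) plus the dropper's SHA256 from the Analysis Overview. The sweep walks a
directory, hashes files whose names match the short-hex .tmp shape, and reports IOC hits.
"""
import hashlib
import os
import re

DROPPER_SHA256 = "ea7dc678eb5e1b60662eac77e0ff06d4d6acf9bc2e00d333731f1d12ea71edd2"
PAYLOAD_HASHES = {
    "md5": "14ef027f5ba75f5a171d25beb096fecc",
    "sha1": "2b71033f7baab19a283a8f653658c8bb91f068ad",
    "sha256": "13eacb47857c8e66128f67a8de76663ad2cdbc030a59243a5123e12144195e26",
    "sha512": "457ece1f63556c5c5f9100614d97c1860579d919cbf378243d8109bf6018b5e0"
              "fe84278a7c1b6294cb3f61ea3dc2310c8fe35f02ebafaee8b93fbdbba9eff139",
}
TMP_NAME_RE = re.compile(r"^[0-9A-F]{1,4}\.tmp$", re.IGNORECASE)  # EA1.tmp, 512D.tmp


def digest_file(path, algos=("md5", "sha1", "sha256", "sha512")):
    """Compute all four digests in one read so a partial IOC list (say, MD5 only) still matches."""
    hashers = {a: hashlib.new(a) for a in algos}
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            for h in hashers.values():
                h.update(chunk)
    return {a: h.hexdigest() for a, h in hashers.items()}


def match_iocs(digests):
    """Name the IOC sets a file's digests hit. Any one payload digest is enough, since all
    four describe the same bytes; a hit on one algorithm but not another would point to a
    corrupted IOC entry rather than a different file."""
    hits = []
    if digests.get("sha256") == DROPPER_SHA256:
        hits.append("dropper")
    if any(digests.get(a) == v for a, v in PAYLOAD_HASHES.items()):
        hits.append("payload")
    return hits


def sweep(directory, name_filter=TMP_NAME_RE):
    """Hash every matching file under `directory`; returns {path: [hits]} for all candidates,
    including empty hit lists, so the analyst sees what was checked and not only what fired."""
    results = {}
    for root, _, files in os.walk(directory):
        for name in files:
            if name_filter.match(name):
                path = os.path.join(root, name)
                results[path] = match_iocs(digest_file(path))
    return results


def demo_sweep():
    """Run the sweep against a constructed scratch directory (offline demonstration only)."""
    import tempfile
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "EA1.tmp"), "wb") as f:
            f.write(b"MZ" + b"\x00" * 62)   # constructed stand-in, not the real payload
        with open(os.path.join(d, "notes.txt"), "w") as f:
            f.write("ignored: name does not match the .tmp filter")
        return {os.path.basename(p): hits for p, hits in sweep(d).items()}


if __name__ == "__main__":
    for name, hits in demo_sweep().items():
        print(name, "->", hits or "no IOC match")
```

Point `sweep()` at each user's AppData\Local\Temp on a suspect host. Because the dropper deletes its own image after launching the payload, a hit on the dropper hash is unlikely on a machine where the chain completed; the payload digests, or the behavioral chain itself, are the more durable evidence.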