5f11f00d4e9b9145550e83adbef1b76398ef1f682c8e89bd315d780f7b71aa47

Analysis

max time kernel
149s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
10/05/2024, 06:57

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

981a51e751c0377ec7caf94366c61ec0_NeikiAnalytics.exe
Size

384KB
MD5

981a51e751c0377ec7caf94366c61ec0
SHA1

92f9c74f24f375e2bce73e0f4d00ab67fb0dbf07
SHA256

5f11f00d4e9b9145550e83adbef1b76398ef1f682c8e89bd315d780f7b71aa47
SHA512

7a51e8646675651f1cdd14dd875685cf943da0de9846e427ea5742d3d2ed46196e2aa1b54a28e56972f55c7b300d0582e312229631b8d03ad7ebe6b244b8de69
SSDEEP

12288:cN25sxu0LfDwiRkpLdrVtdW/sEzrWtHOw0iFauY/B/dc:cNfoDlVtdW/sEzrWtHOw0iFauY/B/dc

Score

10^/10

backdoor dropper trojan

Malware Config

Signatures

Malware Dropper & Backdoor - Berbew 1 IoCs

Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.

backdoor trojan dropper

resource	yara_rule
behavioral2/files/0x000c000000023407-5.dat	family_berbew

Deletes itself 1 IoCs

pid	Process
1220	981a51e751c0377ec7caf94366c61ec0_NeikiAnalytics.exe

Executes dropped EXE 1 IoCs

pid	Process
1220	981a51e751c0377ec7caf94366c61ec0_NeikiAnalytics.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2576	1072	WerFault.exe	80
1040	1220	WerFault.exe	88

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1072	981a51e751c0377ec7caf94366c61ec0_NeikiAnalytics.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
1220	981a51e751c0377ec7caf94366c61ec0_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1072 wrote to memory of 1220	1072	981a51e751c0377ec7caf94366c61ec0_NeikiAnalytics.exe	88
PID 1072 wrote to memory of 1220	1072	981a51e751c0377ec7caf94366c61ec0_NeikiAnalytics.exe	88
PID 1072 wrote to memory of 1220	1072	981a51e751c0377ec7caf94366c61ec0_NeikiAnalytics.exe	88

C:\Users\Admin\AppData\Local\Temp\981a51e751c0377ec7caf94366c61ec0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\981a51e751c0377ec7caf94366c61ec0_NeikiAnalytics.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:1072
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1072 -s 396
  2⤵
  - Program crash
  PID:2576
- C:\Users\Admin\AppData\Local\Temp\981a51e751c0377ec7caf94366c61ec0_NeikiAnalytics.exe
  C:\Users\Admin\AppData\Local\Temp\981a51e751c0377ec7caf94366c61ec0_NeikiAnalytics.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:1220
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1220 -s 364
    3⤵
    - Program crash
    PID:1040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1072 -ip 1072
1⤵
PID:5004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 1220 -ip 1220
1⤵
PID:1036

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\981a51e751c0377ec7caf94366c61ec0_NeikiAnalytics.exe

Filesize
384KB

MD5
0aab611add85d263910119ef8fb570a4

SHA1
2949754d452584ed1218a06f1c530172ee5ec33c

SHA256
1c4c9c0bcc6cbe4498ed8801076275ba3a668313ad1bedf52732b2927fe06881

SHA512
8c97dc853ff093970fcd73d180a28d6bf84ccb47961d62c73c607023668740052c057bbad0b01d65ab41883bf10af8b2a6cdc2e5ac80984193478d70b44dccb0

Download Submit
memory/1072-0-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1072-7-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1220-8-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1220-9-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1220-14-0x00000000014B0000-0x00000000014E7000-memory.dmp

Filesize
220KB

Download