9d5b57e406848cc976a83ec602bdb956ab3e66c06af0a20dcf80f6e63ecaca51

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
14/05/2024, 22:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

325a7e71e508e8ab5660857640bea4c0_NeikiAnalytics.exe
Size

3.7MB
MD5

325a7e71e508e8ab5660857640bea4c0
SHA1

838a1791dbc0fbc830e516f6779f8bd01b507957
SHA256

9d5b57e406848cc976a83ec602bdb956ab3e66c06af0a20dcf80f6e63ecaca51
SHA512

225fd3f5c2f942373b3adce682fab711db2f83e487cca42fc8c0a2e748e8eb0fad60f605275af0f36254a05cee9e058fa08bfeaab3f079d2942e5b034e396bc0
SSDEEP

98304:7i4XtWHdJYrVxHtt3styb9giYdR+xBSOzz:/uJYrVxHtt3styb9giYdR+xBSOzz

Score

10^/10

backdoor dropper trojan

Malware Config

Signatures

Malware Dropper & Backdoor - Berbew 1 IoCs

Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.

backdoor trojan dropper

resource	yara_rule
behavioral1/files/0x000f000000012272-4.dat	family_berbew

Deletes itself 1 IoCs

pid	Process
2264	325a7e71e508e8ab5660857640bea4c0_NeikiAnalytics.exe

Executes dropped EXE 1 IoCs

pid	Process
2264	325a7e71e508e8ab5660857640bea4c0_NeikiAnalytics.exe

Loads dropped DLL 4 IoCs

pid	Process
1520	325a7e71e508e8ab5660857640bea4c0_NeikiAnalytics.exe
2068	WerFault.exe
2068	WerFault.exe
2068	WerFault.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2068	2264	WerFault.exe	29

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1520	325a7e71e508e8ab5660857640bea4c0_NeikiAnalytics.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
2264	325a7e71e508e8ab5660857640bea4c0_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1520 wrote to memory of 2264	1520	325a7e71e508e8ab5660857640bea4c0_NeikiAnalytics.exe	29
PID 1520 wrote to memory of 2264	1520	325a7e71e508e8ab5660857640bea4c0_NeikiAnalytics.exe	29
PID 1520 wrote to memory of 2264	1520	325a7e71e508e8ab5660857640bea4c0_NeikiAnalytics.exe	29
PID 1520 wrote to memory of 2264	1520	325a7e71e508e8ab5660857640bea4c0_NeikiAnalytics.exe	29
PID 2264 wrote to memory of 2068	2264	325a7e71e508e8ab5660857640bea4c0_NeikiAnalytics.exe	30
PID 2264 wrote to memory of 2068	2264	325a7e71e508e8ab5660857640bea4c0_NeikiAnalytics.exe	30
PID 2264 wrote to memory of 2068	2264	325a7e71e508e8ab5660857640bea4c0_NeikiAnalytics.exe	30
PID 2264 wrote to memory of 2068	2264	325a7e71e508e8ab5660857640bea4c0_NeikiAnalytics.exe	30

C:\Users\Admin\AppData\Local\Temp\325a7e71e508e8ab5660857640bea4c0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\325a7e71e508e8ab5660857640bea4c0_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:1520
- C:\Users\Admin\AppData\Local\Temp\325a7e71e508e8ab5660857640bea4c0_NeikiAnalytics.exe
  C:\Users\Admin\AppData\Local\Temp\325a7e71e508e8ab5660857640bea4c0_NeikiAnalytics.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2264
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2264 -s 144
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2068

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\325a7e71e508e8ab5660857640bea4c0_NeikiAnalytics.exe

Filesize
3.7MB

MD5
2d90f0e4a3a2d80b59700ed766ae3fc6

SHA1
4a0ff330c06327ea713cd3c9326b36e2bffe1550

SHA256
ee4dbfeb1921b591592ae3b3e3958ba82936b3ec8f51440e97dab5987c291c30

SHA512
aa594147d1a6637fd6077e973bc0026960f1f520a48aca5811e41feea03484eecf3d9362d582bea4d92ebc2cae64c2956af2d3cf40b1770c692fce548c2e6584

Download Submit
memory/1520-0-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/1520-6-0x0000000002D70000-0x0000000002E56000-memory.dmp

Filesize
920KB

Download
memory/1520-9-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/2264-10-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/2264-11-0x0000000002F20000-0x0000000003006000-memory.dmp

Filesize
920KB

Download