625cf9bc8af11e49312d42b48a072050ef65dba1357b462b4dda21bdc94d6de0

Analysis

max time kernel
121s
max time network
129s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
17/05/2024, 14:54

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

ecfc7a87c55a47b128c6de2d11c83fc0_NeikiAnalytics.exe
Size

1.2MB
MD5

ecfc7a87c55a47b128c6de2d11c83fc0
SHA1

ffbc67ad54c4b178422c0c8ced7cbcdf36ce8f45
SHA256

625cf9bc8af11e49312d42b48a072050ef65dba1357b462b4dda21bdc94d6de0
SHA512

b041427f5210fe3bdbb0fea744b9ba8dc6d95399897b4b0ab8f980a85c662977686556b3910776a0aacf033c8d47570eb2bc05800b7802ac3f1941a675f94ba9
SSDEEP

24576:mSgo4U1YeywJncgm/RYwA+0Etwqrnkkkztwdbla/ZSqa/JX3gK6BbK077Lv+f6Tg:Zgo4UC1wJwNHfwUVkzSdZgpg2XB+0bGV

Score

10^/10

backdoor dropper trojan

Malware Config

Signatures

Malware Dropper & Backdoor - Berbew 1 IoCs

Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.

backdoor trojan dropper

resource	yara_rule
behavioral1/files/0x0009000000016d24-4.dat	family_berbew

Deletes itself 1 IoCs

pid	Process
2340	ecfc7a87c55a47b128c6de2d11c83fc0_NeikiAnalytics.exe

Executes dropped EXE 1 IoCs

pid	Process
2340	ecfc7a87c55a47b128c6de2d11c83fc0_NeikiAnalytics.exe

Loads dropped DLL 1 IoCs

pid	Process
2044	ecfc7a87c55a47b128c6de2d11c83fc0_NeikiAnalytics.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
4	pastebin.com
5	pastebin.com

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2340	ecfc7a87c55a47b128c6de2d11c83fc0_NeikiAnalytics.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2044	ecfc7a87c55a47b128c6de2d11c83fc0_NeikiAnalytics.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
2340	ecfc7a87c55a47b128c6de2d11c83fc0_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2044 wrote to memory of 2340	2044	ecfc7a87c55a47b128c6de2d11c83fc0_NeikiAnalytics.exe	31
PID 2044 wrote to memory of 2340	2044	ecfc7a87c55a47b128c6de2d11c83fc0_NeikiAnalytics.exe	31
PID 2044 wrote to memory of 2340	2044	ecfc7a87c55a47b128c6de2d11c83fc0_NeikiAnalytics.exe	31
PID 2044 wrote to memory of 2340	2044	ecfc7a87c55a47b128c6de2d11c83fc0_NeikiAnalytics.exe	31

C:\Users\Admin\AppData\Local\Temp\ecfc7a87c55a47b128c6de2d11c83fc0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\ecfc7a87c55a47b128c6de2d11c83fc0_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2044
- C:\Users\Admin\AppData\Local\Temp\ecfc7a87c55a47b128c6de2d11c83fc0_NeikiAnalytics.exe
  C:\Users\Admin\AppData\Local\Temp\ecfc7a87c55a47b128c6de2d11c83fc0_NeikiAnalytics.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  PID:2340

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\ecfc7a87c55a47b128c6de2d11c83fc0_NeikiAnalytics.exe

Filesize
1.2MB

MD5
5698078b2f475c49891eaa199d3d64b5

SHA1
67fb8ac5b62e987c805dca0516a8b80df84c794b

SHA256
7a7cc93a82af26621ff29d67cfb5eb6761aaeafc601ae0c1881f9210e2166cfc

SHA512
8c20b3927bcf84054a619ef08f4bbd6842c03d0f37fd8ebe9ff25907e40ceb4fb10f4f42273a4fa70d47760ea2529c2f81657ef9ff08c1d1aa1da1e1d13ada8c

Download Submit
memory/2044-0-0x0000000000400000-0x0000000000517000-memory.dmp

Filesize
1.1MB

Download
memory/2044-7-0x0000000002E90000-0x0000000002FA7000-memory.dmp

Filesize
1.1MB

Download
memory/2044-8-0x0000000000400000-0x0000000000517000-memory.dmp

Filesize
1.1MB

Download
memory/2340-11-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/2340-17-0x0000000002E60000-0x0000000002F77000-memory.dmp

Filesize
1.1MB

Download
memory/2340-10-0x0000000000400000-0x0000000000517000-memory.dmp

Filesize
1.1MB

Download
memory/2340-33-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2340-39-0x0000000007840000-0x00000000078E3000-memory.dmp

Filesize
652KB

Download