625cf9bc8af11e49312d42b48a072050ef65dba1357b462b4dda21bdc94d6de0

General

Target

ecfc7a87c55a47b128c6de2d11c83fc0_NeikiAnalytics.exe
Size

1.2MB
MD5

ecfc7a87c55a47b128c6de2d11c83fc0
SHA1

ffbc67ad54c4b178422c0c8ced7cbcdf36ce8f45
SHA256

625cf9bc8af11e49312d42b48a072050ef65dba1357b462b4dda21bdc94d6de0
SHA512

b041427f5210fe3bdbb0fea744b9ba8dc6d95399897b4b0ab8f980a85c662977686556b3910776a0aacf033c8d47570eb2bc05800b7802ac3f1941a675f94ba9
SSDEEP

24576:mSgo4U1YeywJncgm/RYwA+0Etwqrnkkkztwdbla/ZSqa/JX3gK6BbK077Lv+f6Tg:Zgo4UC1wJwNHfwUVkzSdZgpg2XB+0bGV

Score

10^/10

Malware Config

Signatures

Malware Dropper & Backdoor - Berbew 1 IoCs

Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.

backdoor trojan dropper

resource	yara_rule
behavioral2/files/0x000b00000002343b-5.dat	family_berbew

Deletes itself 1 IoCs

pid	Process
3880	ecfc7a87c55a47b128c6de2d11c83fc0_NeikiAnalytics.exe

Executes dropped EXE 1 IoCs

pid	Process
3880	ecfc7a87c55a47b128c6de2d11c83fc0_NeikiAnalytics.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
4	pastebin.com
10	pastebin.com

Program crash 15 IoCs

pid	pid_target	Process	procid_target
2260	3472	WerFault.exe	83
4272	3880	WerFault.exe	90
4964	3880	WerFault.exe	90
4584	3880	WerFault.exe	90
4716	3880	WerFault.exe	90
968	3880	WerFault.exe	90
4664	3880	WerFault.exe	90
2988	3880	WerFault.exe	90
4472	3880	WerFault.exe	90
1344	3880	WerFault.exe	90
4040	3880	WerFault.exe	90
1368	3880	WerFault.exe	90
2836	3880	WerFault.exe	90
4508	3880	WerFault.exe	90
4692	3880	WerFault.exe	90

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3880	ecfc7a87c55a47b128c6de2d11c83fc0_NeikiAnalytics.exe
3880	ecfc7a87c55a47b128c6de2d11c83fc0_NeikiAnalytics.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3472	ecfc7a87c55a47b128c6de2d11c83fc0_NeikiAnalytics.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3880	ecfc7a87c55a47b128c6de2d11c83fc0_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3472 wrote to memory of 3880	3472	ecfc7a87c55a47b128c6de2d11c83fc0_NeikiAnalytics.exe	90
PID 3472 wrote to memory of 3880	3472	ecfc7a87c55a47b128c6de2d11c83fc0_NeikiAnalytics.exe	90
PID 3472 wrote to memory of 3880	3472	ecfc7a87c55a47b128c6de2d11c83fc0_NeikiAnalytics.exe	90

C:\Users\Admin\AppData\Local\Temp\ecfc7a87c55a47b128c6de2d11c83fc0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\ecfc7a87c55a47b128c6de2d11c83fc0_NeikiAnalytics.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:3472
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3472 -s 344
  2⤵
  - Program crash
  PID:2260
- C:\Users\Admin\AppData\Local\Temp\ecfc7a87c55a47b128c6de2d11c83fc0_NeikiAnalytics.exe
  C:\Users\Admin\AppData\Local\Temp\ecfc7a87c55a47b128c6de2d11c83fc0_NeikiAnalytics.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  PID:3880
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3880 -s 344
    3⤵
    - Program crash
    PID:4272
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3880 -s 628
    3⤵
    - Program crash
    PID:4964
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3880 -s 636
    3⤵
    - Program crash
    PID:4584
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3880 -s 660
    3⤵
    - Program crash
    PID:4716
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3880 -s 700
    3⤵
    - Program crash
    PID:968
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3880 -s 936
    3⤵
    - Program crash
    PID:4664
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3880 -s 1412
    3⤵
    - Program crash
    PID:2988
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3880 -s 1472
    3⤵
    - Program crash
    PID:4472
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3880 -s 1416
    3⤵
    - Program crash
    PID:1344
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3880 -s 1420
    3⤵
    - Program crash
    PID:4040
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3880 -s 1536
    3⤵
    - Program crash
    PID:1368
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3880 -s 1520
    3⤵
    - Program crash
    PID:2836
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3880 -s 1036
    3⤵
    - Program crash
    PID:4508
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3880 -s 1048
    3⤵
    - Program crash
    PID:4692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3472 -ip 3472
1⤵
PID:3744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 3880 -ip 3880
1⤵
PID:4936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3880 -ip 3880
1⤵
PID:4840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3880 -ip 3880
1⤵
PID:3384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3880 -ip 3880
1⤵
PID:3700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 3880 -ip 3880
1⤵
PID:2828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 3880 -ip 3880
1⤵
PID:3864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3880 -ip 3880
1⤵
PID:2456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 3880 -ip 3880
1⤵
PID:3260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3880 -ip 3880
1⤵
PID:3396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 3880 -ip 3880
1⤵
PID:1772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3880 -ip 3880
1⤵
PID:1860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 3880 -ip 3880
1⤵
PID:3744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 3880 -ip 3880
1⤵
PID:2828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3880 -ip 3880
1⤵
PID:4208

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ecfc7a87c55a47b128c6de2d11c83fc0_NeikiAnalytics.exe

Filesize
1.2MB

MD5
678473361a09abf9010186b6b84a8a84

SHA1
a63fb98eda404c7f0ee3adedfb2c01d38f996dfc

SHA256
3cb28a5525477e94a6fc40f0511ae01bf5229c4188bd39af30eacb18dfd9537f

SHA512
91143131ace4141537a07a27fa4d9397fd40608ca71bafbae4fbd4ca28a81f2a215bdbc7e2a61e045450d8bbc074e0eee18573d50a31df0dcae2f323700ee460

Download Submit
memory/3472-0-0x0000000000400000-0x0000000000517000-memory.dmp

Filesize
1.1MB

Download
memory/3472-6-0x0000000000400000-0x0000000000517000-memory.dmp

Filesize
1.1MB

Download
memory/3880-7-0x0000000000400000-0x0000000000517000-memory.dmp

Filesize
1.1MB

Download
memory/3880-14-0x00000000050A0000-0x00000000051B7000-memory.dmp

Filesize
1.1MB

Download
memory/3880-8-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/3880-22-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3880-27-0x000000000B9A0000-0x000000000BA43000-memory.dmp

Filesize
652KB

Download

Analysis

Sharing