3cdbc9edaad1bb5560d2fdcfbfdfa8ed760ba7ea4f4aebffce8ecfff48b35ecf

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
19/05/2024, 21:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3e84a68b1a10702663d4f8a5c7278f50_NeikiAnalytics.exe
Size

1.8MB
MD5

3e84a68b1a10702663d4f8a5c7278f50
SHA1

8b24d6c86f8ff9082430ac2e6a1ddd0e06e00677
SHA256

3cdbc9edaad1bb5560d2fdcfbfdfa8ed760ba7ea4f4aebffce8ecfff48b35ecf
SHA512

9e9d25e5c57bbc0718286bd1389581323766055b6cb271fef2c3a75b3807357d543a79b84af8e0c31ec8f315418917ca77a14888b62cca6031cd0d724cf695cb
SSDEEP

24576:NUx6xXa5NG6dujqxz10BDia/ZSaLQreBh77Lv+f6T8Qnskb2i6OBKaBudep+dnsg:+816dAqVa+gPyeBhbq4TTow+lsg

Score

10^/10

backdoor dropper trojan

Malware Config

Signatures

Malware Dropper & Backdoor - Berbew 4 IoCs

Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.

backdoor trojan dropper

resource	yara_rule
behavioral1/memory/2408-0-0x0000000000400000-0x00000000004F2000-memory.dmp	family_berbew
behavioral1/files/0x000d000000012262-4.dat	family_berbew
behavioral1/memory/808-8-0x0000000000400000-0x00000000004F2000-memory.dmp	family_berbew
behavioral1/memory/808-15-0x0000000002F30000-0x0000000003022000-memory.dmp	family_berbew

Deletes itself 1 IoCs

pid	Process
808	3e84a68b1a10702663d4f8a5c7278f50_NeikiAnalytics.exe

Executes dropped EXE 1 IoCs

pid	Process
808	3e84a68b1a10702663d4f8a5c7278f50_NeikiAnalytics.exe

Loads dropped DLL 1 IoCs

pid	Process
2408	3e84a68b1a10702663d4f8a5c7278f50_NeikiAnalytics.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
3	pastebin.com
4	pastebin.com

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
808	3e84a68b1a10702663d4f8a5c7278f50_NeikiAnalytics.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2408	3e84a68b1a10702663d4f8a5c7278f50_NeikiAnalytics.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
808	3e84a68b1a10702663d4f8a5c7278f50_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2408 wrote to memory of 808	2408	3e84a68b1a10702663d4f8a5c7278f50_NeikiAnalytics.exe	29
PID 2408 wrote to memory of 808	2408	3e84a68b1a10702663d4f8a5c7278f50_NeikiAnalytics.exe	29
PID 2408 wrote to memory of 808	2408	3e84a68b1a10702663d4f8a5c7278f50_NeikiAnalytics.exe	29
PID 2408 wrote to memory of 808	2408	3e84a68b1a10702663d4f8a5c7278f50_NeikiAnalytics.exe	29

C:\Users\Admin\AppData\Local\Temp\3e84a68b1a10702663d4f8a5c7278f50_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\3e84a68b1a10702663d4f8a5c7278f50_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2408
- C:\Users\Admin\AppData\Local\Temp\3e84a68b1a10702663d4f8a5c7278f50_NeikiAnalytics.exe
  C:\Users\Admin\AppData\Local\Temp\3e84a68b1a10702663d4f8a5c7278f50_NeikiAnalytics.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  PID:808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\3e84a68b1a10702663d4f8a5c7278f50_NeikiAnalytics.exe

Filesize
1.8MB

MD5
3c8b5f9f4e44d63a4da97ba82f46a4fe

SHA1
b556ee4d6356526f4dd90f84292d6967af80b58f

SHA256
a59abf43a4c418930b376192e2cf6d8a112e40f1866a9b4d3c5ff6445ddad04d

SHA512
9b218f0a15490b8b2c640b37d71ec3f4fca6414057c75d6eeabffb453c368f5c9da94b5522fe8c24bc86a5bd171131200e8d02199d608b9247a20d18374c58fb

Download Submit
memory/808-8-0x0000000000400000-0x00000000004F2000-memory.dmp

Filesize
968KB

Download
memory/808-9-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/808-15-0x0000000002F30000-0x0000000003022000-memory.dmp

Filesize
968KB

Download
memory/808-31-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/808-37-0x000000000D800000-0x000000000D8A3000-memory.dmp

Filesize
652KB

Download
memory/2408-0-0x0000000000400000-0x00000000004F2000-memory.dmp

Filesize
968KB

Download