Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
20/05/2024, 07:41
Behavioral task
behavioral1
Sample
d4f6ff430554f03ff243cb3411ada820_NeikiAnalytics.exe
Resource
win7-20240419-en
General
-
Target
d4f6ff430554f03ff243cb3411ada820_NeikiAnalytics.exe
-
Size
664KB
-
MD5
d4f6ff430554f03ff243cb3411ada820
-
SHA1
78032bece3b62baf8650b9068649cb721f503437
-
SHA256
09e532a9ff0607aa914a56627993d9c6a3cfbe63b0dd89d59c0a1666e825e5e8
-
SHA512
9d8bdd5a57ec06a338de1f67793aafbe4c7896102e5d7e651577e54c6288cb404f990762e1c976f17dbe7c91806472fc6aa68913e8ba0517c832a38052c5ef37
-
SSDEEP
12288:pYIW0p98Oh8P7h8K/+HH99mZp2As80fnb2ZrRsq2dVNLlgjOETn4/5BWpUohOqH:dW298E8ucwHqr2t21RsqONLlgjOETn4a
Malware Config
Signatures
-
Malware Dropper & Backdoor - Berbew 1 IoCs
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
resource yara_rule behavioral2/files/0x000800000002342a-3.dat family_berbew -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation 3CBB.tmp -
Executes dropped EXE 1 IoCs
pid Process 2352 3CBB.tmp -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings 3CBB.tmp -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid Process 2852 WINWORD.EXE 2852 WINWORD.EXE -
Suspicious behavior: RenamesItself 1 IoCs
pid Process 2352 3CBB.tmp -
Suspicious use of SetWindowsHookEx 10 IoCs
pid Process 2852 WINWORD.EXE 2852 WINWORD.EXE 2852 WINWORD.EXE 2852 WINWORD.EXE 2852 WINWORD.EXE 2852 WINWORD.EXE 2852 WINWORD.EXE 2852 WINWORD.EXE 2852 WINWORD.EXE 2852 WINWORD.EXE -
Suspicious use of WriteProcessMemory 5 IoCs
description pid Process procid_target PID 3844 wrote to memory of 2352 3844 d4f6ff430554f03ff243cb3411ada820_NeikiAnalytics.exe 83 PID 3844 wrote to memory of 2352 3844 d4f6ff430554f03ff243cb3411ada820_NeikiAnalytics.exe 83 PID 3844 wrote to memory of 2352 3844 d4f6ff430554f03ff243cb3411ada820_NeikiAnalytics.exe 83 PID 2352 wrote to memory of 2852 2352 3CBB.tmp 90 PID 2352 wrote to memory of 2852 2352 3CBB.tmp 90 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\d4f6ff430554f03ff243cb3411ada820_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\d4f6ff430554f03ff243cb3411ada820_NeikiAnalytics.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3844 -
C:\Users\Admin\AppData\Local\Temp\3CBB.tmp"C:\Users\Admin\AppData\Local\Temp\3CBB.tmp" --pingC:\Users\Admin\AppData\Local\Temp\d4f6ff430554f03ff243cb3411ada820_NeikiAnalytics.exe A44DAEB391A26577C7AFBA8863DC8BE6C5774FBCF8D6453F6F6DEA1E36D26C1B20E5FA172F8A75D2580DE9FD0C878C0ACD6CBC054A11C155488546E3C1A7B0812⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2352 -
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\d4f6ff430554f03ff243cb3411ada820_NeikiAnalytics.docx" /o ""3⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2852
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
664KB
MD5bea7f9e41539ea1c4fabbb4fac125893
SHA12250afb99b4121e512120f7c38842ec3bdeb2af1
SHA25643bfa800ef215b43f77fe340b50840762d5a05527989883552cfc5f2784a9779
SHA5123e8e8420e997fc9b17164f891764ebaec1f49e3dbf70cfabb1a944ce7046b4fa1ddc064329c7da10f0d189ce82705f40a345696728109d6ecd969fa7fb22c47d
-
Filesize
21KB
MD57079891932a64f097abafd233055a1e9
SHA1246d95feafe67689d49a5a4cadba18d3ac1914e5
SHA256c97189b50e5e92be09966d4732b6d61a2e435b2935d60c09989e555ae442e7a1
SHA5126e9ee6427d7cc2474dc634b088cf3f35d06dfb734d2b63fbbc794f4083b4b5754379daff4804bf5024b1b430aa5e50fa6d839d3473ceeed3043d373c85e9862a