Malware Analysis Report

2025-03-15 09:58

Sample ID: 240520-jjclfaab83
Target: d4f6ff430554f03ff243cb3411ada820_NeikiAnalytics.exe
SHA256: 09e532a9ff0607aa914a56627993d9c6a3cfbe63b0dd89d59c0a1666e825e5e8
Tags: backdoor trojan dropper berbew
Score: 10/10


Analysis Overview

Score: 10/10

SHA256: 09e532a9ff0607aa914a56627993d9c6a3cfbe63b0dd89d59c0a1666e825e5e8

Threat Level: Known bad

The file d4f6ff430554f03ff243cb3411ada820_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

backdoor trojan dropper berbew

Berbew family

Malware Dropper & Backdoor - Berbew

Loads dropped DLL

Checks computer location settings

Executes dropped EXE

Enumerates physical storage devices

Unsigned PE

Enumerates system info in registry

Modifies Internet Explorer settings

Uses Volume Shadow Copy service COM API

Suspicious behavior: RenamesItself

Modifies registry class

Uses Volume Shadow Copy WMI provider

Checks processor information in registry

Suspicious behavior: AddClipboardFormatListener

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-05-20 07:41

Signatures

Berbew family
Tags: berbew

Malware Dropper & Backdoor - Berbew
Tags: backdoor trojan dropper

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-05-20 07:41
Reported: 2024-05-20 07:44
Platform: win7-20240419-en
Max time kernel: 144s
Max time network: 122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d4f6ff430554f03ff243cb3411ada820_NeikiAnalytics.exe"

Signatures

Malware Dropper & Backdoor - Berbew
Tags: backdoor trojan dropper

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\10B3.tmp | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d4f6ff430554f03ff243cb3411ada820_NeikiAnalytics.exe | N/A

Enumerates physical storage devices

Modifies Internet Explorer settings
Tags: adware spyware

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\MenuExt | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A

Suspicious behavior: RenamesItself

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\10B3.tmp | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\d4f6ff430554f03ff243cb3411ada820_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\d4f6ff430554f03ff243cb3411ada820_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Local\Temp\10B3.tmp

"C:\Users\Admin\AppData\Local\Temp\10B3.tmp" --pingC:\Users\Admin\AppData\Local\Temp\d4f6ff430554f03ff243cb3411ada820_NeikiAnalytics.exe 22BB5D28BC538A1D9801915A3BEF4BAC6BF99714816C52B99BF055EC5A8DB2D569267DA6634F98B2B7A91110F9FDEFDAA123BB4D3876E209A6C2481D4C8A1AB5

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\d4f6ff430554f03ff243cb3411ada820_NeikiAnalytics.docx"

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\10B3.tmp

MD5 6c63d396f92925fa16d1d59f05f09979
SHA1 07f4b3e375160a091d82d2639afa46e393f67a44
SHA256 6283081beec69165512d389ccef3adf8ea75efa0da67209d2dd63e2a31da5afb
SHA512 b3d2d11202bc2102cc5a538d03cc0894cb40a878d1013a5da30ebcea6ebb9e24316840b21c4aa195dcec69be6a51e562d8da20fa9828a7d8702f631c8b1a72f3

memory/2636-7-0x000000002FBA1000-0x000000002FBA2000-memory.dmp

memory/2636-8-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/2636-9-0x0000000070B5D000-0x0000000070B68000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\d4f6ff430554f03ff243cb3411ada820_NeikiAnalytics.docx

MD5 7079891932a64f097abafd233055a1e9
SHA1 246d95feafe67689d49a5a4cadba18d3ac1914e5
SHA256 c97189b50e5e92be09966d4732b6d61a2e435b2935d60c09989e555ae442e7a1
SHA512 6e9ee6427d7cc2474dc634b088cf3f35d06dfb734d2b63fbbc794f4083b4b5754379daff4804bf5024b1b430aa5e50fa6d839d3473ceeed3043d373c85e9862a

memory/2636-13-0x0000000070B5D000-0x0000000070B68000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-05-20 07:41
Reported: 2024-05-20 07:44
Platform: win10v2004-20240426-en
Max time kernel: 149s
Max time network: 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d4f6ff430554f03ff243cb3411ada820_NeikiAnalytics.exe"

Signatures

Malware Dropper & Backdoor - Berbew
Tags: backdoor trojan dropper

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\3CBB.tmp | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3CBB.tmp | N/A

Enumerates physical storage devices

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\3CBB.tmp | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A

Suspicious behavior: RenamesItself

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3CBB.tmp | N/A

Uses Task Scheduler COM API
Tags: persistence

Uses Volume Shadow Copy WMI provider
Tags: ransomware

Uses Volume Shadow Copy service COM API
Tags: ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\d4f6ff430554f03ff243cb3411ada820_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\d4f6ff430554f03ff243cb3411ada820_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Local\Temp\3CBB.tmp

"C:\Users\Admin\AppData\Local\Temp\3CBB.tmp" --pingC:\Users\Admin\AppData\Local\Temp\d4f6ff430554f03ff243cb3411ada820_NeikiAnalytics.exe A44DAEB391A26577C7AFBA8863DC8BE6C5774FBCF8D6453F6F6DEA1E36D26C1B20E5FA172F8A75D2580DE9FD0C878C0ACD6CBC054A11C155488546E3C1A7B081

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\d4f6ff430554f03ff243cb3411ada820_NeikiAnalytics.docx" /o ""

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.89.109.52.in-addr.arpa | udp
US | 8.8.8.8:53 | roaming.officeapps.live.com | udp
NL | 52.109.89.19:443 | roaming.officeapps.live.com | tcp
US | 8.8.8.8:53 | 19.89.109.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
NL | 23.62.61.168:443 | www.bing.com | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 168.61.62.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp

Files

C:\Users\Admin\AppData\Local\Temp\3CBB.tmp

MD5 bea7f9e41539ea1c4fabbb4fac125893
SHA1 2250afb99b4121e512120f7c38842ec3bdeb2af1
SHA256 43bfa800ef215b43f77fe340b50840762d5a05527989883552cfc5f2784a9779
SHA512 3e8e8420e997fc9b17164f891764ebaec1f49e3dbf70cfabb1a944ce7046b4fa1ddc064329c7da10f0d189ce82705f40a345696728109d6ecd969fa7fb22c47d

C:\Users\Admin\AppData\Local\Temp\d4f6ff430554f03ff243cb3411ada820_NeikiAnalytics.docx

MD5 7079891932a64f097abafd233055a1e9
SHA1 246d95feafe67689d49a5a4cadba18d3ac1914e5
SHA256 c97189b50e5e92be09966d4732b6d61a2e435b2935d60c09989e555ae442e7a1
SHA512 6e9ee6427d7cc2474dc634b088cf3f35d06dfb734d2b63fbbc794f4083b4b5754379daff4804bf5024b1b430aa5e50fa6d839d3473ceeed3043d373c85e9862a
