Analysis
-
max time kernel
120s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system -
submitted
21-05-2024 13:47
Behavioral task
behavioral1
Sample
58c19437787d235fc1006177ba11157a134ce102f919fd96ec2449b27282d644_NeikiAnalytics.exe
Resource
win7-20240221-en
General
-
Target
58c19437787d235fc1006177ba11157a134ce102f919fd96ec2449b27282d644_NeikiAnalytics.exe
-
Size
425KB
-
MD5
8bd52990104ee8b452b30509a54de250
-
SHA1
37f7509b541a6c804cf94ef2203f79a82e4c5479
-
SHA256
58c19437787d235fc1006177ba11157a134ce102f919fd96ec2449b27282d644
-
SHA512
0e896fd6aa1b7e0795e4f78a73d716ca63970f326d8625e8842b1c6a864455828eb9981869d65b0801c6c5a12bd8bc1e96da8468383dfd0076f7c24f227672a2
-
SSDEEP
12288:aJkNYZiPEdqbCjh5Wc1+Lj1f1C+ffZMcQUZn2qhg2kD44zzrGEPVQ:aJkNYcux5Wc1+Lj1f1C+ffZMcQUZn2qv
Malware Config
Signatures
-
Malware Dropper & Backdoor - Berbew 1 IoCs
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
resource                                     yara_rule
behavioral1/files/0x000f000000012334-4.dat   family_berbew
-
Deletes itself 1 IoCs
pid    Process
2660   58c19437787d235fc1006177ba11157a134ce102f919fd96ec2449b27282d644_NeikiAnalytics.exe
-
Executes dropped EXE 1 IoCs
pid    Process
2660   58c19437787d235fc1006177ba11157a134ce102f919fd96ec2449b27282d644_NeikiAnalytics.exe
-
Loads dropped DLL 1 IoCs
pid    Process
2220   58c19437787d235fc1006177ba11157a134ce102f919fd96ec2449b27282d644_NeikiAnalytics.exe
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid    Process
2660   58c19437787d235fc1006177ba11157a134ce102f919fd96ec2449b27282d644_NeikiAnalytics.exe
-
Suspicious behavior: RenamesItself 1 IoCs
pid    Process
2220   58c19437787d235fc1006177ba11157a134ce102f919fd96ec2449b27282d644_NeikiAnalytics.exe
-
Suspicious use of UnmapMainImage 1 IoCs
pid    Process
2660   58c19437787d235fc1006177ba11157a134ce102f919fd96ec2449b27282d644_NeikiAnalytics.exe
-
Suspicious use of WriteProcessMemory 4 IoCs
description                        pid    Process                                                                                 procid_target
PID 2220 wrote to memory of 2660   2220   58c19437787d235fc1006177ba11157a134ce102f919fd96ec2449b27282d644_NeikiAnalytics.exe   28
PID 2220 wrote to memory of 2660   2220   58c19437787d235fc1006177ba11157a134ce102f919fd96ec2449b27282d644_NeikiAnalytics.exe   28
PID 2220 wrote to memory of 2660   2220   58c19437787d235fc1006177ba11157a134ce102f919fd96ec2449b27282d644_NeikiAnalytics.exe   28
PID 2220 wrote to memory of 2660   2220   58c19437787d235fc1006177ba11157a134ce102f919fd96ec2449b27282d644_NeikiAnalytics.exe   28
Processes
-
C:\Users\Admin\AppData\Local\Temp\58c19437787d235fc1006177ba11157a134ce102f919fd96ec2449b27282d644_NeikiAnalytics.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\58c19437787d235fc1006177ba11157a134ce102f919fd96ec2449b27282d644_NeikiAnalytics.exe"  (depth 1)
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2220 -
  C:\Users\Admin\AppData\Local\Temp\58c19437787d235fc1006177ba11157a134ce102f919fd96ec2449b27282d644_NeikiAnalytics.exe
    command line: C:\Users\Admin\AppData\Local\Temp\58c19437787d235fc1006177ba11157a134ce102f919fd96ec2449b27282d644_NeikiAnalytics.exe  (depth 2, child of PID 2220)
- Deletes itself
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of UnmapMainImage
PID:2660
-
Network
MITRE ATT&CK Matrix
Downloads
-
\Users\Admin\AppData\Local\Temp\58c19437787d235fc1006177ba11157a134ce102f919fd96ec2449b27282d644_NeikiAnalytics.exe
Filesize  425KB
MD5       05dfb95eae366404ff3a9ee60472e6e9
SHA1      74c1611473f755f959fa1b20c5b365e144d106c1
SHA256    05ba8a1deae7fa117cd898a6e6d3de16e110b1b0e132a796a09a759e19f1cdda
SHA512    9712493e65352bce94e232b8ca7ef1b5defb006a9f85edd3b2543d52497c25c7c86f206bb1c6da6913d0197a0ab7fff2067698fd4260e1205a35e0ab2c1b10ba
Note: this file sits at the same path as the submitted sample but carries different hashes (submitted MD5 8bd52990104ee8b452b30509a54de250, SHA256 58c19437787d235fc1006177ba11157a134ce102f919fd96ec2449b27282d644). Together with the RenamesItself, Deletes itself and Executes dropped EXE signatures, this is consistent with the sample replacing its own binary on disk before the child process (PID 2660) ran from that path. Hunt on both hash sets, not only the submitted one.
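The process tree and the Downloads entry above describe a dropper that spawns a second copy of itself from its own path after the file on disk has been swapped for a differently-hashed payload. The following is an added example, not part of the sandbox report, of how a detection engineer could express that pattern over Sysmon-style process-creation records and cross-check observed hashes against the two SHA-256 values the report publishes. The PIDs 2220/2660, the image path and both SHA-256 hashes are copied from the report; the explorer/svchost records, their PIDs and their placeholder hashes are constructed filler, and the assumption that PID 2660 executed the file whose hashes appear under Downloads follows from the Executes dropped EXE signature, not from a field in the report.

```python
"""Added example (not from the sandbox report): flag a process that spawns a
copy of itself from the same image path when the on-disk hash has changed
(rename-and-replace dropper pattern), and look each observed hash up against
the two SHA-256 values the report publishes.

PIDs 2220/2660, the image path and the two SHA-256 values are taken from the
report; all other records below are constructed filler for this example."""
from dataclasses import dataclass
from typing import Dict, List

# From the report: the submitted sample, and the file with new hashes that
# is found at the same path after the sample renames/deletes itself.
SUBMITTED_SHA256 = "58c19437787d235fc1006177ba11157a134ce102f919fd96ec2449b27282d644"
DROPPED_SHA256 = "05ba8a1deae7fa117cd898a6e6d3de16e110b1b0e132a796a09a759e19f1cdda"
REPORT_IOCS: Dict[str, str] = {
    SUBMITTED_SHA256: "submitted Berbew sample",
    DROPPED_SHA256: "file written over the sample's own path",
}
SAMPLE_PATH = (r"C:\Users\Admin\AppData\Local\Temp"
               r"\58c19437787d235fc1006177ba11157a134ce102f919fd96ec2449b27282d644_NeikiAnalytics.exe")


@dataclass(frozen=True)
class ProcEvent:
    """Subset of a Sysmon Event ID 1 (process create) record."""
    pid: int
    ppid: int
    image: str      # Image field: path of the executed file
    sha256: str     # SHA-256 taken from the Hashes field


@dataclass(frozen=True)
class Finding:
    parent_pid: int
    child_pid: int
    image: str
    parent_sha256: str
    child_sha256: str


def _norm_path(path: str) -> str:
    # Windows paths are case-insensitive; drop quoting copied from a command line.
    return path.strip('"').lower()


def find_self_replacing_spawns(events: List[ProcEvent]) -> List[Finding]:
    """Return parent/child pairs where the child runs from the parent's own image
    path but the file hash differs between the two records. A process that
    re-executes an unchanged binary (service restarts, browser helper processes)
    is skipped, so ordinary self-spawns do not fire the rule."""
    by_pid = {e.pid: e for e in events}  # assumes no PID reuse inside the window
    findings: List[Finding] = []
    for child in events:
        parent = by_pid.get(child.ppid)
        if parent is None:
            continue
        if _norm_path(parent.image) != _norm_path(child.image):
            continue
        if parent.sha256.lower() == child.sha256.lower():
            continue
        findings.append(Finding(parent.pid, child.pid, child.image,
                                parent.sha256.lower(), child.sha256.lower()))
    return findings


def ioc_hits(events: List[ProcEvent]) -> Dict[int, str]:
    """Map PID -> IoC label for every process whose image hash is in the report."""
    return {e.pid: REPORT_IOCS[e.sha256.lower()]
            for e in events if e.sha256.lower() in REPORT_IOCS}


# Constructed event log. The 2220 -> 2660 pair mirrors the report's process tree
# (2660 assumed to run the dropped file, per "Executes dropped EXE"); the
# explorer/svchost entries are invented filler with placeholder hashes.
SAMPLE_EVENTS = [
    ProcEvent(1000, 800, r"C:\Windows\explorer.exe", "b" * 64),
    ProcEvent(2220, 1000, SAMPLE_PATH, SUBMITTED_SHA256),
    ProcEvent(3100, 800, r"C:\Windows\System32\svchost.exe", "a" * 64),
    ProcEvent(3104, 3100, r"C:\Windows\System32\svchost.exe", "a" * 64),  # benign self-spawn
    ProcEvent(2660, 2220, SAMPLE_PATH, DROPPED_SHA256),
]

if __name__ == "__main__":
    for f in find_self_replacing_spawns(SAMPLE_EVENTS):
        print(f"self-replacing spawn: {f.parent_pid} -> {f.child_pid} {f.image}")
        print(f"  parent sha256 {f.parent_sha256}\n  child  sha256 {f.child_sha256}")
    for pid, label in sorted(ioc_hits(SAMPLE_EVENTS).items()):
        print(f"IoC hit: pid {pid}: {label}")
```

The hash-mismatch condition is what separates this dropper from the many legitimate programs that re-launch themselves; the benign svchost pair in the constructed log is there to show the rule staying quiet on an unchanged binary. On a real endpoint the same logic needs a time window and PID-reuse handling, which the constructed log does not exercise.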