Analysis
max time kernel: 142s
max time network: 101s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21-05-2024 13:47

Behavioral task: behavioral1
Sample: 58c19437787d235fc1006177ba11157a134ce102f919fd96ec2449b27282d644_NeikiAnalytics.exe
Resource: win7-20240221-en

General
Target: 58c19437787d235fc1006177ba11157a134ce102f919fd96ec2449b27282d644_NeikiAnalytics.exe
Size: 425KB
MD5: 8bd52990104ee8b452b30509a54de250
SHA1: 37f7509b541a6c804cf94ef2203f79a82e4c5479
SHA256: 58c19437787d235fc1006177ba11157a134ce102f919fd96ec2449b27282d644
SHA512: 0e896fd6aa1b7e0795e4f78a73d716ca63970f326d8625e8842b1c6a864455828eb9981869d65b0801c6c5a12bd8bc1e96da8468383dfd0076f7c24f227672a2
SSDEEP: 12288:aJkNYZiPEdqbCjh5Wc1+Lj1f1C+ffZMcQUZn2qhg2kD44zzrGEPVQ:aJkNYcux5Wc1+Lj1f1C+ffZMcQUZn2qv
Malware Config
Signatures

- Malware Dropper & Backdoor - Berbew (1 IoC)
  Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
  resource: behavioral2/files/0x000d000000023428-5.dat
  yara_rule: family_berbew

- Deletes itself (1 IoC)
  pid: 2884
  Process: 58c19437787d235fc1006177ba11157a134ce102f919fd96ec2449b27282d644_NeikiAnalytics.exe

- Executes dropped EXE (1 IoC)
  pid: 2884
  Process: 58c19437787d235fc1006177ba11157a134ce102f919fd96ec2449b27282d644_NeikiAnalytics.exe

- Program crash (7 IoCs)
  pid   pid_target  Process       procid_target
  3856  692         WerFault.exe  82
  2472  2884        WerFault.exe  89
  1684  2884        WerFault.exe  89
  4884  2884        WerFault.exe  89
  4540  2884        WerFault.exe  89
  1608  2884        WerFault.exe  89
  5056  2884        WerFault.exe  89

- Suspicious behavior: RenamesItself (1 IoC)
  pid: 692
  Process: 58c19437787d235fc1006177ba11157a134ce102f919fd96ec2449b27282d644_NeikiAnalytics.exe

- Suspicious use of UnmapMainImage (1 IoC)
  pid: 2884
  Process: 58c19437787d235fc1006177ba11157a134ce102f919fd96ec2449b27282d644_NeikiAnalytics.exe

- Suspicious use of WriteProcessMemory (3 IoCs)
  description                        pid  Process                                                                                 procid_target
  PID 692 wrote to memory of 2884    692  58c19437787d235fc1006177ba11157a134ce102f919fd96ec2449b27282d644_NeikiAnalytics.exe  89
  PID 692 wrote to memory of 2884    692  58c19437787d235fc1006177ba11157a134ce102f919fd96ec2449b27282d644_NeikiAnalytics.exe  89
  PID 692 wrote to memory of 2884    692  58c19437787d235fc1006177ba11157a134ce102f919fd96ec2449b27282d644_NeikiAnalytics.exe  89
Processes

- C:\Users\Admin\AppData\Local\Temp\58c19437787d235fc1006177ba11157a134ce102f919fd96ec2449b27282d644_NeikiAnalytics.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\58c19437787d235fc1006177ba11157a134ce102f919fd96ec2449b27282d644_NeikiAnalytics.exe"
  PID: 692
  Signatures: Suspicious behavior: RenamesItself; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 692 -s 384
    PID: 3856
    Signatures: Program crash
  - C:\Users\Admin\AppData\Local\Temp\58c19437787d235fc1006177ba11157a134ce102f919fd96ec2449b27282d644_NeikiAnalytics.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\58c19437787d235fc1006177ba11157a134ce102f919fd96ec2449b27282d644_NeikiAnalytics.exe
    PID: 2884
    Signatures: Deletes itself; Executes dropped EXE; Suspicious use of UnmapMainImage
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2884 -s 352
      PID: 2472
      Signatures: Program crash
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2884 -s 768
      PID: 1684
      Signatures: Program crash
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2884 -s 788
      PID: 4884
      Signatures: Program crash
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2884 -s 808
      PID: 4540
      Signatures: Program crash
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2884 -s 776
      PID: 1608
      Signatures: Program crash
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2884 -s 772
      PID: 5056
      Signatures: Program crash

- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 692 -ip 692
  PID: 4768

- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2884 -ip 2884
  PID: 1212

- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2884 -ip 2884
  PID: 2848

- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2884 -ip 2884
  PID: 3464

- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 2884 -ip 2884
  PID: 1960

- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 2884 -ip 2884
  PID: 2404

- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 2884 -ip 2884
  PID: 4992
Network
MITRE ATT&CK Matrix
Downloads

- C:\Users\Admin\AppData\Local\Temp\58c19437787d235fc1006177ba11157a134ce102f919fd96ec2449b27282d644_NeikiAnalytics.exe
  Filesize: 425KB
  MD5: a2604a2439f1b70bf8ff0a8dc4cab1fa
  SHA1: dc352fb077ff6755b62f127e0452984eb2492500
  SHA256: bc65c99a57de491496ffe71b47afe9314961129182160d9c7d921486a283ebc1
  SHA512: ece44a0819ec89ad13a0f19cd7c002f58d7227e2d0a94c8984a9f01951bc8bd60112a525bd22f829038dc544f031d054eff7c31831d58dbe72c88602d7f866b8