Analysis

  • max time kernel
    142s
  • max time network
    101s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21-05-2024 13:47

General

  • Target

    58c19437787d235fc1006177ba11157a134ce102f919fd96ec2449b27282d644_NeikiAnalytics.exe

  • Size

    425KB

  • MD5

    8bd52990104ee8b452b30509a54de250

  • SHA1

    37f7509b541a6c804cf94ef2203f79a82e4c5479

  • SHA256

    58c19437787d235fc1006177ba11157a134ce102f919fd96ec2449b27282d644

  • SHA512

    0e896fd6aa1b7e0795e4f78a73d716ca63970f326d8625e8842b1c6a864455828eb9981869d65b0801c6c5a12bd8bc1e96da8468383dfd0076f7c24f227672a2

  • SSDEEP

    12288:aJkNYZiPEdqbCjh5Wc1+Lj1f1C+ffZMcQUZn2qhg2kD44zzrGEPVQ:aJkNYcux5Wc1+Lj1f1C+ffZMcQUZn2qv

Score
10/10

Malware Config

Signatures

  • Malware Dropper & Backdoor - Berbew 1 IoCs

    Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Program crash 7 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\58c19437787d235fc1006177ba11157a134ce102f919fd96ec2449b27282d644_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\58c19437787d235fc1006177ba11157a134ce102f919fd96ec2449b27282d644_NeikiAnalytics.exe"
    1⤵
    • Suspicious behavior: RenamesItself
    • Suspicious use of WriteProcessMemory
    PID:692
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 692 -s 384
      2⤵
      • Program crash
      PID:3856
    • C:\Users\Admin\AppData\Local\Temp\58c19437787d235fc1006177ba11157a134ce102f919fd96ec2449b27282d644_NeikiAnalytics.exe
      C:\Users\Admin\AppData\Local\Temp\58c19437787d235fc1006177ba11157a134ce102f919fd96ec2449b27282d644_NeikiAnalytics.exe
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Suspicious use of UnmapMainImage
      PID:2884
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2884 -s 352
        3⤵
        • Program crash
        PID:2472
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2884 -s 768
        3⤵
        • Program crash
        PID:1684
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2884 -s 788
        3⤵
        • Program crash
        PID:4884
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2884 -s 808
        3⤵
        • Program crash
        PID:4540
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2884 -s 776
        3⤵
        • Program crash
        PID:1608
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2884 -s 772
        3⤵
        • Program crash
        PID:5056
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 692 -ip 692
    1⤵
      PID:4768
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2884 -ip 2884
      1⤵
        PID:1212
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2884 -ip 2884
        1⤵
          PID:2848
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2884 -ip 2884
          1⤵
            PID:3464
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 2884 -ip 2884
            1⤵
              PID:1960
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 2884 -ip 2884
              1⤵
                PID:2404
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 2884 -ip 2884
                1⤵
                  PID:4992

                Network

                MITRE ATT&CK Matrix

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Users\Admin\AppData\Local\Temp\58c19437787d235fc1006177ba11157a134ce102f919fd96ec2449b27282d644_NeikiAnalytics.exe

                  Filesize

                  425KB

                  MD5

                  a2604a2439f1b70bf8ff0a8dc4cab1fa

                  SHA1

                  dc352fb077ff6755b62f127e0452984eb2492500

                  SHA256

                  bc65c99a57de491496ffe71b47afe9314961129182160d9c7d921486a283ebc1

                  SHA512

                  ece44a0819ec89ad13a0f19cd7c002f58d7227e2d0a94c8984a9f01951bc8bd60112a525bd22f829038dc544f031d054eff7c31831d58dbe72c88602d7f866b8

                • memory/692-0-0x0000000000400000-0x0000000000433000-memory.dmp

                  Filesize

                  204KB

                • memory/692-7-0x0000000000400000-0x0000000000433000-memory.dmp

                  Filesize

                  204KB

                • memory/2884-8-0x0000000000400000-0x0000000000433000-memory.dmp

                  Filesize

                  204KB

                • memory/2884-9-0x0000000000400000-0x0000000000415000-memory.dmp

                  Filesize

                  84KB

                • memory/2884-14-0x00000000014E0000-0x0000000001513000-memory.dmp

                  Filesize

                  204KB