Analysis

max time kernel: 141s
max time network: 105s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240508-en locale:en-us os:windows10-2004-x64 system
submitted: 21-05-2024 19:09
Behavioral task: behavioral1
Sample: 02b7e3d1ca9a0bcde2819eb4af348270_NeikiAnalytics.exe
Resource: win7-20240221-en
General

Target: 02b7e3d1ca9a0bcde2819eb4af348270_NeikiAnalytics.exe
Size: 425KB
MD5: 02b7e3d1ca9a0bcde2819eb4af348270
SHA1: c768232dc558a3d2ce6f432da6ccfd985e42bdc3
SHA256: 041fee05837018829d6a95df247c52e733f2f8d93a304e0d4e118b67bc0df112
SHA512: e392384f200107345d9edfb210b67275187d747d9277dd56473d8406b303aacdc7e7995e934ce9a79fdc890912350f6d3bf2a7166e067ef17d694577ceb21304
SSDEEP: 12288:rT0kEd8CZtGbvJWc1+Lj1f1C+ffZMcQUZn2qhg2kD44zzrGEPVQ:8kEd9Z+RWc1+Lj1f1C+ffZMcQUZn2qhJ
Malware Config

Signatures

Malware Dropper & Backdoor - Berbew (1 IoC)
Berbew is a backdoor Trojan with the ability to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
resource: behavioral2/files/0x000a000000023432-5.dat    yara_rule: family_berbew

Deletes itself (1 IoC)
pid 4388    02b7e3d1ca9a0bcde2819eb4af348270_NeikiAnalytics.exe

Executes dropped EXE (1 IoC)
pid 4388    02b7e3d1ca9a0bcde2819eb4af348270_NeikiAnalytics.exe

Program crash (7 IoCs)
pid     pid_target  Process       procid_target
3192    2916        WerFault.exe  81
4076    4388        WerFault.exe  88
464     4388        WerFault.exe  88
4540    4388        WerFault.exe  88
4892    4388        WerFault.exe  88
4820    4388        WerFault.exe  88
5068    4388        WerFault.exe  88

Suspicious behavior: RenamesItself (1 IoC)
pid 2916    02b7e3d1ca9a0bcde2819eb4af348270_NeikiAnalytics.exe

Suspicious use of UnmapMainImage (1 IoC)
pid 4388    02b7e3d1ca9a0bcde2819eb4af348270_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory (3 IoCs)
description                          pid     Process                                                 procid_target
PID 2916 wrote to memory of 4388     2916    02b7e3d1ca9a0bcde2819eb4af348270_NeikiAnalytics.exe    88
PID 2916 wrote to memory of 4388     2916    02b7e3d1ca9a0bcde2819eb4af348270_NeikiAnalytics.exe    88
PID 2916 wrote to memory of 4388     2916    02b7e3d1ca9a0bcde2819eb4af348270_NeikiAnalytics.exe    88
Processes

PID 2916  "C:\Users\Admin\AppData\Local\Temp\02b7e3d1ca9a0bcde2819eb4af348270_NeikiAnalytics.exe"
    - Suspicious behavior: RenamesItself
    - Suspicious use of WriteProcessMemory
    PID 3192  C:\Windows\SysWOW64\WerFault.exe -u -p 2916 -s 384
        - Program crash
    PID 4388  C:\Users\Admin\AppData\Local\Temp\02b7e3d1ca9a0bcde2819eb4af348270_NeikiAnalytics.exe
        - Deletes itself
        - Executes dropped EXE
        - Suspicious use of UnmapMainImage
        PID 4076  C:\Windows\SysWOW64\WerFault.exe -u -p 4388 -s 352
            - Program crash
        PID 464   C:\Windows\SysWOW64\WerFault.exe -u -p 4388 -s 768
            - Program crash
        PID 4540  C:\Windows\SysWOW64\WerFault.exe -u -p 4388 -s 808
            - Program crash
        PID 4892  C:\Windows\SysWOW64\WerFault.exe -u -p 4388 -s 816
            - Program crash
        PID 4820  C:\Windows\SysWOW64\WerFault.exe -u -p 4388 -s 776
            - Program crash
        PID 5068  C:\Windows\SysWOW64\WerFault.exe -u -p 4388 -s 828
            - Program crash
PID 2308  C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2916 -ip 2916
PID 5096  C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4388 -ip 4388
PID 3312  C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4388 -ip 4388
PID 4056  C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4388 -ip 4388
PID 4052  C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4388 -ip 4388
PID 2712  C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4388 -ip 4388
PID 3636  C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4388 -ip 4388
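The process tree above, rebuilt as a detection exercise. This is an added example, not part of the sandbox report or its tooling. It works over process-creation records constructed from the PIDs and command lines shown in the Processes section (the pid/ppid/image/cmdline fields are an assumed schema, roughly what a Sysmon event 1 or a sandbox export gives you). It parses the WerFault.exe command lines to recover the "Program crash" rows (a `-u -p <pid> -s <n>` invocation is the user-mode crash report for <pid>; `-pss -s <n> -p <pid> -ip <pid>` is the snapshot helper; the `-s` value is handle plumbing and is ignored), counts how many times each target PID faulted, and flags the parent/child pair in which the dropper relaunches its own image path, which is the step behind the RenamesItself / Executes dropped EXE / Deletes itself signatures.

```python
import re
from collections import Counter, defaultdict

# Records constructed from the Processes section of this report (same PIDs and
# command lines). The field names pid/ppid/image/cmdline are an assumed schema.
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\02b7e3d1ca9a0bcde2819eb4af348270_NeikiAnalytics.exe")
WERFAULT = r"C:\Windows\SysWOW64\WerFault.exe"


def _ev(pid, ppid, image, cmdline):
    return {"pid": pid, "ppid": ppid, "image": image, "cmdline": cmdline}


PROCESS_EVENTS = [
    _ev(2916, None, SAMPLE, f'"{SAMPLE}"'),
    _ev(3192, 2916, WERFAULT, f"{WERFAULT} -u -p 2916 -s 384"),
    _ev(4388, 2916, SAMPLE, SAMPLE),
    _ev(4076, 4388, WERFAULT, f"{WERFAULT} -u -p 4388 -s 352"),
    _ev(464, 4388, WERFAULT, f"{WERFAULT} -u -p 4388 -s 768"),
    _ev(4540, 4388, WERFAULT, f"{WERFAULT} -u -p 4388 -s 808"),
    _ev(4892, 4388, WERFAULT, f"{WERFAULT} -u -p 4388 -s 816"),
    _ev(4820, 4388, WERFAULT, f"{WERFAULT} -u -p 4388 -s 776"),
    _ev(5068, 4388, WERFAULT, f"{WERFAULT} -u -p 4388 -s 828"),
    # The snapshot helpers are top-level in the report (no parent shown).
    _ev(2308, None, WERFAULT, f"{WERFAULT} -pss -s 404 -p 2916 -ip 2916"),
    _ev(5096, None, WERFAULT, f"{WERFAULT} -pss -s 520 -p 4388 -ip 4388"),
    _ev(3312, None, WERFAULT, f"{WERFAULT} -pss -s 524 -p 4388 -ip 4388"),
    _ev(4056, None, WERFAULT, f"{WERFAULT} -pss -s 536 -p 4388 -ip 4388"),
    _ev(4052, None, WERFAULT, f"{WERFAULT} -pss -s 524 -p 4388 -ip 4388"),
    _ev(2712, None, WERFAULT, f"{WERFAULT} -pss -s 524 -p 4388 -ip 4388"),
    _ev(3636, None, WERFAULT, f"{WERFAULT} -pss -s 468 -p 4388 -ip 4388"),
]


def werfault_target(cmdline):
    """Classify a WerFault.exe command line.

    Returns ("crash", pid) for a user-mode crash report (-u -p <pid> -s <n>),
    ("snapshot", pid) for the process-snapshot helper (-pss -s <n> -p <pid> -ip <pid>),
    or None if this is not a WerFault invocation carrying a target PID.
    """
    if not re.search(r"(?:^|\\)werfault\.exe\b", cmdline, re.IGNORECASE):
        return None
    flags = cmdline.split()
    try:
        pid = int(flags[flags.index("-p") + 1])   # value after -p; -s is ignored
    except (ValueError, IndexError):
        return None
    if "-u" in flags:
        return ("crash", pid)
    if "-pss" in flags:
        return ("snapshot", pid)
    return None


def program_crashes(events):
    """Rebuild the report's 'Program crash' rows as (WerFault pid, crashed pid)."""
    rows = []
    for ev in events:
        hit = werfault_target(ev["cmdline"])
        if hit and hit[0] == "crash":
            rows.append((ev["pid"], hit[1]))
    return rows


def crashes_per_target(events):
    """Crash reports per target PID; more than one means the process faulted
    repeatedly before it finally exited."""
    return Counter(target for _, target in program_crashes(events))


def self_relaunch(events):
    """(parent, child) pairs where the child runs the same image path as its parent.
    With RenamesItself on the parent and Deletes itself on the child, this is the
    replace-and-relaunch step the Signatures section flags."""
    by_pid = {ev["pid"]: ev for ev in events}
    pairs = []
    for ev in events:
        parent = by_pid.get(ev["ppid"])
        if parent is not None and parent["image"].lower() == ev["image"].lower():
            pairs.append((parent["pid"], ev["pid"]))
    return pairs


def render_tree(events):
    """Indented process tree, roots first, in the order the records arrived."""
    children = defaultdict(list)
    for ev in events:
        children[ev["ppid"]].append(ev)
    lines = []

    def walk(ppid, depth):
        for ev in children.get(ppid, []):
            lines.append("    " * depth + f"PID {ev['pid']}  {ev['cmdline']}")
            walk(ev["pid"], depth + 1)

    walk(None, 0)
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_tree(PROCESS_EVENTS))
    print("program crash rows:", program_crashes(PROCESS_EVENTS))
    print("crash reports per target:", dict(crashes_per_target(PROCESS_EVENTS)))
    print("self-relaunch pairs:", self_relaunch(PROCESS_EVENTS))
```

Run against these records it yields the same seven crash rows as the report, one report for PID 2916 and six for PID 4388, and the single pair (2916, 4388). Matching on image path rather than on file hash is deliberate: the Downloads section shows the file on disk has different hashes from the submitted sample, so a hash-keyed rule would miss the relaunch.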
Network
MITRE ATT&CK Matrix
Downloads

Filesize: 425KB
MD5: 0089420bf317d84842a6661201176414
SHA1: b18d950c01847439b5fbf1f2d88796ebf9827671
SHA256: 21bb1e61db287dfd90e35b410979df7429185065b338c8d8d637be0bc0bf2830
SHA512: d597b43a86558486f17b6d56dadb0a08ee656ed4d3ec106d4e834ee4b6c9961c8fca170fb519adaeb1e59e47f72d05a499b7fbda534397081b4869db7cdbae80

This dropped file is the same size as the submitted sample but its hashes differ, so the copy written to disk is not byte-identical to the original; pivot on the image path or the family_berbew YARA hit rather than on the submitted sample's hashes.