Analysis

- max time kernel: 119s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 22-05-2024 03:52
Behavioral task: behavioral1

- Sample: 181db888bf33cca99f4476e9a2f8ac90_NeikiAnalytics.exe
- Resource: win7-20240221-en
General

- Target: 181db888bf33cca99f4476e9a2f8ac90_NeikiAnalytics.exe
- Size: 1004KB
- MD5: 181db888bf33cca99f4476e9a2f8ac90
- SHA1: ec2dc6567b58c88136367bdaf33b24416cd8e6c6
- SHA256: d6f0f1b879263af9ec2a63733a0cff9994203a7cdc994e193749f4238d4c0a0e
- SHA512: 4e0aacf01697cd667c656c3e1eee12f88c7a172ac3bdd7460303e4cbfab69f0c9218ae364514c8c48d442b5a009f314a8bd5e519cf396269e57891c7767dd106
- SSDEEP: 24576:bozoTIZag459tan13wabhma/ZSCBHn677:koTd9tU13wQmgVBHn6
Malware Config
Signatures
- Malware Dropper & Backdoor - Berbew (1 IoCs)
  Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
  resource: behavioral1/files/0x000c00000001444f-4.dat, yara_rule: family_berbew
- Deletes itself (1 IoCs)
  pid: 2992, Process: 181db888bf33cca99f4476e9a2f8ac90_NeikiAnalytics.exe
- Executes dropped EXE (1 IoCs)
  pid: 2992, Process: 181db888bf33cca99f4476e9a2f8ac90_NeikiAnalytics.exe
- Loads dropped DLL (1 IoCs)
  pid: 2972, Process: 181db888bf33cca99f4476e9a2f8ac90_NeikiAnalytics.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 2 IoCs)
  flow: 4, ioc: pastebin.com
  flow: 3, ioc: pastebin.com
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  pid: 2992, Process: 181db888bf33cca99f4476e9a2f8ac90_NeikiAnalytics.exe
- Suspicious behavior: RenamesItself (1 IoCs)
  pid: 2972, Process: 181db888bf33cca99f4476e9a2f8ac90_NeikiAnalytics.exe
- Suspicious use of UnmapMainImage (1 IoCs)
  pid: 2992, Process: 181db888bf33cca99f4476e9a2f8ac90_NeikiAnalytics.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  description: PID 2972 wrote to memory of 2992, pid: 2972, Process: 181db888bf33cca99f4476e9a2f8ac90_NeikiAnalytics.exe, procid_target: 29
  description: PID 2972 wrote to memory of 2992, pid: 2972, Process: 181db888bf33cca99f4476e9a2f8ac90_NeikiAnalytics.exe, procid_target: 29
  description: PID 2972 wrote to memory of 2992, pid: 2972, Process: 181db888bf33cca99f4476e9a2f8ac90_NeikiAnalytics.exe, procid_target: 29
  description: PID 2972 wrote to memory of 2992, pid: 2972, Process: 181db888bf33cca99f4476e9a2f8ac90_NeikiAnalytics.exe, procid_target: 29
Processes

- C:\Users\Admin\AppData\Local\Temp\181db888bf33cca99f4476e9a2f8ac90_NeikiAnalytics.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\181db888bf33cca99f4476e9a2f8ac90_NeikiAnalytics.exe"
  PID: 2972
  - Loads dropped DLL
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\181db888bf33cca99f4476e9a2f8ac90_NeikiAnalytics.exe (depth 2, child of the process above)
    Command line: C:\Users\Admin\AppData\Local\Temp\181db888bf33cca99f4476e9a2f8ac90_NeikiAnalytics.exe
    PID: 2992
    - Deletes itself
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of UnmapMainImage
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 1004KB
  MD5: 7054b1c5132afed23be11ea430e01cff
  SHA1: 4168e7ae32ae7d3b69881f7a325abcbf7c906498
  SHA256: 08a62ddf6feeb352a28ac580f53ddde66b823af0c3ab0a2c8202e97095723c72
  SHA512: 75239298a961583e12560ed54183d5680903e58d694af2d9702a5ab4445cdb4aea2777accc914aab1d76b493f1bb1c8294677e7ec06b6df859ec16718241ef74