Analysis
- max time kernel: 131s
- max time network: 131s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 22-05-2024 03:52
Behavioral task: behavioral1
- Sample: 181db888bf33cca99f4476e9a2f8ac90_NeikiAnalytics.exe
- Resource: win7-20240221-en
General
- Target: 181db888bf33cca99f4476e9a2f8ac90_NeikiAnalytics.exe
- Size: 1004KB
- MD5: 181db888bf33cca99f4476e9a2f8ac90
- SHA1: ec2dc6567b58c88136367bdaf33b24416cd8e6c6
- SHA256: d6f0f1b879263af9ec2a63733a0cff9994203a7cdc994e193749f4238d4c0a0e
- SHA512: 4e0aacf01697cd667c656c3e1eee12f88c7a172ac3bdd7460303e4cbfab69f0c9218ae364514c8c48d442b5a009f314a8bd5e519cf396269e57891c7767dd106
- SSDEEP: 24576:bozoTIZag459tan13wabhma/ZSCBHn677:koTd9tU13wQmgVBHn6
Malware Config

Signatures
- Malware Dropper & Backdoor - Berbew (1 IoCs)
  Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
  resource                                    yara_rule
  behavioral2/files/0x000a000000023466-6.dat  family_berbew
- Deletes itself (1 IoCs)
  pid   Process
  1508  181db888bf33cca99f4476e9a2f8ac90_NeikiAnalytics.exe
- Executes dropped EXE (1 IoCs)
  pid   Process
  1508  181db888bf33cca99f4476e9a2f8ac90_NeikiAnalytics.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 2 IoCs)
  flow  ioc
  16    pastebin.com
  17    pastebin.com
- Program crash (15 IoCs)
  pid   pid_target  Process       procid_target
  832   2112        WerFault.exe  82
  2812  1508        WerFault.exe  88
  2696  1508        WerFault.exe  88
  4980  1508        WerFault.exe  88
  1720  1508        WerFault.exe  88
  1624  1508        WerFault.exe  88
  3660  1508        WerFault.exe  88
  2280  1508        WerFault.exe  88
  4908  1508        WerFault.exe  88
  3068  1508        WerFault.exe  88
  3116  1508        WerFault.exe  88
  2344  1508        WerFault.exe  88
  4596  1508        WerFault.exe  88
  4960  1508        WerFault.exe  88
  4620  1508        WerFault.exe  88
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid   Process
  1508  181db888bf33cca99f4476e9a2f8ac90_NeikiAnalytics.exe
  1508  181db888bf33cca99f4476e9a2f8ac90_NeikiAnalytics.exe
- Suspicious behavior: RenamesItself (1 IoCs)
  pid   Process
  2112  181db888bf33cca99f4476e9a2f8ac90_NeikiAnalytics.exe
- Suspicious use of UnmapMainImage (1 IoCs)
  pid   Process
  1508  181db888bf33cca99f4476e9a2f8ac90_NeikiAnalytics.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  description                       pid   Process                                               procid_target
  PID 2112 wrote to memory of 1508  2112  181db888bf33cca99f4476e9a2f8ac90_NeikiAnalytics.exe  88
  PID 2112 wrote to memory of 1508  2112  181db888bf33cca99f4476e9a2f8ac90_NeikiAnalytics.exe  88
  PID 2112 wrote to memory of 1508  2112  181db888bf33cca99f4476e9a2f8ac90_NeikiAnalytics.exe  88
Processes
- C:\Users\Admin\AppData\Local\Temp\181db888bf33cca99f4476e9a2f8ac90_NeikiAnalytics.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\181db888bf33cca99f4476e9a2f8ac90_NeikiAnalytics.exe"
  PID: 2112
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2112 -s 352
    PID: 832
    - Program crash
  - C:\Users\Admin\AppData\Local\Temp\181db888bf33cca99f4476e9a2f8ac90_NeikiAnalytics.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\181db888bf33cca99f4476e9a2f8ac90_NeikiAnalytics.exe
    PID: 1508
    - Deletes itself
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of UnmapMainImage
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1508 -s 344
      PID: 2812
      - Program crash
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1508 -s 632
      PID: 2696
      - Program crash
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1508 -s 668
      PID: 4980
      - Program crash
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1508 -s 668
      PID: 1720
      - Program crash
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1508 -s 680
      PID: 1624
      - Program crash
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1508 -s 920
      PID: 3660
      - Program crash
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1508 -s 1408
      PID: 2280
      - Program crash
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1508 -s 1456
      PID: 4908
      - Program crash
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1508 -s 1468
      PID: 3068
      - Program crash
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1508 -s 1472
      PID: 3116
      - Program crash
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1508 -s 1460
      PID: 2344
      - Program crash
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1508 -s 1512
      PID: 4596
      - Program crash
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1508 -s 1540
      PID: 4960
      - Program crash
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1508 -s 636
      PID: 4620
      - Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2112 -ip 2112
  PID: 3436
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1508 -ip 1508
  PID: 2328
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1508 -ip 1508
  PID: 4780
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1508 -ip 1508
  PID: 1276
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1508 -ip 1508
  PID: 4464
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1508 -ip 1508
  PID: 1676
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1508 -ip 1508
  PID: 3320
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1508 -ip 1508
  PID: 728
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 1508 -ip 1508
  PID: 4352
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1508 -ip 1508
  PID: 3352
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1508 -ip 1508
  PID: 4220
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1508 -ip 1508
  PID: 4360
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1508 -ip 1508
  PID: 3360
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1508 -ip 1508
  PID: 644
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1508 -ip 1508
  PID: 1068
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1004KB
  MD5: 9a41aee67e5e31cb134b9c8148034089
  SHA1: eefd219248236cda28b63c1c0a6606cb79454e26
  SHA256: 8746b56789ef51a9c2ccdfbcbb596cd454c4928f58274b71ad2dd18719be47a5
  SHA512: 80ba092e8ccc48601b4899d6cf07dfb41ee4a0da1b2f5dc59ec03193d2d819c948f799003ac7c86f131a1c115efe540de06334abc9b299c56261c523c22a13ef