Analysis Overview
SHA256
d6f0f1b879263af9ec2a63733a0cff9994203a7cdc994e193749f4238d4c0a0e
Threat Level: Known bad
The file 181db888bf33cca99f4476e9a2f8ac90_NeikiAnalytics.exe was found to be: Known bad.
Malicious Activity Summary
Malware Dropper & Backdoor - Berbew
Berbew family
Executes dropped EXE
Loads dropped DLL
Deletes itself
Legitimate hosting services abused for malware hosting/C2
Unsigned PE
Program crash
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious behavior: RenamesItself
Suspicious use of UnmapMainImage
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-22 03:52
Signatures
Berbew family
Malware Dropper & Backdoor - Berbew
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-22 03:52
Reported
2024-05-22 03:55
Platform
win7-20240221-en
Max time kernel
119s
Max time network
121s
Command Line
Signatures
Malware Dropper & Backdoor - Berbew
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Deletes itself
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\181db888bf33cca99f4476e9a2f8ac90_NeikiAnalytics.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\181db888bf33cca99f4476e9a2f8ac90_NeikiAnalytics.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\181db888bf33cca99f4476e9a2f8ac90_NeikiAnalytics.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | pastebin.com | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\181db888bf33cca99f4476e9a2f8ac90_NeikiAnalytics.exe | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\181db888bf33cca99f4476e9a2f8ac90_NeikiAnalytics.exe | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\181db888bf33cca99f4476e9a2f8ac90_NeikiAnalytics.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2972 wrote to memory of 2992 | N/A | C:\Users\Admin\AppData\Local\Temp\181db888bf33cca99f4476e9a2f8ac90_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\181db888bf33cca99f4476e9a2f8ac90_NeikiAnalytics.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\181db888bf33cca99f4476e9a2f8ac90_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\181db888bf33cca99f4476e9a2f8ac90_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Local\Temp\181db888bf33cca99f4476e9a2f8ac90_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\181db888bf33cca99f4476e9a2f8ac90_NeikiAnalytics.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
Files
memory/2972-0-0x0000000000400000-0x00000000004EF000-memory.dmp
\Users\Admin\AppData\Local\Temp\181db888bf33cca99f4476e9a2f8ac90_NeikiAnalytics.exe
| MD5 | 7054b1c5132afed23be11ea430e01cff |
| SHA1 | 4168e7ae32ae7d3b69881f7a325abcbf7c906498 |
| SHA256 | 08a62ddf6feeb352a28ac580f53ddde66b823af0c3ab0a2c8202e97095723c72 |
| SHA512 | 75239298a961583e12560ed54183d5680903e58d694af2d9702a5ab4445cdb4aea2777accc914aab1d76b493f1bb1c8294677e7ec06b6df859ec16718241ef74 |
memory/2972-6-0x0000000003100000-0x00000000031EF000-memory.dmp
memory/2972-10-0x0000000000400000-0x00000000004EF000-memory.dmp
memory/2992-9-0x0000000000400000-0x00000000004EF000-memory.dmp
memory/2992-17-0x0000000002E30000-0x0000000002F1F000-memory.dmp
memory/2992-11-0x0000000000400000-0x00000000004A3000-memory.dmp
memory/2992-39-0x000000000E820000-0x000000000E8C3000-memory.dmp
memory/2992-33-0x0000000000400000-0x0000000000443000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-22 03:52
Reported
2024-05-22 03:55
Platform
win10v2004-20240426-en
Max time kernel
131s
Max time network
131s
Command Line
Signatures
Malware Dropper & Backdoor - Berbew
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Deletes itself
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\181db888bf33cca99f4476e9a2f8ac90_NeikiAnalytics.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\181db888bf33cca99f4476e9a2f8ac90_NeikiAnalytics.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | pastebin.com | N/A | N/A |
Program crash
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\181db888bf33cca99f4476e9a2f8ac90_NeikiAnalytics.exe | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\181db888bf33cca99f4476e9a2f8ac90_NeikiAnalytics.exe | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\181db888bf33cca99f4476e9a2f8ac90_NeikiAnalytics.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2112 wrote to memory of 1508 | N/A | C:\Users\Admin\AppData\Local\Temp\181db888bf33cca99f4476e9a2f8ac90_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\181db888bf33cca99f4476e9a2f8ac90_NeikiAnalytics.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\181db888bf33cca99f4476e9a2f8ac90_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\181db888bf33cca99f4476e9a2f8ac90_NeikiAnalytics.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2112 -ip 2112
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2112 -s 352
C:\Users\Admin\AppData\Local\Temp\181db888bf33cca99f4476e9a2f8ac90_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\181db888bf33cca99f4476e9a2f8ac90_NeikiAnalytics.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1508 -ip 1508
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1508 -s 344
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1508 -ip 1508
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1508 -s 632
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1508 -ip 1508
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1508 -s 668
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1508 -ip 1508
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1508 -s 668
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1508 -ip 1508
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1508 -s 680
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1508 -ip 1508
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1508 -s 920
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1508 -ip 1508
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1508 -s 1408
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 1508 -ip 1508
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1508 -s 1456
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1508 -ip 1508
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1508 -s 1468
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1508 -ip 1508
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1508 -s 1472
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1508 -ip 1508
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1508 -s 1460
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1508 -ip 1508
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1508 -s 1512
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1508 -ip 1508
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1508 -s 1540
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1508 -ip 1508
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1508 -s 636
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 24.19.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.169.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
Files
memory/2112-0-0x0000000000400000-0x00000000004EF000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\181db888bf33cca99f4476e9a2f8ac90_NeikiAnalytics.exe
| MD5 | 9a41aee67e5e31cb134b9c8148034089 |
| SHA1 | eefd219248236cda28b63c1c0a6606cb79454e26 |
| SHA256 | 8746b56789ef51a9c2ccdfbcbb596cd454c4928f58274b71ad2dd18719be47a5 |
| SHA512 | 80ba092e8ccc48601b4899d6cf07dfb41ee4a0da1b2f5dc59ec03193d2d819c948f799003ac7c86f131a1c115efe540de06334abc9b299c56261c523c22a13ef |
memory/2112-5-0x0000000000400000-0x00000000004EF000-memory.dmp
memory/1508-7-0x0000000000400000-0x00000000004EF000-memory.dmp
memory/1508-8-0x0000000000400000-0x00000000004A3000-memory.dmp
memory/1508-14-0x0000000004FD0000-0x00000000050BF000-memory.dmp
memory/1508-21-0x0000000000400000-0x0000000000443000-memory.dmp
memory/1508-27-0x000000000B970000-0x000000000BA13000-memory.dmp