Malware Analysis Report

2025-01-23 05:10

Sample ID 240522-efffpsbd5w
Target 181db888bf33cca99f4476e9a2f8ac90_NeikiAnalytics.exe
SHA256 d6f0f1b879263af9ec2a63733a0cff9994203a7cdc994e193749f4238d4c0a0e
Tags
backdoor trojan dropper berbew
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Threat Level: Known bad

The file 181db888bf33cca99f4476e9a2f8ac90_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

backdoor trojan dropper berbew

Malware Dropper & Backdoor - Berbew

Berbew family

Executes dropped EXE

Loads dropped DLL

Deletes itself

Legitimate hosting services abused for malware hosting/C2

Unsigned PE

Program crash

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious behavior: RenamesItself

Suspicious use of UnmapMainImage

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-22 03:52

Signatures

Berbew family

berbew

Malware Dropper & Backdoor - Berbew

backdoor trojan dropper
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-22 03:52

Reported

2024-05-22 03:55

Platform

win7-20240221-en

Max time kernel

119s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\181db888bf33cca99f4476e9a2f8ac90_NeikiAnalytics.exe"

Signatures

Malware Dropper & Backdoor - Berbew

backdoor trojan dropper
Description Indicator Process Target
N/A N/A N/A N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\181db888bf33cca99f4476e9a2f8ac90_NeikiAnalytics.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\181db888bf33cca99f4476e9a2f8ac90_NeikiAnalytics.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\181db888bf33cca99f4476e9a2f8ac90_NeikiAnalytics.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\181db888bf33cca99f4476e9a2f8ac90_NeikiAnalytics.exe N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\181db888bf33cca99f4476e9a2f8ac90_NeikiAnalytics.exe N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\181db888bf33cca99f4476e9a2f8ac90_NeikiAnalytics.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\181db888bf33cca99f4476e9a2f8ac90_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\181db888bf33cca99f4476e9a2f8ac90_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Local\Temp\181db888bf33cca99f4476e9a2f8ac90_NeikiAnalytics.exe

C:\Users\Admin\AppData\Local\Temp\181db888bf33cca99f4476e9a2f8ac90_NeikiAnalytics.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 pastebin.com udp
US 172.67.19.24:443 pastebin.com tcp

Files

memory/2972-0-0x0000000000400000-0x00000000004EF000-memory.dmp

\Users\Admin\AppData\Local\Temp\181db888bf33cca99f4476e9a2f8ac90_NeikiAnalytics.exe

MD5 7054b1c5132afed23be11ea430e01cff
SHA1 4168e7ae32ae7d3b69881f7a325abcbf7c906498
SHA256 08a62ddf6feeb352a28ac580f53ddde66b823af0c3ab0a2c8202e97095723c72
SHA512 75239298a961583e12560ed54183d5680903e58d694af2d9702a5ab4445cdb4aea2777accc914aab1d76b493f1bb1c8294677e7ec06b6df859ec16718241ef74

memory/2972-6-0x0000000003100000-0x00000000031EF000-memory.dmp

memory/2972-10-0x0000000000400000-0x00000000004EF000-memory.dmp

memory/2992-9-0x0000000000400000-0x00000000004EF000-memory.dmp

memory/2992-17-0x0000000002E30000-0x0000000002F1F000-memory.dmp

memory/2992-11-0x0000000000400000-0x00000000004A3000-memory.dmp

memory/2992-39-0x000000000E820000-0x000000000E8C3000-memory.dmp

memory/2992-33-0x0000000000400000-0x0000000000443000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-22 03:52

Reported

2024-05-22 03:55

Platform

win10v2004-20240426-en

Max time kernel

131s

Max time network

131s

Command Line

"C:\Users\Admin\AppData\Local\Temp\181db888bf33cca99f4476e9a2f8ac90_NeikiAnalytics.exe"

Signatures

Malware Dropper & Backdoor - Berbew

backdoor trojan dropper
Description Indicator Process Target
N/A N/A N/A N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\181db888bf33cca99f4476e9a2f8ac90_NeikiAnalytics.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\181db888bf33cca99f4476e9a2f8ac90_NeikiAnalytics.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\181db888bf33cca99f4476e9a2f8ac90_NeikiAnalytics.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\181db888bf33cca99f4476e9a2f8ac90_NeikiAnalytics.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\181db888bf33cca99f4476e9a2f8ac90_NeikiAnalytics.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\181db888bf33cca99f4476e9a2f8ac90_NeikiAnalytics.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\181db888bf33cca99f4476e9a2f8ac90_NeikiAnalytics.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\181db888bf33cca99f4476e9a2f8ac90_NeikiAnalytics.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\181db888bf33cca99f4476e9a2f8ac90_NeikiAnalytics.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\181db888bf33cca99f4476e9a2f8ac90_NeikiAnalytics.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\181db888bf33cca99f4476e9a2f8ac90_NeikiAnalytics.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\181db888bf33cca99f4476e9a2f8ac90_NeikiAnalytics.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\181db888bf33cca99f4476e9a2f8ac90_NeikiAnalytics.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\181db888bf33cca99f4476e9a2f8ac90_NeikiAnalytics.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\181db888bf33cca99f4476e9a2f8ac90_NeikiAnalytics.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\181db888bf33cca99f4476e9a2f8ac90_NeikiAnalytics.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\181db888bf33cca99f4476e9a2f8ac90_NeikiAnalytics.exe

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\181db888bf33cca99f4476e9a2f8ac90_NeikiAnalytics.exe N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\181db888bf33cca99f4476e9a2f8ac90_NeikiAnalytics.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\181db888bf33cca99f4476e9a2f8ac90_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\181db888bf33cca99f4476e9a2f8ac90_NeikiAnalytics.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2112 -ip 2112

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2112 -s 352

C:\Users\Admin\AppData\Local\Temp\181db888bf33cca99f4476e9a2f8ac90_NeikiAnalytics.exe

C:\Users\Admin\AppData\Local\Temp\181db888bf33cca99f4476e9a2f8ac90_NeikiAnalytics.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1508 -ip 1508

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1508 -s 344

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1508 -ip 1508

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1508 -s 632

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1508 -ip 1508

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1508 -s 668

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1508 -ip 1508

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1508 -s 668

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1508 -ip 1508

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1508 -s 680

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1508 -ip 1508

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1508 -s 920

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1508 -ip 1508

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1508 -s 1408

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 1508 -ip 1508

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1508 -s 1456

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1508 -ip 1508

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1508 -s 1468

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1508 -ip 1508

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1508 -s 1472

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1508 -ip 1508

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1508 -s 1460

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1508 -ip 1508

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1508 -s 1512

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1508 -ip 1508

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1508 -s 1540

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1508 -ip 1508

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1508 -s 636

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 pastebin.com udp
US 172.67.19.24:443 pastebin.com tcp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 24.19.67.172.in-addr.arpa udp
US 8.8.8.8:53 67.169.217.172.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp

Files

memory/2112-0-0x0000000000400000-0x00000000004EF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\181db888bf33cca99f4476e9a2f8ac90_NeikiAnalytics.exe

MD5 9a41aee67e5e31cb134b9c8148034089
SHA1 eefd219248236cda28b63c1c0a6606cb79454e26
SHA256 8746b56789ef51a9c2ccdfbcbb596cd454c4928f58274b71ad2dd18719be47a5
SHA512 80ba092e8ccc48601b4899d6cf07dfb41ee4a0da1b2f5dc59ec03193d2d819c948f799003ac7c86f131a1c115efe540de06334abc9b299c56261c523c22a13ef

memory/2112-5-0x0000000000400000-0x00000000004EF000-memory.dmp

memory/1508-7-0x0000000000400000-0x00000000004EF000-memory.dmp

memory/1508-8-0x0000000000400000-0x00000000004A3000-memory.dmp

memory/1508-14-0x0000000004FD0000-0x00000000050BF000-memory.dmp

memory/1508-21-0x0000000000400000-0x0000000000443000-memory.dmp

memory/1508-27-0x000000000B970000-0x000000000BA13000-memory.dmp