Analysis Overview
SHA256
4955d92a89d436f1480d52b0cd2ecd39ee9a1bbbda099a78b2478a1da9eb7dff
Threat Level: Known bad
The file 3ed3a2904554e5be316f0cc03363a280_NeikiAnalytics.exe was found to be: Known bad.
Malicious Activity Summary
Berbew family
Malware Dropper & Backdoor - Berbew
Deletes itself
Executes dropped EXE
Loads dropped DLL
Program crash
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious behavior: RenamesItself
Suspicious use of UnmapMainImage
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-05-22 21:22
Signatures
Berbew family
Malware Dropper & Backdoor - Berbew
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-22 21:22
Reported
2024-05-22 21:24
Platform
win7-20231129-en
Max time kernel
118s
Max time network
120s
Command Line
Signatures
Malware Dropper & Backdoor - Berbew
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3ed3a2904554e5be316f0cc03363a280_NeikiAnalytics.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3ed3a2904554e5be316f0cc03363a280_NeikiAnalytics.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3ed3a2904554e5be316f0cc03363a280_NeikiAnalytics.exe | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3ed3a2904554e5be316f0cc03363a280_NeikiAnalytics.exe | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3ed3a2904554e5be316f0cc03363a280_NeikiAnalytics.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1420 wrote to memory of 2192 | N/A | C:\Users\Admin\AppData\Local\Temp\3ed3a2904554e5be316f0cc03363a280_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\3ed3a2904554e5be316f0cc03363a280_NeikiAnalytics.exe |
| PID 1420 wrote to memory of 2192 | N/A | C:\Users\Admin\AppData\Local\Temp\3ed3a2904554e5be316f0cc03363a280_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\3ed3a2904554e5be316f0cc03363a280_NeikiAnalytics.exe |
| PID 1420 wrote to memory of 2192 | N/A | C:\Users\Admin\AppData\Local\Temp\3ed3a2904554e5be316f0cc03363a280_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\3ed3a2904554e5be316f0cc03363a280_NeikiAnalytics.exe |
| PID 1420 wrote to memory of 2192 | N/A | C:\Users\Admin\AppData\Local\Temp\3ed3a2904554e5be316f0cc03363a280_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\3ed3a2904554e5be316f0cc03363a280_NeikiAnalytics.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\3ed3a2904554e5be316f0cc03363a280_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\3ed3a2904554e5be316f0cc03363a280_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Local\Temp\3ed3a2904554e5be316f0cc03363a280_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\3ed3a2904554e5be316f0cc03363a280_NeikiAnalytics.exe
Network
Files
memory/1420-0-0x0000000000400000-0x0000000000437000-memory.dmp
\Users\Admin\AppData\Local\Temp\3ed3a2904554e5be316f0cc03363a280_NeikiAnalytics.exe
| MD5 | f8e3bed173aecfa406a044e896c2b281 |
| SHA1 | b2f99abac50069dba5cd12a2c0e41163652706da |
| SHA256 | 52af71d78f71f9da9f9b123c12c681c6df599d7abdab43358df8fc6a7574b25f |
| SHA512 | 8573725a575c999b3312129fa00ec132b544e71687b840c1daf69da062dd87755f4c168c573055a42ccf0dd410506d1298d76748c9cae8a648006c2a07c21cf1 |
memory/1420-5-0x0000000000130000-0x0000000000167000-memory.dmp
memory/2192-10-0x0000000000400000-0x0000000000437000-memory.dmp
memory/2192-18-0x00000000002C0000-0x00000000002F7000-memory.dmp
memory/2192-13-0x0000000000400000-0x000000000041A000-memory.dmp
memory/1420-12-0x0000000000400000-0x0000000000437000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-22 21:22
Reported
2024-05-22 21:24
Platform
win10v2004-20240426-en
Max time kernel
134s
Max time network
103s
Command Line
Signatures
Malware Dropper & Backdoor - Berbew
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3ed3a2904554e5be316f0cc03363a280_NeikiAnalytics.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3ed3a2904554e5be316f0cc03363a280_NeikiAnalytics.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3ed3a2904554e5be316f0cc03363a280_NeikiAnalytics.exe | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3ed3a2904554e5be316f0cc03363a280_NeikiAnalytics.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1572 wrote to memory of 780 | N/A | C:\Users\Admin\AppData\Local\Temp\3ed3a2904554e5be316f0cc03363a280_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\3ed3a2904554e5be316f0cc03363a280_NeikiAnalytics.exe |
| PID 1572 wrote to memory of 780 | N/A | C:\Users\Admin\AppData\Local\Temp\3ed3a2904554e5be316f0cc03363a280_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\3ed3a2904554e5be316f0cc03363a280_NeikiAnalytics.exe |
| PID 1572 wrote to memory of 780 | N/A | C:\Users\Admin\AppData\Local\Temp\3ed3a2904554e5be316f0cc03363a280_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\3ed3a2904554e5be316f0cc03363a280_NeikiAnalytics.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\3ed3a2904554e5be316f0cc03363a280_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\3ed3a2904554e5be316f0cc03363a280_NeikiAnalytics.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1572 -ip 1572
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1572 -s 396
C:\Users\Admin\AppData\Local\Temp\3ed3a2904554e5be316f0cc03363a280_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\3ed3a2904554e5be316f0cc03363a280_NeikiAnalytics.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 780 -ip 780
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 780 -s 364
Network
Files
memory/1572-0-0x0000000000400000-0x0000000000437000-memory.dmp
memory/780-8-0x0000000000400000-0x0000000000437000-memory.dmp
memory/1572-7-0x0000000000400000-0x0000000000437000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\3ed3a2904554e5be316f0cc03363a280_NeikiAnalytics.exe
| MD5 | cd6f035dead8e8e9983de8aa23621464 |
| SHA1 | 4f4ec9b17294311a17eecbe5d944a7cb1a87e44e |
| SHA256 | 94d753a53afdab7ab8aae32b154bef42879008c24c47f28c398c63462d57bc62 |
| SHA512 | fe522178cbbcb7e7c631efdfa514bad56985a6f2a12da93036d4a5c6099820708c62385a913c4861b553da2d0b5b70b6b21c3cd22e1d1282f22f42eb976a23ac |
memory/780-14-0x0000000000190000-0x00000000001C7000-memory.dmp
memory/780-9-0x0000000000400000-0x000000000041A000-memory.dmp