Malware Analysis Report

2025-01-23 02:45

Sample ID 240523-eq3nzsde73
Target 99a70b503408bf56ef8593b595f86490_NeikiAnalytics.exe
SHA256 734afdfeb7c03816b420ba035b388a5c8351fe267c5c90c6d59dbbe3f108b558
Tags
backdoor dropper trojan berbew
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

734afdfeb7c03816b420ba035b388a5c8351fe267c5c90c6d59dbbe3f108b558

Threat Level: Known bad

The file 99a70b503408bf56ef8593b595f86490_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

backdoor dropper trojan berbew

Berbew family

Malware Dropper & Backdoor - Berbew

Deletes itself

Executes dropped EXE

Loads dropped DLL

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-23 04:09

Signatures

Berbew family

berbew

Malware Dropper & Backdoor - Berbew

backdoor trojan dropper
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-23 04:09

Reported

2024-05-23 04:12

Platform

win7-20240221-en

Max time kernel

121s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\99a70b503408bf56ef8593b595f86490_NeikiAnalytics.exe"

Signatures

Malware Dropper & Backdoor - Berbew

backdoor trojan dropper
Description Indicator Process Target
N/A N/A N/A N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2DB5.tmp N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2DB5.tmp N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\99a70b503408bf56ef8593b595f86490_NeikiAnalytics.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\99a70b503408bf56ef8593b595f86490_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\99a70b503408bf56ef8593b595f86490_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Local\Temp\2DB5.tmp

"C:\Users\Admin\AppData\Local\Temp\2DB5.tmp"

Network

N/A

Files

memory/2044-1-0x00000000011C0000-0x00000000012AF000-memory.dmp

\Users\Admin\AppData\Local\Temp\2DB5.tmp

MD5 2dc8ea1d64cea15c04a747f67c72fd94
SHA1 7c32a7b941976f9e1041cacf093abcea45e69d1e
SHA256 3348009415f280a850fc1433925921e01ccfc5e70f5c649b7c0f986ba6f4b010
SHA512 ae2ffab3a0fe32a5175c7315924eb02828c263b168786e3410318ba70fbfbd60148d363e7c1108f7969e1a48db97e6feccf765dfe6a8f01376770f79693d6552

memory/3012-7-0x0000000000230000-0x000000000031F000-memory.dmp

memory/2044-5-0x00000000011C0000-0x00000000012AF000-memory.dmp

memory/3012-8-0x0000000000230000-0x000000000031F000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-23 04:09

Reported

2024-05-23 04:12

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\99a70b503408bf56ef8593b595f86490_NeikiAnalytics.exe"

Signatures

Malware Dropper & Backdoor - Berbew

backdoor trojan dropper
Description Indicator Process Target
N/A N/A N/A N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3D18.tmp N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3D18.tmp N/A

Processes

C:\Users\Admin\AppData\Local\Temp\99a70b503408bf56ef8593b595f86490_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\99a70b503408bf56ef8593b595f86490_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Local\Temp\3D18.tmp

"C:\Users\Admin\AppData\Local\Temp\3D18.tmp"

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
NL 23.62.61.97:443 www.bing.com tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 udp

Files

C:\Users\Admin\AppData\Local\Temp\3D18.tmp

MD5 2dc8ea1d64cea15c04a747f67c72fd94
SHA1 7c32a7b941976f9e1041cacf093abcea45e69d1e
SHA256 3348009415f280a850fc1433925921e01ccfc5e70f5c649b7c0f986ba6f4b010
SHA512 ae2ffab3a0fe32a5175c7315924eb02828c263b168786e3410318ba70fbfbd60148d363e7c1108f7969e1a48db97e6feccf765dfe6a8f01376770f79693d6552

memory/4016-4-0x0000000000EA0000-0x0000000000F8F000-memory.dmp

memory/1808-3-0x0000000000600000-0x00000000006EF000-memory.dmp

memory/4016-6-0x0000000000EA0000-0x0000000000F8F000-memory.dmp