f5fd9a5d141f5ea4d7ca1b217f13681697281bfe0fbc8596027a8d087c7293bb

General

Target

30030d3c91e1ec098abdc9b13e4882b0_NeikiAnalytics.exe
Size

89KB
MD5

30030d3c91e1ec098abdc9b13e4882b0
SHA1

a39307e964c1aa570c7796584ba68f1c6809a1a4
SHA256

f5fd9a5d141f5ea4d7ca1b217f13681697281bfe0fbc8596027a8d087c7293bb
SHA512

8ebdf56ac452f6fc7a7450ce5b37c00b3601f76b6fafe194b117705c179275f52dedba0fad4dfbce38bdadbbef6e4cbe26db2cf05783165c12820dd9263b20de
SSDEEP

1536:Wk/w06Ouwz9Svj5QXhUKqIfmX5fubmPpRM6sl4QVKLvJdbRQ9D68a+VMKKTRVGFv:Wk/P6YkLWhUKfmpfZM6slKldbekr4MKr

Score

10^/10

backdoor dropper persistence trojan

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Paihlpfi.exePakdbp32.exe30030d3c91e1ec098abdc9b13e4882b0_NeikiAnalytics.exePpdbgncl.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Paihlpfi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pakdbp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pakdbp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	30030d3c91e1ec098abdc9b13e4882b0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	30030d3c91e1ec098abdc9b13e4882b0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ppdbgncl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ppdbgncl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Paihlpfi.exe

Malware Dropper & Backdoor - Berbew 4 IoCs

Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.

backdoor trojan dropper

Processes:

resource	yara_rule
C:\Windows\SysWOW64\Ppdbgncl.exe	family_berbew
C:\Windows\SysWOW64\Paihlpfi.exe	family_berbew
C:\Windows\SysWOW64\Pakdbp32.exe	family_berbew
C:\Windows\SysWOW64\Pififb32.exe	family_berbew

Executes dropped EXE 4 IoCs

Processes:

Ppdbgncl.exePaihlpfi.exePakdbp32.exePififb32.exe

pid process

4740 Ppdbgncl.exe
572 Paihlpfi.exe
1308 Pakdbp32.exe
1456 Pififb32.exe

pid	process
4740	Ppdbgncl.exe
572	Paihlpfi.exe
1308	Pakdbp32.exe
1456	Pififb32.exe

Drops file in System32 directory 12 IoCs

Processes:

Paihlpfi.exePakdbp32.exe30030d3c91e1ec098abdc9b13e4882b0_NeikiAnalytics.exePpdbgncl.exe

description	ioc	process
File created	C:\Windows\SysWOW64\Deaiemli.dll	Paihlpfi.exe
File opened for modification	C:\Windows\SysWOW64\Pififb32.exe	Pakdbp32.exe
File created	C:\Windows\SysWOW64\Ppdbgncl.exe	30030d3c91e1ec098abdc9b13e4882b0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Ppdbgncl.exe	30030d3c91e1ec098abdc9b13e4882b0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Paihlpfi.exe	Ppdbgncl.exe
File opened for modification	C:\Windows\SysWOW64\Paihlpfi.exe	Ppdbgncl.exe
File created	C:\Windows\SysWOW64\Mpagaf32.dll	Ppdbgncl.exe
File created	C:\Windows\SysWOW64\Pakdbp32.exe	Paihlpfi.exe
File created	C:\Windows\SysWOW64\Gaaklfpn.dll	Pakdbp32.exe
File created	C:\Windows\SysWOW64\Jjgkan32.dll	30030d3c91e1ec098abdc9b13e4882b0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\Pakdbp32.exe	Paihlpfi.exe
File created	C:\Windows\SysWOW64\Pififb32.exe	Pakdbp32.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2828 1456 WerFault.exe Pififb32.exe

pid	pid_target	process	target process
2828	1456	WerFault.exe	Pififb32.exe

Modifies registry class 15 IoCs

Processes:

30030d3c91e1ec098abdc9b13e4882b0_NeikiAnalytics.exePaihlpfi.exePakdbp32.exePpdbgncl.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	30030d3c91e1ec098abdc9b13e4882b0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Paihlpfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gaaklfpn.dll"	Pakdbp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pakdbp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjgkan32.dll"	30030d3c91e1ec098abdc9b13e4882b0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ppdbgncl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpagaf32.dll"	Ppdbgncl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pakdbp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Paihlpfi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	30030d3c91e1ec098abdc9b13e4882b0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	30030d3c91e1ec098abdc9b13e4882b0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	30030d3c91e1ec098abdc9b13e4882b0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ppdbgncl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	30030d3c91e1ec098abdc9b13e4882b0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Deaiemli.dll"	Paihlpfi.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

30030d3c91e1ec098abdc9b13e4882b0_NeikiAnalytics.exePpdbgncl.exePaihlpfi.exePakdbp32.exe

description	pid	process	target process
PID 4544 wrote to memory of 4740	4544	30030d3c91e1ec098abdc9b13e4882b0_NeikiAnalytics.exe	Ppdbgncl.exe
PID 4544 wrote to memory of 4740	4544	30030d3c91e1ec098abdc9b13e4882b0_NeikiAnalytics.exe	Ppdbgncl.exe
PID 4544 wrote to memory of 4740	4544	30030d3c91e1ec098abdc9b13e4882b0_NeikiAnalytics.exe	Ppdbgncl.exe
PID 4740 wrote to memory of 572	4740	Ppdbgncl.exe	Paihlpfi.exe
PID 4740 wrote to memory of 572	4740	Ppdbgncl.exe	Paihlpfi.exe
PID 4740 wrote to memory of 572	4740	Ppdbgncl.exe	Paihlpfi.exe
PID 572 wrote to memory of 1308	572	Paihlpfi.exe	Pakdbp32.exe
PID 572 wrote to memory of 1308	572	Paihlpfi.exe	Pakdbp32.exe
PID 572 wrote to memory of 1308	572	Paihlpfi.exe	Pakdbp32.exe
PID 1308 wrote to memory of 1456	1308	Pakdbp32.exe	Pififb32.exe
PID 1308 wrote to memory of 1456	1308	Pakdbp32.exe	Pififb32.exe
PID 1308 wrote to memory of 1456	1308	Pakdbp32.exe	Pififb32.exe

C:\Users\Admin\AppData\Local\Temp\30030d3c91e1ec098abdc9b13e4882b0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\30030d3c91e1ec098abdc9b13e4882b0_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4544
- C:\Windows\SysWOW64\Ppdbgncl.exe
  C:\Windows\system32\Ppdbgncl.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4740
- - C:\Windows\SysWOW64\Paihlpfi.exe
    C:\Windows\system32\Paihlpfi.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:572
  - - C:\Windows\SysWOW64\Pakdbp32.exe
      C:\Windows\system32\Pakdbp32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1308
    - - C:\Windows\SysWOW64\Pififb32.exe
        
        C:\Windows\system32\Pififb32.exe
        5⤵
        Executes dropped EXE
        
        PID:1456
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1456 -s 412
        6⤵
        Program crash
        
        PID:2828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1456 -ip 1456
1⤵
PID:2012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4440 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:8
1⤵
PID:4748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Paihlpfi.exe

Filesize
89KB

MD5
223405d20c71f9f0389de61b3474ad12

SHA1
da813ccb4277fa026c9f481b32fc0487251881b6

SHA256
bff0ac0745c6282886a3f430da0a808edaaf9ec6e517d8f255469e887dc111ad

SHA512
48bd4269a01a47eed5117db48fd5a690c95d7eeddc9970798d454e8f8fb9da1b039cced1968e3202f5e846d9a7c69b0113e6a3572e8b86f53ad5245a277aea36

Download Submit
C:\Windows\SysWOW64\Pakdbp32.exe

Filesize
89KB

MD5
9a0a8b256cbebdd2a174fdc55cfe4a93

SHA1
080bd91f6acbb307db18c12b70055d90d49af545

SHA256
9d15a0dc250d4057870d5387dd417dd9ea3ceb6e9dae3be302990c155fc1a6ee

SHA512
7f469a4513749e692300296376e7f50adbf9c45652e0f8a600734ce50fe76141cfd066fc992174aae5df120186b6109d0e3b2a4b1dafd3d122dfa386a70b0370

Download Submit
C:\Windows\SysWOW64\Pififb32.exe

Filesize
89KB

MD5
46a94bcd61643960457ee69b8dd5f4ef

SHA1
d348345b205c2f35afb7bdd724d85913fb79e5be

SHA256
db1ca4fce6c081f75131f3ac2cecf807af5850029078091ba725ecca7b36cdfe

SHA512
087866aef8b83874d85e20335f036dd26aeb8261d8753f16521ffd545c5c4a17b1357bf5c3501fd8e1d7c0a4680ce8f77e725d291a43d05c95158b0455602b25

Download Submit
C:\Windows\SysWOW64\Ppdbgncl.exe

Filesize
89KB

MD5
6ec0fccb29ded95b699e785f1aa1c583

SHA1
2aa1230f5037ab3c66077853e97f5913bac7affd

SHA256
2250ac2992b504d856afa7d8e6ac85bbbf5afb4e2cd928e8e1cccdafdf4a7b60

SHA512
006a69ca467d668159be89f8ba1962dc6fab2f551bd1ec52f478b86070cc0c046538961ce559af5f3d9cca250a064f18bd0396d42d9dcbcf154e0ab6b5ba924d

Download Submit
memory/572-15-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/572-37-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1308-35-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1308-24-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1456-32-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1456-34-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4544-0-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4544-23-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4740-36-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4740-8-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads