1f08b4d2fc7e0e9e5a25e924cd92b54a12228525138edf52b3ec002c8a2dff8a

Analysis

max time kernel
122s
max time network
127s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
26-05-2024 22:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

09a7a3ad08908cfc605b5fbf800a6e10_NeikiAnalytics.exe
Size

282KB
MD5

09a7a3ad08908cfc605b5fbf800a6e10
SHA1

7a53cd3ec208e0c0f0a17dbe183e5558a1773ef6
SHA256

1f08b4d2fc7e0e9e5a25e924cd92b54a12228525138edf52b3ec002c8a2dff8a
SHA512

1d4499d10d48a9c48d18fc44961b0d7e514940cb3363ca52a2e56b4776001af2817c75150a3fafddd05bf991d6fa70607288e9bf3c8e4606abf1733c10c2bf28
SSDEEP

6144:hwDXrJ1ryPClC+Vog84RkEjiPISUOgW9X+hOGzC/:hSd1ryPgFag8akmZzcukG2/

Score

10^/10

backdoor dropper trojan

Malware Config

Signatures

Malware Dropper & Backdoor - Berbew 1 IoCs

Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.

backdoor trojan dropper

Processes:

resource	yara_rule
\Windows\SysWOW64\JEFPL.exe	family_berbew

Executes dropped EXE 1 IoCs

Processes:

JEFPL.exe

pid process

2260 JEFPL.exe
Loads dropped DLL 2 IoCs

Processes:

cmd.exe

pid process

1932 cmd.exe
1932 cmd.exe

pid	process
2260	JEFPL.exe

pid	process
1932	cmd.exe
1932	cmd.exe

Drops file in System32 directory 3 IoCs

Processes:

09a7a3ad08908cfc605b5fbf800a6e10_NeikiAnalytics.exe

description	ioc	process
File created	C:\windows\SysWOW64\JEFPL.exe.bat	09a7a3ad08908cfc605b5fbf800a6e10_NeikiAnalytics.exe
File created	C:\windows\SysWOW64\JEFPL.exe	09a7a3ad08908cfc605b5fbf800a6e10_NeikiAnalytics.exe
File opened for modification	C:\windows\SysWOW64\JEFPL.exe	09a7a3ad08908cfc605b5fbf800a6e10_NeikiAnalytics.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

09a7a3ad08908cfc605b5fbf800a6e10_NeikiAnalytics.exeJEFPL.exe

pid process

1284 09a7a3ad08908cfc605b5fbf800a6e10_NeikiAnalytics.exe
2260 JEFPL.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

09a7a3ad08908cfc605b5fbf800a6e10_NeikiAnalytics.exeJEFPL.exe

pid process

1284 09a7a3ad08908cfc605b5fbf800a6e10_NeikiAnalytics.exe
1284 09a7a3ad08908cfc605b5fbf800a6e10_NeikiAnalytics.exe
2260 JEFPL.exe
2260 JEFPL.exe

pid	process
1284	09a7a3ad08908cfc605b5fbf800a6e10_NeikiAnalytics.exe
2260	JEFPL.exe

pid	process
1284	09a7a3ad08908cfc605b5fbf800a6e10_NeikiAnalytics.exe
1284	09a7a3ad08908cfc605b5fbf800a6e10_NeikiAnalytics.exe
2260	JEFPL.exe
2260	JEFPL.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

09a7a3ad08908cfc605b5fbf800a6e10_NeikiAnalytics.execmd.exe

description	pid	process	target process
PID 1284 wrote to memory of 1932	1284	09a7a3ad08908cfc605b5fbf800a6e10_NeikiAnalytics.exe	cmd.exe
PID 1284 wrote to memory of 1932	1284	09a7a3ad08908cfc605b5fbf800a6e10_NeikiAnalytics.exe	cmd.exe
PID 1284 wrote to memory of 1932	1284	09a7a3ad08908cfc605b5fbf800a6e10_NeikiAnalytics.exe	cmd.exe
PID 1284 wrote to memory of 1932	1284	09a7a3ad08908cfc605b5fbf800a6e10_NeikiAnalytics.exe	cmd.exe
PID 1932 wrote to memory of 2260	1932	cmd.exe	JEFPL.exe
PID 1932 wrote to memory of 2260	1932	cmd.exe	JEFPL.exe
PID 1932 wrote to memory of 2260	1932	cmd.exe	JEFPL.exe
PID 1932 wrote to memory of 2260	1932	cmd.exe	JEFPL.exe

C:\Users\Admin\AppData\Local\Temp\09a7a3ad08908cfc605b5fbf800a6e10_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\09a7a3ad08908cfc605b5fbf800a6e10_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1284

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\windows\system32\JEFPL.exe.bat" "
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1932

C:\windows\SysWOW64\JEFPL.exe
C:\windows\system32\JEFPL.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2260

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\JEFPL.exe.bat
Filesize
74B

MD5
e89082e7e71b2fcdd0372abaa5a5c8d6

SHA1
f5b9acb41dfd4a9ef50c79a839b92d0fe0465432

SHA256
b1d2da4283e538843a2ee58afd9f065965404c4d57dfb6a2c5053618843a266e

SHA512
0415687798ece7431f443a4835344b88f8859ad815255c50d982c55b89bc2bb074f8d4564ae370b28bf09436c3bdbc28a3e7f1de67a79d0a6ea0c8e9d9d5c2bc

Download Submit
\Windows\SysWOW64\JEFPL.exe
Filesize
282KB

MD5
ece59b067700a7b2490afb7399cb11b3

SHA1
210e426838e51b6c2b597f2a0f990e0a075d27f3

SHA256
cc36c6c87f0ce2137e1aefec0a7b323d5a37340138e22306fa7b2caf318477a5

SHA512
9b335ddbe3ff7a048c0de0eca603051e2cca377fedd6c927b27a0399fc2b184adb17595d9bf8730e36dbe99f6de5ddec920f56e92fcedf4e577bc15dfc506982

Download Submit
memory/1284-0-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1284-12-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1932-15-0x0000000000170000-0x00000000001A9000-memory.dmp

Filesize
228KB

Download
memory/2260-19-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2260-20-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads