Analysis
- max time kernel: 122s
- max time network: 127s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
- submitted: 26-05-2024 22:52
Behavioral task: behavioral1
Sample: 09a7a3ad08908cfc605b5fbf800a6e10_NeikiAnalytics.exe
Resource: win7-20240508-en
General
-
Target
09a7a3ad08908cfc605b5fbf800a6e10_NeikiAnalytics.exe
-
Size
282KB
-
MD5
09a7a3ad08908cfc605b5fbf800a6e10
-
SHA1
7a53cd3ec208e0c0f0a17dbe183e5558a1773ef6
-
SHA256
1f08b4d2fc7e0e9e5a25e924cd92b54a12228525138edf52b3ec002c8a2dff8a
-
SHA512
1d4499d10d48a9c48d18fc44961b0d7e514940cb3363ca52a2e56b4776001af2817c75150a3fafddd05bf991d6fa70607288e9bf3c8e4606abf1733c10c2bf28
-
SSDEEP
6144:hwDXrJ1ryPClC+Vog84RkEjiPISUOgW9X+hOGzC/:hSd1ryPgFag8akmZzcukG2/
Malware Config
Signatures
-
Malware Dropper & Backdoor - Berbew 1 IoCs
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
Processes:
resource                       yara_rule
\Windows\SysWOW64\JEFPL.exe    family_berbew
-
Executes dropped EXE 1 IoCs
Processes:
pid     process
2260    JEFPL.exe
-
Loads dropped DLL 2 IoCs
Processes:
pid     process
1932    cmd.exe
1932    cmd.exe
-
Drops file in System32 directory 3 IoCs
Processes:
description                     ioc                                   process
File created                    C:\windows\SysWOW64\JEFPL.exe.bat     09a7a3ad08908cfc605b5fbf800a6e10_NeikiAnalytics.exe
File created                    C:\windows\SysWOW64\JEFPL.exe         09a7a3ad08908cfc605b5fbf800a6e10_NeikiAnalytics.exe
File opened for modification    C:\windows\SysWOW64\JEFPL.exe         09a7a3ad08908cfc605b5fbf800a6e10_NeikiAnalytics.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
pid     process
1284    09a7a3ad08908cfc605b5fbf800a6e10_NeikiAnalytics.exe
2260    JEFPL.exe
-
Suspicious use of SetWindowsHookEx 4 IoCs
Processes:
pid     process
1284    09a7a3ad08908cfc605b5fbf800a6e10_NeikiAnalytics.exe
1284    09a7a3ad08908cfc605b5fbf800a6e10_NeikiAnalytics.exe
2260    JEFPL.exe
2260    JEFPL.exe
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
description                          pid     process                                                target process
PID 1284 wrote to memory of 1932     1284    09a7a3ad08908cfc605b5fbf800a6e10_NeikiAnalytics.exe    cmd.exe
PID 1284 wrote to memory of 1932     1284    09a7a3ad08908cfc605b5fbf800a6e10_NeikiAnalytics.exe    cmd.exe
PID 1284 wrote to memory of 1932     1284    09a7a3ad08908cfc605b5fbf800a6e10_NeikiAnalytics.exe    cmd.exe
PID 1284 wrote to memory of 1932     1284    09a7a3ad08908cfc605b5fbf800a6e10_NeikiAnalytics.exe    cmd.exe
PID 1932 wrote to memory of 2260     1932    cmd.exe                                                JEFPL.exe
PID 1932 wrote to memory of 2260     1932    cmd.exe                                                JEFPL.exe
PID 1932 wrote to memory of 2260     1932    cmd.exe                                                JEFPL.exe
PID 1932 wrote to memory of 2260     1932    cmd.exe                                                JEFPL.exe
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\09a7a3ad08908cfc605b5fbf800a6e10_NeikiAnalytics.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\09a7a3ad08908cfc605b5fbf800a6e10_NeikiAnalytics.exe"
   - Drops file in System32 directory
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   -
   2. C:\Windows\SysWOW64\cmd.exe
      command line: cmd /c ""C:\windows\system32\JEFPL.exe.bat" "
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      -
      3. C:\windows\SysWOW64\JEFPL.exe
         command line: C:\windows\system32\JEFPL.exe
         - Executes dropped EXE
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
C:\Windows\SysWOW64\JEFPL.exe.bat
Filesize: 74B
MD5: e89082e7e71b2fcdd0372abaa5a5c8d6
SHA1: f5b9acb41dfd4a9ef50c79a839b92d0fe0465432
SHA256: b1d2da4283e538843a2ee58afd9f065965404c4d57dfb6a2c5053618843a266e
SHA512: 0415687798ece7431f443a4835344b88f8859ad815255c50d982c55b89bc2bb074f8d4564ae370b28bf09436c3bdbc28a3e7f1de67a79d0a6ea0c8e9d9d5c2bc
-
\Windows\SysWOW64\JEFPL.exe
Filesize: 282KB
MD5: ece59b067700a7b2490afb7399cb11b3
SHA1: 210e426838e51b6c2b597f2a0f990e0a075d27f3
SHA256: cc36c6c87f0ce2137e1aefec0a7b323d5a37340138e22306fa7b2caf318477a5
SHA512: 9b335ddbe3ff7a048c0de0eca603051e2cca377fedd6c927b27a0399fc2b184adb17595d9bf8730e36dbe99f6de5ddec920f56e92fcedf4e577bc15dfc506982
-
memory/1284-0-0x0000000000400000-0x0000000000439000-memory.dmp
Filesize: 228KB
-
memory/1284-12-0x0000000000400000-0x0000000000439000-memory.dmp
Filesize: 228KB
-
memory/1932-15-0x0000000000170000-0x00000000001A9000-memory.dmp
Filesize: 228KB
-
memory/2260-19-0x0000000000400000-0x0000000000439000-memory.dmp
Filesize: 228KB
-
memory/2260-20-0x0000000000400000-0x0000000000439000-memory.dmp
Filesize: 228KB