4db97c1f5c7902059b98900b924425a23f7e59440e24d8b59ebbd45f9dc26a06

Analysis

max time kernel
93s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
26-05-2024 23:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0ddb400968fe60ab676ca8920f526040_NeikiAnalytics.exe
Size

283KB
MD5

0ddb400968fe60ab676ca8920f526040
SHA1

446355620605f7cb42d715f15cffbd1f41c2e6ce
SHA256

4db97c1f5c7902059b98900b924425a23f7e59440e24d8b59ebbd45f9dc26a06
SHA512

50910d2f8d451e6c4e75865b36b061a48aa9c567345f3b0024ae055a0f99248ef1336a18d304ff31b598f2f777f1e0a370bd6bb01b0683511ce62fa6b46d8416
SSDEEP

6144:9jKFTUB3eMuvaewRp6f4sOz5kFvgIqVC/CWPssZkVRnr5:9jKyVeMuvae+8f4sOyFvZqVVWPssZGr5

Score

10^/10

backdoor dropper trojan

Malware Config

Signatures

Malware Dropper & Backdoor - Berbew 1 IoCs

Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.

backdoor trojan dropper

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\0ddb400968fe60ab676ca8920f526040_NeikiAnalytics.exe	family_berbew

Deletes itself 1 IoCs

Processes:

0ddb400968fe60ab676ca8920f526040_NeikiAnalytics.exe

pid process

3692 0ddb400968fe60ab676ca8920f526040_NeikiAnalytics.exe
Executes dropped EXE 1 IoCs

Processes:

0ddb400968fe60ab676ca8920f526040_NeikiAnalytics.exe

pid process

3692 0ddb400968fe60ab676ca8920f526040_NeikiAnalytics.exe

pid	process
3692	0ddb400968fe60ab676ca8920f526040_NeikiAnalytics.exe

pid	process
3692	0ddb400968fe60ab676ca8920f526040_NeikiAnalytics.exe

Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid	pid_target	process	target process
1492	652	WerFault.exe	0ddb400968fe60ab676ca8920f526040_NeikiAnalytics.exe
3764	3692	WerFault.exe	0ddb400968fe60ab676ca8920f526040_NeikiAnalytics.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

0ddb400968fe60ab676ca8920f526040_NeikiAnalytics.exe

pid process

652 0ddb400968fe60ab676ca8920f526040_NeikiAnalytics.exe
Suspicious use of UnmapMainImage 1 IoCs

Processes:

0ddb400968fe60ab676ca8920f526040_NeikiAnalytics.exe

pid process

3692 0ddb400968fe60ab676ca8920f526040_NeikiAnalytics.exe

pid	process
652	0ddb400968fe60ab676ca8920f526040_NeikiAnalytics.exe

pid	process
3692	0ddb400968fe60ab676ca8920f526040_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

0ddb400968fe60ab676ca8920f526040_NeikiAnalytics.exe

description	pid	process	target process
PID 652 wrote to memory of 3692	652	0ddb400968fe60ab676ca8920f526040_NeikiAnalytics.exe	0ddb400968fe60ab676ca8920f526040_NeikiAnalytics.exe
PID 652 wrote to memory of 3692	652	0ddb400968fe60ab676ca8920f526040_NeikiAnalytics.exe	0ddb400968fe60ab676ca8920f526040_NeikiAnalytics.exe
PID 652 wrote to memory of 3692	652	0ddb400968fe60ab676ca8920f526040_NeikiAnalytics.exe	0ddb400968fe60ab676ca8920f526040_NeikiAnalytics.exe

C:\Users\Admin\AppData\Local\Temp\0ddb400968fe60ab676ca8920f526040_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\0ddb400968fe60ab676ca8920f526040_NeikiAnalytics.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 652 -s 396
2⤵
- Program crash
PID:1492

C:\Users\Admin\AppData\Local\Temp\0ddb400968fe60ab676ca8920f526040_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\0ddb400968fe60ab676ca8920f526040_NeikiAnalytics.exe
2⤵
- Deletes itself
- Executes dropped EXE
- Suspicious use of UnmapMainImage
PID:3692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3692 -s 364
3⤵
- Program crash
PID:3764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 652 -ip 652
1⤵
PID:4556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 3692 -ip 3692
1⤵
PID:4152

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0ddb400968fe60ab676ca8920f526040_NeikiAnalytics.exe
Filesize
283KB

MD5
bb67cd62483e4a778b54f07a869bfe81

SHA1
abf4ca5d4a0197f818b2186030cdff652d496eaa

SHA256
09d6111bf7211afbdd0dca8f35e4add21e6c94ab63efac2562943be997dda47b

SHA512
e0af6edac533cb3f77c820bdcb83f3656f29c2f720aee0daf093fc8aed70260aed3915df5343f85468f02f6aadc358589b521dbae8a55427b196a77023a8ef6c

Download Submit
memory/652-0-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/652-6-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3692-7-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3692-8-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3692-13-0x0000000004D60000-0x0000000004DA1000-memory.dmp

Filesize
260KB

Download