ef1c08dd62bdd1d1a32723c7bd7f248ff1fb241a6750f6e35c33fae389eb6730

Analysis

max time kernel
122s
max time network
124s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
26-05-2024 00:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

406434dc8589a615d696ccdee4d5b100_NeikiAnalytics.exe
Size

1004KB
MD5

406434dc8589a615d696ccdee4d5b100
SHA1

8f5e4057925a8004538c49f7c334f4b3612938c5
SHA256

ef1c08dd62bdd1d1a32723c7bd7f248ff1fb241a6750f6e35c33fae389eb6730
SHA512

e71bd02da5bf2b40cc44f59316eb1d55982f5183b4ce863f653646688cc8075d8eaf97deea16c7ffd613618c0be409f1dcc5e451e78d5f18a17eb8e791c26777
SSDEEP

24576:YLV4+bV+zthrwXYC4jLj+GHhn8F0fe5+9FWa/ZSCBHn677:YZYZwXJQLrHBp9FWgVBHn6

Score

10^/10

backdoor dropper trojan

Malware Config

Signatures

Malware Dropper & Backdoor - Berbew 1 IoCs

Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.

backdoor trojan dropper

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\406434dc8589a615d696ccdee4d5b100_NeikiAnalytics.exe	family_berbew

Executes dropped EXE 1 IoCs

Processes:

406434dc8589a615d696ccdee4d5b100_NeikiAnalytics.exe

pid process

1248 406434dc8589a615d696ccdee4d5b100_NeikiAnalytics.exe
Loads dropped DLL 1 IoCs

Processes:

406434dc8589a615d696ccdee4d5b100_NeikiAnalytics.exe

pid process

112 406434dc8589a615d696ccdee4d5b100_NeikiAnalytics.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

3 pastebin.com
4 pastebin.com
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

406434dc8589a615d696ccdee4d5b100_NeikiAnalytics.exe

pid process

1248 406434dc8589a615d696ccdee4d5b100_NeikiAnalytics.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

406434dc8589a615d696ccdee4d5b100_NeikiAnalytics.exe

pid process

112 406434dc8589a615d696ccdee4d5b100_NeikiAnalytics.exe
Suspicious use of UnmapMainImage 1 IoCs

Processes:

406434dc8589a615d696ccdee4d5b100_NeikiAnalytics.exe

pid process

1248 406434dc8589a615d696ccdee4d5b100_NeikiAnalytics.exe

pid	process
1248	406434dc8589a615d696ccdee4d5b100_NeikiAnalytics.exe

pid	process
112	406434dc8589a615d696ccdee4d5b100_NeikiAnalytics.exe

flow	ioc
3	pastebin.com
4	pastebin.com

pid	process
1248	406434dc8589a615d696ccdee4d5b100_NeikiAnalytics.exe

pid	process
112	406434dc8589a615d696ccdee4d5b100_NeikiAnalytics.exe

pid	process
1248	406434dc8589a615d696ccdee4d5b100_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

406434dc8589a615d696ccdee4d5b100_NeikiAnalytics.exe

description	pid	process	target process
PID 112 wrote to memory of 1248	112	406434dc8589a615d696ccdee4d5b100_NeikiAnalytics.exe	406434dc8589a615d696ccdee4d5b100_NeikiAnalytics.exe
PID 112 wrote to memory of 1248	112	406434dc8589a615d696ccdee4d5b100_NeikiAnalytics.exe	406434dc8589a615d696ccdee4d5b100_NeikiAnalytics.exe
PID 112 wrote to memory of 1248	112	406434dc8589a615d696ccdee4d5b100_NeikiAnalytics.exe	406434dc8589a615d696ccdee4d5b100_NeikiAnalytics.exe
PID 112 wrote to memory of 1248	112	406434dc8589a615d696ccdee4d5b100_NeikiAnalytics.exe	406434dc8589a615d696ccdee4d5b100_NeikiAnalytics.exe

C:\Users\Admin\AppData\Local\Temp\406434dc8589a615d696ccdee4d5b100_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\406434dc8589a615d696ccdee4d5b100_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:112
- C:\Users\Admin\AppData\Local\Temp\406434dc8589a615d696ccdee4d5b100_NeikiAnalytics.exe
  C:\Users\Admin\AppData\Local\Temp\406434dc8589a615d696ccdee4d5b100_NeikiAnalytics.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  PID:1248

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\406434dc8589a615d696ccdee4d5b100_NeikiAnalytics.exe

Filesize
1004KB

MD5
d687b1ac7549ea2cbee9a6b59603e567

SHA1
c4e83494fb2c40892135c1abc8b897513b2c0885

SHA256
ead43b3b2d1c46bc2af1b5969e4e89b568208de314a55c6fc2638abb1bdb612b

SHA512
c8a818847d0528f63b1bddd22ff21e72089ae5aa927134ed252fb6ac79f1c60a2a948b71d1a49a50196fcd461c848981ef6a5452f070e40c6696c85234618feb

Download Submit
memory/112-0-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/112-6-0x00000000031A0000-0x000000000328F000-memory.dmp

Filesize
956KB

Download
memory/112-10-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/1248-11-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/1248-17-0x0000000002DF0000-0x0000000002EDF000-memory.dmp

Filesize
956KB

Download
memory/1248-9-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/1248-33-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1248-39-0x000000000D720000-0x000000000D7C3000-memory.dmp

Filesize
652KB

Download