ef1c08dd62bdd1d1a32723c7bd7f248ff1fb241a6750f6e35c33fae389eb6730

General

Target

406434dc8589a615d696ccdee4d5b100_NeikiAnalytics.exe
Size

1004KB
MD5

406434dc8589a615d696ccdee4d5b100
SHA1

8f5e4057925a8004538c49f7c334f4b3612938c5
SHA256

ef1c08dd62bdd1d1a32723c7bd7f248ff1fb241a6750f6e35c33fae389eb6730
SHA512

e71bd02da5bf2b40cc44f59316eb1d55982f5183b4ce863f653646688cc8075d8eaf97deea16c7ffd613618c0be409f1dcc5e451e78d5f18a17eb8e791c26777
SSDEEP

24576:YLV4+bV+zthrwXYC4jLj+GHhn8F0fe5+9FWa/ZSCBHn677:YZYZwXJQLrHBp9FWgVBHn6

Score

10^/10

Malware Config

Signatures

Malware Dropper & Backdoor - Berbew 1 IoCs

Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.

backdoor trojan dropper

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\406434dc8589a615d696ccdee4d5b100_NeikiAnalytics.exe	family_berbew

Deletes itself 1 IoCs

Processes:

406434dc8589a615d696ccdee4d5b100_NeikiAnalytics.exe

pid process

3288 406434dc8589a615d696ccdee4d5b100_NeikiAnalytics.exe
Executes dropped EXE 1 IoCs

Processes:

406434dc8589a615d696ccdee4d5b100_NeikiAnalytics.exe

pid process

3288 406434dc8589a615d696ccdee4d5b100_NeikiAnalytics.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

15 pastebin.com
16 pastebin.com

pid	process
3288	406434dc8589a615d696ccdee4d5b100_NeikiAnalytics.exe

pid	process
3288	406434dc8589a615d696ccdee4d5b100_NeikiAnalytics.exe

flow	ioc
15	pastebin.com
16	pastebin.com

Program crash 15 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
1608	1824	WerFault.exe	406434dc8589a615d696ccdee4d5b100_NeikiAnalytics.exe
2864	3288	WerFault.exe	406434dc8589a615d696ccdee4d5b100_NeikiAnalytics.exe
3988	3288	WerFault.exe	406434dc8589a615d696ccdee4d5b100_NeikiAnalytics.exe
4292	3288	WerFault.exe	406434dc8589a615d696ccdee4d5b100_NeikiAnalytics.exe
4024	3288	WerFault.exe	406434dc8589a615d696ccdee4d5b100_NeikiAnalytics.exe
2524	3288	WerFault.exe	406434dc8589a615d696ccdee4d5b100_NeikiAnalytics.exe
3648	3288	WerFault.exe	406434dc8589a615d696ccdee4d5b100_NeikiAnalytics.exe
2108	3288	WerFault.exe	406434dc8589a615d696ccdee4d5b100_NeikiAnalytics.exe
2700	3288	WerFault.exe	406434dc8589a615d696ccdee4d5b100_NeikiAnalytics.exe
4064	3288	WerFault.exe	406434dc8589a615d696ccdee4d5b100_NeikiAnalytics.exe
4404	3288	WerFault.exe	406434dc8589a615d696ccdee4d5b100_NeikiAnalytics.exe
1804	3288	WerFault.exe	406434dc8589a615d696ccdee4d5b100_NeikiAnalytics.exe
860	3288	WerFault.exe	406434dc8589a615d696ccdee4d5b100_NeikiAnalytics.exe
4872	3288	WerFault.exe	406434dc8589a615d696ccdee4d5b100_NeikiAnalytics.exe
2120	3288	WerFault.exe	406434dc8589a615d696ccdee4d5b100_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

406434dc8589a615d696ccdee4d5b100_NeikiAnalytics.exe

pid process

3288 406434dc8589a615d696ccdee4d5b100_NeikiAnalytics.exe
3288 406434dc8589a615d696ccdee4d5b100_NeikiAnalytics.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

406434dc8589a615d696ccdee4d5b100_NeikiAnalytics.exe

pid process

1824 406434dc8589a615d696ccdee4d5b100_NeikiAnalytics.exe
Suspicious use of UnmapMainImage 1 IoCs

Processes:

406434dc8589a615d696ccdee4d5b100_NeikiAnalytics.exe

pid process

3288 406434dc8589a615d696ccdee4d5b100_NeikiAnalytics.exe

pid	process
3288	406434dc8589a615d696ccdee4d5b100_NeikiAnalytics.exe
3288	406434dc8589a615d696ccdee4d5b100_NeikiAnalytics.exe

pid	process
1824	406434dc8589a615d696ccdee4d5b100_NeikiAnalytics.exe

pid	process
3288	406434dc8589a615d696ccdee4d5b100_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

406434dc8589a615d696ccdee4d5b100_NeikiAnalytics.exe

description	pid	process	target process
PID 1824 wrote to memory of 3288	1824	406434dc8589a615d696ccdee4d5b100_NeikiAnalytics.exe	406434dc8589a615d696ccdee4d5b100_NeikiAnalytics.exe
PID 1824 wrote to memory of 3288	1824	406434dc8589a615d696ccdee4d5b100_NeikiAnalytics.exe	406434dc8589a615d696ccdee4d5b100_NeikiAnalytics.exe
PID 1824 wrote to memory of 3288	1824	406434dc8589a615d696ccdee4d5b100_NeikiAnalytics.exe	406434dc8589a615d696ccdee4d5b100_NeikiAnalytics.exe

C:\Users\Admin\AppData\Local\Temp\406434dc8589a615d696ccdee4d5b100_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\406434dc8589a615d696ccdee4d5b100_NeikiAnalytics.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:1824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1824 -s 344
2⤵
- Program crash
PID:1608

C:\Users\Admin\AppData\Local\Temp\406434dc8589a615d696ccdee4d5b100_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\406434dc8589a615d696ccdee4d5b100_NeikiAnalytics.exe
2⤵
- Deletes itself
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of UnmapMainImage
PID:3288

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3288 -s 208
3⤵
- Program crash
PID:2864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3288 -s 628
3⤵
- Program crash
PID:3988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3288 -s 636
3⤵
- Program crash
PID:4292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3288 -s 692
3⤵
- Program crash
PID:4024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3288 -s 720
3⤵
- Program crash
PID:2524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3288 -s 916
3⤵
- Program crash
PID:3648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3288 -s 1412
3⤵
- Program crash
PID:2108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3288 -s 1464
3⤵
- Program crash
PID:2700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3288 -s 1476
3⤵
- Program crash
PID:4064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3288 -s 1564
3⤵
- Program crash
PID:4404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3288 -s 1560
3⤵
- Program crash
PID:1804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3288 -s 1552
3⤵
- Program crash
PID:860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3288 -s 1652
3⤵
- Program crash
PID:4872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3288 -s 672
3⤵
- Program crash
PID:2120

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1824 -ip 1824
1⤵
PID:1836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3288 -ip 3288
1⤵
PID:1808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3288 -ip 3288
1⤵
PID:1520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3288 -ip 3288
1⤵
PID:2940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3288 -ip 3288
1⤵
PID:4704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3288 -ip 3288
1⤵
PID:1456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 3288 -ip 3288
1⤵
PID:4572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3288 -ip 3288
1⤵
PID:1736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3288 -ip 3288
1⤵
PID:1104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3288 -ip 3288
1⤵
PID:5112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 3288 -ip 3288
1⤵
PID:4912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 3288 -ip 3288
1⤵
PID:1624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3288 -ip 3288
1⤵
PID:1968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3288 -ip 3288
1⤵
PID:1076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3288 -ip 3288
1⤵
PID:4872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\406434dc8589a615d696ccdee4d5b100_NeikiAnalytics.exe
Filesize
1004KB

MD5
4c4c16a1b4662404c1926fc003ae8d20

SHA1
8042e65cf47adfa9fd8cc9b3344645abb3929491

SHA256
fc3a79b6fba98ab8cc2315245d2637422b1d53352ec2fc8f9d726e9183202529

SHA512
b632a8f2b15661634d23bd330c8a9c385358c1e99b42b541889a1f6e778fbeb85068ac21b4ae33a336ba025a0b73abf1ac8ad17feb41c846595e9d4542c7d1d7

Download Submit
memory/1824-0-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/1824-6-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/3288-7-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/3288-9-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/3288-14-0x0000000004FE0000-0x00000000050CF000-memory.dmp

Filesize
956KB

Download
memory/3288-21-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3288-27-0x000000000B970000-0x000000000BA13000-memory.dmp

Filesize
652KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads