Analysis
max time kernel: 118s
max time network: 119s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 26-05-2024 03:37

Behavioral task
behavioral1
Sample: 5d02bc977215b338c0b7f944413afdc0_NeikiAnalytics.exe
Resource: win7-20240221-en

General
Target: 5d02bc977215b338c0b7f944413afdc0_NeikiAnalytics.exe
Size: 282KB
MD5: 5d02bc977215b338c0b7f944413afdc0
SHA1: 5871cd14ec1e8bc9a97f5e9b589ad077c6631971
SHA256: 0923d0ac98ab34176f2bd74a6fb71371e4bc8419823d1012871040bc8fa704eb
SHA512: bc3d0cb4bd6cd123201a5a03ceec1699d0bc961e57d516164360acae15d854c878284d3c94fb41f174023796faaede280a983ae39340db4f3d509004fe648d44
SSDEEP: 6144:IF4q1TyahVHIB4RnH6NXj5kEjiPISUOgW9X+hOGzC/:Iqq1Tlhij5kmZzcukG2/
Malware Config
Signatures

Malware Dropper & Backdoor - Berbew (1 IoC)
Berbew is a backdoor Trojan with the capability to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
  resource                      yara_rule
  C:\Windows\system\YFHSX.exe   family_berbew
The YARA match is recorded against the dropped copy in C:\Windows\system, not against the submitted sample.

Executes dropped EXE (1 IoC)
  pid    process
  2568   YFHSX.exe

Loads dropped DLL (2 IoCs)
  pid    process
  2932   cmd.exe
  2932   cmd.exe

Drops file in Windows directory (3 IoCs)
  description                    ioc                               process
  File created                   C:\windows\system\YFHSX.exe.bat   5d02bc977215b338c0b7f944413afdc0_NeikiAnalytics.exe
  File created                   C:\windows\system\YFHSX.exe       5d02bc977215b338c0b7f944413afdc0_NeikiAnalytics.exe
  File opened for modification   C:\windows\system\YFHSX.exe       5d02bc977215b338c0b7f944413afdc0_NeikiAnalytics.exe
Creating files under C:\windows\system is not possible from a standard-user token, so on a real host this step depends on the sample running with administrative rights; the sandbox user here is Admin.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid    process
  2904   5d02bc977215b338c0b7f944413afdc0_NeikiAnalytics.exe
  2568   YFHSX.exe

Suspicious use of SetWindowsHookEx (4 IoCs)
  pid    process
  2904   5d02bc977215b338c0b7f944413afdc0_NeikiAnalytics.exe
  2904   5d02bc977215b338c0b7f944413afdc0_NeikiAnalytics.exe
  2568   YFHSX.exe
  2568   YFHSX.exe
SetWindowsHookEx is the usual route for installing message and keyboard hooks; the report does not record which hook type was installed.

Suspicious use of WriteProcessMemory (8 IoCs)
  description                         pid    process                                                target process
  PID 2904 wrote to memory of 2932    2904   5d02bc977215b338c0b7f944413afdc0_NeikiAnalytics.exe   cmd.exe
  PID 2904 wrote to memory of 2932    2904   5d02bc977215b338c0b7f944413afdc0_NeikiAnalytics.exe   cmd.exe
  PID 2904 wrote to memory of 2932    2904   5d02bc977215b338c0b7f944413afdc0_NeikiAnalytics.exe   cmd.exe
  PID 2904 wrote to memory of 2932    2904   5d02bc977215b338c0b7f944413afdc0_NeikiAnalytics.exe   cmd.exe
  PID 2932 wrote to memory of 2568    2932   cmd.exe                                                YFHSX.exe
  PID 2932 wrote to memory of 2568    2932   cmd.exe                                                YFHSX.exe
  PID 2932 wrote to memory of 2568    2932   cmd.exe                                                YFHSX.exe
  PID 2932 wrote to memory of 2568    2932   cmd.exe                                                YFHSX.exe
Both parent/child pairs show exactly four writes, and in each case the target is the process's own freshly created child. That is the pattern that accompanies process creation by the parent, not remote injection into an unrelated process.
Processes

1. C:\Users\Admin\AppData\Local\Temp\5d02bc977215b338c0b7f944413afdc0_NeikiAnalytics.exe (PID 2904)
   "C:\Users\Admin\AppData\Local\Temp\5d02bc977215b338c0b7f944413afdc0_NeikiAnalytics.exe"
   - Drops file in Windows directory
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\cmd.exe (PID 2932)
      cmd /c ""C:\windows\system\YFHSX.exe.bat" "
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      3. C:\windows\system\YFHSX.exe (PID 2568)
         C:\windows\system\YFHSX.exe
         - Executes dropped EXE
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of SetWindowsHookEx

The sample starts its persisted copy indirectly: it writes YFHSX.exe.bat next to YFHSX.exe in C:\windows\system, has cmd.exe run the batch file, and the batch file launches the executable. The cmd.exe involved is the SysWOW64 copy, so the sample itself is a 32-bit process.
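The chain above (sample writes YFHSX.exe and YFHSX.exe.bat into C:\windows\system, cmd.exe runs the batch file, the batch file starts YFHSX.exe) is worth hunting as a pattern rather than as a single hash. The following is an added Python example, not part of the sandbox report or of any vendor tool: it encodes the report's dropped-file hashes and flags any cmd.exe that runs a <name>.exe.bat from C:\windows\system and then spawns the matching <name>.exe. The three report PIDs, the paths and the hashes are from the page; the ProcEvent field names, the parent PID 1000 and the benign fourth event are constructed assumptions.

```python
"""Hunting helper for the Berbew dropper chain shown in this report.

Added example: not part of the sandbox report or any vendor tooling.
It encodes the dropped-file IoCs from the report and runs a small
detection over constructed, Sysmon-style process-creation events.
Field names (pid, ppid, image, cmdline) and the benign noise event are
assumptions; map them onto your own telemetry.
"""
import hashlib
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Hashes of the two files the sample dropped, copied from the report's
# Downloads section. The submitted sample's own hashes differ, so a
# block on those alone will not match the persisted copy.
DROPPED_FILE_HASHES = {
    r"C:\Windows\system\YFHSX.exe": {
        "md5": "e38d7b91bdc6d52398cfa3cd39a19da4",
        "sha256": "b50708c7cf413f1d97e43b7cbd7284afd2da51081f1e369f607c6dd8f97a174c",
    },
    r"C:\Windows\system\YFHSX.exe.bat": {
        "md5": "ee2da3c639a2aebbd65c0608dd932db4",
        "sha256": "642ebdf7904fb9b00367924341ce3729815c14f25fbfe02f04c00f28fa94f576",
    },
}


@dataclass
class ProcEvent:
    """Minimal process-creation record (assumed field names)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# The launch seen in the report:  cmd /c ""C:\windows\system\YFHSX.exe.bat" "
# Generalised to any <name>.exe.bat under <drive>:\windows\system, with any
# number of surrounding double quotes.
BAT_LAUNCH = re.compile(
    r'/c\s+"*(?P<bat>[A-Za-z]:\\windows\\system\\[^"\s]+\.exe\.bat)"*',
    re.IGNORECASE,
)


def find_dropper_chains(
    events: List[ProcEvent],
) -> List[Tuple[Optional[ProcEvent], ProcEvent, ProcEvent]]:
    """Return (dropper, cmd, payload) triples for every cmd.exe that ran a
    <name>.exe.bat from the Windows system directory and then spawned
    <name>.exe. The dropper is None if its event is not in the input."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for cmd in events:
        if not cmd.image.lower().endswith("\\cmd.exe"):
            continue
        m = BAT_LAUNCH.search(cmd.cmdline)
        if not m:
            continue
        # Strip ".bat" to get the executable the batch file is expected to start.
        payload = m.group("bat")[: -len(".bat")].lower()
        for child in events:
            if child.ppid == cmd.pid and child.image.lower() == payload:
                hits.append((by_pid.get(cmd.ppid), cmd, child))
    return hits


def dropped_file_match(data: bytes) -> Optional[str]:
    """Return the IoC path whose MD5 and SHA-256 both match `data`, else None."""
    md5 = hashlib.md5(data).hexdigest()
    sha256 = hashlib.sha256(data).hexdigest()
    for path, h in DROPPED_FILE_HASHES.items():
        if h["md5"] == md5 and h["sha256"] == sha256:
            return path
    return None


# Constructed events reproducing the report's process tree. PIDs 2904, 2932
# and 2568 are from the report; PPID 1000 and the benign last event are made up.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\5d02bc977215b338c0b7f944413afdc0_NeikiAnalytics.exe"
SAMPLE_EVENTS = [
    ProcEvent(2904, 1000, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(2932, 2904, r"C:\Windows\SysWOW64\cmd.exe",
              r'cmd /c ""C:\windows\system\YFHSX.exe.bat" "'),
    ProcEvent(2568, 2932, r"C:\windows\system\YFHSX.exe", r"C:\windows\system\YFHSX.exe"),
    ProcEvent(4100, 3000, r"C:\Windows\System32\cmd.exe", r'cmd /c "C:\Users\Admin\build.bat"'),
]


if __name__ == "__main__":
    for dropper, cmd, payload in find_dropper_chains(SAMPLE_EVENTS):
        who = dropper.pid if dropper else "?"
        print(f"dropper pid={who} -> cmd pid={cmd.pid} -> payload {payload.image}")
```

The path regex is the part that carries the signal: a batch file named after an executable, living in C:\windows\system, run through cmd /c and followed by that executable as a child of cmd.exe. The hash lookup is there for confirming a file found on disk against the report; it deliberately requires both MD5 and SHA-256 to agree.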
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads

C:\Windows\system\YFHSX.exe
  Filesize: 282KB
  MD5: e38d7b91bdc6d52398cfa3cd39a19da4
  SHA1: a0d387e261571afc8ed28bc32f0cd8595f1d1c1b
  SHA256: b50708c7cf413f1d97e43b7cbd7284afd2da51081f1e369f607c6dd8f97a174c
  SHA512: 9b9c03981e1aa1c00bdd4c9f783e0cae409cdca2a88d6eb6a46fe780b9024555058c2cb7950d6bd86ecbd611d5441d6dfe75a4ccbf085cc101f25b88d1132e98

C:\Windows\system\YFHSX.exe.bat
  Filesize: 70B
  MD5: ee2da3c639a2aebbd65c0608dd932db4
  SHA1: f32544f82a843efdbcec29a0dd7428bcd9b74075
  SHA256: 642ebdf7904fb9b00367924341ce3729815c14f25fbfe02f04c00f28fa94f576
  SHA512: 96b0f317f29473ce3b5ef384b8e06a227085f1a7e4a04186daead118b4509e4216c4b377a1a86b3256bc27efaa8a93d0783f1529e412736980b6f1572d70f96a

Memory dumps
  memory/2568-20-0x0000000000400000-0x0000000000439000-memory.dmp   228KB
  memory/2568-21-0x0000000000400000-0x0000000000439000-memory.dmp   228KB
  memory/2904-0-0x0000000000400000-0x0000000000439000-memory.dmp    228KB
  memory/2904-12-0x0000000000400000-0x0000000000439000-memory.dmp   228KB
  memory/2932-19-0x0000000000190000-0x00000000001C9000-memory.dmp   228KB
  memory/2932-18-0x0000000000190000-0x00000000001C9000-memory.dmp   228KB

The dropped YFHSX.exe is the same size as the submitted sample (282KB) but carries different hashes, so blocking on the submitted sample's hashes alone will not catch the persisted copy; hunt on the C:\Windows\system\YFHSX.exe path and on the hashes listed here. All three processes contain a 228KB (0x39000-byte) image region: at 0x400000 in the sample (PID 2904) and in YFHSX.exe (PID 2568), and at 0x190000 in cmd.exe (PID 2932), which is consistent with the Loads dropped DLL entries recorded against cmd.exe.