0923d0ac98ab34176f2bd74a6fb71371e4bc8419823d1012871040bc8fa704eb

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
26-05-2024 03:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5d02bc977215b338c0b7f944413afdc0_NeikiAnalytics.exe
Size

282KB
MD5

5d02bc977215b338c0b7f944413afdc0
SHA1

5871cd14ec1e8bc9a97f5e9b589ad077c6631971
SHA256

0923d0ac98ab34176f2bd74a6fb71371e4bc8419823d1012871040bc8fa704eb
SHA512

bc3d0cb4bd6cd123201a5a03ceec1699d0bc961e57d516164360acae15d854c878284d3c94fb41f174023796faaede280a983ae39340db4f3d509004fe648d44
SSDEEP

6144:IF4q1TyahVHIB4RnH6NXj5kEjiPISUOgW9X+hOGzC/:Iqq1Tlhij5kmZzcukG2/

Score

10^/10

backdoor dropper trojan

Malware Config

Signatures

Malware Dropper & Backdoor - Berbew 1 IoCs

Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.

backdoor trojan dropper

Processes:

resource	yara_rule
C:\Windows\system\YFHSX.exe	family_berbew

Executes dropped EXE 1 IoCs

Processes:

YFHSX.exe

pid process

2568 YFHSX.exe
Loads dropped DLL 2 IoCs

Processes:

cmd.exe

pid process

2932 cmd.exe
2932 cmd.exe

pid	process
2568	YFHSX.exe

pid	process
2932	cmd.exe
2932	cmd.exe

Drops file in Windows directory 3 IoCs

Processes:

5d02bc977215b338c0b7f944413afdc0_NeikiAnalytics.exe

description	ioc	process
File created	C:\windows\system\YFHSX.exe.bat	5d02bc977215b338c0b7f944413afdc0_NeikiAnalytics.exe
File created	C:\windows\system\YFHSX.exe	5d02bc977215b338c0b7f944413afdc0_NeikiAnalytics.exe
File opened for modification	C:\windows\system\YFHSX.exe	5d02bc977215b338c0b7f944413afdc0_NeikiAnalytics.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

5d02bc977215b338c0b7f944413afdc0_NeikiAnalytics.exeYFHSX.exe

pid process

2904 5d02bc977215b338c0b7f944413afdc0_NeikiAnalytics.exe
2568 YFHSX.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

5d02bc977215b338c0b7f944413afdc0_NeikiAnalytics.exeYFHSX.exe

pid process

2904 5d02bc977215b338c0b7f944413afdc0_NeikiAnalytics.exe
2904 5d02bc977215b338c0b7f944413afdc0_NeikiAnalytics.exe
2568 YFHSX.exe
2568 YFHSX.exe

pid	process
2904	5d02bc977215b338c0b7f944413afdc0_NeikiAnalytics.exe
2568	YFHSX.exe

pid	process
2904	5d02bc977215b338c0b7f944413afdc0_NeikiAnalytics.exe
2904	5d02bc977215b338c0b7f944413afdc0_NeikiAnalytics.exe
2568	YFHSX.exe
2568	YFHSX.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

5d02bc977215b338c0b7f944413afdc0_NeikiAnalytics.execmd.exe

description	pid	process	target process
PID 2904 wrote to memory of 2932	2904	5d02bc977215b338c0b7f944413afdc0_NeikiAnalytics.exe	cmd.exe
PID 2904 wrote to memory of 2932	2904	5d02bc977215b338c0b7f944413afdc0_NeikiAnalytics.exe	cmd.exe
PID 2904 wrote to memory of 2932	2904	5d02bc977215b338c0b7f944413afdc0_NeikiAnalytics.exe	cmd.exe
PID 2904 wrote to memory of 2932	2904	5d02bc977215b338c0b7f944413afdc0_NeikiAnalytics.exe	cmd.exe
PID 2932 wrote to memory of 2568	2932	cmd.exe	YFHSX.exe
PID 2932 wrote to memory of 2568	2932	cmd.exe	YFHSX.exe
PID 2932 wrote to memory of 2568	2932	cmd.exe	YFHSX.exe
PID 2932 wrote to memory of 2568	2932	cmd.exe	YFHSX.exe

C:\Users\Admin\AppData\Local\Temp\5d02bc977215b338c0b7f944413afdc0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\5d02bc977215b338c0b7f944413afdc0_NeikiAnalytics.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2904

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\windows\system\YFHSX.exe.bat" "
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2932

C:\windows\system\YFHSX.exe
C:\windows\system\YFHSX.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2568

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\YFHSX.exe
Filesize
282KB

MD5
e38d7b91bdc6d52398cfa3cd39a19da4

SHA1
a0d387e261571afc8ed28bc32f0cd8595f1d1c1b

SHA256
b50708c7cf413f1d97e43b7cbd7284afd2da51081f1e369f607c6dd8f97a174c

SHA512
9b9c03981e1aa1c00bdd4c9f783e0cae409cdca2a88d6eb6a46fe780b9024555058c2cb7950d6bd86ecbd611d5441d6dfe75a4ccbf085cc101f25b88d1132e98

Download Submit
C:\Windows\system\YFHSX.exe.bat
Filesize
70B

MD5
ee2da3c639a2aebbd65c0608dd932db4

SHA1
f32544f82a843efdbcec29a0dd7428bcd9b74075

SHA256
642ebdf7904fb9b00367924341ce3729815c14f25fbfe02f04c00f28fa94f576

SHA512
96b0f317f29473ce3b5ef384b8e06a227085f1a7e4a04186daead118b4509e4216c4b377a1a86b3256bc27efaa8a93d0783f1529e412736980b6f1572d70f96a

Download Submit
memory/2568-20-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2568-21-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2904-0-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2904-12-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2932-19-0x0000000000190000-0x00000000001C9000-memory.dmp

Filesize
228KB

Download
memory/2932-18-0x0000000000190000-0x00000000001C9000-memory.dmp

Filesize
228KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads