Analysis
max time kernel: 122s
max time network: 123s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 26-05-2024 03:42

Behavioral task: behavioral1
Sample: 5daf9572c2a632329758888668015d80_NeikiAnalytics.exe
Resource: win7-20240508-en
General
Target: 5daf9572c2a632329758888668015d80_NeikiAnalytics.exe
Size: 282KB
MD5: 5daf9572c2a632329758888668015d80
SHA1: 706452dd65d03cb83e3f3a99efc06d9c995272d8
SHA256: e73ea851a05c004157c6e41a3d6aa84ceefe4b82369ab9b79a385dccff33d78a
SHA512: 3f5d8da190a1bae56d7245e8745debe2a85e97cc6da8dd26cd23ab58582dd5e3d93d979bd2c608a2140d653352eac7abc246c23a1ee9d8827e90989087fc96c3
SSDEEP: 6144:ustaRDOzrIzIAUdL+SkEjiPISUOgW9X+hOGzC/:e8zXdVkmZzcukG2/
Malware Config
Signatures

Malware Dropper & Backdoor - Berbew (1 IoC)
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
Processes:
  resource                       yara_rule
  C:\Windows\system\TLRKP.exe    family_berbew

Executes dropped EXE (1 IoC)
Processes:
  pid    process
  2728   TLRKP.exe

Loads dropped DLL (2 IoCs)
Processes:
  pid    process
  2608   cmd.exe
  2608   cmd.exe

Drops file in Windows directory (3 IoCs)
Processes:
  description                    ioc                                process
  File opened for modification   C:\windows\system\TLRKP.exe        5daf9572c2a632329758888668015d80_NeikiAnalytics.exe
  File created                   C:\windows\system\TLRKP.exe.bat    5daf9572c2a632329758888668015d80_NeikiAnalytics.exe
  File created                   C:\windows\system\TLRKP.exe        5daf9572c2a632329758888668015d80_NeikiAnalytics.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
  pid    process
  1712   5daf9572c2a632329758888668015d80_NeikiAnalytics.exe
  2728   TLRKP.exe

Suspicious use of SetWindowsHookEx (4 IoCs)
Processes:
  pid    process
  1712   5daf9572c2a632329758888668015d80_NeikiAnalytics.exe
  1712   5daf9572c2a632329758888668015d80_NeikiAnalytics.exe
  2728   TLRKP.exe
  2728   TLRKP.exe

Suspicious use of WriteProcessMemory (8 IoCs)
Processes:
  description                         pid    process                                                target process
  PID 1712 wrote to memory of 2608    1712   5daf9572c2a632329758888668015d80_NeikiAnalytics.exe   cmd.exe
  PID 1712 wrote to memory of 2608    1712   5daf9572c2a632329758888668015d80_NeikiAnalytics.exe   cmd.exe
  PID 1712 wrote to memory of 2608    1712   5daf9572c2a632329758888668015d80_NeikiAnalytics.exe   cmd.exe
  PID 1712 wrote to memory of 2608    1712   5daf9572c2a632329758888668015d80_NeikiAnalytics.exe   cmd.exe
  PID 2608 wrote to memory of 2728    2608   cmd.exe                                                TLRKP.exe
  PID 2608 wrote to memory of 2728    2608   cmd.exe                                                TLRKP.exe
  PID 2608 wrote to memory of 2728    2608   cmd.exe                                                TLRKP.exe
  PID 2608 wrote to memory of 2728    2608   cmd.exe                                                TLRKP.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\5daf9572c2a632329758888668015d80_NeikiAnalytics.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\5daf9572c2a632329758888668015d80_NeikiAnalytics.exe"
   - Drops file in Windows directory
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\cmd.exe
      command line: cmd /c ""C:\windows\system\TLRKP.exe.bat" "
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory

      3. C:\windows\system\TLRKP.exe
         command line: C:\windows\system\TLRKP.exe
         - Executes dropped EXE
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads

C:\Windows\system\TLRKP.exe
  Filesize: 282KB
  MD5: 3e388abf39c2b372e338248de21ec277
  SHA1: 72496b7d4ecea03d19a006e15b4079961c408490
  SHA256: 510ab883d06901d0ec26226a10c098465d1b7eede1262aa35b6da13e7b8956d3
  SHA512: 14086b9f60e73b5f9cb8fa4c70ff8215e789384324627247d3aeb28aeb064a8ca556f495225c544096860955cfb8d8f02e8bdb859a0d4518d99370505ca709a9

C:\Windows\system\TLRKP.exe.bat
  Filesize: 70B
  MD5: ff51fcb3fb913fde308d204007688835
  SHA1: 435c8f68a9d938a8b6544c73cd4b8952408db4e5
  SHA256: 0abd1c89d03fec9ecd98858316c0e8efdfb5c550a269ad7e6a3f7cedfecc4f3d
  SHA512: bb8626f2540a2ddd1448d4f1ed71e8e19ff1b637b79a4624eb1131c22e77b7b3a3b9380a576a95a19dcb77fc36030176483e16c8969e4dbc0d531dc3df55a290

memory/1712-0-0x0000000000400000-0x0000000000439000-memory.dmp
  Filesize: 228KB

memory/1712-12-0x0000000000400000-0x0000000000439000-memory.dmp
  Filesize: 228KB

memory/2608-19-0x0000000000170000-0x00000000001A9000-memory.dmp
  Filesize: 228KB

memory/2608-17-0x0000000000170000-0x00000000001A9000-memory.dmp
  Filesize: 228KB

memory/2728-20-0x0000000000400000-0x0000000000439000-memory.dmp
  Filesize: 228KB