23339a49e15ba1c212b8940475c63081fea79bd405617362049bb2cd107bc44f

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
26-05-2024 02:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

56bd230d5641761d3fcae0d8c536a640_NeikiAnalytics.exe
Size

1.9MB
MD5

56bd230d5641761d3fcae0d8c536a640
SHA1

f616a8760fc962fc0dfcbaa7d8bab8942aa15885
SHA256

23339a49e15ba1c212b8940475c63081fea79bd405617362049bb2cd107bc44f
SHA512

8d7a7e1681bf4708bdfe0061120eaf775abde587234c2841a17ca052d730482a09b1ed66599fa1074cf4af4b5007cdfbefd3b46e4c87ae5220567d171db3e553
SSDEEP

49152:PiGbpfNPyupenXN5NgPyeBhbq4TTow+lsgr5e:v4XNayeBhhTW75

Score

10^/10

backdoor dropper trojan

Malware Config

Signatures

Malware Dropper & Backdoor - Berbew 5 IoCs

Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.

backdoor trojan dropper

Processes:

resource	yara_rule
behavioral1/memory/2256-0-0x0000000000400000-0x00000000004F2000-memory.dmp	family_berbew
\Users\Admin\AppData\Local\Temp\56bd230d5641761d3fcae0d8c536a640_NeikiAnalytics.exe	family_berbew
behavioral1/memory/2448-9-0x0000000000400000-0x00000000004F2000-memory.dmp	family_berbew
behavioral1/memory/2256-7-0x0000000000400000-0x00000000004F2000-memory.dmp	family_berbew
behavioral1/memory/2448-16-0x0000000002E80000-0x0000000002F72000-memory.dmp	family_berbew

Deletes itself 1 IoCs

Processes:

56bd230d5641761d3fcae0d8c536a640_NeikiAnalytics.exe

pid process

2448 56bd230d5641761d3fcae0d8c536a640_NeikiAnalytics.exe
Executes dropped EXE 1 IoCs

Processes:

56bd230d5641761d3fcae0d8c536a640_NeikiAnalytics.exe

pid process

2448 56bd230d5641761d3fcae0d8c536a640_NeikiAnalytics.exe
Loads dropped DLL 1 IoCs

Processes:

56bd230d5641761d3fcae0d8c536a640_NeikiAnalytics.exe

pid process

2256 56bd230d5641761d3fcae0d8c536a640_NeikiAnalytics.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

4 pastebin.com
3 pastebin.com
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

56bd230d5641761d3fcae0d8c536a640_NeikiAnalytics.exe

pid process

2448 56bd230d5641761d3fcae0d8c536a640_NeikiAnalytics.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

56bd230d5641761d3fcae0d8c536a640_NeikiAnalytics.exe

pid process

2256 56bd230d5641761d3fcae0d8c536a640_NeikiAnalytics.exe
Suspicious use of UnmapMainImage 1 IoCs

Processes:

56bd230d5641761d3fcae0d8c536a640_NeikiAnalytics.exe

pid process

2448 56bd230d5641761d3fcae0d8c536a640_NeikiAnalytics.exe

pid	process
2448	56bd230d5641761d3fcae0d8c536a640_NeikiAnalytics.exe

pid	process
2448	56bd230d5641761d3fcae0d8c536a640_NeikiAnalytics.exe

pid	process
2256	56bd230d5641761d3fcae0d8c536a640_NeikiAnalytics.exe

flow	ioc
4	pastebin.com
3	pastebin.com

pid	process
2448	56bd230d5641761d3fcae0d8c536a640_NeikiAnalytics.exe

pid	process
2256	56bd230d5641761d3fcae0d8c536a640_NeikiAnalytics.exe

pid	process
2448	56bd230d5641761d3fcae0d8c536a640_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

56bd230d5641761d3fcae0d8c536a640_NeikiAnalytics.exe

description	pid	process	target process
PID 2256 wrote to memory of 2448	2256	56bd230d5641761d3fcae0d8c536a640_NeikiAnalytics.exe	56bd230d5641761d3fcae0d8c536a640_NeikiAnalytics.exe
PID 2256 wrote to memory of 2448	2256	56bd230d5641761d3fcae0d8c536a640_NeikiAnalytics.exe	56bd230d5641761d3fcae0d8c536a640_NeikiAnalytics.exe
PID 2256 wrote to memory of 2448	2256	56bd230d5641761d3fcae0d8c536a640_NeikiAnalytics.exe	56bd230d5641761d3fcae0d8c536a640_NeikiAnalytics.exe
PID 2256 wrote to memory of 2448	2256	56bd230d5641761d3fcae0d8c536a640_NeikiAnalytics.exe	56bd230d5641761d3fcae0d8c536a640_NeikiAnalytics.exe

C:\Users\Admin\AppData\Local\Temp\56bd230d5641761d3fcae0d8c536a640_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\56bd230d5641761d3fcae0d8c536a640_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2256

C:\Users\Admin\AppData\Local\Temp\56bd230d5641761d3fcae0d8c536a640_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\56bd230d5641761d3fcae0d8c536a640_NeikiAnalytics.exe
2⤵
- Deletes itself
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of UnmapMainImage
PID:2448

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\56bd230d5641761d3fcae0d8c536a640_NeikiAnalytics.exe
Filesize
1.9MB

MD5
ebf94330402769772fb873f6f0b47746

SHA1
137566c931842026457ce79053ac1cec9446056e

SHA256
d7a799c1ceff9208814dd9f57fb4abdf5e2452405d4e7a2dc3684aedefb779e1

SHA512
33531076887f3dfae8bbb849541328b55935b4c1560e3fc9c49e56eda5688c21d2f435054082ece0e12636218c31f8b577bc3dea5879a0f3d29a214ea1b01173

Download Submit
memory/2256-0-0x0000000000400000-0x00000000004F2000-memory.dmp

Filesize
968KB

Download
memory/2256-7-0x0000000000400000-0x00000000004F2000-memory.dmp

Filesize
968KB

Download
memory/2448-9-0x0000000000400000-0x00000000004F2000-memory.dmp

Filesize
968KB

Download
memory/2448-10-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/2448-16-0x0000000002E80000-0x0000000002F72000-memory.dmp

Filesize
968KB

Download
memory/2448-32-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2448-38-0x000000000FF70000-0x0000000010013000-memory.dmp

Filesize
652KB

Download