23339a49e15ba1c212b8940475c63081fea79bd405617362049bb2cd107bc44f

General

Target

56bd230d5641761d3fcae0d8c536a640_NeikiAnalytics.exe
Size

1.9MB
MD5

56bd230d5641761d3fcae0d8c536a640
SHA1

f616a8760fc962fc0dfcbaa7d8bab8942aa15885
SHA256

23339a49e15ba1c212b8940475c63081fea79bd405617362049bb2cd107bc44f
SHA512

8d7a7e1681bf4708bdfe0061120eaf775abde587234c2841a17ca052d730482a09b1ed66599fa1074cf4af4b5007cdfbefd3b46e4c87ae5220567d171db3e553
SSDEEP

49152:PiGbpfNPyupenXN5NgPyeBhbq4TTow+lsgr5e:v4XNayeBhhTW75

Score

10^/10

Malware Config

Signatures

Malware Dropper & Backdoor - Berbew 5 IoCs

Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.

backdoor trojan dropper

Processes:

resource	yara_rule
behavioral2/memory/736-0-0x0000000000400000-0x00000000004F2000-memory.dmp	family_berbew
behavioral2/memory/736-6-0x0000000000400000-0x00000000004F2000-memory.dmp	family_berbew
C:\Users\Admin\AppData\Local\Temp\56bd230d5641761d3fcae0d8c536a640_NeikiAnalytics.exe	family_berbew
behavioral2/memory/1704-7-0x0000000000400000-0x00000000004F2000-memory.dmp	family_berbew
behavioral2/memory/1704-14-0x0000000005050000-0x0000000005142000-memory.dmp	family_berbew

Deletes itself 1 IoCs

Processes:

56bd230d5641761d3fcae0d8c536a640_NeikiAnalytics.exe

pid process

1704 56bd230d5641761d3fcae0d8c536a640_NeikiAnalytics.exe
Executes dropped EXE 1 IoCs

Processes:

56bd230d5641761d3fcae0d8c536a640_NeikiAnalytics.exe

pid process

1704 56bd230d5641761d3fcae0d8c536a640_NeikiAnalytics.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

19 pastebin.com
20 pastebin.com

pid	process
1704	56bd230d5641761d3fcae0d8c536a640_NeikiAnalytics.exe

pid	process
1704	56bd230d5641761d3fcae0d8c536a640_NeikiAnalytics.exe

flow	ioc
19	pastebin.com
20	pastebin.com

Program crash 15 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
2764	736	WerFault.exe	56bd230d5641761d3fcae0d8c536a640_NeikiAnalytics.exe
2512	1704	WerFault.exe	56bd230d5641761d3fcae0d8c536a640_NeikiAnalytics.exe
2792	1704	WerFault.exe	56bd230d5641761d3fcae0d8c536a640_NeikiAnalytics.exe
3504	1704	WerFault.exe	56bd230d5641761d3fcae0d8c536a640_NeikiAnalytics.exe
208	1704	WerFault.exe	56bd230d5641761d3fcae0d8c536a640_NeikiAnalytics.exe
4808	1704	WerFault.exe	56bd230d5641761d3fcae0d8c536a640_NeikiAnalytics.exe
976	1704	WerFault.exe	56bd230d5641761d3fcae0d8c536a640_NeikiAnalytics.exe
3916	1704	WerFault.exe	56bd230d5641761d3fcae0d8c536a640_NeikiAnalytics.exe
872	1704	WerFault.exe	56bd230d5641761d3fcae0d8c536a640_NeikiAnalytics.exe
4036	1704	WerFault.exe	56bd230d5641761d3fcae0d8c536a640_NeikiAnalytics.exe
1932	1704	WerFault.exe	56bd230d5641761d3fcae0d8c536a640_NeikiAnalytics.exe
2624	1704	WerFault.exe	56bd230d5641761d3fcae0d8c536a640_NeikiAnalytics.exe
3024	1704	WerFault.exe	56bd230d5641761d3fcae0d8c536a640_NeikiAnalytics.exe
676	1704	WerFault.exe	56bd230d5641761d3fcae0d8c536a640_NeikiAnalytics.exe
2412	1704	WerFault.exe	56bd230d5641761d3fcae0d8c536a640_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

56bd230d5641761d3fcae0d8c536a640_NeikiAnalytics.exe

pid process

1704 56bd230d5641761d3fcae0d8c536a640_NeikiAnalytics.exe
1704 56bd230d5641761d3fcae0d8c536a640_NeikiAnalytics.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

56bd230d5641761d3fcae0d8c536a640_NeikiAnalytics.exe

pid process

736 56bd230d5641761d3fcae0d8c536a640_NeikiAnalytics.exe
Suspicious use of UnmapMainImage 1 IoCs

Processes:

56bd230d5641761d3fcae0d8c536a640_NeikiAnalytics.exe

pid process

1704 56bd230d5641761d3fcae0d8c536a640_NeikiAnalytics.exe

pid	process
1704	56bd230d5641761d3fcae0d8c536a640_NeikiAnalytics.exe
1704	56bd230d5641761d3fcae0d8c536a640_NeikiAnalytics.exe

pid	process
736	56bd230d5641761d3fcae0d8c536a640_NeikiAnalytics.exe

pid	process
1704	56bd230d5641761d3fcae0d8c536a640_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

56bd230d5641761d3fcae0d8c536a640_NeikiAnalytics.exe

description	pid	process	target process
PID 736 wrote to memory of 1704	736	56bd230d5641761d3fcae0d8c536a640_NeikiAnalytics.exe	56bd230d5641761d3fcae0d8c536a640_NeikiAnalytics.exe
PID 736 wrote to memory of 1704	736	56bd230d5641761d3fcae0d8c536a640_NeikiAnalytics.exe	56bd230d5641761d3fcae0d8c536a640_NeikiAnalytics.exe
PID 736 wrote to memory of 1704	736	56bd230d5641761d3fcae0d8c536a640_NeikiAnalytics.exe	56bd230d5641761d3fcae0d8c536a640_NeikiAnalytics.exe

C:\Users\Admin\AppData\Local\Temp\56bd230d5641761d3fcae0d8c536a640_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\56bd230d5641761d3fcae0d8c536a640_NeikiAnalytics.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 736 -s 352
2⤵
- Program crash
PID:2764

C:\Users\Admin\AppData\Local\Temp\56bd230d5641761d3fcae0d8c536a640_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\56bd230d5641761d3fcae0d8c536a640_NeikiAnalytics.exe
2⤵
- Deletes itself
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of UnmapMainImage
PID:1704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1704 -s 344
3⤵
- Program crash
PID:2512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1704 -s 628
3⤵
- Program crash
PID:2792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1704 -s 636
3⤵
- Program crash
PID:3504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1704 -s 680
3⤵
- Program crash
PID:208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1704 -s 680
3⤵
- Program crash
PID:4808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1704 -s 896
3⤵
- Program crash
PID:976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1704 -s 1396
3⤵
- Program crash
PID:3916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1704 -s 1408
3⤵
- Program crash
PID:872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1704 -s 1464
3⤵
- Program crash
PID:4036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1704 -s 1696
3⤵
- Program crash
PID:1932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1704 -s 1396
3⤵
- Program crash
PID:2624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1704 -s 1672
3⤵
- Program crash
PID:3024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1704 -s 1064
3⤵
- Program crash
PID:676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1704 -s 1692
3⤵
- Program crash
PID:2412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 736 -ip 736
1⤵
PID:4016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 1704 -ip 1704
1⤵
PID:3380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1704 -ip 1704
1⤵
PID:696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 1704 -ip 1704
1⤵
PID:2364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1704 -ip 1704
1⤵
PID:4212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1704 -ip 1704
1⤵
PID:3256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1704 -ip 1704
1⤵
PID:1348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1704 -ip 1704
1⤵
PID:1192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 1704 -ip 1704
1⤵
PID:2600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1704 -ip 1704
1⤵
PID:4676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1704 -ip 1704
1⤵
PID:860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1704 -ip 1704
1⤵
PID:408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1704 -ip 1704
1⤵
PID:1028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1704 -ip 1704
1⤵
PID:3756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1704 -ip 1704
1⤵
PID:3500

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\56bd230d5641761d3fcae0d8c536a640_NeikiAnalytics.exe
Filesize
1.9MB

MD5
8c9ba78a25e4400eb629eb5bea9dd50b

SHA1
feebc2242314f6d360333a462b15a21b706ab65f

SHA256
f74867d9fa9dede62c0ca16b127cb6014645881d2ee2c94b7f8adab4a7a6a999

SHA512
3b18f7b471871c0b02bc5d94626a166be40a02bc7d4e43b6e606dbd922d45be9af3c097c1086cec6da6f1792cbec8d2c8529abe323e7c8ff1163925fde3fddaf

Download Submit
memory/736-0-0x0000000000400000-0x00000000004F2000-memory.dmp

Filesize
968KB

Download
memory/736-6-0x0000000000400000-0x00000000004F2000-memory.dmp

Filesize
968KB

Download
memory/1704-7-0x0000000000400000-0x00000000004F2000-memory.dmp

Filesize
968KB

Download
memory/1704-8-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/1704-14-0x0000000005050000-0x0000000005142000-memory.dmp

Filesize
968KB

Download
memory/1704-21-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1704-27-0x000000000B980000-0x000000000BA23000-memory.dmp

Filesize
652KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads