4f85c862e659229e2e753b5ad0638d795259aef46e935ea8f39de16c25c86c49

General

Target

80ba9889a86fab53a0d4e607514d89e0_NeikiAnalytics.exe
Size

109KB
MD5

80ba9889a86fab53a0d4e607514d89e0
SHA1

daa00af2f79b7999362309be439dfc2c683f22f0
SHA256

4f85c862e659229e2e753b5ad0638d795259aef46e935ea8f39de16c25c86c49
SHA512

7d021392370b229b4888da47e1a0b0857132a43d8e239c5535c7827f1981d62290e72602a4eee65939440fa615fcc4ce47c927c736ee6f936bdfb4148fe817af
SSDEEP

3072:WieXLGonh2E0yirdFJ9rLCqwzBu1DjHLMVDqqkSp:WlXXcLhFJ93wtu1DjrFqh

Score

10^/10

backdoor dropper persistence trojan

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

80ba9889a86fab53a0d4e607514d89e0_NeikiAnalytics.exeIaeiieeb.exeInljnfkg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	80ba9889a86fab53a0d4e607514d89e0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	80ba9889a86fab53a0d4e607514d89e0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iaeiieeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iaeiieeb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Inljnfkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Inljnfkg.exe

Malware Dropper & Backdoor - Berbew 10 IoCs

Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.

backdoor trojan dropper

Processes:

resource	yara_rule
behavioral1/memory/2012-0-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral1/memory/2012-6-0x0000000001F90000-0x0000000001FD4000-memory.dmp	family_berbew
\Windows\SysWOW64\Iaeiieeb.exe	family_berbew
\Windows\SysWOW64\Inljnfkg.exe	family_berbew
behavioral1/memory/2800-31-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
C:\Windows\SysWOW64\Iagfoe32.exe	family_berbew
behavioral1/memory/2744-39-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral1/memory/2012-44-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral1/memory/2216-45-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew
behavioral1/memory/2800-46-0x0000000000400000-0x0000000000444000-memory.dmp	family_berbew

Executes dropped EXE 3 IoCs

Processes:

Iaeiieeb.exeInljnfkg.exeIagfoe32.exe

pid process

2216 Iaeiieeb.exe
2800 Inljnfkg.exe
2744 Iagfoe32.exe

pid	process
2216	Iaeiieeb.exe
2800	Inljnfkg.exe
2744	Iagfoe32.exe

Loads dropped DLL 10 IoCs

Processes:

80ba9889a86fab53a0d4e607514d89e0_NeikiAnalytics.exeIaeiieeb.exeInljnfkg.exeWerFault.exe

pid	process
2012	80ba9889a86fab53a0d4e607514d89e0_NeikiAnalytics.exe
2012	80ba9889a86fab53a0d4e607514d89e0_NeikiAnalytics.exe
2216	Iaeiieeb.exe
2216	Iaeiieeb.exe
2800	Inljnfkg.exe
2800	Inljnfkg.exe
2636	WerFault.exe
2636	WerFault.exe
2636	WerFault.exe
2636	WerFault.exe

Drops file in System32 directory 9 IoCs

Processes:

80ba9889a86fab53a0d4e607514d89e0_NeikiAnalytics.exeIaeiieeb.exeInljnfkg.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\Iaeiieeb.exe	80ba9889a86fab53a0d4e607514d89e0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Inljnfkg.exe	Iaeiieeb.exe
File opened for modification	C:\Windows\SysWOW64\Inljnfkg.exe	Iaeiieeb.exe
File created	C:\Windows\SysWOW64\Gjenmobn.dll	Inljnfkg.exe
File created	C:\Windows\SysWOW64\Iaeiieeb.exe	80ba9889a86fab53a0d4e607514d89e0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Gmibbifn.dll	80ba9889a86fab53a0d4e607514d89e0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\Jdnaob32.dll	Iaeiieeb.exe
File created	C:\Windows\SysWOW64\Iagfoe32.exe	Inljnfkg.exe
File opened for modification	C:\Windows\SysWOW64\Iagfoe32.exe	Inljnfkg.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2636 2744 WerFault.exe Iagfoe32.exe

pid	pid_target	process	target process
2636	2744	WerFault.exe	Iagfoe32.exe

Modifies registry class 12 IoCs

Processes:

80ba9889a86fab53a0d4e607514d89e0_NeikiAnalytics.exeIaeiieeb.exeInljnfkg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	80ba9889a86fab53a0d4e607514d89e0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	80ba9889a86fab53a0d4e607514d89e0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Iaeiieeb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Inljnfkg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	80ba9889a86fab53a0d4e607514d89e0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	80ba9889a86fab53a0d4e607514d89e0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	80ba9889a86fab53a0d4e607514d89e0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmibbifn.dll"	80ba9889a86fab53a0d4e607514d89e0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Iaeiieeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdnaob32.dll"	Iaeiieeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjenmobn.dll"	Inljnfkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Inljnfkg.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

80ba9889a86fab53a0d4e607514d89e0_NeikiAnalytics.exeIaeiieeb.exeInljnfkg.exeIagfoe32.exe

description	pid	process	target process
PID 2012 wrote to memory of 2216	2012	80ba9889a86fab53a0d4e607514d89e0_NeikiAnalytics.exe	Iaeiieeb.exe
PID 2012 wrote to memory of 2216	2012	80ba9889a86fab53a0d4e607514d89e0_NeikiAnalytics.exe	Iaeiieeb.exe
PID 2012 wrote to memory of 2216	2012	80ba9889a86fab53a0d4e607514d89e0_NeikiAnalytics.exe	Iaeiieeb.exe
PID 2012 wrote to memory of 2216	2012	80ba9889a86fab53a0d4e607514d89e0_NeikiAnalytics.exe	Iaeiieeb.exe
PID 2216 wrote to memory of 2800	2216	Iaeiieeb.exe	Inljnfkg.exe
PID 2216 wrote to memory of 2800	2216	Iaeiieeb.exe	Inljnfkg.exe
PID 2216 wrote to memory of 2800	2216	Iaeiieeb.exe	Inljnfkg.exe
PID 2216 wrote to memory of 2800	2216	Iaeiieeb.exe	Inljnfkg.exe
PID 2800 wrote to memory of 2744	2800	Inljnfkg.exe	Iagfoe32.exe
PID 2800 wrote to memory of 2744	2800	Inljnfkg.exe	Iagfoe32.exe
PID 2800 wrote to memory of 2744	2800	Inljnfkg.exe	Iagfoe32.exe
PID 2800 wrote to memory of 2744	2800	Inljnfkg.exe	Iagfoe32.exe
PID 2744 wrote to memory of 2636	2744	Iagfoe32.exe	WerFault.exe
PID 2744 wrote to memory of 2636	2744	Iagfoe32.exe	WerFault.exe
PID 2744 wrote to memory of 2636	2744	Iagfoe32.exe	WerFault.exe
PID 2744 wrote to memory of 2636	2744	Iagfoe32.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\80ba9889a86fab53a0d4e607514d89e0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\80ba9889a86fab53a0d4e607514d89e0_NeikiAnalytics.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2012

C:\Windows\SysWOW64\Iaeiieeb.exe
C:\Windows\system32\Iaeiieeb.exe
2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2216

C:\Windows\SysWOW64\Inljnfkg.exe
C:\Windows\system32\Inljnfkg.exe
3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2800

C:\Windows\SysWOW64\Iagfoe32.exe
C:\Windows\system32\Iagfoe32.exe
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2744 -s 140
5⤵
- Loads dropped DLL
- Program crash
PID:2636

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Iagfoe32.exe
Filesize
109KB

MD5
152bea805fdd72bda447eea71c9a4e5c

SHA1
ccb7ca17e85360555452256763f770622f4996c0

SHA256
9d5bfa9e171f2dc46a468bbe301f0f568765d6c6ecc9e88cf4d789d4de2f26bf

SHA512
8dfe1cca21c28369ddf4e282e234c63d8aa141c5631b3c52bcc90b657cd8b9a14f317f011bf1255624014048244cea796f2b83f3a9d6f42894014c0834337a54

Download Submit
\Windows\SysWOW64\Iaeiieeb.exe
Filesize
109KB

MD5
e8bd4a8b56ce8670057b2918f7d519bd

SHA1
89ce9dfe16de87b6cc97fb17e644a14e324ded25

SHA256
5c1dc0736f0f59bd899caf52d9922d1c5682c6ecf35fc7c167cfe971a33445a7

SHA512
94382e0fe8df4ed0ee83b2306c326a39a09288621aa3cbfff77d55443e6ef36bcec5e8108fd95c4c1b644ee11722f13a5a83a6584eb748756cd3a16e05d28719

Download Submit
\Windows\SysWOW64\Inljnfkg.exe
Filesize
109KB

MD5
4a5cf6ef4db130526631497302732baa

SHA1
519e6ecb52e8c879e460149121704a88bb224456

SHA256
8317c11e85f7c3f3246fa3a84f716b6a0b9d2ca733a93714123ffd841ccd1380

SHA512
6d832d21b80a82ca36c4d0e83cb82e99f7cfd45280b6c8afcacc93e4d19ae09ad46d0935ec27403bf803cf46310b66269e665eaad463f546f210fa26d5cb1886

Download Submit
memory/2012-0-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2012-6-0x0000000001F90000-0x0000000001FD4000-memory.dmp

Filesize
272KB

Download
memory/2012-44-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2216-25-0x0000000000450000-0x0000000000494000-memory.dmp

Filesize
272KB

Download
memory/2216-45-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2744-39-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2800-31-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2800-46-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads