9f7b2752bbf92bc460d563111e83aec9b23f8e0bc24e2d4dee3a365e957f57b9

Analysis

max time kernel
143s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
26-05-2024 07:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8308d16ebf76f59565d371d3e03a1b50_NeikiAnalytics.exe
Size

283KB
MD5

8308d16ebf76f59565d371d3e03a1b50
SHA1

51262fed9ff5e3dced0c9ae2eca5a2d3f559008b
SHA256

9f7b2752bbf92bc460d563111e83aec9b23f8e0bc24e2d4dee3a365e957f57b9
SHA512

3ec41856e9278894d5992810e75f92672e6b36cd32fe7439d3756136314863c74bb5e0c70704ec7403dfaa0d4592ee04c1b730d1ac384b3bf5dc4c0ffb12b57e
SSDEEP

6144:RPeNbxR6k0AHWeuD5xqH/YtjPbIqVC/CWPssZkVRnr5:oNbxR6k0i5Y5xwwJ8qVVWPssZGr5

Score

10^/10

backdoor dropper trojan

Malware Config

Signatures

Malware Dropper & Backdoor - Berbew 1 IoCs

Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.

backdoor trojan dropper

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\8308d16ebf76f59565d371d3e03a1b50_NeikiAnalytics.exe	family_berbew

Deletes itself 1 IoCs

Processes:

8308d16ebf76f59565d371d3e03a1b50_NeikiAnalytics.exe

pid process

4196 8308d16ebf76f59565d371d3e03a1b50_NeikiAnalytics.exe
Executes dropped EXE 1 IoCs

Processes:

8308d16ebf76f59565d371d3e03a1b50_NeikiAnalytics.exe

pid process

4196 8308d16ebf76f59565d371d3e03a1b50_NeikiAnalytics.exe

pid	process
4196	8308d16ebf76f59565d371d3e03a1b50_NeikiAnalytics.exe

pid	process
4196	8308d16ebf76f59565d371d3e03a1b50_NeikiAnalytics.exe

Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid	pid_target	process	target process
4300	4140	WerFault.exe	8308d16ebf76f59565d371d3e03a1b50_NeikiAnalytics.exe
2380	4196	WerFault.exe	8308d16ebf76f59565d371d3e03a1b50_NeikiAnalytics.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

8308d16ebf76f59565d371d3e03a1b50_NeikiAnalytics.exe

pid process

4140 8308d16ebf76f59565d371d3e03a1b50_NeikiAnalytics.exe
Suspicious use of UnmapMainImage 1 IoCs

Processes:

8308d16ebf76f59565d371d3e03a1b50_NeikiAnalytics.exe

pid process

4196 8308d16ebf76f59565d371d3e03a1b50_NeikiAnalytics.exe

pid	process
4140	8308d16ebf76f59565d371d3e03a1b50_NeikiAnalytics.exe

pid	process
4196	8308d16ebf76f59565d371d3e03a1b50_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

8308d16ebf76f59565d371d3e03a1b50_NeikiAnalytics.exe

description	pid	process	target process
PID 4140 wrote to memory of 4196	4140	8308d16ebf76f59565d371d3e03a1b50_NeikiAnalytics.exe	8308d16ebf76f59565d371d3e03a1b50_NeikiAnalytics.exe
PID 4140 wrote to memory of 4196	4140	8308d16ebf76f59565d371d3e03a1b50_NeikiAnalytics.exe	8308d16ebf76f59565d371d3e03a1b50_NeikiAnalytics.exe
PID 4140 wrote to memory of 4196	4140	8308d16ebf76f59565d371d3e03a1b50_NeikiAnalytics.exe	8308d16ebf76f59565d371d3e03a1b50_NeikiAnalytics.exe

C:\Users\Admin\AppData\Local\Temp\8308d16ebf76f59565d371d3e03a1b50_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\8308d16ebf76f59565d371d3e03a1b50_NeikiAnalytics.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:4140
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4140 -s 396
  2⤵
  - Program crash
  PID:4300
- C:\Users\Admin\AppData\Local\Temp\8308d16ebf76f59565d371d3e03a1b50_NeikiAnalytics.exe
  C:\Users\Admin\AppData\Local\Temp\8308d16ebf76f59565d371d3e03a1b50_NeikiAnalytics.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:4196
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4196 -s 364
    3⤵
    - Program crash
    PID:2380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4140 -ip 4140
1⤵
PID:4208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4196 -ip 4196
1⤵
PID:3876

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3720 --field-trial-handle=2252,i,16504368816373493055,9578615028378602855,262144 --variations-seed-version /prefetch:8
1⤵
PID:4724

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8308d16ebf76f59565d371d3e03a1b50_NeikiAnalytics.exe

Filesize
283KB

MD5
e42c1b0fb13ff894075814451fd7ccc3

SHA1
c4149b7b14e0cbe0043df35051195c75601e94dc

SHA256
529543cdf1f339c2a4c23fdd167a9f26e2f8dadb1f677b1c84a5b6bc09513bde

SHA512
baecfbcd670849b0cd03c463ee6dc21f1517f856c286f77bf2f071310db883e8ab5ae02900cf3aa4bb64d047bd41c8c932456c1939291c30480e026f822664fb

Download Submit
memory/4140-0-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4140-6-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4196-7-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4196-8-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4196-13-0x00000000014A0000-0x00000000014E1000-memory.dmp

Filesize
260KB

Download