10d98476d141d9e49ae998bc809cda3324db84aa2712d16b6132b8c300c1dd0e

Analysis

max time kernel
93s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
26-05-2024 09:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3dace7785dc47efeda9461cd2ef272e0_NeikiAnalytics.exe
Size

134KB
MD5

3dace7785dc47efeda9461cd2ef272e0
SHA1

6d616a54b99898ed491b8e9e1fca6622f023ebea
SHA256

10d98476d141d9e49ae998bc809cda3324db84aa2712d16b6132b8c300c1dd0e
SHA512

9d3e87823d6da3741a5330f665a7a6b12d2dff8032878439e01b42d45dc909e6a0b2a19c0f0371d925776425a275dd5c5624663f40be8c1d5a496571477a1ddd
SSDEEP

3072:KzltUeOsaQgAOMG9whpdyTtsg1Zpj3QlDJjz/9ze:unOsaQgAOjvrZFODJjBze

Score

10^/10

backdoor dropper trojan

Malware Config

Signatures

Malware Dropper & Backdoor - Berbew 1 IoCs

Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.

backdoor trojan dropper

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\popup.sed	family_berbew

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

3dace7785dc47efeda9461cd2ef272e0_NeikiAnalytics.execmd.exeiexpress.exe

description	pid	process	target process
PID 2596 wrote to memory of 804	2596	3dace7785dc47efeda9461cd2ef272e0_NeikiAnalytics.exe	cmd.exe
PID 2596 wrote to memory of 804	2596	3dace7785dc47efeda9461cd2ef272e0_NeikiAnalytics.exe	cmd.exe
PID 2596 wrote to memory of 804	2596	3dace7785dc47efeda9461cd2ef272e0_NeikiAnalytics.exe	cmd.exe
PID 804 wrote to memory of 1512	804	cmd.exe	iexpress.exe
PID 804 wrote to memory of 1512	804	cmd.exe	iexpress.exe
PID 804 wrote to memory of 1512	804	cmd.exe	iexpress.exe
PID 1512 wrote to memory of 1152	1512	iexpress.exe	makecab.exe
PID 1512 wrote to memory of 1152	1512	iexpress.exe	makecab.exe
PID 1512 wrote to memory of 1152	1512	iexpress.exe	makecab.exe

C:\Users\Admin\AppData\Local\Temp\3dace7785dc47efeda9461cd2ef272e0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\3dace7785dc47efeda9461cd2ef272e0_NeikiAnalytics.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2596

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\74A3.tmp\1.bat" "C:\Users\Admin\AppData\Local\Temp\3dace7785dc47efeda9461cd2ef272e0_NeikiAnalytics.exe""
2⤵
- Suspicious use of WriteProcessMemory
PID:804

C:\Windows\SysWOW64\iexpress.exe
iexpress /n /q /m C:\Users\Admin\AppData\Local\Temp\popup.sed
3⤵
- Suspicious use of WriteProcessMemory
PID:1512

C:\Windows\SysWOW64\makecab.exe
C:\Windows\SysWOW64\makecab.exe /f "~%TargetName%.DDF"
4⤵
PID:1152

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\74A3.tmp\1.bat
Filesize
1KB

MD5
02dba5f37067292355c6d01a57d4ef48

SHA1
7c67ab3f99fbf7a53018dd295d2968c525db83d9

SHA256
8b74c812ba9e6c536da7edd4101e7e0dddeab8355e5aff095dd31b3f00560242

SHA512
12201f949ee3198c8f4b39cc8edf90a114ecf42ddd5383ed0b87e4c78053cd517786dc7af83557e63a0483af74f4c0117d5568441ae761ff6958e758704d602a

Download Submit
C:\Users\Admin\AppData\Local\Temp\popup.sed
Filesize
134KB

MD5
5c1ad3e384d5ce3dfbd6173e67e2b30b

SHA1
94d2de0d8f7a847ef537c870c4e0f18ae5c2865b

SHA256
dc0f833bb96550c258bf50d2dc1adf681f88f2f5fb1ae945df3b4ac919bb1001

SHA512
3717bbe3daad4d7c141b4880872483a453bf3eab8c44bcfbcc169fff8016df14c32ea9b52e3edb602d588b820c1b302d043a07e055926d3e986821784858a105

Download Submit
C:\Users\Admin\AppData\Local\Temp\~%TargetName%.DDF
Filesize
724B

MD5
c3ca008abd6997c4b036a7e8be75cb2c

SHA1
05f7a3527bb04c691b08f040f562582035398829

SHA256
29ef6bf47dcc8c67f1abe1b269d3518d6a4ebe125daa1ea460779638cb9782a3

SHA512
bee0baf3cb83144239077f99f5ca2a6ca7b618f7f51a53e03613ae697e8bc76fa28f5d006296b469be8e1fffeeb35668b5fe87b260b1380cc003815ea9efb083

Download Submit