Analysis

max time kernel: 93s
max time network: 94s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26-05-2024 09:43
Behavioral task: behavioral1
Sample: 3dace7785dc47efeda9461cd2ef272e0_NeikiAnalytics.exe
Resource: win7-20240221-en
General

Target: 3dace7785dc47efeda9461cd2ef272e0_NeikiAnalytics.exe
Size: 134KB
MD5: 3dace7785dc47efeda9461cd2ef272e0
SHA1: 6d616a54b99898ed491b8e9e1fca6622f023ebea
SHA256: 10d98476d141d9e49ae998bc809cda3324db84aa2712d16b6132b8c300c1dd0e
SHA512: 9d3e87823d6da3741a5330f665a7a6b12d2dff8032878439e01b42d45dc909e6a0b2a19c0f0371d925776425a275dd5c5624663f40be8c1d5a496571477a1ddd
SSDEEP: 3072:KzltUeOsaQgAOMG9whpdyTtsg1Zpj3QlDJjz/9ze:unOsaQgAOjvrZFODJjBze
Malware Config
Signatures

Malware Dropper & Backdoor - Berbew (1 IoC)
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
Processes:
  resource: C:\Users\Admin\AppData\Local\Temp\popup.sed
  yara_rule: family_berbew

Suspicious use of WriteProcessMemory (9 IoCs)
Processes: 3dace7785dc47efeda9461cd2ef272e0_NeikiAnalytics.exe, cmd.exe, iexpress.exe
  description       pid   process                                               target pid  target process
  wrote to memory   2596  3dace7785dc47efeda9461cd2ef272e0_NeikiAnalytics.exe   804         cmd.exe
  wrote to memory   2596  3dace7785dc47efeda9461cd2ef272e0_NeikiAnalytics.exe   804         cmd.exe
  wrote to memory   2596  3dace7785dc47efeda9461cd2ef272e0_NeikiAnalytics.exe   804         cmd.exe
  wrote to memory   804   cmd.exe                                               1512        iexpress.exe
  wrote to memory   804   cmd.exe                                               1512        iexpress.exe
  wrote to memory   804   cmd.exe                                               1512        iexpress.exe
  wrote to memory   1512  iexpress.exe                                          1152        makecab.exe
  wrote to memory   1512  iexpress.exe                                          1152        makecab.exe
  wrote to memory   1512  iexpress.exe                                          1152        makecab.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\3dace7785dc47efeda9461cd2ef272e0_NeikiAnalytics.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\3dace7785dc47efeda9461cd2ef272e0_NeikiAnalytics.exe"
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\74A3.tmp\1.bat" "C:\Users\Admin\AppData\Local\Temp\3dace7785dc47efeda9461cd2ef272e0_NeikiAnalytics.exe""
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\iexpress.exe
         Command line: iexpress /n /q /m C:\Users\Admin\AppData\Local\Temp\popup.sed
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\SysWOW64\makecab.exe
            Command line: C:\Windows\SysWOW64\makecab.exe /f "~%TargetName%.DDF"
Network
MITRE ATT&CK Matrix
Downloads

C:\Users\Admin\AppData\Local\Temp\74A3.tmp\1.bat
  Filesize: 1KB
  MD5: 02dba5f37067292355c6d01a57d4ef48
  SHA1: 7c67ab3f99fbf7a53018dd295d2968c525db83d9
  SHA256: 8b74c812ba9e6c536da7edd4101e7e0dddeab8355e5aff095dd31b3f00560242
  SHA512: 12201f949ee3198c8f4b39cc8edf90a114ecf42ddd5383ed0b87e4c78053cd517786dc7af83557e63a0483af74f4c0117d5568441ae761ff6958e758704d602a

C:\Users\Admin\AppData\Local\Temp\popup.sed
  Filesize: 134KB
  MD5: 5c1ad3e384d5ce3dfbd6173e67e2b30b
  SHA1: 94d2de0d8f7a847ef537c870c4e0f18ae5c2865b
  SHA256: dc0f833bb96550c258bf50d2dc1adf681f88f2f5fb1ae945df3b4ac919bb1001
  SHA512: 3717bbe3daad4d7c141b4880872483a453bf3eab8c44bcfbcc169fff8016df14c32ea9b52e3edb602d588b820c1b302d043a07e055926d3e986821784858a105

C:\Users\Admin\AppData\Local\Temp\~%TargetName%.DDF
  Filesize: 724B
  MD5: c3ca008abd6997c4b036a7e8be75cb2c
  SHA1: 05f7a3527bb04c691b08f040f562582035398829
  SHA256: 29ef6bf47dcc8c67f1abe1b269d3518d6a4ebe125daa1ea460779638cb9782a3
  SHA512: bee0baf3cb83144239077f99f5ca2a6ca7b618f7f51a53e03613ae697e8bc76fa28f5d006296b469be8e1fffeeb35668b5fe87b260b1380cc003815ea9efb083