2efd01bb3b0c34f27fddc7821b0ccf9e81d1b9417ce033a472c7e1fb2aa996e7

Analysis

max time kernel
118s
max time network
127s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
26-05-2024 12:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

00104c976967a8c76c8eee1039fb31b0_NeikiAnalytics.exe
Size

991KB
MD5

00104c976967a8c76c8eee1039fb31b0
SHA1

e3d742b9051f67e985444c49d0a69e55370720b5
SHA256

2efd01bb3b0c34f27fddc7821b0ccf9e81d1b9417ce033a472c7e1fb2aa996e7
SHA512

45b3fbfed99f4a76fd2c190517c860aa5c3c8913685d174b6086840d0966d131871c4c7fd7916985cb7f262a790a00754336b60878bc171c91a123643084a971
SSDEEP

24576:06FowquPvO8SW0PfjZEzOf1aSU8/ha/ZSMQugi8ndZ5G:7awMb8qJg1Qugi8ndZ5G

Score

10^/10

backdoor dropper trojan

Malware Config

Signatures

Malware Dropper & Backdoor - Berbew 1 IoCs

Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.

backdoor trojan dropper

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\00104c976967a8c76c8eee1039fb31b0_NeikiAnalytics.exe	family_berbew

Deletes itself 1 IoCs

Processes:

00104c976967a8c76c8eee1039fb31b0_NeikiAnalytics.exe

pid process

2920 00104c976967a8c76c8eee1039fb31b0_NeikiAnalytics.exe
Executes dropped EXE 1 IoCs

Processes:

00104c976967a8c76c8eee1039fb31b0_NeikiAnalytics.exe

pid process

2920 00104c976967a8c76c8eee1039fb31b0_NeikiAnalytics.exe
Loads dropped DLL 1 IoCs

Processes:

00104c976967a8c76c8eee1039fb31b0_NeikiAnalytics.exe

pid process

1760 00104c976967a8c76c8eee1039fb31b0_NeikiAnalytics.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

4 pastebin.com
3 pastebin.com
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

00104c976967a8c76c8eee1039fb31b0_NeikiAnalytics.exe

pid process

2920 00104c976967a8c76c8eee1039fb31b0_NeikiAnalytics.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

00104c976967a8c76c8eee1039fb31b0_NeikiAnalytics.exe

pid process

1760 00104c976967a8c76c8eee1039fb31b0_NeikiAnalytics.exe
Suspicious use of UnmapMainImage 1 IoCs

Processes:

00104c976967a8c76c8eee1039fb31b0_NeikiAnalytics.exe

pid process

2920 00104c976967a8c76c8eee1039fb31b0_NeikiAnalytics.exe

pid	process
2920	00104c976967a8c76c8eee1039fb31b0_NeikiAnalytics.exe

pid	process
2920	00104c976967a8c76c8eee1039fb31b0_NeikiAnalytics.exe

pid	process
1760	00104c976967a8c76c8eee1039fb31b0_NeikiAnalytics.exe

flow	ioc
4	pastebin.com
3	pastebin.com

pid	process
2920	00104c976967a8c76c8eee1039fb31b0_NeikiAnalytics.exe

pid	process
1760	00104c976967a8c76c8eee1039fb31b0_NeikiAnalytics.exe

pid	process
2920	00104c976967a8c76c8eee1039fb31b0_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

00104c976967a8c76c8eee1039fb31b0_NeikiAnalytics.exe

description	pid	process	target process
PID 1760 wrote to memory of 2920	1760	00104c976967a8c76c8eee1039fb31b0_NeikiAnalytics.exe	00104c976967a8c76c8eee1039fb31b0_NeikiAnalytics.exe
PID 1760 wrote to memory of 2920	1760	00104c976967a8c76c8eee1039fb31b0_NeikiAnalytics.exe	00104c976967a8c76c8eee1039fb31b0_NeikiAnalytics.exe
PID 1760 wrote to memory of 2920	1760	00104c976967a8c76c8eee1039fb31b0_NeikiAnalytics.exe	00104c976967a8c76c8eee1039fb31b0_NeikiAnalytics.exe
PID 1760 wrote to memory of 2920	1760	00104c976967a8c76c8eee1039fb31b0_NeikiAnalytics.exe	00104c976967a8c76c8eee1039fb31b0_NeikiAnalytics.exe

C:\Users\Admin\AppData\Local\Temp\00104c976967a8c76c8eee1039fb31b0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\00104c976967a8c76c8eee1039fb31b0_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:1760

C:\Users\Admin\AppData\Local\Temp\00104c976967a8c76c8eee1039fb31b0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\00104c976967a8c76c8eee1039fb31b0_NeikiAnalytics.exe
2⤵
- Deletes itself
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of UnmapMainImage
PID:2920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\00104c976967a8c76c8eee1039fb31b0_NeikiAnalytics.exe
Filesize
991KB

MD5
2e9ee4fbd67a90a8e7478807b2aa86d5

SHA1
1409dd3ff27a469b05940b0e6f46ee6446e36704

SHA256
9b9b65525294764c40cefbc6b49fb95918d63f1aefc2732892161fcfa0d619a1

SHA512
ade108604ace488c0121bb91a9727f48277ee18c40e45944c9265c8fb354cb0468f8d13c2972f2f4260f07b43ca05e0e70184ce5af33f089fc0a3d80dd1ad9e4

Download Submit
memory/1760-0-0x0000000000400000-0x00000000004F5000-memory.dmp

Filesize
980KB

Download
memory/1760-7-0x00000000030E0000-0x00000000031D5000-memory.dmp

Filesize
980KB

Download
memory/1760-10-0x0000000000400000-0x00000000004F5000-memory.dmp

Filesize
980KB

Download
memory/2920-9-0x0000000000400000-0x00000000004F5000-memory.dmp

Filesize
980KB

Download
memory/2920-12-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/2920-17-0x0000000002E30000-0x0000000002F25000-memory.dmp

Filesize
980KB

Download
memory/2920-33-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2920-38-0x000000000EB60000-0x000000000EC03000-memory.dmp

Filesize
652KB

Download