Analysis
max time kernel: 150s
max time network: 152s
platform: windows7_x64
resource: win7-20240419-en
resource tags: arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
submitted: 26-05-2024 14:21

Behavioral task: behavioral1
Sample: 0842b03bfe19d8f7c9d61d7d865c2390_NeikiAnalytics.exe
Resource: win7-20240419-en
General
Target: 0842b03bfe19d8f7c9d61d7d865c2390_NeikiAnalytics.exe
Size: 4.5MB
MD5: 0842b03bfe19d8f7c9d61d7d865c2390
SHA1: cfe01d8156cbd47f2c83824d423a11128ef37cfe
SHA256: 40552ebcd97c313caf7858723ae1e50040b77b2c43995f8392635b72feda4202
SHA512: 119292b187e7a94450c1cba0ccfba16701c0132f2819257ba3b0eb4a0b4b45f0ba07b81b2f1ca7779d5b0dc3706bcbe67925c96c4dfa0c2df7faee1963338914
SSDEEP: 98304:g/ZFIjBzldUfs/ZFIjBz7jSZD1tU7ymT1:g/ZFIjBzF/ZFIjBzPEUus1
Malware Config
Signatures

Malware Dropper & Backdoor - Berbew (1 IoCs)
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
Processes:
  resource                                    yara_rule
  \Users\Admin\AppData\Local\Temp\hasfj.exe   family_berbew

Executes dropped EXE (1 IoCs)
Processes:
  pid    process
  2016   hasfj.exe

Loads dropped DLL (1 IoCs)
Processes:
  pid    process
  1432   0842b03bfe19d8f7c9d61d7d865c2390_NeikiAnalytics.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of WriteProcessMemory (4 IoCs)
Processes:
  description                          pid    process                                                 target process
  PID 1432 wrote to memory of 2016     1432   0842b03bfe19d8f7c9d61d7d865c2390_NeikiAnalytics.exe     hasfj.exe
  PID 1432 wrote to memory of 2016     1432   0842b03bfe19d8f7c9d61d7d865c2390_NeikiAnalytics.exe     hasfj.exe
  PID 1432 wrote to memory of 2016     1432   0842b03bfe19d8f7c9d61d7d865c2390_NeikiAnalytics.exe     hasfj.exe
  PID 1432 wrote to memory of 2016     1432   0842b03bfe19d8f7c9d61d7d865c2390_NeikiAnalytics.exe     hasfj.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\0842b03bfe19d8f7c9d61d7d865c2390_NeikiAnalytics.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\0842b03bfe19d8f7c9d61d7d865c2390_NeikiAnalytics.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
2. C:\Users\Admin\AppData\Local\Temp\hasfj.exe (child of process 1)
   Command line: "C:\Users\Admin\AppData\Local\Temp\hasfj.exe"
   - Executes dropped EXE
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads

\Users\Admin\AppData\Local\Temp\hasfj.exe
  Filesize: 4.5MB
  MD5: d1f16a11d5035dae5e2f66c998604780
  SHA1: 37851b670e333c6b007b8e22934737774a3e912e
  SHA256: ae12a8f981b3acb63addcaaf358f4878b5c81817a8b0c67ad8e4ff6bfa18299a
  SHA512: 5f9dd43708755ce80266ceadcc9542535dfaa958571fd7b8900460203194dacaf52071e870429cd307fc96bc4d40d293a0d7da11ddcf5d2e85363239c7527bf2

memory/1432-0-0x0000000000480000-0x0000000000486000-memory.dmp
  Filesize: 24KB

memory/1432-1-0x0000000000490000-0x0000000000496000-memory.dmp
  Filesize: 24KB

memory/1432-8-0x0000000000480000-0x0000000000486000-memory.dmp
  Filesize: 24KB

memory/2016-15-0x00000000002B0000-0x00000000002B6000-memory.dmp
  Filesize: 24KB

memory/2016-22-0x00000000002A0000-0x00000000002A6000-memory.dmp
  Filesize: 24KB