40552ebcd97c313caf7858723ae1e50040b77b2c43995f8392635b72feda4202

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
26-05-2024 14:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0842b03bfe19d8f7c9d61d7d865c2390_NeikiAnalytics.exe
Size

4.5MB
MD5

0842b03bfe19d8f7c9d61d7d865c2390
SHA1

cfe01d8156cbd47f2c83824d423a11128ef37cfe
SHA256

40552ebcd97c313caf7858723ae1e50040b77b2c43995f8392635b72feda4202
SHA512

119292b187e7a94450c1cba0ccfba16701c0132f2819257ba3b0eb4a0b4b45f0ba07b81b2f1ca7779d5b0dc3706bcbe67925c96c4dfa0c2df7faee1963338914
SSDEEP

98304:g/ZFIjBzldUfs/ZFIjBz7jSZD1tU7ymT1:g/ZFIjBzF/ZFIjBzPEUus1

Score

10^/10

backdoor dropper trojan

Malware Config

Signatures

Malware Dropper & Backdoor - Berbew 1 IoCs

Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.

backdoor trojan dropper

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\hasfj.exe	family_berbew

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

0842b03bfe19d8f7c9d61d7d865c2390_NeikiAnalytics.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	0842b03bfe19d8f7c9d61d7d865c2390_NeikiAnalytics.exe

Executes dropped EXE 1 IoCs

Processes:

hasfj.exe

pid process

5044 hasfj.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
5044	hasfj.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

0842b03bfe19d8f7c9d61d7d865c2390_NeikiAnalytics.exe

description	pid	process	target process
PID 776 wrote to memory of 5044	776	0842b03bfe19d8f7c9d61d7d865c2390_NeikiAnalytics.exe	hasfj.exe
PID 776 wrote to memory of 5044	776	0842b03bfe19d8f7c9d61d7d865c2390_NeikiAnalytics.exe	hasfj.exe
PID 776 wrote to memory of 5044	776	0842b03bfe19d8f7c9d61d7d865c2390_NeikiAnalytics.exe	hasfj.exe

C:\Users\Admin\AppData\Local\Temp\0842b03bfe19d8f7c9d61d7d865c2390_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\0842b03bfe19d8f7c9d61d7d865c2390_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:776

C:\Users\Admin\AppData\Local\Temp\hasfj.exe
"C:\Users\Admin\AppData\Local\Temp\hasfj.exe"
2⤵
- Executes dropped EXE
PID:5044

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hasfj.exe
Filesize
4.5MB

MD5
d1f16a11d5035dae5e2f66c998604780

SHA1
37851b670e333c6b007b8e22934737774a3e912e

SHA256
ae12a8f981b3acb63addcaaf358f4878b5c81817a8b0c67ad8e4ff6bfa18299a

SHA512
5f9dd43708755ce80266ceadcc9542535dfaa958571fd7b8900460203194dacaf52071e870429cd307fc96bc4d40d293a0d7da11ddcf5d2e85363239c7527bf2

Download Submit
memory/776-0-0x0000000002EA0000-0x0000000002EA6000-memory.dmp

Filesize
24KB

Download
memory/776-4-0x0000000002EA0000-0x0000000002EA6000-memory.dmp

Filesize
24KB

Download
memory/776-1-0x0000000003150000-0x0000000003156000-memory.dmp

Filesize
24KB

Download
memory/5044-23-0x0000000002120000-0x0000000002126000-memory.dmp

Filesize
24KB

Download
memory/5044-17-0x0000000002ED0000-0x0000000002ED6000-memory.dmp

Filesize
24KB

Download