649423e81989a6ca672b44b304e29ccee232f4588c10b1b8f12fe9c1915e2865

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
26-05-2024 14:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

08a3aa17d66386754762099a449ef100_NeikiAnalytics.exe
Size

407KB
MD5

08a3aa17d66386754762099a449ef100
SHA1

c08f7eb8d9073efbbdf78676b79e22165cc8d48b
SHA256

649423e81989a6ca672b44b304e29ccee232f4588c10b1b8f12fe9c1915e2865
SHA512

560e4f18a0da53b0557ced87378e3270759baa0919bf09289972d3d81dc70dec44e9152e63d799c5ec556ce3a43136d993d4b1edc87cd5e91c22e398b3ea4317
SSDEEP

12288:SjrkTLlFRjVABrdX6fxV6te0LkRxWw7BvSa05VhGLZCzEf88BiH5QsT:SjCfMlcV6te0LkRxWw7BvSa05VhGLZCj

Score

10^/10

backdoor dropper trojan

Malware Config

Signatures

Malware Dropper & Backdoor - Berbew 1 IoCs

Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.

backdoor trojan dropper

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\08a3aa17d66386754762099a449ef100_NeikiAnalytics.exe	family_berbew

Deletes itself 1 IoCs

Processes:

08a3aa17d66386754762099a449ef100_NeikiAnalytics.exe

pid process

1700 08a3aa17d66386754762099a449ef100_NeikiAnalytics.exe
Executes dropped EXE 1 IoCs

Processes:

08a3aa17d66386754762099a449ef100_NeikiAnalytics.exe

pid process

1700 08a3aa17d66386754762099a449ef100_NeikiAnalytics.exe
Loads dropped DLL 1 IoCs

Processes:

08a3aa17d66386754762099a449ef100_NeikiAnalytics.exe

pid process

2040 08a3aa17d66386754762099a449ef100_NeikiAnalytics.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

08a3aa17d66386754762099a449ef100_NeikiAnalytics.exe

pid process

2040 08a3aa17d66386754762099a449ef100_NeikiAnalytics.exe
Suspicious use of UnmapMainImage 1 IoCs

Processes:

08a3aa17d66386754762099a449ef100_NeikiAnalytics.exe

pid process

1700 08a3aa17d66386754762099a449ef100_NeikiAnalytics.exe

pid	process
1700	08a3aa17d66386754762099a449ef100_NeikiAnalytics.exe

pid	process
1700	08a3aa17d66386754762099a449ef100_NeikiAnalytics.exe

pid	process
2040	08a3aa17d66386754762099a449ef100_NeikiAnalytics.exe

pid	process
2040	08a3aa17d66386754762099a449ef100_NeikiAnalytics.exe

pid	process
1700	08a3aa17d66386754762099a449ef100_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

08a3aa17d66386754762099a449ef100_NeikiAnalytics.exe

description	pid	process	target process
PID 2040 wrote to memory of 1700	2040	08a3aa17d66386754762099a449ef100_NeikiAnalytics.exe	08a3aa17d66386754762099a449ef100_NeikiAnalytics.exe
PID 2040 wrote to memory of 1700	2040	08a3aa17d66386754762099a449ef100_NeikiAnalytics.exe	08a3aa17d66386754762099a449ef100_NeikiAnalytics.exe
PID 2040 wrote to memory of 1700	2040	08a3aa17d66386754762099a449ef100_NeikiAnalytics.exe	08a3aa17d66386754762099a449ef100_NeikiAnalytics.exe
PID 2040 wrote to memory of 1700	2040	08a3aa17d66386754762099a449ef100_NeikiAnalytics.exe	08a3aa17d66386754762099a449ef100_NeikiAnalytics.exe

C:\Users\Admin\AppData\Local\Temp\08a3aa17d66386754762099a449ef100_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\08a3aa17d66386754762099a449ef100_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2040

C:\Users\Admin\AppData\Local\Temp\08a3aa17d66386754762099a449ef100_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\08a3aa17d66386754762099a449ef100_NeikiAnalytics.exe
2⤵
- Deletes itself
- Executes dropped EXE
- Suspicious use of UnmapMainImage
PID:1700

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\08a3aa17d66386754762099a449ef100_NeikiAnalytics.exe
Filesize
407KB

MD5
f0b3654f7bf04a27dbadb2d7c59cc369

SHA1
6345e254016ef215b0335c062a5449090180cf2c

SHA256
d89ab35ce8fc72eea32e0c053bef07fd812f7bd966816c44149311f8592efb0b

SHA512
ca63d7bba000f9c205f70329055cd07c8417d5468baed3b0f392bf5898a2fa85b511fa1a7f8f0a1d7e567e3b4ae62b0f4b775cd54f181555811ad07d1a85af09

Download Submit
memory/1700-11-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1700-12-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1700-17-0x0000000000130000-0x0000000000169000-memory.dmp

Filesize
228KB

Download
memory/2040-0-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2040-10-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2040-6-0x00000000000C0000-0x00000000000F9000-memory.dmp

Filesize
228KB

Download