649423e81989a6ca672b44b304e29ccee232f4588c10b1b8f12fe9c1915e2865

Analysis

max time kernel
94s
max time network
110s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
26-05-2024 14:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

08a3aa17d66386754762099a449ef100_NeikiAnalytics.exe
Size

407KB
MD5

08a3aa17d66386754762099a449ef100
SHA1

c08f7eb8d9073efbbdf78676b79e22165cc8d48b
SHA256

649423e81989a6ca672b44b304e29ccee232f4588c10b1b8f12fe9c1915e2865
SHA512

560e4f18a0da53b0557ced87378e3270759baa0919bf09289972d3d81dc70dec44e9152e63d799c5ec556ce3a43136d993d4b1edc87cd5e91c22e398b3ea4317
SSDEEP

12288:SjrkTLlFRjVABrdX6fxV6te0LkRxWw7BvSa05VhGLZCzEf88BiH5QsT:SjCfMlcV6te0LkRxWw7BvSa05VhGLZCj

Score

10^/10

backdoor dropper trojan

Malware Config

Signatures

Malware Dropper & Backdoor - Berbew 1 IoCs

Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.

backdoor trojan dropper

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\08a3aa17d66386754762099a449ef100_NeikiAnalytics.exe	family_berbew

Deletes itself 1 IoCs

Processes:

08a3aa17d66386754762099a449ef100_NeikiAnalytics.exe

pid process

2576 08a3aa17d66386754762099a449ef100_NeikiAnalytics.exe
Executes dropped EXE 1 IoCs

Processes:

08a3aa17d66386754762099a449ef100_NeikiAnalytics.exe

pid process

2576 08a3aa17d66386754762099a449ef100_NeikiAnalytics.exe

pid	process
2576	08a3aa17d66386754762099a449ef100_NeikiAnalytics.exe

pid	process
2576	08a3aa17d66386754762099a449ef100_NeikiAnalytics.exe

Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid	pid_target	process	target process
4004	884	WerFault.exe	08a3aa17d66386754762099a449ef100_NeikiAnalytics.exe
4564	2576	WerFault.exe	08a3aa17d66386754762099a449ef100_NeikiAnalytics.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

08a3aa17d66386754762099a449ef100_NeikiAnalytics.exe

pid process

884 08a3aa17d66386754762099a449ef100_NeikiAnalytics.exe
Suspicious use of UnmapMainImage 1 IoCs

Processes:

08a3aa17d66386754762099a449ef100_NeikiAnalytics.exe

pid process

2576 08a3aa17d66386754762099a449ef100_NeikiAnalytics.exe

pid	process
884	08a3aa17d66386754762099a449ef100_NeikiAnalytics.exe

pid	process
2576	08a3aa17d66386754762099a449ef100_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

08a3aa17d66386754762099a449ef100_NeikiAnalytics.exe

description	pid	process	target process
PID 884 wrote to memory of 2576	884	08a3aa17d66386754762099a449ef100_NeikiAnalytics.exe	08a3aa17d66386754762099a449ef100_NeikiAnalytics.exe
PID 884 wrote to memory of 2576	884	08a3aa17d66386754762099a449ef100_NeikiAnalytics.exe	08a3aa17d66386754762099a449ef100_NeikiAnalytics.exe
PID 884 wrote to memory of 2576	884	08a3aa17d66386754762099a449ef100_NeikiAnalytics.exe	08a3aa17d66386754762099a449ef100_NeikiAnalytics.exe

C:\Users\Admin\AppData\Local\Temp\08a3aa17d66386754762099a449ef100_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\08a3aa17d66386754762099a449ef100_NeikiAnalytics.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 884 -s 396
2⤵
- Program crash
PID:4004

C:\Users\Admin\AppData\Local\Temp\08a3aa17d66386754762099a449ef100_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\08a3aa17d66386754762099a449ef100_NeikiAnalytics.exe
2⤵
- Deletes itself
- Executes dropped EXE
- Suspicious use of UnmapMainImage
PID:2576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2576 -s 364
3⤵
- Program crash
PID:4564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 884 -ip 884
1⤵
PID:4352

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2576 -ip 2576
1⤵
PID:2560

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\08a3aa17d66386754762099a449ef100_NeikiAnalytics.exe
Filesize
407KB

MD5
31f7e5c4d16c67531402693686c96aad

SHA1
672a08c2afa8d2fbc3bcbf2e88c2bee1b0ec612a

SHA256
2bc40fc81ed39ab37340a5d61bb7e5b191ce90807fd63d9b46833b80ae797989

SHA512
427734a1f1a4946507f1d06467e11ba60b1f07d653967d5104233b1b9f2b6bcad9c0f6f1ca1290567a6214b3380e3127ba33036db62307f828a1e25c6928556b

Download Submit
memory/884-0-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/884-6-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2576-7-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2576-8-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2576-13-0x0000000001650000-0x0000000001689000-memory.dmp

Filesize
228KB

Download