9168ae0c6a9ae5627eefaae0716954a6e0375b6a512a19f722971f88d58ed497

Analysis

max time kernel
118s
max time network
118s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
26-05-2024 16:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

129a5c3a35af8a88138945b19e005bc0_NeikiAnalytics.exe
Size

282KB
MD5

129a5c3a35af8a88138945b19e005bc0
SHA1

3ad8d32ae0f8f12e10a425b623bdd3997b6e421b
SHA256

9168ae0c6a9ae5627eefaae0716954a6e0375b6a512a19f722971f88d58ed497
SHA512

e81408573c3820e77aa99bff53d94854ba87cc8595d081b3456d59c4fa4147a5d0faa9024bf62a29231144b15c0256ec3dbb73f24824fb63770c841d4feceeb8
SSDEEP

6144:hLmIHtskDVmsF+ALzKvz6T/nQckEjiPISUOgW9X+hOGzC/:NLdVmcTLzKvz6jkmZzcukG2/

Score

10^/10

backdoor dropper trojan

Malware Config

Signatures

Malware Dropper & Backdoor - Berbew 1 IoCs

Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.

backdoor trojan dropper

Processes:

resource	yara_rule
\Windows\SysWOW64\XDMU.exe	family_berbew

Executes dropped EXE 1 IoCs

Processes:

XDMU.exe

pid process

2660 XDMU.exe
Loads dropped DLL 2 IoCs

Processes:

cmd.exe

pid process

1648 cmd.exe
1648 cmd.exe

pid	process
2660	XDMU.exe

pid	process
1648	cmd.exe
1648	cmd.exe

Drops file in System32 directory 3 IoCs

Processes:

129a5c3a35af8a88138945b19e005bc0_NeikiAnalytics.exe

description	ioc	process
File created	C:\windows\SysWOW64\XDMU.exe	129a5c3a35af8a88138945b19e005bc0_NeikiAnalytics.exe
File opened for modification	C:\windows\SysWOW64\XDMU.exe	129a5c3a35af8a88138945b19e005bc0_NeikiAnalytics.exe
File created	C:\windows\SysWOW64\XDMU.exe.bat	129a5c3a35af8a88138945b19e005bc0_NeikiAnalytics.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

129a5c3a35af8a88138945b19e005bc0_NeikiAnalytics.exeXDMU.exe

pid process

3068 129a5c3a35af8a88138945b19e005bc0_NeikiAnalytics.exe
2660 XDMU.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

129a5c3a35af8a88138945b19e005bc0_NeikiAnalytics.exeXDMU.exe

pid process

3068 129a5c3a35af8a88138945b19e005bc0_NeikiAnalytics.exe
3068 129a5c3a35af8a88138945b19e005bc0_NeikiAnalytics.exe
2660 XDMU.exe
2660 XDMU.exe

pid	process
3068	129a5c3a35af8a88138945b19e005bc0_NeikiAnalytics.exe
2660	XDMU.exe

pid	process
3068	129a5c3a35af8a88138945b19e005bc0_NeikiAnalytics.exe
3068	129a5c3a35af8a88138945b19e005bc0_NeikiAnalytics.exe
2660	XDMU.exe
2660	XDMU.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

129a5c3a35af8a88138945b19e005bc0_NeikiAnalytics.execmd.exe

description	pid	process	target process
PID 3068 wrote to memory of 1648	3068	129a5c3a35af8a88138945b19e005bc0_NeikiAnalytics.exe	cmd.exe
PID 3068 wrote to memory of 1648	3068	129a5c3a35af8a88138945b19e005bc0_NeikiAnalytics.exe	cmd.exe
PID 3068 wrote to memory of 1648	3068	129a5c3a35af8a88138945b19e005bc0_NeikiAnalytics.exe	cmd.exe
PID 3068 wrote to memory of 1648	3068	129a5c3a35af8a88138945b19e005bc0_NeikiAnalytics.exe	cmd.exe
PID 1648 wrote to memory of 2660	1648	cmd.exe	XDMU.exe
PID 1648 wrote to memory of 2660	1648	cmd.exe	XDMU.exe
PID 1648 wrote to memory of 2660	1648	cmd.exe	XDMU.exe
PID 1648 wrote to memory of 2660	1648	cmd.exe	XDMU.exe

C:\Users\Admin\AppData\Local\Temp\129a5c3a35af8a88138945b19e005bc0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\129a5c3a35af8a88138945b19e005bc0_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3068
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\windows\system32\XDMU.exe.bat" "
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1648
- - C:\windows\SysWOW64\XDMU.exe
    C:\windows\system32\XDMU.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\XDMU.exe.bat

Filesize
72B

MD5
4a5cf886608c3d2b89ae0a6a771c6eca

SHA1
0d719c5a66a9528f3d3c8e387596f97081ec828e

SHA256
f5bc9d19ddcb019814652e2a86fbeac528fad1b1e67418ef3f0e4651bb840305

SHA512
88416926b3cc8e4096f3ad74fc7334db2457e71495f65890341dc65eb3740ba27387ee761d97c6ddac2f2ddb046bfb8b8d8a0362685ce301e42f0b09a7437404

Download Submit
\Windows\SysWOW64\XDMU.exe

Filesize
282KB

MD5
f8d4dcfc4b1294e4c1274f295b074662

SHA1
e9f09631587321a9d101de0bbe5bb84230f4fd9f

SHA256
97253f0834d220da84c0a10bb6fccbe8b8a38d77912259a8e02a56ce944a3f33

SHA512
212a721b33a09dbfddd742afea008b072538e778788a65fd04810c914f4eabd4c4e7e7c6586ef3285dd33e0517110d0fe889631a488e26fed59ced8f9ee62a87

Download Submit
memory/1648-19-0x0000000000270000-0x00000000002A9000-memory.dmp

Filesize
228KB

Download
memory/1648-16-0x0000000000270000-0x00000000002A9000-memory.dmp

Filesize
228KB

Download
memory/2660-20-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2660-21-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3068-0-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3068-12-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download