35588414982a203c8bc011ad42df419ed6cccf406ff10397397b53f69a3605bb

Analysis

max time kernel
133s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
26-05-2024 18:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cc033c9680e8a2e70175372748b45a40_NeikiAnalytics.exe
Size

951KB
MD5

cc033c9680e8a2e70175372748b45a40
SHA1

99a3c8361ba44a245f582a6e6bbedd4ae308fc74
SHA256

35588414982a203c8bc011ad42df419ed6cccf406ff10397397b53f69a3605bb
SHA512

a53dca8220a138f77109b5675ae3f2b8dfc42e72dec9fec9fd570b454b78fc853e98e4e0d22a00c8daa4db7a43f3c0315cb6ad03a9d85d150512aefa9c3e31b8
SSDEEP

6144:mgj/BKrGX5bRnf8sYT1moABKb7yVF3hbaqJN+ixtwABbxxJa/YESzoU0R:1y2fUsYT1KBlVCqTbjVDa/ZSzJ0R

Score

10^/10

backdoor dropper trojan

Malware Config

Signatures

Malware Dropper & Backdoor - Berbew 3 IoCs

Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.

backdoor trojan dropper

Processes:

resource	yara_rule
behavioral2/memory/4236-6-0x0000000000400000-0x00000000004F1000-memory.dmp	family_berbew
C:\Users\Admin\AppData\Local\Temp\cc033c9680e8a2e70175372748b45a40_NeikiAnalytics.exe	family_berbew
behavioral2/memory/2416-8-0x0000000000400000-0x00000000004F1000-memory.dmp	family_berbew

Deletes itself 1 IoCs

Processes:

cc033c9680e8a2e70175372748b45a40_NeikiAnalytics.exe

pid process

2416 cc033c9680e8a2e70175372748b45a40_NeikiAnalytics.exe
Executes dropped EXE 1 IoCs

Processes:

cc033c9680e8a2e70175372748b45a40_NeikiAnalytics.exe

pid process

2416 cc033c9680e8a2e70175372748b45a40_NeikiAnalytics.exe

pid	process
2416	cc033c9680e8a2e70175372748b45a40_NeikiAnalytics.exe

pid	process
2416	cc033c9680e8a2e70175372748b45a40_NeikiAnalytics.exe

Program crash 3 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
2140	4236	WerFault.exe	cc033c9680e8a2e70175372748b45a40_NeikiAnalytics.exe
2704	2416	WerFault.exe	cc033c9680e8a2e70175372748b45a40_NeikiAnalytics.exe
2292	2416	WerFault.exe	cc033c9680e8a2e70175372748b45a40_NeikiAnalytics.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

cc033c9680e8a2e70175372748b45a40_NeikiAnalytics.exe

pid process

4236 cc033c9680e8a2e70175372748b45a40_NeikiAnalytics.exe

pid	process
4236	cc033c9680e8a2e70175372748b45a40_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

cc033c9680e8a2e70175372748b45a40_NeikiAnalytics.exe

description	pid	process	target process
PID 4236 wrote to memory of 2416	4236	cc033c9680e8a2e70175372748b45a40_NeikiAnalytics.exe	cc033c9680e8a2e70175372748b45a40_NeikiAnalytics.exe
PID 4236 wrote to memory of 2416	4236	cc033c9680e8a2e70175372748b45a40_NeikiAnalytics.exe	cc033c9680e8a2e70175372748b45a40_NeikiAnalytics.exe
PID 4236 wrote to memory of 2416	4236	cc033c9680e8a2e70175372748b45a40_NeikiAnalytics.exe	cc033c9680e8a2e70175372748b45a40_NeikiAnalytics.exe

C:\Users\Admin\AppData\Local\Temp\cc033c9680e8a2e70175372748b45a40_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\cc033c9680e8a2e70175372748b45a40_NeikiAnalytics.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:4236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4236 -s 352
2⤵
- Program crash
PID:2140

C:\Users\Admin\AppData\Local\Temp\cc033c9680e8a2e70175372748b45a40_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\cc033c9680e8a2e70175372748b45a40_NeikiAnalytics.exe
2⤵
- Deletes itself
- Executes dropped EXE
PID:2416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2416 -s 344
3⤵
- Program crash
PID:2704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2416 -s 164
3⤵
- Program crash
PID:2292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4236 -ip 4236
1⤵
PID:4728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2416 -ip 2416
1⤵
PID:1316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2416 -ip 2416
1⤵
PID:1064

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3812,i,13640054265074968359,8146127767143474550,262144 --variations-seed-version --mojo-platform-channel-handle=4256 /prefetch:8
1⤵
PID:1484

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\cc033c9680e8a2e70175372748b45a40_NeikiAnalytics.exe
Filesize
951KB

MD5
850362814a534780cf51c33c750092bd

SHA1
828932f07118bbc41c7bd6fd260f2b69a59723ab

SHA256
b069c26485032a630a424896693da6cf559ecc2f96ada9b1e972ea9e47c9b963

SHA512
649258701b6934a2808da1e41806b6cf59950d1537dfcdd727f686cef7b2f34ecf93f3e921f598c071110cf0dc7652f1bf7b4fcdcca87caf34d6a7ff08bbc7a3

Download Submit
memory/2416-7-0x0000000000400000-0x00000000004F1000-memory.dmp

Filesize
964KB

Download
memory/2416-8-0x0000000000400000-0x00000000004F1000-memory.dmp

Filesize
964KB

Download
memory/4236-0-0x0000000000400000-0x00000000004F1000-memory.dmp

Filesize
964KB

Download
memory/4236-6-0x0000000000400000-0x00000000004F1000-memory.dmp

Filesize
964KB

Download