Analysis
- max time kernel: 133s
- max time network: 127s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 26-05-2024 18:49
Behavioral task: behavioral1
- Sample: cc033c9680e8a2e70175372748b45a40_NeikiAnalytics.exe
- Resource: win7-20231129-en
General
- Target: cc033c9680e8a2e70175372748b45a40_NeikiAnalytics.exe
- Size: 951KB
- MD5: cc033c9680e8a2e70175372748b45a40
- SHA1: 99a3c8361ba44a245f582a6e6bbedd4ae308fc74
- SHA256: 35588414982a203c8bc011ad42df419ed6cccf406ff10397397b53f69a3605bb
- SHA512: a53dca8220a138f77109b5675ae3f2b8dfc42e72dec9fec9fd570b454b78fc853e98e4e0d22a00c8daa4db7a43f3c0315cb6ad03a9d85d150512aefa9c3e31b8
- SSDEEP: 6144:mgj/BKrGX5bRnf8sYT1moABKb7yVF3hbaqJN+ixtwABbxxJa/YESzoU0R:1y2fUsYT1KBlVCqTbjVDa/ZSzJ0R
Malware Config
Signatures
- Malware Dropper & Backdoor - Berbew (3 IoCs)
  Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
  Processes (resource | yara_rule):
    behavioral2/memory/4236-6-0x0000000000400000-0x00000000004F1000-memory.dmp | family_berbew
    C:\Users\Admin\AppData\Local\Temp\cc033c9680e8a2e70175372748b45a40_NeikiAnalytics.exe | family_berbew
    behavioral2/memory/2416-8-0x0000000000400000-0x00000000004F1000-memory.dmp | family_berbew
- Deletes itself (1 IoC)
  Processes (pid | process):
    2416 | cc033c9680e8a2e70175372748b45a40_NeikiAnalytics.exe
- Executes dropped EXE (1 IoC)
  Processes (pid | process):
    2416 | cc033c9680e8a2e70175372748b45a40_NeikiAnalytics.exe
- Program crash (3 IoCs)
  Processes (pid | pid_target | process | target process):
    2140 | 4236 | WerFault.exe | cc033c9680e8a2e70175372748b45a40_NeikiAnalytics.exe
    2704 | 2416 | WerFault.exe | cc033c9680e8a2e70175372748b45a40_NeikiAnalytics.exe
    2292 | 2416 | WerFault.exe | cc033c9680e8a2e70175372748b45a40_NeikiAnalytics.exe
- Suspicious behavior: RenamesItself (1 IoC)
  Processes (pid | process):
    4236 | cc033c9680e8a2e70175372748b45a40_NeikiAnalytics.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes (description | pid | process | target process):
    PID 4236 wrote to memory of 2416 | 4236 | cc033c9680e8a2e70175372748b45a40_NeikiAnalytics.exe | cc033c9680e8a2e70175372748b45a40_NeikiAnalytics.exe
    PID 4236 wrote to memory of 2416 | 4236 | cc033c9680e8a2e70175372748b45a40_NeikiAnalytics.exe | cc033c9680e8a2e70175372748b45a40_NeikiAnalytics.exe
    PID 4236 wrote to memory of 2416 | 4236 | cc033c9680e8a2e70175372748b45a40_NeikiAnalytics.exe | cc033c9680e8a2e70175372748b45a40_NeikiAnalytics.exe
Processes (process tree; indentation shows parent/child depth)
- C:\Users\Admin\AppData\Local\Temp\cc033c9680e8a2e70175372748b45a40_NeikiAnalytics.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\cc033c9680e8a2e70175372748b45a40_NeikiAnalytics.exe"
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4236 -s 352
    - Program crash
  - C:\Users\Admin\AppData\Local\Temp\cc033c9680e8a2e70175372748b45a40_NeikiAnalytics.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\cc033c9680e8a2e70175372748b45a40_NeikiAnalytics.exe
    - Deletes itself
    - Executes dropped EXE
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2416 -s 344
      - Program crash
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2416 -s 164
      - Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4236 -ip 4236
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2416 -ip 2416
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2416 -ip 2416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3812,i,13640054265074968359,8146127767143474550,262144 --variations-seed-version --mojo-platform-channel-handle=4256 /prefetch:8
Network
MITRE ATT&CK Matrix
Downloads
- C:\Users\Admin\AppData\Local\Temp\cc033c9680e8a2e70175372748b45a40_NeikiAnalytics.exe
  Filesize: 951KB
  MD5: 850362814a534780cf51c33c750092bd
  SHA1: 828932f07118bbc41c7bd6fd260f2b69a59723ab
  SHA256: b069c26485032a630a424896693da6cf559ecc2f96ada9b1e972ea9e47c9b963
  SHA512: 649258701b6934a2808da1e41806b6cf59950d1537dfcdd727f686cef7b2f34ecf93f3e921f598c071110cf0dc7652f1bf7b4fcdcca87caf34d6a7ff08bbc7a3
- memory/2416-7-0x0000000000400000-0x00000000004F1000-memory.dmp
  Filesize: 964KB
- memory/2416-8-0x0000000000400000-0x00000000004F1000-memory.dmp
  Filesize: 964KB
- memory/4236-0-0x0000000000400000-0x00000000004F1000-memory.dmp
  Filesize: 964KB
- memory/4236-6-0x0000000000400000-0x00000000004F1000-memory.dmp
  Filesize: 964KB