3a8e4717b85572e91e3adf10ae094f9ba846e5e2ead1ef54f759800ea59067f8

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
26-05-2024 18:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1d48e906cd1cf0af7a391ec1becb7950_NeikiAnalytics.exe
Size

1.2MB
MD5

1d48e906cd1cf0af7a391ec1becb7950
SHA1

f452f766bc9d89abd584c3b982ad49700eaec161
SHA256

3a8e4717b85572e91e3adf10ae094f9ba846e5e2ead1ef54f759800ea59067f8
SHA512

d5bd5099c95cccda206242e140173a413d9f5cb97d45b29777522fc04f274548bbe7f83370d3fc746c0789d8f49084a5ce94b841f42531a93eafc8dd361420d8
SSDEEP

24576:4fIEerrf5D+daoyUTIYKE4+j2m/F3Va/ZSua/JXINkDbC77Lv+f6T8ytUmmlD:lEy5D+U1YjfgRg6NkDObltUt

Score

10^/10

backdoor dropper trojan

Malware Config

Signatures

Malware Dropper & Backdoor - Berbew 1 IoCs

Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.

backdoor trojan dropper

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\1d48e906cd1cf0af7a391ec1becb7950_NeikiAnalytics.exe	family_berbew

Deletes itself 1 IoCs

Processes:

1d48e906cd1cf0af7a391ec1becb7950_NeikiAnalytics.exe

pid process

2084 1d48e906cd1cf0af7a391ec1becb7950_NeikiAnalytics.exe
Executes dropped EXE 1 IoCs

Processes:

1d48e906cd1cf0af7a391ec1becb7950_NeikiAnalytics.exe

pid process

2084 1d48e906cd1cf0af7a391ec1becb7950_NeikiAnalytics.exe
Loads dropped DLL 1 IoCs

Processes:

1d48e906cd1cf0af7a391ec1becb7950_NeikiAnalytics.exe

pid process

2196 1d48e906cd1cf0af7a391ec1becb7950_NeikiAnalytics.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

3 pastebin.com
4 pastebin.com
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

1d48e906cd1cf0af7a391ec1becb7950_NeikiAnalytics.exe

pid process

2084 1d48e906cd1cf0af7a391ec1becb7950_NeikiAnalytics.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

1d48e906cd1cf0af7a391ec1becb7950_NeikiAnalytics.exe

pid process

2196 1d48e906cd1cf0af7a391ec1becb7950_NeikiAnalytics.exe
Suspicious use of UnmapMainImage 1 IoCs

Processes:

1d48e906cd1cf0af7a391ec1becb7950_NeikiAnalytics.exe

pid process

2084 1d48e906cd1cf0af7a391ec1becb7950_NeikiAnalytics.exe

pid	process
2084	1d48e906cd1cf0af7a391ec1becb7950_NeikiAnalytics.exe

pid	process
2084	1d48e906cd1cf0af7a391ec1becb7950_NeikiAnalytics.exe

pid	process
2196	1d48e906cd1cf0af7a391ec1becb7950_NeikiAnalytics.exe

flow	ioc
3	pastebin.com
4	pastebin.com

pid	process
2084	1d48e906cd1cf0af7a391ec1becb7950_NeikiAnalytics.exe

pid	process
2196	1d48e906cd1cf0af7a391ec1becb7950_NeikiAnalytics.exe

pid	process
2084	1d48e906cd1cf0af7a391ec1becb7950_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

1d48e906cd1cf0af7a391ec1becb7950_NeikiAnalytics.exe

description	pid	process	target process
PID 2196 wrote to memory of 2084	2196	1d48e906cd1cf0af7a391ec1becb7950_NeikiAnalytics.exe	1d48e906cd1cf0af7a391ec1becb7950_NeikiAnalytics.exe
PID 2196 wrote to memory of 2084	2196	1d48e906cd1cf0af7a391ec1becb7950_NeikiAnalytics.exe	1d48e906cd1cf0af7a391ec1becb7950_NeikiAnalytics.exe
PID 2196 wrote to memory of 2084	2196	1d48e906cd1cf0af7a391ec1becb7950_NeikiAnalytics.exe	1d48e906cd1cf0af7a391ec1becb7950_NeikiAnalytics.exe
PID 2196 wrote to memory of 2084	2196	1d48e906cd1cf0af7a391ec1becb7950_NeikiAnalytics.exe	1d48e906cd1cf0af7a391ec1becb7950_NeikiAnalytics.exe

C:\Users\Admin\AppData\Local\Temp\1d48e906cd1cf0af7a391ec1becb7950_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\1d48e906cd1cf0af7a391ec1becb7950_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2196

C:\Users\Admin\AppData\Local\Temp\1d48e906cd1cf0af7a391ec1becb7950_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\1d48e906cd1cf0af7a391ec1becb7950_NeikiAnalytics.exe
2⤵
- Deletes itself
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of UnmapMainImage
PID:2084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\1d48e906cd1cf0af7a391ec1becb7950_NeikiAnalytics.exe
Filesize
1.2MB

MD5
07f836d4fa2c74542527169382d4f00f

SHA1
bee91ea1a19666b9d15feb0a1fb170a952250c5f

SHA256
e6a019164c8051828219bda2399bc783d0ce76cc1edc6b69b3b630fb04d8b332

SHA512
c67d650c6983a466353e56b44b2d9c0dec37a2232b4782665b549eb158c76411ef72ed06b050cbf66e7731ebea5038adb15d189d29db5265a720b4b315749222

Download Submit
memory/2084-9-0x0000000000400000-0x0000000000517000-memory.dmp

Filesize
1.1MB

Download
memory/2084-10-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/2084-16-0x0000000002F50000-0x0000000003067000-memory.dmp

Filesize
1.1MB

Download
memory/2084-32-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2084-38-0x000000000EF20000-0x000000000EFC3000-memory.dmp

Filesize
652KB

Download
memory/2084-39-0x0000000000400000-0x0000000000517000-memory.dmp

Filesize
1.1MB

Download
memory/2196-0-0x0000000000400000-0x0000000000517000-memory.dmp

Filesize
1.1MB

Download
memory/2196-8-0x0000000000400000-0x0000000000517000-memory.dmp

Filesize
1.1MB

Download