3a8e4717b85572e91e3adf10ae094f9ba846e5e2ead1ef54f759800ea59067f8

General

Target

1d48e906cd1cf0af7a391ec1becb7950_NeikiAnalytics.exe
Size

1.2MB
MD5

1d48e906cd1cf0af7a391ec1becb7950
SHA1

f452f766bc9d89abd584c3b982ad49700eaec161
SHA256

3a8e4717b85572e91e3adf10ae094f9ba846e5e2ead1ef54f759800ea59067f8
SHA512

d5bd5099c95cccda206242e140173a413d9f5cb97d45b29777522fc04f274548bbe7f83370d3fc746c0789d8f49084a5ce94b841f42531a93eafc8dd361420d8
SSDEEP

24576:4fIEerrf5D+daoyUTIYKE4+j2m/F3Va/ZSua/JXINkDbC77Lv+f6T8ytUmmlD:lEy5D+U1YjfgRg6NkDObltUt

Score

10^/10

Malware Config

Signatures

Malware Dropper & Backdoor - Berbew 1 IoCs

Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.

backdoor trojan dropper

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\1d48e906cd1cf0af7a391ec1becb7950_NeikiAnalytics.exe	family_berbew

Deletes itself 1 IoCs

Processes:

1d48e906cd1cf0af7a391ec1becb7950_NeikiAnalytics.exe

pid process

2100 1d48e906cd1cf0af7a391ec1becb7950_NeikiAnalytics.exe
Executes dropped EXE 1 IoCs

Processes:

1d48e906cd1cf0af7a391ec1becb7950_NeikiAnalytics.exe

pid process

2100 1d48e906cd1cf0af7a391ec1becb7950_NeikiAnalytics.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

12 pastebin.com
13 pastebin.com

pid	process
2100	1d48e906cd1cf0af7a391ec1becb7950_NeikiAnalytics.exe

pid	process
2100	1d48e906cd1cf0af7a391ec1becb7950_NeikiAnalytics.exe

flow	ioc
12	pastebin.com
13	pastebin.com

Program crash 16 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
960	3952	WerFault.exe	1d48e906cd1cf0af7a391ec1becb7950_NeikiAnalytics.exe
4844	2100	WerFault.exe	1d48e906cd1cf0af7a391ec1becb7950_NeikiAnalytics.exe
3036	2100	WerFault.exe	1d48e906cd1cf0af7a391ec1becb7950_NeikiAnalytics.exe
1680	2100	WerFault.exe	1d48e906cd1cf0af7a391ec1becb7950_NeikiAnalytics.exe
3884	2100	WerFault.exe	1d48e906cd1cf0af7a391ec1becb7950_NeikiAnalytics.exe
5040	2100	WerFault.exe	1d48e906cd1cf0af7a391ec1becb7950_NeikiAnalytics.exe
4228	2100	WerFault.exe	1d48e906cd1cf0af7a391ec1becb7950_NeikiAnalytics.exe
4388	2100	WerFault.exe	1d48e906cd1cf0af7a391ec1becb7950_NeikiAnalytics.exe
4616	2100	WerFault.exe	1d48e906cd1cf0af7a391ec1becb7950_NeikiAnalytics.exe
1736	2100	WerFault.exe	1d48e906cd1cf0af7a391ec1becb7950_NeikiAnalytics.exe
4680	2100	WerFault.exe	1d48e906cd1cf0af7a391ec1becb7950_NeikiAnalytics.exe
2168	2100	WerFault.exe	1d48e906cd1cf0af7a391ec1becb7950_NeikiAnalytics.exe
3496	2100	WerFault.exe	1d48e906cd1cf0af7a391ec1becb7950_NeikiAnalytics.exe
1932	2100	WerFault.exe	1d48e906cd1cf0af7a391ec1becb7950_NeikiAnalytics.exe
4432	2100	WerFault.exe	1d48e906cd1cf0af7a391ec1becb7950_NeikiAnalytics.exe
3592	2100	WerFault.exe	1d48e906cd1cf0af7a391ec1becb7950_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

1d48e906cd1cf0af7a391ec1becb7950_NeikiAnalytics.exe

pid process

2100 1d48e906cd1cf0af7a391ec1becb7950_NeikiAnalytics.exe
2100 1d48e906cd1cf0af7a391ec1becb7950_NeikiAnalytics.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

1d48e906cd1cf0af7a391ec1becb7950_NeikiAnalytics.exe

pid process

3952 1d48e906cd1cf0af7a391ec1becb7950_NeikiAnalytics.exe
Suspicious use of UnmapMainImage 1 IoCs

Processes:

1d48e906cd1cf0af7a391ec1becb7950_NeikiAnalytics.exe

pid process

2100 1d48e906cd1cf0af7a391ec1becb7950_NeikiAnalytics.exe

pid	process
2100	1d48e906cd1cf0af7a391ec1becb7950_NeikiAnalytics.exe
2100	1d48e906cd1cf0af7a391ec1becb7950_NeikiAnalytics.exe

pid	process
3952	1d48e906cd1cf0af7a391ec1becb7950_NeikiAnalytics.exe

pid	process
2100	1d48e906cd1cf0af7a391ec1becb7950_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

1d48e906cd1cf0af7a391ec1becb7950_NeikiAnalytics.exe

description	pid	process	target process
PID 3952 wrote to memory of 2100	3952	1d48e906cd1cf0af7a391ec1becb7950_NeikiAnalytics.exe	1d48e906cd1cf0af7a391ec1becb7950_NeikiAnalytics.exe
PID 3952 wrote to memory of 2100	3952	1d48e906cd1cf0af7a391ec1becb7950_NeikiAnalytics.exe	1d48e906cd1cf0af7a391ec1becb7950_NeikiAnalytics.exe
PID 3952 wrote to memory of 2100	3952	1d48e906cd1cf0af7a391ec1becb7950_NeikiAnalytics.exe	1d48e906cd1cf0af7a391ec1becb7950_NeikiAnalytics.exe

C:\Users\Admin\AppData\Local\Temp\1d48e906cd1cf0af7a391ec1becb7950_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\1d48e906cd1cf0af7a391ec1becb7950_NeikiAnalytics.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:3952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3952 -s 344
2⤵
- Program crash
PID:960

C:\Users\Admin\AppData\Local\Temp\1d48e906cd1cf0af7a391ec1becb7950_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\1d48e906cd1cf0af7a391ec1becb7950_NeikiAnalytics.exe
2⤵
- Deletes itself
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of UnmapMainImage
PID:2100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2100 -s 356
3⤵
- Program crash
PID:4844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2100 -s 636
3⤵
- Program crash
PID:3036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2100 -s 636
3⤵
- Program crash
PID:1680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2100 -s 656
3⤵
- Program crash
PID:3884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2100 -s 720
3⤵
- Program crash
PID:5040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2100 -s 904
3⤵
- Program crash
PID:4228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2100 -s 1400
3⤵
- Program crash
PID:4388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2100 -s 1396
3⤵
- Program crash
PID:4616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2100 -s 1464
3⤵
- Program crash
PID:1736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2100 -s 1636
3⤵
- Program crash
PID:4680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2100 -s 1456
3⤵
- Program crash
PID:2168

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2100 -s 1520
3⤵
- Program crash
PID:3496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2100 -s 1644
3⤵
- Program crash
PID:1932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2100 -s 1672
3⤵
- Program crash
PID:4432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2100 -s 624
3⤵
- Program crash
PID:3592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3952 -ip 3952
1⤵
PID:4104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2100 -ip 2100
1⤵
PID:4876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2100 -ip 2100
1⤵
PID:3892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2100 -ip 2100
1⤵
PID:3844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2100 -ip 2100
1⤵
PID:2376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 2100 -ip 2100
1⤵
PID:4504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 2100 -ip 2100
1⤵
PID:4328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2100 -ip 2100
1⤵
PID:3356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2100 -ip 2100
1⤵
PID:3116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 2100 -ip 2100
1⤵
PID:2792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 2100 -ip 2100
1⤵
PID:1548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 2100 -ip 2100
1⤵
PID:868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2100 -ip 2100
1⤵
PID:3172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 2100 -ip 2100
1⤵
PID:2576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 2100 -ip 2100
1⤵
PID:1844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2100 -ip 2100
1⤵
PID:3536

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1d48e906cd1cf0af7a391ec1becb7950_NeikiAnalytics.exe
Filesize
1.2MB

MD5
a262e303aa4ef4a5ea35f3b3bf404b6a

SHA1
9330654898d512a007e0998c8a95992846b55048

SHA256
5b9876c97c8e680204b0728eb930d07b0e494b9383cbb3d58def10d1d7625312

SHA512
42c082a823100aca862371168c4a07579d15c6740008566fe71b51c42b73a64c63318aeedc3d27e384be26498c1f1b6e3c8eaca124b07027435496074fee5781

Download Submit
memory/2100-7-0x0000000000400000-0x0000000000517000-memory.dmp

Filesize
1.1MB

Download
memory/2100-14-0x0000000005070000-0x0000000005187000-memory.dmp

Filesize
1.1MB

Download
memory/2100-8-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/2100-21-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2100-27-0x000000000DAA0000-0x000000000DB43000-memory.dmp

Filesize
652KB

Download
memory/2100-28-0x0000000000400000-0x0000000000517000-memory.dmp

Filesize
1.1MB

Download
memory/3952-0-0x0000000000400000-0x0000000000517000-memory.dmp

Filesize
1.1MB

Download
memory/3952-5-0x0000000000400000-0x0000000000517000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads