7d8b4def7f8814fed90911f579ad0adc359f0b49793610c0fc6c1fb3ec0d19ec

Analysis

max time kernel
141s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
26-05-2024 20:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

524effc2f8e5f4eff5444278a9222300_NeikiAnalytics.exe
Size

955KB
MD5

524effc2f8e5f4eff5444278a9222300
SHA1

c7edca938be2bf03f9728fee995f290b4f5e06a0
SHA256

7d8b4def7f8814fed90911f579ad0adc359f0b49793610c0fc6c1fb3ec0d19ec
SHA512

b778db23da62fdcb32ba68457457a075cbf3bb81f0401db0c237eefb6261f1e408e2345f6cb4c8fbcaa46d4b95da7262b01cc00bea2e75676ee01258a9e125a6
SSDEEP

24576:oTES8M1kLUjqi8bjkDOKz6HtyLZmX1+RnM3L2N9Y3G3wSK6JE4t6FGerrthf:oTESSrbjk5awZmF+RnM3L2N9YWgSK6JW

Score

10^/10

backdoor dropper trojan

Malware Config

Signatures

Malware Dropper & Backdoor - Berbew 1 IoCs

Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.

backdoor trojan dropper

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\9AF.tmp	family_berbew

Deletes itself 1 IoCs

Processes:

9AF.tmp

pid process

4004 9AF.tmp
Executes dropped EXE 1 IoCs

Processes:

9AF.tmp

pid process

4004 9AF.tmp

pid	process
4004	9AF.tmp

pid	process
4004	9AF.tmp

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

524effc2f8e5f4eff5444278a9222300_NeikiAnalytics.exe

description	pid	process	target process
PID 636 wrote to memory of 4004	636	524effc2f8e5f4eff5444278a9222300_NeikiAnalytics.exe	9AF.tmp
PID 636 wrote to memory of 4004	636	524effc2f8e5f4eff5444278a9222300_NeikiAnalytics.exe	9AF.tmp
PID 636 wrote to memory of 4004	636	524effc2f8e5f4eff5444278a9222300_NeikiAnalytics.exe	9AF.tmp

C:\Users\Admin\AppData\Local\Temp\524effc2f8e5f4eff5444278a9222300_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\524effc2f8e5f4eff5444278a9222300_NeikiAnalytics.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:636
- C:\Users\Admin\AppData\Local\Temp\9AF.tmp
  "C:\Users\Admin\AppData\Local\Temp\9AF.tmp"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:4004

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4340 --field-trial-handle=2252,i,16022092570067181109,3235558581947505669,262144 --variations-seed-version /prefetch:8
1⤵
PID:2496

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\9AF.tmp

Filesize
955KB

MD5
5923d351395f3cae0ed8a7ec95dfdf25

SHA1
4cd4fe958b82b2ee0bd556f4d16204d5429246dc

SHA256
897bfa2b1b57f02cfa99bf996398379bb00416104900bc196db2cf9862352d1a

SHA512
5fa8209163f9c325f92242d8cd7d47e8251c070ce555b1d2c107b3c418bb524e8d2e3ae6306b8235a23aaf738d41f204f6cd10da001374c4717e0982aa2fa83a

Download Submit