2d8698f84ada9faa1ffa836b7cd92107e44018979b1c6ac5cc0ca1efbaacc1d8

General

Target

1e2660d4b58cd139f2e3f76d039c64b0_NeikiAnalytics.exe
Size

772KB
MD5

1e2660d4b58cd139f2e3f76d039c64b0
SHA1

a57f0975a17a9909e73b6e945a7f364b396036f2
SHA256

2d8698f84ada9faa1ffa836b7cd92107e44018979b1c6ac5cc0ca1efbaacc1d8
SHA512

0922d6483eaca4ac39bf53126c847ecfbaf0ea3a2888c7339df4a73e379d387ee3c2b99e30283b26de1e74566b888e25100b15419760c8f36040cdc4c6fd95df
SSDEEP

24576:qW298E8u94hQZTZ5spa+qmd6f5HpmwhNeZLLGDtEC5AoFhR4gNUagtu:a98E8uS8cpa+qmd6flpmkNeZ/GDtEC59

Score

10^/10

Malware Config

Signatures

Malware Dropper & Backdoor - Berbew 1 IoCs

Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.

backdoor trojan dropper

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\9D49.tmp	family_berbew

Executes dropped EXE 1 IoCs

Processes:

9D49.tmp

pid process

2984 9D49.tmp
Loads dropped DLL 1 IoCs

Processes:

1e2660d4b58cd139f2e3f76d039c64b0_NeikiAnalytics.exe

pid process

1340 1e2660d4b58cd139f2e3f76d039c64b0_NeikiAnalytics.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2984	9D49.tmp

pid	process
1340	1e2660d4b58cd139f2e3f76d039c64b0_NeikiAnalytics.exe

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

2572 WINWORD.EXE
Suspicious behavior: RenamesItself 1 IoCs

Processes:

9D49.tmp

pid process

2984 9D49.tmp
Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

WINWORD.EXE

pid process

2572 WINWORD.EXE
2572 WINWORD.EXE
2572 WINWORD.EXE
2572 WINWORD.EXE
2572 WINWORD.EXE
2572 WINWORD.EXE
2572 WINWORD.EXE

pid	process
2572	WINWORD.EXE

pid	process
2984	9D49.tmp

pid	process
2572	WINWORD.EXE
2572	WINWORD.EXE
2572	WINWORD.EXE
2572	WINWORD.EXE
2572	WINWORD.EXE
2572	WINWORD.EXE
2572	WINWORD.EXE

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

1e2660d4b58cd139f2e3f76d039c64b0_NeikiAnalytics.exe9D49.tmp

description	pid	process	target process
PID 1340 wrote to memory of 2984	1340	1e2660d4b58cd139f2e3f76d039c64b0_NeikiAnalytics.exe	9D49.tmp
PID 1340 wrote to memory of 2984	1340	1e2660d4b58cd139f2e3f76d039c64b0_NeikiAnalytics.exe	9D49.tmp
PID 1340 wrote to memory of 2984	1340	1e2660d4b58cd139f2e3f76d039c64b0_NeikiAnalytics.exe	9D49.tmp
PID 1340 wrote to memory of 2984	1340	1e2660d4b58cd139f2e3f76d039c64b0_NeikiAnalytics.exe	9D49.tmp
PID 2984 wrote to memory of 2572	2984	9D49.tmp	WINWORD.EXE
PID 2984 wrote to memory of 2572	2984	9D49.tmp	WINWORD.EXE
PID 2984 wrote to memory of 2572	2984	9D49.tmp	WINWORD.EXE
PID 2984 wrote to memory of 2572	2984	9D49.tmp	WINWORD.EXE

C:\Users\Admin\AppData\Local\Temp\1e2660d4b58cd139f2e3f76d039c64b0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\1e2660d4b58cd139f2e3f76d039c64b0_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1340

C:\Users\Admin\AppData\Local\Temp\9D49.tmp
"C:\Users\Admin\AppData\Local\Temp\9D49.tmp" --pingC:\Users\Admin\AppData\Local\Temp\1e2660d4b58cd139f2e3f76d039c64b0_NeikiAnalytics.exe 800B77CDCE1649F99EA4061C4177DC20D3DC4DA48D77803031C1E4138478EAB6447366632BEB076B63A11338CF913841C0B51655941FFAFCB73E05FDAEFEA0FD
2⤵
- Executes dropped EXE
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2984

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\1e2660d4b58cd139f2e3f76d039c64b0_NeikiAnalytics.docx"
3⤵
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2572

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1e2660d4b58cd139f2e3f76d039c64b0_NeikiAnalytics.docx
Filesize
21KB

MD5
7079891932a64f097abafd233055a1e9

SHA1
246d95feafe67689d49a5a4cadba18d3ac1914e5

SHA256
c97189b50e5e92be09966d4732b6d61a2e435b2935d60c09989e555ae442e7a1

SHA512
6e9ee6427d7cc2474dc634b088cf3f35d06dfb734d2b63fbbc794f4083b4b5754379daff4804bf5024b1b430aa5e50fa6d839d3473ceeed3043d373c85e9862a

Download Submit
C:\Users\Admin\AppData\Local\Temp\9D49.tmp
Filesize
772KB

MD5
dc802bdd9f53ac16346e384df2d4a7c3

SHA1
40993b3fc1b48c552aa7369292c770c9e084c1ea

SHA256
67b5ff2c2161b31d3f5366902f4ec219082a4706940f6422cd7d60542fe87300

SHA512
6d3ae4ae9508711823104694697cad920fbb88a629d8a036f4b3264aefc8fdd1b50cebb10ee46c07ce7743c766b87e9e4e3b53832c26d1f7d13e6975609f2037

Download Submit
memory/2572-7-0x000000002FA41000-0x000000002FA42000-memory.dmp

Filesize
4KB

Download
memory/2572-8-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2572-9-0x000000007101D000-0x0000000071028000-memory.dmp

Filesize
44KB

Download
memory/2572-13-0x000000007101D000-0x0000000071028000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads