Analysis
- max time kernel: 150s
- max time network: 128s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 26-05-2024 20:16
Behavioral task: behavioral1
- Sample: 1e2660d4b58cd139f2e3f76d039c64b0_NeikiAnalytics.exe
- Resource: win7-20240221-en
General
- Target: 1e2660d4b58cd139f2e3f76d039c64b0_NeikiAnalytics.exe
- Size: 772KB
- MD5: 1e2660d4b58cd139f2e3f76d039c64b0
- SHA1: a57f0975a17a9909e73b6e945a7f364b396036f2
- SHA256: 2d8698f84ada9faa1ffa836b7cd92107e44018979b1c6ac5cc0ca1efbaacc1d8
- SHA512: 0922d6483eaca4ac39bf53126c847ecfbaf0ea3a2888c7339df4a73e379d387ee3c2b99e30283b26de1e74566b888e25100b15419760c8f36040cdc4c6fd95df
- SSDEEP: 24576:qW298E8u94hQZTZ5spa+qmd6f5HpmwhNeZLLGDtEC5AoFhR4gNUagtu:a98E8uS8cpa+qmd6flpmkNeZ/GDtEC59
Malware Config
Signatures
- Malware Dropper & Backdoor - Berbew (1 IoCs)
  Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
  Processes (resource | yara_rule):
  - C:\Users\Admin\AppData\Local\Temp\9D49.tmp | family_berbew

- Executes dropped EXE (1 IoCs)
  Processes (pid | process):
  - 2984 | 9D49.tmp

- Loads dropped DLL (1 IoCs)
  Processes (pid | process):
  - 1340 | 1e2660d4b58cd139f2e3f76d039c64b0_NeikiAnalytics.exe

- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

- Modifies Internet Explorer settings
  Processes (description | ioc | process):
  - Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar | WINWORD.EXE
  - Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | WINWORD.EXE
  - Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | WINWORD.EXE
  - Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | WINWORD.EXE
  - Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | WINWORD.EXE
  - Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | WINWORD.EXE
  - Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt | WINWORD.EXE
  - Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | WINWORD.EXE
  - Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | WINWORD.EXE

- Suspicious behavior: AddClipboardFormatListener (1 IoCs)
  Processes (pid | process):
  - 2572 | WINWORD.EXE

- Suspicious behavior: RenamesItself (1 IoCs)
  Processes (pid | process):
  - 2984 | 9D49.tmp

- Suspicious use of SetWindowsHookEx (7 IoCs)
  Processes (pid | process):
  - 2572 | WINWORD.EXE (7 identical entries)

- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes (description | pid | process | target process):
  - PID 1340 wrote to memory of 2984 | 1340 | 1e2660d4b58cd139f2e3f76d039c64b0_NeikiAnalytics.exe | 9D49.tmp (4 identical entries)
  - PID 2984 wrote to memory of 2572 | 2984 | 9D49.tmp | WINWORD.EXE (4 identical entries)
Processes
1. C:\Users\Admin\AppData\Local\Temp\1e2660d4b58cd139f2e3f76d039c64b0_NeikiAnalytics.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\1e2660d4b58cd139f2e3f76d039c64b0_NeikiAnalytics.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\9D49.tmp
      Command line: "C:\Users\Admin\AppData\Local\Temp\9D49.tmp" --ping C:\Users\Admin\AppData\Local\Temp\1e2660d4b58cd139f2e3f76d039c64b0_NeikiAnalytics.exe 800B77CDCE1649F99EA4061C4177DC20D3DC4DA48D77803031C1E4138478EAB6447366632BEB076B63A11338CF913841C0B51655941FFAFCB73E05FDAEFEA0FD
      - Executes dropped EXE
      - Suspicious behavior: RenamesItself
      - Suspicious use of WriteProcessMemory
      3. C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
         Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\1e2660d4b58cd139f2e3f76d039c64b0_NeikiAnalytics.docx"
         - Modifies Internet Explorer settings
         - Suspicious behavior: AddClipboardFormatListener
         - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Local\Temp\1e2660d4b58cd139f2e3f76d039c64b0_NeikiAnalytics.docx
  Filesize: 21KB
  MD5: 7079891932a64f097abafd233055a1e9
  SHA1: 246d95feafe67689d49a5a4cadba18d3ac1914e5
  SHA256: c97189b50e5e92be09966d4732b6d61a2e435b2935d60c09989e555ae442e7a1
  SHA512: 6e9ee6427d7cc2474dc634b088cf3f35d06dfb734d2b63fbbc794f4083b4b5754379daff4804bf5024b1b430aa5e50fa6d839d3473ceeed3043d373c85e9862a

- C:\Users\Admin\AppData\Local\Temp\9D49.tmp
  Filesize: 772KB
  MD5: dc802bdd9f53ac16346e384df2d4a7c3
  SHA1: 40993b3fc1b48c552aa7369292c770c9e084c1ea
  SHA256: 67b5ff2c2161b31d3f5366902f4ec219082a4706940f6422cd7d60542fe87300
  SHA512: 6d3ae4ae9508711823104694697cad920fbb88a629d8a036f4b3264aefc8fdd1b50cebb10ee46c07ce7743c766b87e9e4e3b53832c26d1f7d13e6975609f2037

- memory/2572-7-0x000000002FA41000-0x000000002FA42000-memory.dmp
  Filesize: 4KB

- memory/2572-8-0x000000005FFF0000-0x0000000060000000-memory.dmp
  Filesize: 64KB

- memory/2572-9-0x000000007101D000-0x0000000071028000-memory.dmp
  Filesize: 44KB

- memory/2572-13-0x000000007101D000-0x0000000071028000-memory.dmp
  Filesize: 44KB