5a263e1964484df64bd2f665f55223967f0e35dd56d90aa944bc31dec84fd4e2

General

Target

1fab2c6e63761fb11bfc67073c1a7450_NeikiAnalytics.exe
Size

1.3MB
MD5

1fab2c6e63761fb11bfc67073c1a7450
SHA1

2a1700745e6b7bb49cbf63476c6afe2dc9fd2b15
SHA256

5a263e1964484df64bd2f665f55223967f0e35dd56d90aa944bc31dec84fd4e2
SHA512

2dd034d957e2118d89e9a91a22fa6cee03cd1587d2d32be6c2a9af45c70be7aa5234503aba63146fc09b214b6e1459a2e918366363776320ced00d93349db7b4
SSDEEP

24576:qVZj6AR51wrjsOBvpCphWYt/TBb4eBTWa/ZSjXuF77Lv+f6T8Qnskb2i6OBKaBWE:qV8RrJuphWYN9bjQgGXuFbq4TT+E

Score

10^/10

Malware Config

Signatures

Malware Dropper & Backdoor - Berbew 1 IoCs

Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.

backdoor trojan dropper

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\1fab2c6e63761fb11bfc67073c1a7450_NeikiAnalytics.exe	family_berbew

Deletes itself 1 IoCs

Processes:

1fab2c6e63761fb11bfc67073c1a7450_NeikiAnalytics.exe

pid process

1392 1fab2c6e63761fb11bfc67073c1a7450_NeikiAnalytics.exe
Executes dropped EXE 1 IoCs

Processes:

1fab2c6e63761fb11bfc67073c1a7450_NeikiAnalytics.exe

pid process

1392 1fab2c6e63761fb11bfc67073c1a7450_NeikiAnalytics.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

13 pastebin.com
14 pastebin.com

pid	process
1392	1fab2c6e63761fb11bfc67073c1a7450_NeikiAnalytics.exe

pid	process
1392	1fab2c6e63761fb11bfc67073c1a7450_NeikiAnalytics.exe

flow	ioc
13	pastebin.com
14	pastebin.com

Program crash 16 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
712	2268	WerFault.exe	1fab2c6e63761fb11bfc67073c1a7450_NeikiAnalytics.exe
1624	1392	WerFault.exe	1fab2c6e63761fb11bfc67073c1a7450_NeikiAnalytics.exe
4484	1392	WerFault.exe	1fab2c6e63761fb11bfc67073c1a7450_NeikiAnalytics.exe
2288	1392	WerFault.exe	1fab2c6e63761fb11bfc67073c1a7450_NeikiAnalytics.exe
3928	1392	WerFault.exe	1fab2c6e63761fb11bfc67073c1a7450_NeikiAnalytics.exe
4348	1392	WerFault.exe	1fab2c6e63761fb11bfc67073c1a7450_NeikiAnalytics.exe
3804	1392	WerFault.exe	1fab2c6e63761fb11bfc67073c1a7450_NeikiAnalytics.exe
1616	1392	WerFault.exe	1fab2c6e63761fb11bfc67073c1a7450_NeikiAnalytics.exe
3308	1392	WerFault.exe	1fab2c6e63761fb11bfc67073c1a7450_NeikiAnalytics.exe
224	1392	WerFault.exe	1fab2c6e63761fb11bfc67073c1a7450_NeikiAnalytics.exe
4436	1392	WerFault.exe	1fab2c6e63761fb11bfc67073c1a7450_NeikiAnalytics.exe
4648	1392	WerFault.exe	1fab2c6e63761fb11bfc67073c1a7450_NeikiAnalytics.exe
4368	1392	WerFault.exe	1fab2c6e63761fb11bfc67073c1a7450_NeikiAnalytics.exe
3628	1392	WerFault.exe	1fab2c6e63761fb11bfc67073c1a7450_NeikiAnalytics.exe
2256	1392	WerFault.exe	1fab2c6e63761fb11bfc67073c1a7450_NeikiAnalytics.exe
4668	1392	WerFault.exe	1fab2c6e63761fb11bfc67073c1a7450_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

1fab2c6e63761fb11bfc67073c1a7450_NeikiAnalytics.exe

pid process

1392 1fab2c6e63761fb11bfc67073c1a7450_NeikiAnalytics.exe
1392 1fab2c6e63761fb11bfc67073c1a7450_NeikiAnalytics.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

1fab2c6e63761fb11bfc67073c1a7450_NeikiAnalytics.exe

pid process

2268 1fab2c6e63761fb11bfc67073c1a7450_NeikiAnalytics.exe
Suspicious use of UnmapMainImage 1 IoCs

Processes:

1fab2c6e63761fb11bfc67073c1a7450_NeikiAnalytics.exe

pid process

1392 1fab2c6e63761fb11bfc67073c1a7450_NeikiAnalytics.exe

pid	process
1392	1fab2c6e63761fb11bfc67073c1a7450_NeikiAnalytics.exe
1392	1fab2c6e63761fb11bfc67073c1a7450_NeikiAnalytics.exe

pid	process
2268	1fab2c6e63761fb11bfc67073c1a7450_NeikiAnalytics.exe

pid	process
1392	1fab2c6e63761fb11bfc67073c1a7450_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

1fab2c6e63761fb11bfc67073c1a7450_NeikiAnalytics.exe

description	pid	process	target process
PID 2268 wrote to memory of 1392	2268	1fab2c6e63761fb11bfc67073c1a7450_NeikiAnalytics.exe	1fab2c6e63761fb11bfc67073c1a7450_NeikiAnalytics.exe
PID 2268 wrote to memory of 1392	2268	1fab2c6e63761fb11bfc67073c1a7450_NeikiAnalytics.exe	1fab2c6e63761fb11bfc67073c1a7450_NeikiAnalytics.exe
PID 2268 wrote to memory of 1392	2268	1fab2c6e63761fb11bfc67073c1a7450_NeikiAnalytics.exe	1fab2c6e63761fb11bfc67073c1a7450_NeikiAnalytics.exe

C:\Users\Admin\AppData\Local\Temp\1fab2c6e63761fb11bfc67073c1a7450_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\1fab2c6e63761fb11bfc67073c1a7450_NeikiAnalytics.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2268 -s 344
2⤵
- Program crash
PID:712

C:\Users\Admin\AppData\Local\Temp\1fab2c6e63761fb11bfc67073c1a7450_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\1fab2c6e63761fb11bfc67073c1a7450_NeikiAnalytics.exe
2⤵
- Deletes itself
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of UnmapMainImage
PID:1392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1392 -s 344
3⤵
- Program crash
PID:1624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1392 -s 628
3⤵
- Program crash
PID:4484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1392 -s 680
3⤵
- Program crash
PID:2288

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1392 -s 680
3⤵
- Program crash
PID:3928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1392 -s 660
3⤵
- Program crash
PID:4348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1392 -s 900
3⤵
- Program crash
PID:3804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1392 -s 1412
3⤵
- Program crash
PID:1616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1392 -s 1464
3⤵
- Program crash
PID:3308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1392 -s 1636
3⤵
- Program crash
PID:224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1392 -s 1640
3⤵
- Program crash
PID:4436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1392 -s 1480
3⤵
- Program crash
PID:4648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1392 -s 1468
3⤵
- Program crash
PID:4368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1392 -s 1680
3⤵
- Program crash
PID:3628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1392 -s 1668
3⤵
- Program crash
PID:2256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1392 -s 672
3⤵
- Program crash
PID:4668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2268 -ip 2268
1⤵
PID:628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1392 -ip 1392
1⤵
PID:644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1392 -ip 1392
1⤵
PID:1752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1392 -ip 1392
1⤵
PID:5060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1392 -ip 1392
1⤵
PID:1832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1392 -ip 1392
1⤵
PID:1208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1392 -ip 1392
1⤵
PID:400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 1392 -ip 1392
1⤵
PID:4592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1392 -ip 1392
1⤵
PID:1460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 1392 -ip 1392
1⤵
PID:4860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1392 -ip 1392
1⤵
PID:760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1392 -ip 1392
1⤵
PID:3176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1392 -ip 1392
1⤵
PID:3228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 1392 -ip 1392
1⤵
PID:4916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 1392 -ip 1392
1⤵
PID:4656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 1392 -ip 1392
1⤵
PID:2452

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1fab2c6e63761fb11bfc67073c1a7450_NeikiAnalytics.exe
Filesize
1.3MB

MD5
0df886082e1e34a220ce57940cfea69d

SHA1
6a52170ca30ec87ca911aa949c3367109aff26d7

SHA256
e0db181607c660b0d2cfd6d1f0f3210136c8b32e215cf1bfe8899574bba6c5b3

SHA512
51968224e4319c127645a6875bd879a8611d4bbdb7910f109debcb08c44ee397ef12cd63a3d8f775c5517832b94f021ed707bf14dc5458a1ca501e40d2dfacfb

Download Submit
memory/1392-7-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/1392-8-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/1392-14-0x0000000004EB0000-0x0000000004F9F000-memory.dmp

Filesize
956KB

Download
memory/1392-22-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1392-27-0x000000000B970000-0x000000000BA13000-memory.dmp

Filesize
652KB

Download
memory/1392-28-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/2268-0-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/2268-6-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads