b969ff4389d57e1814479ecfdab249dd79ba7edb33d667b894609ecf0ebfc223

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
27-05-2024 07:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

260337b82952618538052e8da5fc3d50_NeikiAnalytics.exe
Size

448KB
MD5

260337b82952618538052e8da5fc3d50
SHA1

90ad0a9b15abfc2555c74a2c543626b4fcf5412a
SHA256

b969ff4389d57e1814479ecfdab249dd79ba7edb33d667b894609ecf0ebfc223
SHA512

1d436f6a4762e97204a178aaf0b3fe21c066facd9218c7c9a48a757c6b1a25ad7ee5d3031db092cc9b3e41295fc68335731f4a341493137717932a7114f7a01e
SSDEEP

6144:IKUAPnNPza2eH2UQY3UuM1kEjiPISUOgW9X+hOGzC/NM:HUAPnpreH2lHkmZzcukG2/

Score

10^/10

backdoor dropper trojan

Malware Config

Signatures

Malware Dropper & Backdoor - Berbew 1 IoCs

Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.

backdoor trojan dropper

Processes:

resource	yara_rule
\Windows\SysWOW64\NMEZMM.exe	family_berbew

Executes dropped EXE 1 IoCs

Processes:

NMEZMM.exe

pid process

2660 NMEZMM.exe
Loads dropped DLL 2 IoCs

Processes:

cmd.exe

pid process

2952 cmd.exe
2952 cmd.exe

pid	process
2660	NMEZMM.exe

pid	process
2952	cmd.exe
2952	cmd.exe

Drops file in System32 directory 3 IoCs

Processes:

260337b82952618538052e8da5fc3d50_NeikiAnalytics.exe

description	ioc	process
File created	C:\windows\SysWOW64\NMEZMM.exe.bat	260337b82952618538052e8da5fc3d50_NeikiAnalytics.exe
File created	C:\windows\SysWOW64\NMEZMM.exe	260337b82952618538052e8da5fc3d50_NeikiAnalytics.exe
File opened for modification	C:\windows\SysWOW64\NMEZMM.exe	260337b82952618538052e8da5fc3d50_NeikiAnalytics.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

260337b82952618538052e8da5fc3d50_NeikiAnalytics.exeNMEZMM.exe

pid process

1856 260337b82952618538052e8da5fc3d50_NeikiAnalytics.exe
2660 NMEZMM.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

260337b82952618538052e8da5fc3d50_NeikiAnalytics.exeNMEZMM.exe

pid process

1856 260337b82952618538052e8da5fc3d50_NeikiAnalytics.exe
1856 260337b82952618538052e8da5fc3d50_NeikiAnalytics.exe
2660 NMEZMM.exe
2660 NMEZMM.exe

pid	process
1856	260337b82952618538052e8da5fc3d50_NeikiAnalytics.exe
2660	NMEZMM.exe

pid	process
1856	260337b82952618538052e8da5fc3d50_NeikiAnalytics.exe
1856	260337b82952618538052e8da5fc3d50_NeikiAnalytics.exe
2660	NMEZMM.exe
2660	NMEZMM.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

260337b82952618538052e8da5fc3d50_NeikiAnalytics.execmd.exe

description	pid	process	target process
PID 1856 wrote to memory of 2952	1856	260337b82952618538052e8da5fc3d50_NeikiAnalytics.exe	cmd.exe
PID 1856 wrote to memory of 2952	1856	260337b82952618538052e8da5fc3d50_NeikiAnalytics.exe	cmd.exe
PID 1856 wrote to memory of 2952	1856	260337b82952618538052e8da5fc3d50_NeikiAnalytics.exe	cmd.exe
PID 1856 wrote to memory of 2952	1856	260337b82952618538052e8da5fc3d50_NeikiAnalytics.exe	cmd.exe
PID 2952 wrote to memory of 2660	2952	cmd.exe	NMEZMM.exe
PID 2952 wrote to memory of 2660	2952	cmd.exe	NMEZMM.exe
PID 2952 wrote to memory of 2660	2952	cmd.exe	NMEZMM.exe
PID 2952 wrote to memory of 2660	2952	cmd.exe	NMEZMM.exe

C:\Users\Admin\AppData\Local\Temp\260337b82952618538052e8da5fc3d50_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\260337b82952618538052e8da5fc3d50_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1856

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\windows\system32\NMEZMM.exe.bat" "
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2952

C:\windows\SysWOW64\NMEZMM.exe
C:\windows\system32\NMEZMM.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2660

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\NMEZMM.exe.bat
Filesize
76B

MD5
ddb91bbe9a4c53d7b628b8be7b05d202

SHA1
b71b9c0d8b2c3b114fd6427b64f3c6865d98428a

SHA256
ee0ed99313dcc31fc7716f82bf2008667f26c01cf038d69cc1394f30dfb58471

SHA512
9c33d43c23d88ae4abe43544f1b5a93797375585a6ef068aa96e1f15b660bfd989305ec619bc44a2e2a1a1d66c311e6b0b58589a9a27c55f03024410b8ea018e

Download Submit
\Windows\SysWOW64\NMEZMM.exe
Filesize
448KB

MD5
d24834a03a3569d375e1d5e60ea8fca6

SHA1
adef85479096600c9cd74146302ea79156fde386

SHA256
10b3117192f546f2841a5df603d20ae3bf3cb34a5097496be38156a12209ca58

SHA512
8a192b1e2e03616c62fcd72eb29c6402affee692cf7a757a5c3546519e333c94434c0bf2b989d7150842c2e6043caef49c09c79a5180d1149975ed2ca5ab8bcc

Download Submit
memory/1856-0-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1856-12-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2660-20-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2660-21-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2952-16-0x0000000000170000-0x00000000001A9000-memory.dmp

Filesize
228KB

Download
memory/2952-18-0x0000000000170000-0x00000000001A9000-memory.dmp

Filesize
228KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads