Analysis

max time kernel: 119s
max time network: 120s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 27-05-2024 07:56
Behavioral task: behavioral1
Sample: 260337b82952618538052e8da5fc3d50_NeikiAnalytics.exe
Resource: win7-20240508-en
General

Target: 260337b82952618538052e8da5fc3d50_NeikiAnalytics.exe
Size: 448KB
MD5: 260337b82952618538052e8da5fc3d50
SHA1: 90ad0a9b15abfc2555c74a2c543626b4fcf5412a
SHA256: b969ff4389d57e1814479ecfdab249dd79ba7edb33d667b894609ecf0ebfc223
SHA512: 1d436f6a4762e97204a178aaf0b3fe21c066facd9218c7c9a48a757c6b1a25ad7ee5d3031db092cc9b3e41295fc68335731f4a341493137717932a7114f7a01e
SSDEEP: 6144:IKUAPnNPza2eH2UQY3UuM1kEjiPISUOgW9X+hOGzC/NM:HUAPnpreH2lHkmZzcukG2/
Malware Config
Signatures
- Malware Dropper & Backdoor - Berbew (1 IoCs)
  Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
  Processes:
    resource                      | yara_rule
    \Windows\SysWOW64\NMEZMM.exe  | family_berbew

- Executes dropped EXE (1 IoCs)
  Processes:
    pid   | process
    2660  | NMEZMM.exe

- Loads dropped DLL (2 IoCs)
  Processes:
    pid   | process
    2952  | cmd.exe
    2952  | cmd.exe

- Drops file in System32 directory (3 IoCs)
  Processes:
    description                    | ioc                                  | process
    File created                   | C:\windows\SysWOW64\NMEZMM.exe.bat   | 260337b82952618538052e8da5fc3d50_NeikiAnalytics.exe
    File created                   | C:\windows\SysWOW64\NMEZMM.exe       | 260337b82952618538052e8da5fc3d50_NeikiAnalytics.exe
    File opened for modification   | C:\windows\SysWOW64\NMEZMM.exe       | 260337b82952618538052e8da5fc3d50_NeikiAnalytics.exe

- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
    pid   | process
    1856  | 260337b82952618538052e8da5fc3d50_NeikiAnalytics.exe
    2660  | NMEZMM.exe

- Suspicious use of SetWindowsHookEx (4 IoCs)
  Processes:
    pid   | process
    1856  | 260337b82952618538052e8da5fc3d50_NeikiAnalytics.exe
    1856  | 260337b82952618538052e8da5fc3d50_NeikiAnalytics.exe
    2660  | NMEZMM.exe
    2660  | NMEZMM.exe

- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes:
    description                          | pid   | process                                              | target process
    PID 1856 wrote to memory of 2952     | 1856  | 260337b82952618538052e8da5fc3d50_NeikiAnalytics.exe  | cmd.exe
    PID 1856 wrote to memory of 2952     | 1856  | 260337b82952618538052e8da5fc3d50_NeikiAnalytics.exe  | cmd.exe
    PID 1856 wrote to memory of 2952     | 1856  | 260337b82952618538052e8da5fc3d50_NeikiAnalytics.exe  | cmd.exe
    PID 1856 wrote to memory of 2952     | 1856  | 260337b82952618538052e8da5fc3d50_NeikiAnalytics.exe  | cmd.exe
    PID 2952 wrote to memory of 2660     | 2952  | cmd.exe                                              | NMEZMM.exe
    PID 2952 wrote to memory of 2660     | 2952  | cmd.exe                                              | NMEZMM.exe
    PID 2952 wrote to memory of 2660     | 2952  | cmd.exe                                              | NMEZMM.exe
    PID 2952 wrote to memory of 2660     | 2952  | cmd.exe                                              | NMEZMM.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\260337b82952618538052e8da5fc3d50_NeikiAnalytics.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\260337b82952618538052e8da5fc3d50_NeikiAnalytics.exe"
   - Drops file in System32 directory
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c ""C:\windows\system32\NMEZMM.exe.bat" "
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory

      3. C:\windows\SysWOW64\NMEZMM.exe
         Command line: C:\windows\system32\NMEZMM.exe
         - Executes dropped EXE
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads

- C:\Windows\SysWOW64\NMEZMM.exe.bat
  Filesize: 76B
  MD5: ddb91bbe9a4c53d7b628b8be7b05d202
  SHA1: b71b9c0d8b2c3b114fd6427b64f3c6865d98428a
  SHA256: ee0ed99313dcc31fc7716f82bf2008667f26c01cf038d69cc1394f30dfb58471
  SHA512: 9c33d43c23d88ae4abe43544f1b5a93797375585a6ef068aa96e1f15b660bfd989305ec619bc44a2e2a1a1d66c311e6b0b58589a9a27c55f03024410b8ea018e

- \Windows\SysWOW64\NMEZMM.exe
  Filesize: 448KB
  MD5: d24834a03a3569d375e1d5e60ea8fca6
  SHA1: adef85479096600c9cd74146302ea79156fde386
  SHA256: 10b3117192f546f2841a5df603d20ae3bf3cb34a5097496be38156a12209ca58
  SHA512: 8a192b1e2e03616c62fcd72eb29c6402affee692cf7a757a5c3546519e333c94434c0bf2b989d7150842c2e6043caef49c09c79a5180d1149975ed2ca5ab8bcc

- memory/1856-0-0x0000000000400000-0x0000000000439000-memory.dmp
  Filesize: 228KB

- memory/1856-12-0x0000000000400000-0x0000000000439000-memory.dmp
  Filesize: 228KB

- memory/2660-20-0x0000000000400000-0x0000000000439000-memory.dmp
  Filesize: 228KB

- memory/2660-21-0x0000000000400000-0x0000000000439000-memory.dmp
  Filesize: 228KB

- memory/2952-16-0x0000000000170000-0x00000000001A9000-memory.dmp
  Filesize: 228KB

- memory/2952-18-0x0000000000170000-0x00000000001A9000-memory.dmp
  Filesize: 228KB