b311f0ad6efaea64cd8400e4756d611cdb553608975049cae476709c74028e5a

Analysis

max time kernel
120s
max time network
124s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
28-05-2024 04:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

32facde47575d88303a6deceae2454a0_NeikiAnalytics.exe
Size

282KB
MD5

32facde47575d88303a6deceae2454a0
SHA1

8541b6145a3b4c5d594bfd8e9afda2b45764e25b
SHA256

b311f0ad6efaea64cd8400e4756d611cdb553608975049cae476709c74028e5a
SHA512

687bdbfe674cdd0e108cc51c858237e7c125ca90add07a4bf1bc5a16a95830e0379819c52d687a8d55a82d209880aeb5a3e4eaa9b2dd98dd9d4e40ff2dad66b4
SSDEEP

6144:kYXEmup2uytWBvAnk3jys/kEjiPISUOgW9X+hOGzC/:knmusWBgWjPkmZzcukG2/

Score

10^/10

backdoor dropper trojan

Malware Config

Signatures

Malware Dropper & Backdoor - Berbew 1 IoCs

Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.

backdoor trojan dropper

Processes:

resource	yara_rule
C:\windows\SysWOW64\POHL.exe	family_berbew

Executes dropped EXE 1 IoCs

Processes:

POHL.exe

pid process

2660 POHL.exe
Loads dropped DLL 2 IoCs

Processes:

cmd.exe

pid process

3060 cmd.exe
3060 cmd.exe

pid	process
2660	POHL.exe

pid	process
3060	cmd.exe
3060	cmd.exe

Drops file in System32 directory 3 IoCs

Processes:

32facde47575d88303a6deceae2454a0_NeikiAnalytics.exe

description	ioc	process
File created	C:\windows\SysWOW64\POHL.exe	32facde47575d88303a6deceae2454a0_NeikiAnalytics.exe
File opened for modification	C:\windows\SysWOW64\POHL.exe	32facde47575d88303a6deceae2454a0_NeikiAnalytics.exe
File created	C:\windows\SysWOW64\POHL.exe.bat	32facde47575d88303a6deceae2454a0_NeikiAnalytics.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

32facde47575d88303a6deceae2454a0_NeikiAnalytics.exePOHL.exe

pid process

1452 32facde47575d88303a6deceae2454a0_NeikiAnalytics.exe
2660 POHL.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

32facde47575d88303a6deceae2454a0_NeikiAnalytics.exePOHL.exe

pid process

1452 32facde47575d88303a6deceae2454a0_NeikiAnalytics.exe
1452 32facde47575d88303a6deceae2454a0_NeikiAnalytics.exe
2660 POHL.exe
2660 POHL.exe

pid	process
1452	32facde47575d88303a6deceae2454a0_NeikiAnalytics.exe
2660	POHL.exe

pid	process
1452	32facde47575d88303a6deceae2454a0_NeikiAnalytics.exe
1452	32facde47575d88303a6deceae2454a0_NeikiAnalytics.exe
2660	POHL.exe
2660	POHL.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

32facde47575d88303a6deceae2454a0_NeikiAnalytics.execmd.exe

description	pid	process	target process
PID 1452 wrote to memory of 3060	1452	32facde47575d88303a6deceae2454a0_NeikiAnalytics.exe	cmd.exe
PID 1452 wrote to memory of 3060	1452	32facde47575d88303a6deceae2454a0_NeikiAnalytics.exe	cmd.exe
PID 1452 wrote to memory of 3060	1452	32facde47575d88303a6deceae2454a0_NeikiAnalytics.exe	cmd.exe
PID 1452 wrote to memory of 3060	1452	32facde47575d88303a6deceae2454a0_NeikiAnalytics.exe	cmd.exe
PID 3060 wrote to memory of 2660	3060	cmd.exe	POHL.exe
PID 3060 wrote to memory of 2660	3060	cmd.exe	POHL.exe
PID 3060 wrote to memory of 2660	3060	cmd.exe	POHL.exe
PID 3060 wrote to memory of 2660	3060	cmd.exe	POHL.exe

C:\Users\Admin\AppData\Local\Temp\32facde47575d88303a6deceae2454a0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\32facde47575d88303a6deceae2454a0_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1452
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\windows\system32\POHL.exe.bat" "
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3060
- - C:\windows\SysWOW64\POHL.exe
    C:\windows\system32\POHL.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\POHL.exe.bat

Filesize
72B

MD5
b1bb413e6c6a4a0c715e9e53082d9b67

SHA1
8ccdd727ad3adcc563f67e39517f2e68a1c30b6d

SHA256
0c9a01464c965b930488f272fcf59c7bb268296fa5c733595edcc17fa227bffb

SHA512
d1093ca46845a87d242a6b0126a20250331668cbb6134da80c751f3cac89b9806a1c385ce55fe81ea16489ae77c9c1bd6c130c99cb28c91358c7c9284ac1f97f

Download Submit
C:\windows\SysWOW64\POHL.exe

Filesize
282KB

MD5
62e5ad27d2975d76e8ef7e05b863b790

SHA1
a54b539c113f66b21dd3ed707e85acd642dd35fd

SHA256
ed60c9e89614128409da38be042436a6e4d9d4ac3c8e616bd978cabcdcd1ad27

SHA512
b671f3b65571d893a35d766c843fcf82850768c3b5684d6a9d59ac8a4beafa28c838d2922d0db97698c7105698d57f65bd8eb6d6caaa743c7adf7df60abf7b1b

Download Submit
memory/1452-0-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1452-12-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2660-20-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2660-21-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3060-17-0x0000000000170000-0x00000000001A9000-memory.dmp

Filesize
228KB

Download
memory/3060-18-0x0000000000170000-0x00000000001A9000-memory.dmp

Filesize
228KB

Download