Analysis
- max time kernel: 149s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 28-05-2024 10:20
Behavioral task
- behavioral1
  - Sample: 3f28bddb83b121d49d726306fa3c0c20_NeikiAnalytics.exe
  - Resource: win7-20240220-en
General
- Target: 3f28bddb83b121d49d726306fa3c0c20_NeikiAnalytics.exe
- Size: 309KB
- MD5: 3f28bddb83b121d49d726306fa3c0c20
- SHA1: faa1bfae0eebc745eca4a811f9c78bffcd71d5e1
- SHA256: d4afef898d74d36ca2567eb56102aefda524571b5292f8a0bdf6a843fb1ffaa6
- SHA512: 7aa279af17d1748a87417bc6616dd915c15ad8eaab0d0a35182d8d7356952acf03be240adf46d80a2933b741aefe7d87d87eec9a4d15c916d6d14ef1ac3e24cf
- SSDEEP: 6144:27OsazH+zowJbn9cpQrOma+TLIXLBmtJhRyG2BJbZZuwkg0hefTc6KAfH5GowhmL:27OfzH0oQKpQLTLIXLBqAXbZZuwkfo6w
Malware Config
Signatures
- Malware Dropper & Backdoor - Berbew (1 IoC)
  Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
  Processes:
  | resource                                      | yara_rule     |
  |-----------------------------------------------|---------------|
  | C:\Users\Admin\AppData\Local\Temp\popup.sed   | family_berbew |
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes: 3f28bddb83b121d49d726306fa3c0c20_NeikiAnalytics.exe, cmd.exe, iexpress.exe
  | description                      | pid  | process                                              | target process |
  |----------------------------------|------|------------------------------------------------------|----------------|
  | PID 3828 wrote to memory of 444  | 3828 | 3f28bddb83b121d49d726306fa3c0c20_NeikiAnalytics.exe  | cmd.exe        |
  | PID 3828 wrote to memory of 444  | 3828 | 3f28bddb83b121d49d726306fa3c0c20_NeikiAnalytics.exe  | cmd.exe        |
  | PID 3828 wrote to memory of 444  | 3828 | 3f28bddb83b121d49d726306fa3c0c20_NeikiAnalytics.exe  | cmd.exe        |
  | PID 444 wrote to memory of 3240  | 444  | cmd.exe                                              | iexpress.exe   |
  | PID 444 wrote to memory of 3240  | 444  | cmd.exe                                              | iexpress.exe   |
  | PID 444 wrote to memory of 3240  | 444  | cmd.exe                                              | iexpress.exe   |
  | PID 3240 wrote to memory of 4740 | 3240 | iexpress.exe                                         | makecab.exe    |
  | PID 3240 wrote to memory of 4740 | 3240 | iexpress.exe                                         | makecab.exe    |
  | PID 3240 wrote to memory of 4740 | 3240 | iexpress.exe                                         | makecab.exe    |
Processes
- C:\Users\Admin\AppData\Local\Temp\3f28bddb83b121d49d726306fa3c0c20_NeikiAnalytics.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\3f28bddb83b121d49d726306fa3c0c20_NeikiAnalytics.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3DE4.tmp\1.bat" "C:\Users\Admin\AppData\Local\Temp\3f28bddb83b121d49d726306fa3c0c20_NeikiAnalytics.exe""
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\iexpress.exe (depth 3)
      Command line: iexpress /n /q /m C:\Users\Admin\AppData\Local\Temp\popup.sed
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\makecab.exe (depth 4)
        Command line: C:\Windows\SysWOW64\makecab.exe /f "~%TargetName%.DDF"
Network
MITRE ATT&CK Matrix
Downloads
- C:\Users\Admin\AppData\Local\Temp\3DE4.tmp\1.bat
  - Filesize: 1KB
  - MD5: 02dba5f37067292355c6d01a57d4ef48
  - SHA1: 7c67ab3f99fbf7a53018dd295d2968c525db83d9
  - SHA256: 8b74c812ba9e6c536da7edd4101e7e0dddeab8355e5aff095dd31b3f00560242
  - SHA512: 12201f949ee3198c8f4b39cc8edf90a114ecf42ddd5383ed0b87e4c78053cd517786dc7af83557e63a0483af74f4c0117d5568441ae761ff6958e758704d602a
- C:\Users\Admin\AppData\Local\Temp\popup.sed
  - Filesize: 309KB
  - MD5: 08e32731d4346de77e6727704bf6668e
  - SHA1: f437a628b3cfd6dd991517b64ccdd20e77c0e699
  - SHA256: ef8e1e50987de6f5177eba222642e58fffc2592a365e0b7ae18578df4b30c4cf
  - SHA512: 1e984904cdd927f16385ab2d8cd5bdd709d8f4cbab0c2b08170e3d693fb0a0af95a1c0276de0ef230b88e76e2bae9df27f7f51b3428967617994b2602c67cbd8
- C:\Users\Admin\AppData\Local\Temp\~%TargetName%.DDF
  - Filesize: 724B
  - MD5: c3ca008abd6997c4b036a7e8be75cb2c
  - SHA1: 05f7a3527bb04c691b08f040f562582035398829
  - SHA256: 29ef6bf47dcc8c67f1abe1b269d3518d6a4ebe125daa1ea460779638cb9782a3
  - SHA512: bee0baf3cb83144239077f99f5ca2a6ca7b618f7f51a53e03613ae697e8bc76fa28f5d006296b469be8e1fffeeb35668b5fe87b260b1380cc003815ea9efb083
- memory/3828-0-0x0000000000400000-0x0000000000415000-memory.dmp
  - Filesize: 84KB
- memory/3828-12-0x0000000000400000-0x0000000000415000-memory.dmp
  - Filesize: 84KB