d4afef898d74d36ca2567eb56102aefda524571b5292f8a0bdf6a843fb1ffaa6

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
28-05-2024 10:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3f28bddb83b121d49d726306fa3c0c20_NeikiAnalytics.exe
Size

309KB
MD5

3f28bddb83b121d49d726306fa3c0c20
SHA1

faa1bfae0eebc745eca4a811f9c78bffcd71d5e1
SHA256

d4afef898d74d36ca2567eb56102aefda524571b5292f8a0bdf6a843fb1ffaa6
SHA512

7aa279af17d1748a87417bc6616dd915c15ad8eaab0d0a35182d8d7356952acf03be240adf46d80a2933b741aefe7d87d87eec9a4d15c916d6d14ef1ac3e24cf
SSDEEP

6144:27OsazH+zowJbn9cpQrOma+TLIXLBmtJhRyG2BJbZZuwkg0hefTc6KAfH5GowhmL:27OfzH0oQKpQLTLIXLBqAXbZZuwkfo6w

Score

10^/10

backdoor dropper trojan

Malware Config

Signatures

Malware Dropper & Backdoor - Berbew 1 IoCs

Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.

backdoor trojan dropper

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\popup.sed	family_berbew

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

3f28bddb83b121d49d726306fa3c0c20_NeikiAnalytics.execmd.exeiexpress.exe

description	pid	process	target process
PID 3828 wrote to memory of 444	3828	3f28bddb83b121d49d726306fa3c0c20_NeikiAnalytics.exe	cmd.exe
PID 3828 wrote to memory of 444	3828	3f28bddb83b121d49d726306fa3c0c20_NeikiAnalytics.exe	cmd.exe
PID 3828 wrote to memory of 444	3828	3f28bddb83b121d49d726306fa3c0c20_NeikiAnalytics.exe	cmd.exe
PID 444 wrote to memory of 3240	444	cmd.exe	iexpress.exe
PID 444 wrote to memory of 3240	444	cmd.exe	iexpress.exe
PID 444 wrote to memory of 3240	444	cmd.exe	iexpress.exe
PID 3240 wrote to memory of 4740	3240	iexpress.exe	makecab.exe
PID 3240 wrote to memory of 4740	3240	iexpress.exe	makecab.exe
PID 3240 wrote to memory of 4740	3240	iexpress.exe	makecab.exe

C:\Users\Admin\AppData\Local\Temp\3f28bddb83b121d49d726306fa3c0c20_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\3f28bddb83b121d49d726306fa3c0c20_NeikiAnalytics.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3828

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3DE4.tmp\1.bat" "C:\Users\Admin\AppData\Local\Temp\3f28bddb83b121d49d726306fa3c0c20_NeikiAnalytics.exe""
2⤵
- Suspicious use of WriteProcessMemory
PID:444

C:\Windows\SysWOW64\iexpress.exe
iexpress /n /q /m C:\Users\Admin\AppData\Local\Temp\popup.sed
3⤵
- Suspicious use of WriteProcessMemory
PID:3240

C:\Windows\SysWOW64\makecab.exe
C:\Windows\SysWOW64\makecab.exe /f "~%TargetName%.DDF"
4⤵
PID:4740

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3DE4.tmp\1.bat
Filesize
1KB

MD5
02dba5f37067292355c6d01a57d4ef48

SHA1
7c67ab3f99fbf7a53018dd295d2968c525db83d9

SHA256
8b74c812ba9e6c536da7edd4101e7e0dddeab8355e5aff095dd31b3f00560242

SHA512
12201f949ee3198c8f4b39cc8edf90a114ecf42ddd5383ed0b87e4c78053cd517786dc7af83557e63a0483af74f4c0117d5568441ae761ff6958e758704d602a

Download Submit
C:\Users\Admin\AppData\Local\Temp\popup.sed
Filesize
309KB

MD5
08e32731d4346de77e6727704bf6668e

SHA1
f437a628b3cfd6dd991517b64ccdd20e77c0e699

SHA256
ef8e1e50987de6f5177eba222642e58fffc2592a365e0b7ae18578df4b30c4cf

SHA512
1e984904cdd927f16385ab2d8cd5bdd709d8f4cbab0c2b08170e3d693fb0a0af95a1c0276de0ef230b88e76e2bae9df27f7f51b3428967617994b2602c67cbd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\~%TargetName%.DDF
Filesize
724B

MD5
c3ca008abd6997c4b036a7e8be75cb2c

SHA1
05f7a3527bb04c691b08f040f562582035398829

SHA256
29ef6bf47dcc8c67f1abe1b269d3518d6a4ebe125daa1ea460779638cb9782a3

SHA512
bee0baf3cb83144239077f99f5ca2a6ca7b618f7f51a53e03613ae697e8bc76fa28f5d006296b469be8e1fffeeb35668b5fe87b260b1380cc003815ea9efb083

Download Submit
memory/3828-0-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/3828-12-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download