74b329f07e18d941245e3900201e28bd6f847090bdea57becec014d88892875d

Analysis

max time kernel
119s
max time network
129s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
28-05-2024 12:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4483fa9e96a222c83c1ec2d618de61e0_NeikiAnalytics.exe
Size

1.3MB
MD5

4483fa9e96a222c83c1ec2d618de61e0
SHA1

bf597b148ba99e9915ac0a17ff6c120c5d9a31a7
SHA256

74b329f07e18d941245e3900201e28bd6f847090bdea57becec014d88892875d
SHA512

bc6d802f75e0f4d9f0560df2b0308a828837f64cce579ddf629f379ef504c5100d565f73166603d383892a595e463453b49424a3c9fb319097cc43ce301449f2
SSDEEP

24576:DfAEerrf5D+daoyUTIYKE4+j2m/F3Ia/ZSjXuF77Lv+f6T8Qnskb2i6OBKaBWvM:EEy5D+U1YjegGXuFbq4TT+E

Score

10^/10

backdoor dropper trojan

Malware Config

Signatures

Malware Dropper & Backdoor - Berbew 1 IoCs

Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.

backdoor trojan dropper

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\4483fa9e96a222c83c1ec2d618de61e0_NeikiAnalytics.exe	family_berbew

Deletes itself 1 IoCs

Processes:

4483fa9e96a222c83c1ec2d618de61e0_NeikiAnalytics.exe

pid process

1496 4483fa9e96a222c83c1ec2d618de61e0_NeikiAnalytics.exe
Executes dropped EXE 1 IoCs

Processes:

4483fa9e96a222c83c1ec2d618de61e0_NeikiAnalytics.exe

pid process

1496 4483fa9e96a222c83c1ec2d618de61e0_NeikiAnalytics.exe
Loads dropped DLL 1 IoCs

Processes:

4483fa9e96a222c83c1ec2d618de61e0_NeikiAnalytics.exe

pid process

2812 4483fa9e96a222c83c1ec2d618de61e0_NeikiAnalytics.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

3 pastebin.com
4 pastebin.com
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

4483fa9e96a222c83c1ec2d618de61e0_NeikiAnalytics.exe

pid process

1496 4483fa9e96a222c83c1ec2d618de61e0_NeikiAnalytics.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

4483fa9e96a222c83c1ec2d618de61e0_NeikiAnalytics.exe

pid process

2812 4483fa9e96a222c83c1ec2d618de61e0_NeikiAnalytics.exe
Suspicious use of UnmapMainImage 1 IoCs

Processes:

4483fa9e96a222c83c1ec2d618de61e0_NeikiAnalytics.exe

pid process

1496 4483fa9e96a222c83c1ec2d618de61e0_NeikiAnalytics.exe

pid	process
1496	4483fa9e96a222c83c1ec2d618de61e0_NeikiAnalytics.exe

pid	process
1496	4483fa9e96a222c83c1ec2d618de61e0_NeikiAnalytics.exe

pid	process
2812	4483fa9e96a222c83c1ec2d618de61e0_NeikiAnalytics.exe

flow	ioc
3	pastebin.com
4	pastebin.com

pid	process
1496	4483fa9e96a222c83c1ec2d618de61e0_NeikiAnalytics.exe

pid	process
2812	4483fa9e96a222c83c1ec2d618de61e0_NeikiAnalytics.exe

pid	process
1496	4483fa9e96a222c83c1ec2d618de61e0_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

4483fa9e96a222c83c1ec2d618de61e0_NeikiAnalytics.exe

description	pid	process	target process
PID 2812 wrote to memory of 1496	2812	4483fa9e96a222c83c1ec2d618de61e0_NeikiAnalytics.exe	4483fa9e96a222c83c1ec2d618de61e0_NeikiAnalytics.exe
PID 2812 wrote to memory of 1496	2812	4483fa9e96a222c83c1ec2d618de61e0_NeikiAnalytics.exe	4483fa9e96a222c83c1ec2d618de61e0_NeikiAnalytics.exe
PID 2812 wrote to memory of 1496	2812	4483fa9e96a222c83c1ec2d618de61e0_NeikiAnalytics.exe	4483fa9e96a222c83c1ec2d618de61e0_NeikiAnalytics.exe
PID 2812 wrote to memory of 1496	2812	4483fa9e96a222c83c1ec2d618de61e0_NeikiAnalytics.exe	4483fa9e96a222c83c1ec2d618de61e0_NeikiAnalytics.exe

C:\Users\Admin\AppData\Local\Temp\4483fa9e96a222c83c1ec2d618de61e0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\4483fa9e96a222c83c1ec2d618de61e0_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2812

C:\Users\Admin\AppData\Local\Temp\4483fa9e96a222c83c1ec2d618de61e0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\4483fa9e96a222c83c1ec2d618de61e0_NeikiAnalytics.exe
2⤵
- Deletes itself
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of UnmapMainImage
PID:1496

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\4483fa9e96a222c83c1ec2d618de61e0_NeikiAnalytics.exe
Filesize
1.3MB

MD5
3409043bca4d62fcf0a0fedc9682360b

SHA1
cf31571ccd4edc30927737d1427a9cedc8785b09

SHA256
dba3d8f2a633ec7dd7f67adc274152701d72e4aed062dea276d8da6c007359d8

SHA512
607b158027cb732ce27f29a0b92f7bb829453153a496feb516ccb105ce1d34ecc396301235bdbcf3c53f1ae573fdd0261bdd2fd404a2b75a12f77ebd57954968

Download Submit
memory/1496-9-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/1496-10-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/1496-16-0x0000000002EB0000-0x0000000002F9F000-memory.dmp

Filesize
956KB

Download
memory/1496-32-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1496-38-0x000000000E740000-0x000000000E7E3000-memory.dmp

Filesize
652KB

Download
memory/1496-40-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/2812-0-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/2812-7-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/2812-39-0x0000000003080000-0x000000000316F000-memory.dmp

Filesize
956KB

Download