Analysis
- max time kernel: 149s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 30-05-2024 13:09
Behavioral task
- behavioral1
  Sample: 175cebdfa0a4e4a347058d2bcf60a350_NeikiAnalytics.exe
  Resource: win7-20240508-en
General
- Target: 175cebdfa0a4e4a347058d2bcf60a350_NeikiAnalytics.exe
- Size: 1.2MB
- MD5: 175cebdfa0a4e4a347058d2bcf60a350
- SHA1: 7b9a1c4d47e4c3c4e5e183496fdb20d9ec417a51
- SHA256: ab3f7d350da24e9d26687636e54a8ecd4f77676be7fde7e50f9c4a4e34aef2c5
- SHA512: 0b688754d105ee097870e93231c6f422104a0a6eb193de3374f30045041abc56e925e5ea1236918fbf94b2ea69f22d7ba2ba5c0b9af6907eb127357741c042d8
- SSDEEP: 24576:+D4aJeXfcRYghOYaxO+cJZHFzo3Qgka/ZSqa/JX3gK6BbK077Lv+f6T8f//1:+veXUx/axO+cFmQgkgpg2XB+0bGH1
Malware Config
Signatures
- Malware Dropper & Backdoor - Berbew (1 IoCs)
  Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
  Processes (resource, yara_rule):
  C:\Users\Admin\AppData\Local\Temp\175cebdfa0a4e4a347058d2bcf60a350_NeikiAnalytics.exe  family_berbew
- Deletes itself (1 IoCs)
  Processes (pid, process):
  628  175cebdfa0a4e4a347058d2bcf60a350_NeikiAnalytics.exe
- Executes dropped EXE (1 IoCs)
  Processes (pid, process):
  628  175cebdfa0a4e4a347058d2bcf60a350_NeikiAnalytics.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 2 IoCs)
- Program crash (16 IoCs)
  Processes (pid, pid_target; process is WerFault.exe and target process is 175cebdfa0a4e4a347058d2bcf60a350_NeikiAnalytics.exe in every row):
  4012  1264
  4480  628
  592   628
  4960  628
  3608  628
  4104  628
  3840  628
  4456  628
  4588  628
  1108  628
  4520  628
  4080  628
  60    628
  1900  628
  4412  628
  2412  628
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes (pid, process):
  628  175cebdfa0a4e4a347058d2bcf60a350_NeikiAnalytics.exe
  628  175cebdfa0a4e4a347058d2bcf60a350_NeikiAnalytics.exe
- Suspicious behavior: RenamesItself (1 IoCs)
  Processes (pid, process):
  1264  175cebdfa0a4e4a347058d2bcf60a350_NeikiAnalytics.exe
- Suspicious use of UnmapMainImage (1 IoCs)
  Processes (pid, process):
  628  175cebdfa0a4e4a347058d2bcf60a350_NeikiAnalytics.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes (description, pid, process, target process):
  PID 1264 wrote to memory of 628  1264  175cebdfa0a4e4a347058d2bcf60a350_NeikiAnalytics.exe  175cebdfa0a4e4a347058d2bcf60a350_NeikiAnalytics.exe
  PID 1264 wrote to memory of 628  1264  175cebdfa0a4e4a347058d2bcf60a350_NeikiAnalytics.exe  175cebdfa0a4e4a347058d2bcf60a350_NeikiAnalytics.exe
  PID 1264 wrote to memory of 628  1264  175cebdfa0a4e4a347058d2bcf60a350_NeikiAnalytics.exe  175cebdfa0a4e4a347058d2bcf60a350_NeikiAnalytics.exe
Processes (tree; indentation shows parent/child depth, each entry gives the PID and the command line)
PID 1264: "C:\Users\Admin\AppData\Local\Temp\175cebdfa0a4e4a347058d2bcf60a350_NeikiAnalytics.exe"
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID 4012: C:\Windows\SysWOW64\WerFault.exe -u -p 1264 -s 348
    - Program crash
  PID 628: C:\Users\Admin\AppData\Local\Temp\175cebdfa0a4e4a347058d2bcf60a350_NeikiAnalytics.exe
    - Deletes itself
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of UnmapMainImage
    PID 4480: C:\Windows\SysWOW64\WerFault.exe -u -p 628 -s 344
      - Program crash
    PID 592: C:\Windows\SysWOW64\WerFault.exe -u -p 628 -s 628
      - Program crash
    PID 4960: C:\Windows\SysWOW64\WerFault.exe -u -p 628 -s 636
      - Program crash
    PID 3608: C:\Windows\SysWOW64\WerFault.exe -u -p 628 -s 636
      - Program crash
    PID 4104: C:\Windows\SysWOW64\WerFault.exe -u -p 628 -s 720
      - Program crash
    PID 3840: C:\Windows\SysWOW64\WerFault.exe -u -p 628 -s 988
      - Program crash
    PID 4456: C:\Windows\SysWOW64\WerFault.exe -u -p 628 -s 1408
      - Program crash
    PID 4588: C:\Windows\SysWOW64\WerFault.exe -u -p 628 -s 1408
      - Program crash
    PID 1108: C:\Windows\SysWOW64\WerFault.exe -u -p 628 -s 1648
      - Program crash
    PID 4520: C:\Windows\SysWOW64\WerFault.exe -u -p 628 -s 1452
      - Program crash
    PID 4080: C:\Windows\SysWOW64\WerFault.exe -u -p 628 -s 1528
      - Program crash
    PID 60: C:\Windows\SysWOW64\WerFault.exe -u -p 628 -s 1712
      - Program crash
    PID 1900: C:\Windows\SysWOW64\WerFault.exe -u -p 628 -s 1728
      - Program crash
    PID 4412: C:\Windows\SysWOW64\WerFault.exe -u -p 628 -s 1544
      - Program crash
    PID 2412: C:\Windows\SysWOW64\WerFault.exe -u -p 628 -s 1040
      - Program crash
PID 4412: C:\Windows\SysWOW64\WerFault.exe -pss -s 176 -p 1264 -ip 1264
PID 4676: C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 628 -ip 628
PID 3096: C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 628 -ip 628
PID 4856: C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 628 -ip 628
PID 2344: C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 628 -ip 628
PID 2468: C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 628 -ip 628
PID 4980: C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 628 -ip 628
PID 3316: C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 628 -ip 628
PID 4064: C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 628 -ip 628
PID 4312: C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 628 -ip 628
PID 4516: C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 628 -ip 628
PID 3764: C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 628 -ip 628
PID 1324: C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 628 -ip 628
PID 4852: C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 628 -ip 628
PID 3596: C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 628 -ip 628
PID 404: C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 628 -ip 628
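The process list above records the pattern worth detecting: the original (PID 1264) renames itself and writes into a second copy of its own image (PID 628), that copy unmaps its main image and deletes the original, and WerFault.exe is then launched against PID 628 fifteen times within the roughly 150-second run. The script below is an added example, not code from the sandbox or from the Berbew family. It loads a constructed set of records modelled on those rows and flags both signals: a parent/child pair with the same image plus a write into the child and UnmapMainImage on the child (the hollowing shape), and any PID with a WerFault crash count at or above a threshold. The record layout, the tag names and the `WRITES` edge list are assumptions modelled on the report's tables; only the PIDs, paths and `-s` values come from the page.

```python
"""Flag the self-copy hollowing and WerFault crash-storm pattern from this report.

Added example for this page, not code from the sandbox or from the Berbew
family.  Record layout (pid, parent pid, image, command line, behaviour tags)
and the "wrote to memory of" edge list are assumptions modelled on the
report's Processes and Signatures tables; the values are taken from the page.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class Proc:
    pid: int
    ppid: int | None
    image: str
    cmdline: str
    tags: set = field(default_factory=set)


SAMPLE = "175cebdfa0a4e4a347058d2bcf60a350_NeikiAnalytics.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp" + "\\" + SAMPLE
WER = r"C:\Windows\SysWOW64\WerFault.exe"

# Constructed from the report: 1264 renames itself, spawns a second copy (628),
# writes into it, and 628 then unmaps its main image and deletes the original.
RECORDS = [
    Proc(1264, None, TEMP, f'"{TEMP}"', {"RenamesItself", "WriteProcessMemory"}),
    Proc(628, 1264, TEMP, TEMP, {"Deletes itself", "Executes dropped EXE", "UnmapMainImage"}),
    Proc(4012, 1264, WER, f"{WER} -u -p 1264 -s 348", {"Program crash"}),
]
# The fifteen WerFault instances the report shows under the hollowed copy (pid, -s value).
RECORDS += [
    Proc(pid, 628, WER, f"{WER} -u -p 628 -s {sect}", {"Program crash"})
    for pid, sect in [(4480, 344), (592, 628), (4960, 636), (3608, 636), (4104, 720),
                      (3840, 988), (4456, 1408), (4588, 1408), (1108, 1648), (4520, 1452),
                      (4080, 1528), (60, 1712), (1900, 1728), (4412, 1544), (2412, 1040)]
]
# "PID 1264 wrote to memory of 628" appears three times in the report (assumed edge format).
WRITES = [(1264, 628)] * 3

# -p <pid> names the faulting process in both the "-u -p N -s N" and the
# "-pss -s N -p N -ip N" invocation forms; "-pss" and "-ip" do not match.
WER_TARGET = re.compile(r"(?:^|\s)-p\s+(\d+)")


def wer_target(cmdline: str) -> int | None:
    """Return the pid a WerFault.exe command line was launched against, or None."""
    m = WER_TARGET.search(cmdline)
    return int(m.group(1)) if m else None


def crash_counts(procs) -> Counter:
    """Number of WerFault.exe instances launched against each target pid."""
    counts: Counter = Counter()
    for p in procs:
        if p.image.lower().endswith("\\werfault.exe"):
            target = wer_target(p.cmdline)
            if target is not None:
                counts[target] += 1
    return counts


def hollowed_self_copies(procs, writes):
    """(parent, child) pairs where a process launched a copy of its own image,
    wrote into that child, and the child then unmapped its main image."""
    by_pid = {p.pid: p for p in procs}
    written = set(writes)
    hits = []
    for child in procs:
        parent = by_pid.get(child.ppid)
        if parent is None:
            continue
        same_image = parent.image.lower() == child.image.lower()
        if same_image and (parent.pid, child.pid) in written and "UnmapMainImage" in child.tags:
            hits.append((parent.pid, child.pid))
    return hits


def assess(procs, writes, crash_threshold: int = 5) -> dict:
    """Triage summary: hollowing pairs, per-pid crash counts, and crash storms."""
    counts = crash_counts(procs)
    return {
        "hollowed": hollowed_self_copies(procs, writes),
        "crashes": dict(counts),
        "crash_storms": {pid: n for pid, n in counts.items() if n >= crash_threshold},
    }


if __name__ == "__main__":
    print(assess(RECORDS, WRITES))
```

The top-level `-pss` WerFault instances also carry `-p <pid>`, so `wer_target()` counts them if they are fed in; the report does not tag them as crashes, so they are left out of `RECORDS`. A crash storm against a freshly written self-copy is itself a caveat for the analyst: the injected code faulted repeatedly in this run, and the report's Network section is empty, so no download or C2 activity was observed here.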
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1.2MB
  MD5: 2135b203b2ae49c664a2ec4aaec8383f
  SHA1: 7750bfae530baf7f8b2b7fbe389ac7493a8bcef3
  SHA256: 69b2018acf9779308f1116beb6882bc005b553f1905904e010c2ef7289347305
  SHA512: 6dc6bfe66a3cc57b351d2fe56edcdeafb36466857c32243b860726b66a2420f10aa1f4faaac88e2c43c226e4dfd005926960c00b610d888eb23d59e75b9caf18