Analysis

max time kernel: 129s
max time network: 98s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30-05-2024 14:13
Behavioral task: behavioral1
Sample: f0c92d9c09e40a216df4554d38ff01c0_NeikiAnalytics.exe
Resource: win7-20240220-en
General

Target: f0c92d9c09e40a216df4554d38ff01c0_NeikiAnalytics.exe
Size: 288KB
MD5: f0c92d9c09e40a216df4554d38ff01c0
SHA1: 291650447b5f5d0142accf0e15046e6b3550f874
SHA256: 085161cbf3871e40c71ddecd09bf520041cc17ad3dcea76553962ebf8dcc14e3
SHA512: 643a4ce4a61579efad65388539c79f68347676608631c5146f96efc1bfa9b6f823902b78d38d8bda8c22920f688b3806f4795b7d5edb09c90a011efee4854b02
SSDEEP: 6144:faa11Le8nDLDrX91yFtXhzQUMIz9oVtdW/sEM+rW+0gM7uRw0sNV:311qQLD51KXhzQUMQ9oVtdW/sEzrWtHp
Malware Config
Signatures

Malware Dropper & Backdoor - Berbew (1 IoC)
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
Processes:
  resource: C:\Users\Admin\AppData\Local\Temp\f0c92d9c09e40a216df4554d38ff01c0_NeikiAnalytics.exe
  yara_rule: family_berbew

Deletes itself (1 IoC)
Processes:
  pid 2096  process f0c92d9c09e40a216df4554d38ff01c0_NeikiAnalytics.exe

Executes dropped EXE (1 IoC)
Processes:
  pid 2096  process f0c92d9c09e40a216df4554d38ff01c0_NeikiAnalytics.exe

Program crash (2 IoCs)
Processes:
  pid   pid_target  process       target process
  3028  968         WerFault.exe  f0c92d9c09e40a216df4554d38ff01c0_NeikiAnalytics.exe
  1944  2096        WerFault.exe  f0c92d9c09e40a216df4554d38ff01c0_NeikiAnalytics.exe

Suspicious behavior: RenamesItself (1 IoC)
Processes:
  pid 968  process f0c92d9c09e40a216df4554d38ff01c0_NeikiAnalytics.exe

Suspicious use of UnmapMainImage (1 IoC)
Processes:
  pid 2096  process f0c92d9c09e40a216df4554d38ff01c0_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory (3 IoCs)
Processes:
  description                      pid  process                                                target process
  PID 968 wrote to memory of 2096  968  f0c92d9c09e40a216df4554d38ff01c0_NeikiAnalytics.exe  f0c92d9c09e40a216df4554d38ff01c0_NeikiAnalytics.exe
  PID 968 wrote to memory of 2096  968  f0c92d9c09e40a216df4554d38ff01c0_NeikiAnalytics.exe  f0c92d9c09e40a216df4554d38ff01c0_NeikiAnalytics.exe
  PID 968 wrote to memory of 2096  968  f0c92d9c09e40a216df4554d38ff01c0_NeikiAnalytics.exe  f0c92d9c09e40a216df4554d38ff01c0_NeikiAnalytics.exe
Processes (indentation shows parent/child relationship)

C:\Users\Admin\AppData\Local\Temp\f0c92d9c09e40a216df4554d38ff01c0_NeikiAnalytics.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\f0c92d9c09e40a216df4554d38ff01c0_NeikiAnalytics.exe"
  PID: 968
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 968 -s 396
      PID: 3028
      - Program crash

    C:\Users\Admin\AppData\Local\Temp\f0c92d9c09e40a216df4554d38ff01c0_NeikiAnalytics.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\f0c92d9c09e40a216df4554d38ff01c0_NeikiAnalytics.exe
      PID: 2096
      - Deletes itself
      - Executes dropped EXE
      - Suspicious use of UnmapMainImage

        C:\Windows\SysWOW64\WerFault.exe
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2096 -s 364
          PID: 1944
          - Program crash

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 968 -ip 968
  PID: 2752

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2096 -ip 2096
  PID: 5112
Network
MITRE ATT&CK Matrix
Downloads

Filesize: 288KB
MD5: 2a11ace9c315ce46eba260e06a2b3a83
SHA1: a5ea3afdcb02d10b090d01d346adc4476b0573fd
SHA256: 90f17324e9014760128a7bbd12d642caeba2ddfdb0ed7e862a5fa43e3ef80ec9
SHA512: f75f2c53405731f900edae687e777b28eca2755b931173226f4a4901c91b49247cd5b93f4faa03624c1228816712485f051ad57b091200fa8eb2e6bf8eae7395