Analysis
-
max time kernel
121s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64 arch:x86 image:win7-20240508-en locale:en-us os:windows7-x64 system -
submitted
31-05-2024 00:40
Behavioral task
behavioral1
Sample
6fa5b6efe1c0d617763be525ca9e1ae0_NeikiAnalytics.exe
Resource
win7-20240508-en
General
-
Target
6fa5b6efe1c0d617763be525ca9e1ae0_NeikiAnalytics.exe
-
Size
448KB
-
MD5
6fa5b6efe1c0d617763be525ca9e1ae0
-
SHA1
8516bd6e9137c637b3c7f6557c7850afbb7294c8
-
SHA256
1e8d069ef4f60038201de6d82eae18114ba134740ceaae7b905afafe953ef38c
-
SHA512
178479b796ba9ddbed46f8b31da74064d9dfab74cce5eee2c42af66b381ac4319a228e7be666850d1732757c2430ebf94af5e6f59142f5c63b835fcea42d4901
-
SSDEEP
6144:KonNLIc1+9D9BA+pC95vvKAUOeTUF1em5sjR5jfaVPhpkEjiPISUOgW9X+hOGzCq:p+pC95vSALgUF1em5s1ukmZzcukG2/
Malware Config
Signatures
-
Malware Dropper & Backdoor - Berbew 1 IoCs
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
Processes:
resource yara_rule
\Windows\SysWOW64\TIXIEV.exe family_berbew -
Executes dropped EXE 1 IoCs
Processes: TIXIEV.exe
pid process
2136 TIXIEV.exe -
Loads dropped DLL 2 IoCs
Processes: cmd.exe
pid process
2896 cmd.exe
2896 cmd.exe -
Drops file in System32 directory 3 IoCs
Processes: 6fa5b6efe1c0d617763be525ca9e1ae0_NeikiAnalytics.exe
description ioc process
File created C:\windows\SysWOW64\TIXIEV.exe.bat 6fa5b6efe1c0d617763be525ca9e1ae0_NeikiAnalytics.exe
File created C:\windows\SysWOW64\TIXIEV.exe 6fa5b6efe1c0d617763be525ca9e1ae0_NeikiAnalytics.exe
File opened for modification C:\windows\SysWOW64\TIXIEV.exe 6fa5b6efe1c0d617763be525ca9e1ae0_NeikiAnalytics.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes: 6fa5b6efe1c0d617763be525ca9e1ae0_NeikiAnalytics.exe, TIXIEV.exe
pid process
2180 6fa5b6efe1c0d617763be525ca9e1ae0_NeikiAnalytics.exe
2136 TIXIEV.exe -
Suspicious use of SetWindowsHookEx 4 IoCs
Processes: 6fa5b6efe1c0d617763be525ca9e1ae0_NeikiAnalytics.exe, TIXIEV.exe
pid process
2180 6fa5b6efe1c0d617763be525ca9e1ae0_NeikiAnalytics.exe
2180 6fa5b6efe1c0d617763be525ca9e1ae0_NeikiAnalytics.exe
2136 TIXIEV.exe
2136 TIXIEV.exe -
Suspicious use of WriteProcessMemory 8 IoCs
Processes: 6fa5b6efe1c0d617763be525ca9e1ae0_NeikiAnalytics.exe, cmd.exe
description pid process target process
PID 2180 wrote to memory of 2896 2180 6fa5b6efe1c0d617763be525ca9e1ae0_NeikiAnalytics.exe cmd.exe
PID 2180 wrote to memory of 2896 2180 6fa5b6efe1c0d617763be525ca9e1ae0_NeikiAnalytics.exe cmd.exe
PID 2180 wrote to memory of 2896 2180 6fa5b6efe1c0d617763be525ca9e1ae0_NeikiAnalytics.exe cmd.exe
PID 2180 wrote to memory of 2896 2180 6fa5b6efe1c0d617763be525ca9e1ae0_NeikiAnalytics.exe cmd.exe
PID 2896 wrote to memory of 2136 2896 cmd.exe TIXIEV.exe
PID 2896 wrote to memory of 2136 2896 cmd.exe TIXIEV.exe
PID 2896 wrote to memory of 2136 2896 cmd.exe TIXIEV.exe
PID 2896 wrote to memory of 2136 2896 cmd.exe TIXIEV.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\6fa5b6efe1c0d617763be525ca9e1ae0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\6fa5b6efe1c0d617763be525ca9e1ae0_NeikiAnalytics.exe"
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2180 -
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\windows\system32\TIXIEV.exe.bat" "
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2896 -
C:\windows\SysWOW64\TIXIEV.exe
C:\windows\system32\TIXIEV.exe
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2136
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
76B
MD5
36f507fc95f1649271cc66af82a00418
SHA1
5ac5aa18215911ba8bb0280a844524962c9bd28d
SHA256
e89af3fd9adaa2784f35cd4c3d545b8cd7c58562ae32b91c8050890a01efc622
SHA512
2882c3c5fd16fd4b6ef54461a94471d237c874b3ba5d652e48fc39bb55374a2669c3aad0982b6a6e97895303162a887f23481babd40dab4471f177f1cee21a32
-
Filesize
448KB
MD5
810ad89c962132a587c198452dee996d
SHA1
43319ff8dda9962689e70b6759aee1c1b250063b
SHA256
02e69b84aa26b9f96245a2a13259dab30f441a305ffa3ca54e6d0b9f53557e46
SHA512
a3250fa36b528c94df3f74d408d6d5e544aa6c10b4095fb630a699e275b5a23d9c0cd6f73310d2379bb7516d73f20a390536075aacdc7cbd41b117e8db5a8c94