Analysis

  • max time kernel
    121s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
  • submitted
    31-05-2024 00:40

General

  • Target

    6fa5b6efe1c0d617763be525ca9e1ae0_NeikiAnalytics.exe

  • Size

    448KB

  • MD5

    6fa5b6efe1c0d617763be525ca9e1ae0

  • SHA1

    8516bd6e9137c637b3c7f6557c7850afbb7294c8

  • SHA256

    1e8d069ef4f60038201de6d82eae18114ba134740ceaae7b905afafe953ef38c

  • SHA512

    178479b796ba9ddbed46f8b31da74064d9dfab74cce5eee2c42af66b381ac4319a228e7be666850d1732757c2430ebf94af5e6f59142f5c63b835fcea42d4901

  • SSDEEP

    6144:KonNLIc1+9D9BA+pC95vvKAUOeTUF1em5sjR5jfaVPhpkEjiPISUOgW9X+hOGzCq:p+pC95vSALgUF1em5s1ukmZzcukG2/

Score
10/10

Malware Config

Signatures

  • Malware Dropper & Backdoor - Berbew 1 IoCs

    Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Drops file in System32 directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6fa5b6efe1c0d617763be525ca9e1ae0_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\6fa5b6efe1c0d617763be525ca9e1ae0_NeikiAnalytics.exe"
    1⤵
    • Drops file in System32 directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2180
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\windows\system32\TIXIEV.exe.bat" "
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2896
      • C:\windows\SysWOW64\TIXIEV.exe
        C:\windows\system32\TIXIEV.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        PID:2136

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Windows\SysWOW64\TIXIEV.exe.bat

    Filesize

    76B

    MD5

    36f507fc95f1649271cc66af82a00418

    SHA1

    5ac5aa18215911ba8bb0280a844524962c9bd28d

    SHA256

    e89af3fd9adaa2784f35cd4c3d545b8cd7c58562ae32b91c8050890a01efc622

    SHA512

    2882c3c5fd16fd4b6ef54461a94471d237c874b3ba5d652e48fc39bb55374a2669c3aad0982b6a6e97895303162a887f23481babd40dab4471f177f1cee21a32

  • \Windows\SysWOW64\TIXIEV.exe

    Filesize

    448KB

    MD5

    810ad89c962132a587c198452dee996d

    SHA1

    43319ff8dda9962689e70b6759aee1c1b250063b

    SHA256

    02e69b84aa26b9f96245a2a13259dab30f441a305ffa3ca54e6d0b9f53557e46

    SHA512

    a3250fa36b528c94df3f74d408d6d5e544aa6c10b4095fb630a699e275b5a23d9c0cd6f73310d2379bb7516d73f20a390536075aacdc7cbd41b117e8db5a8c94

  • memory/2136-18-0x0000000000400000-0x0000000000439000-memory.dmp

    Filesize

    228KB

  • memory/2136-19-0x0000000000400000-0x0000000000439000-memory.dmp

    Filesize

    228KB

  • memory/2180-0-0x0000000000400000-0x0000000000439000-memory.dmp

    Filesize

    228KB

  • memory/2180-12-0x0000000000400000-0x0000000000439000-memory.dmp

    Filesize

    228KB