Malware Analysis Report

2024-10-24 20:03

Sample ID 240531-el2acsfe45
Target 763ba4152f47ead0f3071bf72b57b0b0_NeikiAnalytics.exe
SHA256 26f7319e044c6297555844672e3eebde61407231c8baa067977807af7312e744
Tags
backdoor dropper trojan berbew
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

26f7319e044c6297555844672e3eebde61407231c8baa067977807af7312e744

Threat Level: Known bad

The file 763ba4152f47ead0f3071bf72b57b0b0_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

backdoor dropper trojan berbew

Malware Dropper & Backdoor - Berbew

Berbew family

Loads dropped DLL

Deletes itself

Executes dropped EXE

Unsigned PE

Program crash

Suspicious use of WriteProcessMemory

Suspicious behavior: RenamesItself

Suspicious use of UnmapMainImage

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-31 04:02

Signatures

Berbew family

berbew

Malware Dropper & Backdoor - Berbew

backdoor trojan dropper
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-31 04:02

Reported

2024-05-31 04:05

Platform

win7-20240221-en

Max time kernel

117s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\763ba4152f47ead0f3071bf72b57b0b0_NeikiAnalytics.exe"

Signatures

Malware Dropper & Backdoor - Berbew

backdoor trojan dropper
Description Indicator Process Target
N/A N/A N/A N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\763ba4152f47ead0f3071bf72b57b0b0_NeikiAnalytics.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\763ba4152f47ead0f3071bf72b57b0b0_NeikiAnalytics.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\763ba4152f47ead0f3071bf72b57b0b0_NeikiAnalytics.exe N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\763ba4152f47ead0f3071bf72b57b0b0_NeikiAnalytics.exe N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\763ba4152f47ead0f3071bf72b57b0b0_NeikiAnalytics.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\763ba4152f47ead0f3071bf72b57b0b0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\763ba4152f47ead0f3071bf72b57b0b0_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Local\Temp\763ba4152f47ead0f3071bf72b57b0b0_NeikiAnalytics.exe

C:\Users\Admin\AppData\Local\Temp\763ba4152f47ead0f3071bf72b57b0b0_NeikiAnalytics.exe

Network

N/A

Files

memory/2020-0-0x0000000000400000-0x0000000000441000-memory.dmp

\Users\Admin\AppData\Local\Temp\763ba4152f47ead0f3071bf72b57b0b0_NeikiAnalytics.exe

MD5 c9eba9dd241bfbd0c76ee893f813eae1
SHA1 9c89c4505d1a4880338f48b631634f1bea0e1ae6
SHA256 a13bceb47395a3f08b9b9a3b1e6e0e56778e265c521dba23378b30877dddf7f0
SHA512 ad0a2dc74656f3c77ce6fb9d64817d8426673c8415fd9d442cf2cf93b764ddce5b5d29e683d114f3633500f79e50336481d7b2b2a5c0714e64282a189b7d7e1e

memory/2020-6-0x0000000000130000-0x0000000000171000-memory.dmp

memory/2020-10-0x0000000000400000-0x0000000000441000-memory.dmp

memory/2212-12-0x0000000000400000-0x000000000041A000-memory.dmp

memory/2212-16-0x00000000001B0000-0x00000000001F1000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-31 04:02

Reported

2024-05-31 04:05

Platform

win10v2004-20240508-en

Max time kernel

94s

Max time network

96s

Command Line

"C:\Users\Admin\AppData\Local\Temp\763ba4152f47ead0f3071bf72b57b0b0_NeikiAnalytics.exe"

Signatures

Malware Dropper & Backdoor - Berbew

backdoor trojan dropper
Description Indicator Process Target
N/A N/A N/A N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\763ba4152f47ead0f3071bf72b57b0b0_NeikiAnalytics.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\763ba4152f47ead0f3071bf72b57b0b0_NeikiAnalytics.exe N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\763ba4152f47ead0f3071bf72b57b0b0_NeikiAnalytics.exe N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\763ba4152f47ead0f3071bf72b57b0b0_NeikiAnalytics.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\763ba4152f47ead0f3071bf72b57b0b0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\763ba4152f47ead0f3071bf72b57b0b0_NeikiAnalytics.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 392 -ip 392

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 392 -s 396

C:\Users\Admin\AppData\Local\Temp\763ba4152f47ead0f3071bf72b57b0b0_NeikiAnalytics.exe

C:\Users\Admin\AppData\Local\Temp\763ba4152f47ead0f3071bf72b57b0b0_NeikiAnalytics.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3996 -ip 3996

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3996 -s 364

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

memory/392-0-0x0000000000400000-0x0000000000441000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\763ba4152f47ead0f3071bf72b57b0b0_NeikiAnalytics.exe

MD5 006e91a929de8999dd65891c9ac59d8c
SHA1 faaefb517bc1153ad47960aa6bf83aa8e8408f5a
SHA256 b463a5ebb12c065720f705cf2361f572ed2e71a6fa45c0ff359226980a1a230d
SHA512 7969c9be3e4cc15680d253f3d980364e9c628792f78d9c141387a971a7b71ca112836f83f677c5215366621295e004ee8c2334ff32a47bd799fd95f2d3bc6a00

memory/392-6-0x0000000000400000-0x0000000000441000-memory.dmp

memory/3996-7-0x0000000000400000-0x0000000000441000-memory.dmp

memory/3996-8-0x0000000000400000-0x000000000041A000-memory.dmp

memory/3996-13-0x00000000014C0000-0x0000000001501000-memory.dmp