Analysis Overview
SHA256
26f7319e044c6297555844672e3eebde61407231c8baa067977807af7312e744
Threat Level: Known bad
The file 763ba4152f47ead0f3071bf72b57b0b0_NeikiAnalytics.exe was found to be: Known bad.
Malicious Activity Summary
Malware Dropper & Backdoor - Berbew
Berbew family
Loads dropped DLL
Deletes itself
Executes dropped EXE
Unsigned PE
Program crash
Suspicious use of WriteProcessMemory
Suspicious behavior: RenamesItself
Suspicious use of UnmapMainImage
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-05-31 04:02
Signatures
Berbew family
Malware Dropper & Backdoor - Berbew
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-31 04:02
Reported
2024-05-31 04:05
Platform
win7-20240221-en
Max time kernel
117s
Max time network
123s
Command Line
Signatures
Malware Dropper & Backdoor - Berbew
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\763ba4152f47ead0f3071bf72b57b0b0_NeikiAnalytics.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\763ba4152f47ead0f3071bf72b57b0b0_NeikiAnalytics.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\763ba4152f47ead0f3071bf72b57b0b0_NeikiAnalytics.exe | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\763ba4152f47ead0f3071bf72b57b0b0_NeikiAnalytics.exe | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\763ba4152f47ead0f3071bf72b57b0b0_NeikiAnalytics.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2020 wrote to memory of 2212 | N/A | C:\Users\Admin\AppData\Local\Temp\763ba4152f47ead0f3071bf72b57b0b0_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\763ba4152f47ead0f3071bf72b57b0b0_NeikiAnalytics.exe |
| PID 2020 wrote to memory of 2212 | N/A | C:\Users\Admin\AppData\Local\Temp\763ba4152f47ead0f3071bf72b57b0b0_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\763ba4152f47ead0f3071bf72b57b0b0_NeikiAnalytics.exe |
| PID 2020 wrote to memory of 2212 | N/A | C:\Users\Admin\AppData\Local\Temp\763ba4152f47ead0f3071bf72b57b0b0_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\763ba4152f47ead0f3071bf72b57b0b0_NeikiAnalytics.exe |
| PID 2020 wrote to memory of 2212 | N/A | C:\Users\Admin\AppData\Local\Temp\763ba4152f47ead0f3071bf72b57b0b0_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\763ba4152f47ead0f3071bf72b57b0b0_NeikiAnalytics.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\763ba4152f47ead0f3071bf72b57b0b0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\763ba4152f47ead0f3071bf72b57b0b0_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Local\Temp\763ba4152f47ead0f3071bf72b57b0b0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\763ba4152f47ead0f3071bf72b57b0b0_NeikiAnalytics.exe
Network
Files
memory/2020-0-0x0000000000400000-0x0000000000441000-memory.dmp
\Users\Admin\AppData\Local\Temp\763ba4152f47ead0f3071bf72b57b0b0_NeikiAnalytics.exe
| MD5 | c9eba9dd241bfbd0c76ee893f813eae1 |
| SHA1 | 9c89c4505d1a4880338f48b631634f1bea0e1ae6 |
| SHA256 | a13bceb47395a3f08b9b9a3b1e6e0e56778e265c521dba23378b30877dddf7f0 |
| SHA512 | ad0a2dc74656f3c77ce6fb9d64817d8426673c8415fd9d442cf2cf93b764ddce5b5d29e683d114f3633500f79e50336481d7b2b2a5c0714e64282a189b7d7e1e |
memory/2020-6-0x0000000000130000-0x0000000000171000-memory.dmp
memory/2020-10-0x0000000000400000-0x0000000000441000-memory.dmp
memory/2212-12-0x0000000000400000-0x000000000041A000-memory.dmp
memory/2212-16-0x00000000001B0000-0x00000000001F1000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-31 04:02
Reported
2024-05-31 04:05
Platform
win10v2004-20240508-en
Max time kernel
94s
Max time network
96s
Command Line
Signatures
Malware Dropper & Backdoor - Berbew
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\763ba4152f47ead0f3071bf72b57b0b0_NeikiAnalytics.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\763ba4152f47ead0f3071bf72b57b0b0_NeikiAnalytics.exe | N/A |
Program crash
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\763ba4152f47ead0f3071bf72b57b0b0_NeikiAnalytics.exe | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\763ba4152f47ead0f3071bf72b57b0b0_NeikiAnalytics.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 392 wrote to memory of 3996 | N/A | C:\Users\Admin\AppData\Local\Temp\763ba4152f47ead0f3071bf72b57b0b0_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\763ba4152f47ead0f3071bf72b57b0b0_NeikiAnalytics.exe |
| PID 392 wrote to memory of 3996 | N/A | C:\Users\Admin\AppData\Local\Temp\763ba4152f47ead0f3071bf72b57b0b0_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\763ba4152f47ead0f3071bf72b57b0b0_NeikiAnalytics.exe |
| PID 392 wrote to memory of 3996 | N/A | C:\Users\Admin\AppData\Local\Temp\763ba4152f47ead0f3071bf72b57b0b0_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\763ba4152f47ead0f3071bf72b57b0b0_NeikiAnalytics.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\763ba4152f47ead0f3071bf72b57b0b0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\763ba4152f47ead0f3071bf72b57b0b0_NeikiAnalytics.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 392 -ip 392
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 392 -s 396
C:\Users\Admin\AppData\Local\Temp\763ba4152f47ead0f3071bf72b57b0b0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\763ba4152f47ead0f3071bf72b57b0b0_NeikiAnalytics.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3996 -ip 3996
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3996 -s 364
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
Files
memory/392-0-0x0000000000400000-0x0000000000441000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\763ba4152f47ead0f3071bf72b57b0b0_NeikiAnalytics.exe
| MD5 | 006e91a929de8999dd65891c9ac59d8c |
| SHA1 | faaefb517bc1153ad47960aa6bf83aa8e8408f5a |
| SHA256 | b463a5ebb12c065720f705cf2361f572ed2e71a6fa45c0ff359226980a1a230d |
| SHA512 | 7969c9be3e4cc15680d253f3d980364e9c628792f78d9c141387a971a7b71ca112836f83f677c5215366621295e004ee8c2334ff32a47bd799fd95f2d3bc6a00 |
memory/392-6-0x0000000000400000-0x0000000000441000-memory.dmp
memory/3996-7-0x0000000000400000-0x0000000000441000-memory.dmp
memory/3996-8-0x0000000000400000-0x000000000041A000-memory.dmp
memory/3996-13-0x00000000014C0000-0x0000000001501000-memory.dmp