Analysis

max time kernel: 118s
max time network: 119s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 31-05-2024 04:12

Behavioral task: behavioral1
Sample: 76a02ca2695f0e82fee03da54f04a8f0_NeikiAnalytics.exe
Resource: win7-20240221-en
General

Target: 76a02ca2695f0e82fee03da54f04a8f0_NeikiAnalytics.exe
Size: 640KB
MD5: 76a02ca2695f0e82fee03da54f04a8f0
SHA1: d23c8db597a19a7a6f4cfc8066fb5230d3af54c5
SHA256: 43705c7d3c4baf61f146e949d8ecbda72a297ad7a7b5ca3df6bafb990596f40d
SHA512: 278e2ee12a53cc1cb4f32b368ad0192c214b65b9bdcef6566b9610f99cd9bafd0ffaa3107449b2c0b3532f0f653c27278aabc6eea2b8338b65c407112803365f
SSDEEP: 12288:HWBm+95nHfF2mgewFx5rPTvnpQ/HPv+EKxfn1kfgjdkAnUKkD57lc0fzEV/d9RIj:HWBz95ndbgfx5LbpavvKQgjTnUKkD57B
Malware Config

Signatures

Malware Dropper & Backdoor - Berbew (1 IoC)
Berbew is a backdoor Trojan able to download and install a range of additional malicious software, such as other Trojans, ransomware and cryptominers.
Processes:
  resource                                    yara_rule
  \Users\Admin\AppData\Local\Temp\1371.tmp    family_berbew

Deletes itself (1 IoC)
Processes:
  pid    process
  2964   1371.tmp

Executes dropped EXE (1 IoC)
Processes:
  pid    process
  2964   1371.tmp

Loads dropped DLL (1 IoC)
Processes:
  pid    process
  2088   76a02ca2695f0e82fee03da54f04a8f0_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory (4 IoCs)
Processes:
  description                         pid    process                                                target process
  PID 2088 wrote to memory of 2964    2088   76a02ca2695f0e82fee03da54f04a8f0_NeikiAnalytics.exe    1371.tmp
  PID 2088 wrote to memory of 2964    2088   76a02ca2695f0e82fee03da54f04a8f0_NeikiAnalytics.exe    1371.tmp
  PID 2088 wrote to memory of 2964    2088   76a02ca2695f0e82fee03da54f04a8f0_NeikiAnalytics.exe    1371.tmp
  PID 2088 wrote to memory of 2964    2088   76a02ca2695f0e82fee03da54f04a8f0_NeikiAnalytics.exe    1371.tmp
Processes

C:\Users\Admin\AppData\Local\Temp\76a02ca2695f0e82fee03da54f04a8f0_NeikiAnalytics.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\76a02ca2695f0e82fee03da54f04a8f0_NeikiAnalytics.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID: 2088

  C:\Users\Admin\AppData\Local\Temp\1371.tmp
    Command line: "C:\Users\Admin\AppData\Local\Temp\1371.tmp" --ping C:\Users\Admin\AppData\Local\Temp\76a02ca2695f0e82fee03da54f04a8f0_NeikiAnalytics.exe AC2B3D31B8E54D9ADE6032A704B0F10B9B8832CEE158841D3D6DE1504C545363025A5223AA47ADDFF4DE80AA2BEA2662D5E786F7CD0157898DF585AD17B0C063
    - Deletes itself
    - Executes dropped EXE
    PID: 2964
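The launch pattern in this tree is the part worth turning into a detection: a dropper running from a user's %TEMP% directory starts a .tmp executable from the same directory, the dropper writes into that child's memory, and the child is passed the dropper's own path after a --ping switch (the child is the process the sandbox tags "Deletes itself"). The following is an added example, not part of the sandbox report and not code from the sample's author: it runs that check over Sysmon-style process-creation records. The ProcessCreate record type, its field names, the sample events (the two from this tree plus two decoys) and the placeholder hex argument are all constructed for the example.

```python
"""Flag a %TEMP% dropper launching a %TEMP% *.tmp helper with --ping <dropper path>.

The event records below are CONSTRUCTED for this example (Sysmon Event ID 1-like
fields chosen for illustration); they are not log data from the sandbox run.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# <drive>:\Users\<name>\AppData\Local\Temp\... (case-insensitive)
USER_TEMP_RE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)
# Argument following --ping, quoted or not. The space after the switch is
# optional because report extraction sometimes fuses the switch and the path.
PING_ARG_RE = re.compile(r'--ping\s*"?([^"\s]+)"?', re.I)


@dataclass(frozen=True)
class ProcessCreate:  # assumed record shape, not a Sysmon schema
    pid: int
    ppid: int
    image: str
    parent_image: str
    command_line: str


def in_user_temp(path: str) -> bool:
    """True if path lies under a user's AppData\\Local\\Temp."""
    return USER_TEMP_RE.match(path) is not None


def ping_target(command_line: str) -> Optional[str]:
    """Return the path given after --ping, or None if the switch is absent."""
    m = PING_ARG_RE.search(command_line)
    return m.group(1) if m else None


def is_temp_ping_helper(ev: ProcessCreate) -> bool:
    """Match the helper from the report: a .tmp in %TEMP%, spawned by a parent
    that also lives in %TEMP%, and told to --ping exactly that parent's path."""
    if not ev.image.lower().endswith(".tmp"):
        return False
    if not (in_user_temp(ev.image) and in_user_temp(ev.parent_image)):
        return False
    target = ping_target(ev.command_line)
    return target is not None and target.lower() == ev.parent_image.lower()


def find_ping_helpers(events: List[ProcessCreate]) -> List[int]:
    """PIDs of the events that match, in input order."""
    return [ev.pid for ev in events if is_temp_ping_helper(ev)]


# Constructed sample events: the two processes from the report's tree plus
# two decoys that share some of the features but not the full pattern.
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
DROPPER = TEMP + r"\76a02ca2695f0e82fee03da54f04a8f0_NeikiAnalytics.exe"
HELPER = TEMP + r"\1371.tmp"

SAMPLE_EVENTS = [
    ProcessCreate(2088, 1500, DROPPER, r"C:\Windows\explorer.exe", f'"{DROPPER}"'),
    ProcessCreate(2964, 2088, HELPER, DROPPER,
                  f'"{HELPER}" --ping {DROPPER} 0123456789ABCDEF'),  # placeholder hex
    # Decoy 1: same parent, but a system binary that merely runs ping.exe.
    ProcessCreate(3001, 2088, r"C:\Windows\System32\cmd.exe", DROPPER,
                  "cmd.exe /c ping 127.0.0.1"),
    # Decoy 2: an installer-style .tmp in %TEMP% started by Explorer; neither
    # the parent location nor the --ping argument fits the pattern.
    ProcessCreate(3002, 1500, TEMP + r"\is-ABCD.tmp", r"C:\Windows\explorer.exe",
                  f'"{TEMP}\\is-ABCD.tmp" --ping C:\\Other\\setup.exe'),
]

if __name__ == "__main__":
    for pid in find_ping_helpers(SAMPLE_EVENTS):
        print(f"suspicious %TEMP% helper launch: pid {pid}")
```

Requiring the --ping argument to name the parent's own path is what keeps this from firing on ordinary installers, which also run .tmp executables out of %TEMP% but are started by Explorer or a setup binary elsewhere. The trailing hex argument in the report is not used by the logic, because the report does not say what it encodes.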
Network
MITRE ATT&CK Matrix
Downloads

Filesize: 640KB
MD5: 434fc90e974ca04d6cd6a3c1b345c94c
SHA1: 07eeb7f340ff775999a4092cc7cc9aa1c423d5fa
SHA256: 6c2b17bff7d8bec200a69ac518cc20ad87ca84fdf372222fd1e5af9ea681707b
SHA512: f51e62245f9aed68580b5bce4b1dbf4a1ac3120d84721874c0ee72fb31fc7285be208e22ae704f789c873f2ab720e7cd9ac8a8dba1967681a0d51a9b70257fdb