Malware Analysis Report

2024-10-24 20:05

Sample ID 240531-esmqjsef5z
Target 76a02ca2695f0e82fee03da54f04a8f0_NeikiAnalytics.exe
SHA256 43705c7d3c4baf61f146e949d8ecbda72a297ad7a7b5ca3df6bafb990596f40d
Tags
backdoor dropper trojan berbew
score
10/10


Analysis Overview

score
10/10

SHA256

43705c7d3c4baf61f146e949d8ecbda72a297ad7a7b5ca3df6bafb990596f40d

Threat Level: Known bad

The file 76a02ca2695f0e82fee03da54f04a8f0_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

backdoor dropper trojan berbew

Berbew family

Malware Dropper & Backdoor - Berbew

Deletes itself

Executes dropped EXE

Loads dropped DLL

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-31 04:12

Signatures

Berbew family

berbew

Malware Dropper & Backdoor - Berbew

backdoor trojan dropper
Description  Indicator  Process  Target
N/A          N/A        N/A      N/A

Unsigned PE

Description  Indicator  Process  Target
N/A          N/A        N/A      N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-31 04:12

Reported

2024-05-31 04:14

Platform

win10v2004-20240508-en

Max time kernel

133s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\76a02ca2695f0e82fee03da54f04a8f0_NeikiAnalytics.exe"

Signatures

Malware Dropper & Backdoor - Berbew

backdoor trojan dropper
Description  Indicator  Process  Target
N/A          N/A        N/A      N/A

Deletes itself

Description  Indicator  Process                                     Target
N/A          N/A        C:\Users\Admin\AppData\Local\Temp\4546.tmp  N/A

Executes dropped EXE

Description  Indicator  Process                                     Target
N/A          N/A        C:\Users\Admin\AppData\Local\Temp\4546.tmp  N/A

Processes

C:\Users\Admin\AppData\Local\Temp\76a02ca2695f0e82fee03da54f04a8f0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\76a02ca2695f0e82fee03da54f04a8f0_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Local\Temp\4546.tmp

"C:\Users\Admin\AppData\Local\Temp\4546.tmp" --pingC:\Users\Admin\AppData\Local\Temp\76a02ca2695f0e82fee03da54f04a8f0_NeikiAnalytics.exe BC5F2279AA85E17A6918DAEF259C247DEFB5E5A4EBF13259B8DCFEEEA4029A7336F1542340C6C5777DFECA5B0B87C4EE0996637088570316E324F5C8B436DEBC

Network

Country  Destination         Domain                         Proto
US       8.8.8.8:53          149.220.183.52.in-addr.arpa    udp
US       8.8.8.8:53          64.159.190.20.in-addr.arpa     udp
US       8.8.8.8:53          16.24.18.2.in-addr.arpa        udp
NL       23.62.61.97:443     www.bing.com                   tcp
US       8.8.8.8:53          57.169.31.20.in-addr.arpa      udp
US       8.8.8.8:53          97.61.62.23.in-addr.arpa       udp
US       8.8.8.8:53          13.86.106.20.in-addr.arpa      udp
US       8.8.8.8:53          157.123.68.40.in-addr.arpa     udp
US       8.8.8.8:53          15.164.165.52.in-addr.arpa     udp
US       8.8.8.8:53          172.210.232.199.in-addr.arpa   udp
US       8.8.8.8:53          25.24.18.2.in-addr.arpa        udp
US       8.8.8.8:53          14.227.111.52.in-addr.arpa     udp
US       8.8.8.8:53          tse1.mm.bing.net               udp
US       204.79.197.200:443  tse1.mm.bing.net               tcp
US       204.79.197.200:443  tse1.mm.bing.net               tcp
US       204.79.197.200:443  tse1.mm.bing.net               tcp
US       204.79.197.200:443  tse1.mm.bing.net               tcp

Files

memory/4852-0-0x0000000000400000-0x0000000000489000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\4546.tmp

MD5 6805bb46ce7caf4aeca111034ed256bb
SHA1 f54ca0beb4cc11281eab2ed320052bcaf22b395f
SHA256 bf5e9a0b0d1e6c3d87bb610d3cd46a6f2693c3ad55e3225be2724ecbf244a45b
SHA512 5cc093917c5329fc18eeabdd55e2531efba84156f3c5881e188b7ce7a9ccb2e3d235a3c26af454023b3d8816458064c83b6eef9a89979929696f18799c39bb40

memory/4852-3-0x0000000000400000-0x0000000000489000-memory.dmp

memory/860-6-0x0000000000400000-0x0000000000489000-memory.dmp

memory/860-7-0x0000000000400000-0x0000000000489000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-31 04:12

Reported

2024-05-31 04:14

Platform

win7-20240221-en

Max time kernel

118s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\76a02ca2695f0e82fee03da54f04a8f0_NeikiAnalytics.exe"

Signatures

Malware Dropper & Backdoor - Berbew

backdoor trojan dropper
Description  Indicator  Process  Target
N/A          N/A        N/A      N/A

Deletes itself

Description  Indicator  Process                                     Target
N/A          N/A        C:\Users\Admin\AppData\Local\Temp\1371.tmp  N/A

Executes dropped EXE

Description  Indicator  Process                                     Target
N/A          N/A        C:\Users\Admin\AppData\Local\Temp\1371.tmp  N/A

Loads dropped DLL

Description  Indicator  Process                                                                          Target
N/A          N/A        C:\Users\Admin\AppData\Local\Temp\76a02ca2695f0e82fee03da54f04a8f0_NeikiAnalytics.exe  N/A

Processes

C:\Users\Admin\AppData\Local\Temp\76a02ca2695f0e82fee03da54f04a8f0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\76a02ca2695f0e82fee03da54f04a8f0_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Local\Temp\1371.tmp

"C:\Users\Admin\AppData\Local\Temp\1371.tmp" --pingC:\Users\Admin\AppData\Local\Temp\76a02ca2695f0e82fee03da54f04a8f0_NeikiAnalytics.exe AC2B3D31B8E54D9ADE6032A704B0F10B9B8832CEE158841D3D6DE1504C545363025A5223AA47ADDFF4DE80AA2BEA2662D5E786F7CD0157898DF585AD17B0C063

Network

N/A

Files

memory/2088-0-0x0000000000400000-0x0000000000489000-memory.dmp

\Users\Admin\AppData\Local\Temp\1371.tmp

MD5 434fc90e974ca04d6cd6a3c1b345c94c
SHA1 07eeb7f340ff775999a4092cc7cc9aa1c423d5fa
SHA256 6c2b17bff7d8bec200a69ac518cc20ad87ca84fdf372222fd1e5af9ea681707b
SHA512 f51e62245f9aed68580b5bce4b1dbf4a1ac3120d84721874c0ee72fb31fc7285be208e22ae704f789c873f2ab720e7cd9ac8a8dba1967681a0d51a9b70257fdb

memory/2088-4-0x0000000000490000-0x0000000000519000-memory.dmp

memory/2088-7-0x0000000000400000-0x0000000000489000-memory.dmp

memory/2964-8-0x0000000000400000-0x0000000000489000-memory.dmp

memory/2964-9-0x0000000000400000-0x0000000000489000-memory.dmp