Analysis Overview
SHA256
43705c7d3c4baf61f146e949d8ecbda72a297ad7a7b5ca3df6bafb990596f40d
Threat Level: Known bad
The file 76a02ca2695f0e82fee03da54f04a8f0_NeikiAnalytics.exe was found to be: Known bad.
Malicious Activity Summary
Berbew family
Malware Dropper & Backdoor - Berbew
Deletes itself
Executes dropped EXE
Loads dropped DLL
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-05-31 04:12
Signatures
Berbew family
Malware Dropper & Backdoor - Berbew
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-31 04:12
Reported
2024-05-31 04:14
Platform
win10v2004-20240508-en
Max time kernel
133s
Max time network
149s
Command Line
Signatures
Malware Dropper & Backdoor - Berbew
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Deletes itself
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4546.tmp | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4546.tmp | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 4852 wrote to memory of 860 | N/A | C:\Users\Admin\AppData\Local\Temp\76a02ca2695f0e82fee03da54f04a8f0_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\4546.tmp |
| PID 4852 wrote to memory of 860 | N/A | C:\Users\Admin\AppData\Local\Temp\76a02ca2695f0e82fee03da54f04a8f0_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\4546.tmp |
| PID 4852 wrote to memory of 860 | N/A | C:\Users\Admin\AppData\Local\Temp\76a02ca2695f0e82fee03da54f04a8f0_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\4546.tmp |
Processes
C:\Users\Admin\AppData\Local\Temp\76a02ca2695f0e82fee03da54f04a8f0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\76a02ca2695f0e82fee03da54f04a8f0_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Local\Temp\4546.tmp
"C:\Users\Admin\AppData\Local\Temp\4546.tmp" --pingC:\Users\Admin\AppData\Local\Temp\76a02ca2695f0e82fee03da54f04a8f0_NeikiAnalytics.exe BC5F2279AA85E17A6918DAEF259C247DEFB5E5A4EBF13259B8DCFEEEA4029A7336F1542340C6C5777DFECA5B0B87C4EE0996637088570316E324F5C8B436DEBC
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 16.24.18.2.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
Files
memory/4852-0-0x0000000000400000-0x0000000000489000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\4546.tmp
| Hash | Value |
|---|---|
| MD5 | 6805bb46ce7caf4aeca111034ed256bb |
| SHA1 | f54ca0beb4cc11281eab2ed320052bcaf22b395f |
| SHA256 | bf5e9a0b0d1e6c3d87bb610d3cd46a6f2693c3ad55e3225be2724ecbf244a45b |
| SHA512 | 5cc093917c5329fc18eeabdd55e2531efba84156f3c5881e188b7ce7a9ccb2e3d235a3c26af454023b3d8816458064c83b6eef9a89979929696f18799c39bb40 |
memory/4852-3-0x0000000000400000-0x0000000000489000-memory.dmp
memory/860-6-0x0000000000400000-0x0000000000489000-memory.dmp
memory/860-7-0x0000000000400000-0x0000000000489000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-31 04:12
Reported
2024-05-31 04:14
Platform
win7-20240221-en
Max time kernel
118s
Max time network
119s
Command Line
Signatures
Malware Dropper & Backdoor - Berbew
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Deletes itself
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1371.tmp | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1371.tmp | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\76a02ca2695f0e82fee03da54f04a8f0_NeikiAnalytics.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2088 wrote to memory of 2964 | N/A | C:\Users\Admin\AppData\Local\Temp\76a02ca2695f0e82fee03da54f04a8f0_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\1371.tmp |
| PID 2088 wrote to memory of 2964 | N/A | C:\Users\Admin\AppData\Local\Temp\76a02ca2695f0e82fee03da54f04a8f0_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\1371.tmp |
| PID 2088 wrote to memory of 2964 | N/A | C:\Users\Admin\AppData\Local\Temp\76a02ca2695f0e82fee03da54f04a8f0_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\1371.tmp |
| PID 2088 wrote to memory of 2964 | N/A | C:\Users\Admin\AppData\Local\Temp\76a02ca2695f0e82fee03da54f04a8f0_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\1371.tmp |
Processes
C:\Users\Admin\AppData\Local\Temp\76a02ca2695f0e82fee03da54f04a8f0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\76a02ca2695f0e82fee03da54f04a8f0_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Local\Temp\1371.tmp
"C:\Users\Admin\AppData\Local\Temp\1371.tmp" --pingC:\Users\Admin\AppData\Local\Temp\76a02ca2695f0e82fee03da54f04a8f0_NeikiAnalytics.exe AC2B3D31B8E54D9ADE6032A704B0F10B9B8832CEE158841D3D6DE1504C545363025A5223AA47ADDFF4DE80AA2BEA2662D5E786F7CD0157898DF585AD17B0C063
Network
Files
memory/2088-0-0x0000000000400000-0x0000000000489000-memory.dmp
\Users\Admin\AppData\Local\Temp\1371.tmp
| Hash | Value |
|---|---|
| MD5 | 434fc90e974ca04d6cd6a3c1b345c94c |
| SHA1 | 07eeb7f340ff775999a4092cc7cc9aa1c423d5fa |
| SHA256 | 6c2b17bff7d8bec200a69ac518cc20ad87ca84fdf372222fd1e5af9ea681707b |
| SHA512 | f51e62245f9aed68580b5bce4b1dbf4a1ac3120d84721874c0ee72fb31fc7285be208e22ae704f789c873f2ab720e7cd9ac8a8dba1967681a0d51a9b70257fdb |
memory/2088-4-0x0000000000490000-0x0000000000519000-memory.dmp
memory/2088-7-0x0000000000400000-0x0000000000489000-memory.dmp
memory/2964-8-0x0000000000400000-0x0000000000489000-memory.dmp
memory/2964-9-0x0000000000400000-0x0000000000489000-memory.dmp