Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    01-06-2024 22:14

General

  • Target
    017467335df194176bc1b39851b55970_NeikiAnalytics.exe
  • Size
    300KB
  • MD5
    017467335df194176bc1b39851b55970
  • SHA1
    bf002946e5d0a206a6b2ff8e31ab187daaa33985
  • SHA256
    9fe500bb17dc286aa7fbda0e3b161215452d6a2e28bea6397b15b38a12ac4de8
  • SHA512
    db5ec10fef957dd8a86f8a7d2219079df34688cfe9bdaa2be3f9c7ecac21e26c51debc64bc3765bbd197b1b084d582b7a4b032df8c6788125bc58f970fe598a1
  • SSDEEP
    6144:1W+8dV2GqufhcmoZjwszeXmr8SeNpgdyuH1l+/Wd:k+6pymCjb87g4/c

Malware Config

Signatures

  • Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 2 IoCs)
  • Malware Dropper & Backdoor - Berbew (1 IoC)

    Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.

  • Executes dropped EXE (1 IoC)
  • Drops file in System32 directory (3 IoCs)
  • Program crash (1 IoC)
  • Modifies registry class (6 IoCs)
  • Suspicious use of WriteProcessMemory (3 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\017467335df194176bc1b39851b55970_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\017467335df194176bc1b39851b55970_NeikiAnalytics.exe"
    1⤵
    • Adds autorun key to be loaded by Explorer.exe on startup
    • Drops file in System32 directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2676
    • C:\Windows\SysWOW64\Nkcmohbg.exe
      C:\Windows\system32\Nkcmohbg.exe
      2⤵
      • Executes dropped EXE
      PID:4308
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4308 -s 400
        3⤵
        • Program crash
        PID:3268
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4308 -ip 4308
    1⤵
    PID:620

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\SysWOW64\Nkcmohbg.exe
    Filesize
      300KB
    MD5
      95394a1c91dcd325d1714cba879cd79e
    SHA1
      5fd7c4a40da4cf32fce8a0d259abc2602402763f
    SHA256
      b286cbcf369bb955147b93393cf71c5a4ad6334040a7b01d674fc1cc0b794390
    SHA512
      e7c0946b42b1b61fdda5ff17137e4eaa3ef109a2f7e7439d5591078e85e690e0e174a0f1d7217276d2f13a44d915ba602739772e805bf4ba236385c061336717
  • memory/2676-0-0x0000000000400000-0x0000000000442000-memory.dmp
    Filesize
      264KB
  • memory/2676-5-0x0000000000432000-0x0000000000433000-memory.dmp
    Filesize
      4KB
  • memory/2676-11-0x0000000000400000-0x0000000000442000-memory.dmp
    Filesize
      264KB
  • memory/4308-9-0x0000000000400000-0x0000000000442000-memory.dmp
    Filesize
      264KB
  • memory/4308-10-0x0000000000400000-0x0000000000442000-memory.dmp
    Filesize
      264KB