Analysis
- max time kernel: 149s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 01-06-2024 22:14
Behavioral task: behavioral1
- Sample: 017467335df194176bc1b39851b55970_NeikiAnalytics.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: 017467335df194176bc1b39851b55970_NeikiAnalytics.exe
- Resource: win10v2004-20240508-en
General
- Target: 017467335df194176bc1b39851b55970_NeikiAnalytics.exe
- Size: 300KB
- MD5: 017467335df194176bc1b39851b55970
- SHA1: bf002946e5d0a206a6b2ff8e31ab187daaa33985
- SHA256: 9fe500bb17dc286aa7fbda0e3b161215452d6a2e28bea6397b15b38a12ac4de8
- SHA512: db5ec10fef957dd8a86f8a7d2219079df34688cfe9bdaa2be3f9c7ecac21e26c51debc64bc3765bbd197b1b084d582b7a4b032df8c6788125bc58f970fe598a1
- SSDEEP: 6144:1W+8dV2GqufhcmoZjwszeXmr8SeNpgdyuH1l+/Wd:k+6pymCjb87g4/c
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 2 IoCs)
Processes: 017467335df194176bc1b39851b55970_NeikiAnalytics.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | 017467335df194176bc1b39851b55970_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | 017467335df194176bc1b39851b55970_NeikiAnalytics.exe
-
Malware Dropper & Backdoor - Berbew (1 IoC)
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
Processes:
resource | yara_rule
C:\Windows\SysWOW64\Nkcmohbg.exe | family_berbew
-
Executes dropped EXE (1 IoC)
Processes: Nkcmohbg.exe
pid | process
4308 | Nkcmohbg.exe
-
Drops file in System32 directory (3 IoCs)
Processes: 017467335df194176bc1b39851b55970_NeikiAnalytics.exe
description | ioc | process
File created | C:\Windows\SysWOW64\Nkcmohbg.exe | 017467335df194176bc1b39851b55970_NeikiAnalytics.exe
File opened for modification | C:\Windows\SysWOW64\Nkcmohbg.exe | 017467335df194176bc1b39851b55970_NeikiAnalytics.exe
File created | C:\Windows\SysWOW64\Hnibdpde.dll | 017467335df194176bc1b39851b55970_NeikiAnalytics.exe
-
Program crash (1 IoC)
Processes: WerFault.exe
pid | pid_target | process | target process
3268 | 4308 | WerFault.exe | Nkcmohbg.exe
-
Modifies registry class (6 IoCs)
Processes: 017467335df194176bc1b39851b55970_NeikiAnalytics.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738} | 017467335df194176bc1b39851b55970_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll" | 017467335df194176bc1b39851b55970_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | 017467335df194176bc1b39851b55970_NeikiAnalytics.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | 017467335df194176bc1b39851b55970_NeikiAnalytics.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node | 017467335df194176bc1b39851b55970_NeikiAnalytics.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID | 017467335df194176bc1b39851b55970_NeikiAnalytics.exe
-
Suspicious use of WriteProcessMemory (3 IoCs)
Processes: 017467335df194176bc1b39851b55970_NeikiAnalytics.exe
description | pid | process | target process
PID 2676 wrote to memory of 4308 | 2676 | 017467335df194176bc1b39851b55970_NeikiAnalytics.exe | Nkcmohbg.exe
PID 2676 wrote to memory of 4308 | 2676 | 017467335df194176bc1b39851b55970_NeikiAnalytics.exe | Nkcmohbg.exe
PID 2676 wrote to memory of 4308 | 2676 | 017467335df194176bc1b39851b55970_NeikiAnalytics.exe | Nkcmohbg.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\017467335df194176bc1b39851b55970_NeikiAnalytics.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\017467335df194176bc1b39851b55970_NeikiAnalytics.exe"
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID: 2676
  C:\Windows\SysWOW64\Nkcmohbg.exe
    Command line: C:\Windows\system32\Nkcmohbg.exe
    - Executes dropped EXE
    PID: 4308
    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4308 -s 400
      - Program crash
      PID: 3268
-
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4308 -ip 4308
  PID: 620
Network
MITRE ATT&CK Enterprise v15
Downloads
-
- Filesize: 300KB
- MD5: 95394a1c91dcd325d1714cba879cd79e
- SHA1: 5fd7c4a40da4cf32fce8a0d259abc2602402763f
- SHA256: b286cbcf369bb955147b93393cf71c5a4ad6334040a7b01d674fc1cc0b794390
- SHA512: e7c0946b42b1b61fdda5ff17137e4eaa3ef109a2f7e7439d5591078e85e690e0e174a0f1d7217276d2f13a44d915ba602739772e805bf4ba236385c061336717