95d74cc23e6c59e2416ea59aa8931ee0161fc82528ac16f424cac6f2de423565

General

Target

8bf937f49a545a21e8e87dd621e3caa0_NeikiAnalytics.exe
Size

1.2MB
MD5

8bf937f49a545a21e8e87dd621e3caa0
SHA1

d64b37624f2c1014c61ddff3ca7cdc693762ceaf
SHA256

95d74cc23e6c59e2416ea59aa8931ee0161fc82528ac16f424cac6f2de423565
SHA512

7c5edc99e6985eedb29ad678f55449171c554130c9265eee2f0549f555edbfea4781f81181c4c09a851d5cf75cf85b0a678a75b3e7a94b127a880a4101164d2e
SSDEEP

24576:O5yFgTfZuvJ23m1WQuqp3ccot7a/ZSua/JXINkDbC77Lv+f6T8ytUmmlD:OEgIB2TqpscYgRg6NkDObltUt

Score

10^/10

Malware Config

Signatures

Malware Dropper & Backdoor - Berbew 1 IoCs

Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.

backdoor trojan dropper

resource	yara_rule
behavioral2/files/0x000a0000000233f5-5.dat	family_berbew

Deletes itself 1 IoCs

pid	Process
4608	8bf937f49a545a21e8e87dd621e3caa0_NeikiAnalytics.exe

Executes dropped EXE 1 IoCs

pid	Process
4608	8bf937f49a545a21e8e87dd621e3caa0_NeikiAnalytics.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
13	pastebin.com
14	pastebin.com

Program crash 15 IoCs

pid	pid_target	Process	procid_target
3908	3004	WerFault.exe	81
4236	4608	WerFault.exe	89
4348	4608	WerFault.exe	89
4396	4608	WerFault.exe	89
724	4608	WerFault.exe	89
2860	4608	WerFault.exe	89
4584	4608	WerFault.exe	89
4724	4608	WerFault.exe	89
332	4608	WerFault.exe	89
3380	4608	WerFault.exe	89
3684	4608	WerFault.exe	89
4032	4608	WerFault.exe	89
880	4608	WerFault.exe	89
3200	4608	WerFault.exe	89
2748	4608	WerFault.exe	89

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4608	8bf937f49a545a21e8e87dd621e3caa0_NeikiAnalytics.exe
4608	8bf937f49a545a21e8e87dd621e3caa0_NeikiAnalytics.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3004	8bf937f49a545a21e8e87dd621e3caa0_NeikiAnalytics.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
4608	8bf937f49a545a21e8e87dd621e3caa0_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3004 wrote to memory of 4608	3004	8bf937f49a545a21e8e87dd621e3caa0_NeikiAnalytics.exe	89
PID 3004 wrote to memory of 4608	3004	8bf937f49a545a21e8e87dd621e3caa0_NeikiAnalytics.exe	89
PID 3004 wrote to memory of 4608	3004	8bf937f49a545a21e8e87dd621e3caa0_NeikiAnalytics.exe	89

C:\Users\Admin\AppData\Local\Temp\8bf937f49a545a21e8e87dd621e3caa0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\8bf937f49a545a21e8e87dd621e3caa0_NeikiAnalytics.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:3004
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3004 -s 344
  2⤵
  - Program crash
  PID:3908
- C:\Users\Admin\AppData\Local\Temp\8bf937f49a545a21e8e87dd621e3caa0_NeikiAnalytics.exe
  C:\Users\Admin\AppData\Local\Temp\8bf937f49a545a21e8e87dd621e3caa0_NeikiAnalytics.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  PID:4608
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4608 -s 348
    3⤵
    - Program crash
    PID:4236
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4608 -s 628
    3⤵
    - Program crash
    PID:4348
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4608 -s 628
    3⤵
    - Program crash
    PID:4396
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4608 -s 660
    3⤵
    - Program crash
    PID:724
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4608 -s 660
    3⤵
    - Program crash
    PID:2860
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4608 -s 1012
    3⤵
    - Program crash
    PID:4584
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4608 -s 1416
    3⤵
    - Program crash
    PID:4724
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4608 -s 1456
    3⤵
    - Program crash
    PID:332
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4608 -s 1500
    3⤵
    - Program crash
    PID:3380
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4608 -s 1464
    3⤵
    - Program crash
    PID:3684
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4608 -s 1700
    3⤵
    - Program crash
    PID:4032
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4608 -s 1500
    3⤵
    - Program crash
    PID:880
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4608 -s 1484
    3⤵
    - Program crash
    PID:3200
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4608 -s 632
    3⤵
    - Program crash
    PID:2748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3004 -ip 3004
1⤵
PID:4600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4608 -ip 4608
1⤵
PID:3116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4608 -ip 4608
1⤵
PID:1892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4608 -ip 4608
1⤵
PID:1148

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4608 -ip 4608
1⤵
PID:3744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4608 -ip 4608
1⤵
PID:2704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4608 -ip 4608
1⤵
PID:2416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4608 -ip 4608
1⤵
PID:1672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4608 -ip 4608
1⤵
PID:4932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4608 -ip 4608
1⤵
PID:4148

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 4608 -ip 4608
1⤵
PID:2648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 4608 -ip 4608
1⤵
PID:4696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 4608 -ip 4608
1⤵
PID:464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4608 -ip 4608
1⤵
PID:3196

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 4608 -ip 4608
1⤵
PID:4168

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8bf937f49a545a21e8e87dd621e3caa0_NeikiAnalytics.exe

Filesize
1.2MB

MD5
833aeba72575ea84ba99adc997fbe747

SHA1
f980f5898aad49f3005112893ac595311d9d7fd5

SHA256
7535a0d215de1acb6e279aecf703312ab232aa47c34c59ecfc3ee6e2749285d3

SHA512
1d3b6862a14aa24774b2dd15ec94e00fc922a930dc713b1895a289f9b9e257e6532d5f05b2889d147619e82a8219b01f95467212e7d86a0cec6ba5fa89761451

Download Submit
memory/3004-0-0x0000000000400000-0x0000000000517000-memory.dmp

Filesize
1.1MB

Download
memory/3004-6-0x0000000000400000-0x0000000000517000-memory.dmp

Filesize
1.1MB

Download
memory/4608-7-0x0000000000400000-0x0000000000517000-memory.dmp

Filesize
1.1MB

Download
memory/4608-8-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/4608-14-0x0000000004FE0000-0x00000000050F7000-memory.dmp

Filesize
1.1MB

Download
memory/4608-22-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4608-27-0x000000000B9A0000-0x000000000BA43000-memory.dmp

Filesize
652KB

Download
memory/4608-28-0x0000000000400000-0x0000000000517000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing