cdcbc6e46cd00f3227e06cf9d09159f35830af19a1465c89948e9aeae3685e6c

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
01-06-2024 07:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9353df30a8dfe0fe04b943822a1d3cf0_NeikiAnalytics.exe
Size

319KB
MD5

9353df30a8dfe0fe04b943822a1d3cf0
SHA1

ba865238b6e3c8da2aedf8a17a0c54c162c28cb1
SHA256

cdcbc6e46cd00f3227e06cf9d09159f35830af19a1465c89948e9aeae3685e6c
SHA512

160f57633e236fb1abb0f30f2968742d649ced61214d0df380246267898b767ccfbbfc7f5357cfd8fe470f6f7fb7d773202dd1a402e8c7306bc33b93cabb7783
SSDEEP

6144:gnOoaHSua9t1ldTlnt4mVzSNf+jZJc/zr9Mx4uZGS/VD7/+VAKaoC7jEJdL:gnOziD3dRttSZ+jZe/zr9Mxv/VD7/PK1

Score

10^/10

backdoor dropper trojan

Malware Config

Signatures

Malware Dropper & Backdoor - Berbew 1 IoCs

Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.

backdoor trojan dropper

resource	yara_rule
behavioral2/files/0x00070000000233fd-8.dat	family_berbew

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3380 wrote to memory of 3232	3380	9353df30a8dfe0fe04b943822a1d3cf0_NeikiAnalytics.exe	85
PID 3380 wrote to memory of 3232	3380	9353df30a8dfe0fe04b943822a1d3cf0_NeikiAnalytics.exe	85
PID 3380 wrote to memory of 3232	3380	9353df30a8dfe0fe04b943822a1d3cf0_NeikiAnalytics.exe	85
PID 3232 wrote to memory of 1212	3232	cmd.exe	86
PID 3232 wrote to memory of 1212	3232	cmd.exe	86
PID 3232 wrote to memory of 1212	3232	cmd.exe	86
PID 1212 wrote to memory of 1856	1212	iexpress.exe	87
PID 1212 wrote to memory of 1856	1212	iexpress.exe	87
PID 1212 wrote to memory of 1856	1212	iexpress.exe	87

C:\Users\Admin\AppData\Local\Temp\9353df30a8dfe0fe04b943822a1d3cf0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\9353df30a8dfe0fe04b943822a1d3cf0_NeikiAnalytics.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3380
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4A76.tmp\1.bat" "C:\Users\Admin\AppData\Local\Temp\9353df30a8dfe0fe04b943822a1d3cf0_NeikiAnalytics.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3232
- - C:\Windows\SysWOW64\iexpress.exe
    iexpress /n /q /m C:\Users\Admin\AppData\Local\Temp\popup.sed
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1212
  - - C:\Windows\SysWOW64\makecab.exe
      C:\Windows\SysWOW64\makecab.exe /f "~%TargetName%.DDF"
      4⤵
      PID:1856

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4A76.tmp\1.bat

Filesize
1KB

MD5
02dba5f37067292355c6d01a57d4ef48

SHA1
7c67ab3f99fbf7a53018dd295d2968c525db83d9

SHA256
8b74c812ba9e6c536da7edd4101e7e0dddeab8355e5aff095dd31b3f00560242

SHA512
12201f949ee3198c8f4b39cc8edf90a114ecf42ddd5383ed0b87e4c78053cd517786dc7af83557e63a0483af74f4c0117d5568441ae761ff6958e758704d602a

Download Submit
C:\Users\Admin\AppData\Local\Temp\popup.sed

Filesize
319KB

MD5
1212249eb631696bed8ca6bb479c6c37

SHA1
507d338a1bbcb978e97c29ebb3ddd4d0322ae727

SHA256
43b1542a60c200687e3aebcb6b9d7f5468dfbc03739ac583385c703b6bb795c9

SHA512
a011728ae028d0ac32a9b6a0765037276ca20caf325bd394762db63a3b6b49fa999faa745dc7395ea0cd7d00efa10bffbd93b8a9895879c2e643b429e6eb6cee

Download Submit
C:\Users\Admin\AppData\Local\Temp\~%TargetName%.DDF

Filesize
724B

MD5
c3ca008abd6997c4b036a7e8be75cb2c

SHA1
05f7a3527bb04c691b08f040f562582035398829

SHA256
29ef6bf47dcc8c67f1abe1b269d3518d6a4ebe125daa1ea460779638cb9782a3

SHA512
bee0baf3cb83144239077f99f5ca2a6ca7b618f7f51a53e03613ae697e8bc76fa28f5d006296b469be8e1fffeeb35668b5fe87b260b1380cc003815ea9efb083

Download Submit
memory/3380-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3380-12-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download