Malware Analysis Report

2024-10-16 05:00

Sample ID 240603-ae26vsdd24
Target 88c8c88cae175dad78e5568222fe6230_NeikiAnalytics.exe
SHA256 08895d88864c7115ffe03d2476da448936089dca9686d615e7e9fae210643fb9
Tags
backdoor trojan dropper berbew
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

08895d88864c7115ffe03d2476da448936089dca9686d615e7e9fae210643fb9

Threat Level: Known bad

The file 88c8c88cae175dad78e5568222fe6230_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

backdoor trojan dropper berbew

Berbew family

Malware Dropper & Backdoor - Berbew

Deletes itself

Executes dropped EXE

Loads dropped DLL

Unsigned PE

Program crash

Suspicious behavior: RenamesItself

Suspicious use of WriteProcessMemory

Suspicious use of UnmapMainImage

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-03 00:08

Signatures

Berbew family

berbew

Malware Dropper & Backdoor - Berbew

backdoor trojan dropper
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-03 00:08

Reported

2024-06-03 00:11

Platform

win7-20240221-en

Max time kernel

121s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\88c8c88cae175dad78e5568222fe6230_NeikiAnalytics.exe"

Signatures

Malware Dropper & Backdoor - Berbew

backdoor trojan dropper
Description Indicator Process Target
N/A N/A N/A N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\88c8c88cae175dad78e5568222fe6230_NeikiAnalytics.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\88c8c88cae175dad78e5568222fe6230_NeikiAnalytics.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\88c8c88cae175dad78e5568222fe6230_NeikiAnalytics.exe N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\88c8c88cae175dad78e5568222fe6230_NeikiAnalytics.exe N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\88c8c88cae175dad78e5568222fe6230_NeikiAnalytics.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\88c8c88cae175dad78e5568222fe6230_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\88c8c88cae175dad78e5568222fe6230_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Local\Temp\88c8c88cae175dad78e5568222fe6230_NeikiAnalytics.exe

C:\Users\Admin\AppData\Local\Temp\88c8c88cae175dad78e5568222fe6230_NeikiAnalytics.exe

Network

N/A

Files

memory/2632-17-0x0000000000210000-0x0000000000249000-memory.dmp

memory/2632-13-0x0000000000400000-0x000000000041A000-memory.dmp

memory/2632-11-0x0000000000400000-0x0000000000439000-memory.dmp

memory/2240-10-0x0000000000400000-0x0000000000439000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\88c8c88cae175dad78e5568222fe6230_NeikiAnalytics.exe

MD5 be4b8747bb92814ad6f985fa2682bc7d
SHA1 b2014bc6fdfe2116059b7a652d2509e72c526122
SHA256 95a12dee335410d7dc050fb5137e4dd6239e185f2cf2765aba2431e1f38f7ce2
SHA512 a5590759185c82368e29cc840552b3d79a63a68891b06ce6f2a4d0fefac4cda46f021de10bb0bb64b5fcd7d6ee05fc85e92782974cdc0cd750c24f9f7efd8162

memory/2240-6-0x0000000002C70000-0x0000000002CA9000-memory.dmp

memory/2240-0-0x0000000000400000-0x0000000000439000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-03 00:08

Reported

2024-06-03 00:10

Platform

win10v2004-20240508-en

Max time kernel

130s

Max time network

102s

Command Line

"C:\Users\Admin\AppData\Local\Temp\88c8c88cae175dad78e5568222fe6230_NeikiAnalytics.exe"

Signatures

Malware Dropper & Backdoor - Berbew

backdoor trojan dropper
Description Indicator Process Target
N/A N/A N/A N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\88c8c88cae175dad78e5568222fe6230_NeikiAnalytics.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\88c8c88cae175dad78e5568222fe6230_NeikiAnalytics.exe N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\88c8c88cae175dad78e5568222fe6230_NeikiAnalytics.exe N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\88c8c88cae175dad78e5568222fe6230_NeikiAnalytics.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\88c8c88cae175dad78e5568222fe6230_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\88c8c88cae175dad78e5568222fe6230_NeikiAnalytics.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4992 -ip 4992

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4992 -s 400

C:\Users\Admin\AppData\Local\Temp\88c8c88cae175dad78e5568222fe6230_NeikiAnalytics.exe

C:\Users\Admin\AppData\Local\Temp\88c8c88cae175dad78e5568222fe6230_NeikiAnalytics.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1888 -ip 1888

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1888 -s 380

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 98.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp

Files

memory/4992-0-0x0000000000400000-0x0000000000439000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\88c8c88cae175dad78e5568222fe6230_NeikiAnalytics.exe

MD5 7e651a5d16a12df8a8f71f1aa2dcace0
SHA1 992b6ffe490ac4286fd3150ea68ad9a4d006f24c
SHA256 ad37083355c259a24ef23fb15b28b87ee89cd78baff3ae312c7070c49a74df2b
SHA512 091bd4e93f76bfd5a36fa0244b55b4c90e9a04c06b6745f9836d8a672f9fa15dfcf5e32900738f627ccf9f297fc584bcb2cba161404cce7f20c61c0440cc5e8d

memory/4992-6-0x0000000000400000-0x0000000000439000-memory.dmp

memory/1888-7-0x0000000000400000-0x0000000000439000-memory.dmp

memory/1888-8-0x0000000000400000-0x000000000041A000-memory.dmp

memory/1888-13-0x0000000001650000-0x0000000001689000-memory.dmp