Malware Analysis Report

2024-10-16 04:07

Sample ID 240603-bhfmpsdf9y
Target 93367f560856ee3d14c28cd1278ffbd0_NeikiAnalytics.exe
SHA256 4580a0495028fbc93d2693bd37a0e1e3331e826486fcafb2c94713cb50312fb4
Tags
backdoor trojan dropper berbew
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

4580a0495028fbc93d2693bd37a0e1e3331e826486fcafb2c94713cb50312fb4

Threat Level: Known bad

The file 93367f560856ee3d14c28cd1278ffbd0_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

backdoor trojan dropper berbew

Malware Dropper & Backdoor - Berbew

Berbew family

Deletes itself

Loads dropped DLL

Executes dropped EXE

Legitimate hosting services abused for malware hosting/C2

Program crash

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: RenamesItself

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-03 01:08

Signatures

Berbew family

berbew

Malware Dropper & Backdoor - Berbew

backdoor trojan dropper
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-03 01:08

Reported

2024-06-03 01:11

Platform

win7-20240508-en

Max time kernel

121s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\93367f560856ee3d14c28cd1278ffbd0_NeikiAnalytics.exe"

Signatures

Malware Dropper & Backdoor - Berbew

backdoor trojan dropper
Description Indicator Process Target
N/A N/A N/A N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\93367f560856ee3d14c28cd1278ffbd0_NeikiAnalytics.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\93367f560856ee3d14c28cd1278ffbd0_NeikiAnalytics.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\93367f560856ee3d14c28cd1278ffbd0_NeikiAnalytics.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\93367f560856ee3d14c28cd1278ffbd0_NeikiAnalytics.exe N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\93367f560856ee3d14c28cd1278ffbd0_NeikiAnalytics.exe N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\93367f560856ee3d14c28cd1278ffbd0_NeikiAnalytics.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\93367f560856ee3d14c28cd1278ffbd0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\93367f560856ee3d14c28cd1278ffbd0_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Local\Temp\93367f560856ee3d14c28cd1278ffbd0_NeikiAnalytics.exe

C:\Users\Admin\AppData\Local\Temp\93367f560856ee3d14c28cd1278ffbd0_NeikiAnalytics.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 pastebin.com udp
US 104.20.3.235:443 pastebin.com tcp

Files

memory/2180-0-0x0000000000400000-0x00000000004EF000-memory.dmp

\Users\Admin\AppData\Local\Temp\93367f560856ee3d14c28cd1278ffbd0_NeikiAnalytics.exe

MD5 9732487797121856853c794451761594
SHA1 bb8c8f5e93342fd84d7d6ac00a9da750130c1951
SHA256 73a6249f23c25784271540867e010c16ae26515b790c22faa1570caad3a8062c
SHA512 402931dba0ed1022b356c3cf90e32eda6e7f4e9f2411f24c1e876a03d9183481e89351a41ae62e5c73800cdc3944d728e5a208bf3c2fc0cf98e4ed8ddbbd5158

memory/2180-6-0x0000000003170000-0x000000000325F000-memory.dmp

memory/2180-8-0x0000000000400000-0x00000000004EF000-memory.dmp

memory/3052-10-0x0000000000400000-0x00000000004EF000-memory.dmp

memory/3052-12-0x0000000000400000-0x00000000004A3000-memory.dmp

memory/3052-17-0x0000000002E60000-0x0000000002F4F000-memory.dmp

memory/3052-33-0x0000000000400000-0x0000000000443000-memory.dmp

memory/3052-39-0x000000000EE30000-0x000000000EED3000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-03 01:08

Reported

2024-06-03 01:11

Platform

win10v2004-20240226-en

Max time kernel

144s

Max time network

158s

Command Line

"C:\Users\Admin\AppData\Local\Temp\93367f560856ee3d14c28cd1278ffbd0_NeikiAnalytics.exe"

Signatures

Malware Dropper & Backdoor - Berbew

backdoor trojan dropper
Description Indicator Process Target
N/A N/A N/A N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\93367f560856ee3d14c28cd1278ffbd0_NeikiAnalytics.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\93367f560856ee3d14c28cd1278ffbd0_NeikiAnalytics.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\93367f560856ee3d14c28cd1278ffbd0_NeikiAnalytics.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\93367f560856ee3d14c28cd1278ffbd0_NeikiAnalytics.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\93367f560856ee3d14c28cd1278ffbd0_NeikiAnalytics.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\93367f560856ee3d14c28cd1278ffbd0_NeikiAnalytics.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\93367f560856ee3d14c28cd1278ffbd0_NeikiAnalytics.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\93367f560856ee3d14c28cd1278ffbd0_NeikiAnalytics.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\93367f560856ee3d14c28cd1278ffbd0_NeikiAnalytics.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\93367f560856ee3d14c28cd1278ffbd0_NeikiAnalytics.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\93367f560856ee3d14c28cd1278ffbd0_NeikiAnalytics.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\93367f560856ee3d14c28cd1278ffbd0_NeikiAnalytics.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\93367f560856ee3d14c28cd1278ffbd0_NeikiAnalytics.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\93367f560856ee3d14c28cd1278ffbd0_NeikiAnalytics.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\93367f560856ee3d14c28cd1278ffbd0_NeikiAnalytics.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\93367f560856ee3d14c28cd1278ffbd0_NeikiAnalytics.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\93367f560856ee3d14c28cd1278ffbd0_NeikiAnalytics.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\93367f560856ee3d14c28cd1278ffbd0_NeikiAnalytics.exe

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\93367f560856ee3d14c28cd1278ffbd0_NeikiAnalytics.exe N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\93367f560856ee3d14c28cd1278ffbd0_NeikiAnalytics.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\93367f560856ee3d14c28cd1278ffbd0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\93367f560856ee3d14c28cd1278ffbd0_NeikiAnalytics.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3176 -ip 3176

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3176 -s 344

C:\Users\Admin\AppData\Local\Temp\93367f560856ee3d14c28cd1278ffbd0_NeikiAnalytics.exe

C:\Users\Admin\AppData\Local\Temp\93367f560856ee3d14c28cd1278ffbd0_NeikiAnalytics.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2392 -ip 2392

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2392 -s 348

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2392 -ip 2392

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2392 -s 636

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2392 -ip 2392

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2392 -s 660

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2392 -ip 2392

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2392 -s 636

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2392 -ip 2392

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2392 -s 720

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2392 -ip 2392

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2392 -s 904

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2392 -ip 2392

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2392 -s 1404

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2392 -ip 2392

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2392 -s 1460

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2392 -ip 2392

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2392 -s 1644

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2392 -ip 2392

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2392 -s 1484

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 2392 -ip 2392

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2392 -s 1464

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2392 -ip 2392

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2392 -s 1648

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 2392 -ip 2392

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2392 -s 1672

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4120 --field-trial-handle=3192,i,2785050981002401924,4037047756083432660,262144 --variations-seed-version /prefetch:8

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 2392 -ip 2392

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2392 -s 1664

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2392 -ip 2392

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2392 -s 640

Network

Country Destination Domain Proto
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 164.189.21.2.in-addr.arpa udp
US 8.8.8.8:53 pastebin.com udp
US 172.67.19.24:443 pastebin.com tcp
US 8.8.8.8:53 24.19.67.172.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 35.169.217.172.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 13.107.253.64:443 tcp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 85.65.42.20.in-addr.arpa udp

Files

memory/3176-0-0x0000000000400000-0x00000000004EF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\93367f560856ee3d14c28cd1278ffbd0_NeikiAnalytics.exe

MD5 346aa279de2bed47b1707a128bef400b
SHA1 e9ea2eece4c2d876607c9082a48baddd099b87a1
SHA256 5e1af114bd12f1ab3fdfd244fb1be6452cd976b860ca3e7d71b47d405af71b89
SHA512 0e2e6b33cc53e90f53a0a1f3e8bc4d9bb70b6ed187bebb8383da1a695626aecf8ececf6a3fb284923a60aec9c3eed2a444ad3d28fc356495d3970205cc9b6a36

memory/3176-6-0x0000000000400000-0x00000000004EF000-memory.dmp

memory/2392-7-0x0000000000400000-0x00000000004EF000-memory.dmp

memory/2392-8-0x0000000005040000-0x000000000512F000-memory.dmp

memory/2392-9-0x0000000000400000-0x00000000004A3000-memory.dmp

memory/2392-21-0x0000000000400000-0x0000000000443000-memory.dmp

memory/2392-27-0x000000000B970000-0x000000000BA13000-memory.dmp