Analysis Overview
SHA256
4580a0495028fbc93d2693bd37a0e1e3331e826486fcafb2c94713cb50312fb4
Threat Level: Known bad
The file 93367f560856ee3d14c28cd1278ffbd0_NeikiAnalytics.exe was found to be: Known bad.
Malicious Activity Summary
Malware Dropper & Backdoor - Berbew
Berbew family
Deletes itself
Loads dropped DLL
Executes dropped EXE
Legitimate hosting services abused for malware hosting/C2
Program crash
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-03 01:08
Signatures
Berbew family
Malware Dropper & Backdoor - Berbew
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-03 01:08
Reported
2024-06-03 01:11
Platform
win7-20240508-en
Max time kernel
121s
Max time network
122s
Command Line
Signatures
Malware Dropper & Backdoor - Berbew
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\93367f560856ee3d14c28cd1278ffbd0_NeikiAnalytics.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\93367f560856ee3d14c28cd1278ffbd0_NeikiAnalytics.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\93367f560856ee3d14c28cd1278ffbd0_NeikiAnalytics.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\93367f560856ee3d14c28cd1278ffbd0_NeikiAnalytics.exe | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\93367f560856ee3d14c28cd1278ffbd0_NeikiAnalytics.exe | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\93367f560856ee3d14c28cd1278ffbd0_NeikiAnalytics.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2180 wrote to memory of 3052 | N/A | C:\Users\Admin\AppData\Local\Temp\93367f560856ee3d14c28cd1278ffbd0_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\93367f560856ee3d14c28cd1278ffbd0_NeikiAnalytics.exe |
| PID 2180 wrote to memory of 3052 | N/A | C:\Users\Admin\AppData\Local\Temp\93367f560856ee3d14c28cd1278ffbd0_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\93367f560856ee3d14c28cd1278ffbd0_NeikiAnalytics.exe |
| PID 2180 wrote to memory of 3052 | N/A | C:\Users\Admin\AppData\Local\Temp\93367f560856ee3d14c28cd1278ffbd0_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\93367f560856ee3d14c28cd1278ffbd0_NeikiAnalytics.exe |
| PID 2180 wrote to memory of 3052 | N/A | C:\Users\Admin\AppData\Local\Temp\93367f560856ee3d14c28cd1278ffbd0_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\93367f560856ee3d14c28cd1278ffbd0_NeikiAnalytics.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\93367f560856ee3d14c28cd1278ffbd0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\93367f560856ee3d14c28cd1278ffbd0_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Local\Temp\93367f560856ee3d14c28cd1278ffbd0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\93367f560856ee3d14c28cd1278ffbd0_NeikiAnalytics.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
Files
memory/2180-0-0x0000000000400000-0x00000000004EF000-memory.dmp
\Users\Admin\AppData\Local\Temp\93367f560856ee3d14c28cd1278ffbd0_NeikiAnalytics.exe
| MD5 | 9732487797121856853c794451761594 |
| SHA1 | bb8c8f5e93342fd84d7d6ac00a9da750130c1951 |
| SHA256 | 73a6249f23c25784271540867e010c16ae26515b790c22faa1570caad3a8062c |
| SHA512 | 402931dba0ed1022b356c3cf90e32eda6e7f4e9f2411f24c1e876a03d9183481e89351a41ae62e5c73800cdc3944d728e5a208bf3c2fc0cf98e4ed8ddbbd5158 |
memory/2180-6-0x0000000003170000-0x000000000325F000-memory.dmp
memory/2180-8-0x0000000000400000-0x00000000004EF000-memory.dmp
memory/3052-10-0x0000000000400000-0x00000000004EF000-memory.dmp
memory/3052-12-0x0000000000400000-0x00000000004A3000-memory.dmp
memory/3052-17-0x0000000002E60000-0x0000000002F4F000-memory.dmp
memory/3052-33-0x0000000000400000-0x0000000000443000-memory.dmp
memory/3052-39-0x000000000EE30000-0x000000000EED3000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-03 01:08
Reported
2024-06-03 01:11
Platform
win10v2004-20240226-en
Max time kernel
144s
Max time network
158s
Command Line
Signatures
Malware Dropper & Backdoor - Berbew
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\93367f560856ee3d14c28cd1278ffbd0_NeikiAnalytics.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\93367f560856ee3d14c28cd1278ffbd0_NeikiAnalytics.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
Program crash
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\93367f560856ee3d14c28cd1278ffbd0_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\93367f560856ee3d14c28cd1278ffbd0_NeikiAnalytics.exe | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\93367f560856ee3d14c28cd1278ffbd0_NeikiAnalytics.exe | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\93367f560856ee3d14c28cd1278ffbd0_NeikiAnalytics.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3176 wrote to memory of 2392 | N/A | C:\Users\Admin\AppData\Local\Temp\93367f560856ee3d14c28cd1278ffbd0_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\93367f560856ee3d14c28cd1278ffbd0_NeikiAnalytics.exe |
| PID 3176 wrote to memory of 2392 | N/A | C:\Users\Admin\AppData\Local\Temp\93367f560856ee3d14c28cd1278ffbd0_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\93367f560856ee3d14c28cd1278ffbd0_NeikiAnalytics.exe |
| PID 3176 wrote to memory of 2392 | N/A | C:\Users\Admin\AppData\Local\Temp\93367f560856ee3d14c28cd1278ffbd0_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\93367f560856ee3d14c28cd1278ffbd0_NeikiAnalytics.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\93367f560856ee3d14c28cd1278ffbd0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\93367f560856ee3d14c28cd1278ffbd0_NeikiAnalytics.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3176 -ip 3176
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3176 -s 344
C:\Users\Admin\AppData\Local\Temp\93367f560856ee3d14c28cd1278ffbd0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\93367f560856ee3d14c28cd1278ffbd0_NeikiAnalytics.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2392 -ip 2392
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2392 -s 348
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2392 -ip 2392
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2392 -s 636
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2392 -ip 2392
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2392 -s 660
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2392 -ip 2392
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2392 -s 636
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2392 -ip 2392
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2392 -s 720
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2392 -ip 2392
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2392 -s 904
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2392 -ip 2392
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2392 -s 1404
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2392 -ip 2392
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2392 -s 1460
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2392 -ip 2392
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2392 -s 1644
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2392 -ip 2392
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2392 -s 1484
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 2392 -ip 2392
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2392 -s 1464
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2392 -ip 2392
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2392 -s 1648
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 2392 -ip 2392
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2392 -s 1672
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4120 --field-trial-handle=3192,i,2785050981002401924,4037047756083432660,262144 --variations-seed-version /prefetch:8
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 2392 -ip 2392
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2392 -s 1664
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2392 -ip 2392
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2392 -s 640
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 164.189.21.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | 24.19.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 35.169.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 13.107.253.64:443 | | tcp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| NL | 52.142.223.178:80 | | tcp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 85.65.42.20.in-addr.arpa | udp |
Files
memory/3176-0-0x0000000000400000-0x00000000004EF000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\93367f560856ee3d14c28cd1278ffbd0_NeikiAnalytics.exe
| MD5 | 346aa279de2bed47b1707a128bef400b |
| SHA1 | e9ea2eece4c2d876607c9082a48baddd099b87a1 |
| SHA256 | 5e1af114bd12f1ab3fdfd244fb1be6452cd976b860ca3e7d71b47d405af71b89 |
| SHA512 | 0e2e6b33cc53e90f53a0a1f3e8bc4d9bb70b6ed187bebb8383da1a695626aecf8ececf6a3fb284923a60aec9c3eed2a444ad3d28fc356495d3970205cc9b6a36 |
memory/3176-6-0x0000000000400000-0x00000000004EF000-memory.dmp
memory/2392-7-0x0000000000400000-0x00000000004EF000-memory.dmp
memory/2392-8-0x0000000005040000-0x000000000512F000-memory.dmp
memory/2392-9-0x0000000000400000-0x00000000004A3000-memory.dmp
memory/2392-21-0x0000000000400000-0x0000000000443000-memory.dmp
memory/2392-27-0x000000000B970000-0x000000000BA13000-memory.dmp