Malware Analysis Report

2024-10-16 05:00

Sample ID 240603-cys4eagb2y
Target 9843e847ca1a1a98f8924c37cea4a380_NeikiAnalytics.exe
SHA256 fc9ee5b057723b6cf104e28f7711960e896578caf37a8f7184d5cf822d59a115
Tags backdoor dropper trojan berbew
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256

fc9ee5b057723b6cf104e28f7711960e896578caf37a8f7184d5cf822d59a115

Threat Level: Known bad

The file 9843e847ca1a1a98f8924c37cea4a380_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

backdoor dropper trojan berbew

Berbew family

Malware Dropper & Backdoor - Berbew

Loads dropped DLL

Executes dropped EXE

Checks computer location settings

Unsigned PE

Enumerates physical storage devices

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Uses Volume Shadow Copy service COM API

Checks processor information in registry

Suspicious behavior: AddClipboardFormatListener

Suspicious use of SetWindowsHookEx

Modifies Internet Explorer settings

Uses Volume Shadow Copy WMI provider

Suspicious behavior: RenamesItself

Modifies registry class

Enumerates system info in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-03 02:29

Signatures

Berbew family

berbew

Malware Dropper & Backdoor - Berbew

backdoor trojan dropper
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-03 02:29

Reported

2024-06-03 02:32

Platform

win10v2004-20240426-en

Max time kernel

149s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9843e847ca1a1a98f8924c37cea4a380_NeikiAnalytics.exe"

Signatures

Malware Dropper & Backdoor - Berbew

backdoor trojan dropper
Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\323B.tmp N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\323B.tmp N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\323B.tmp N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\323B.tmp N/A

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy WMI provider

ransomware

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\9843e847ca1a1a98f8924c37cea4a380_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\9843e847ca1a1a98f8924c37cea4a380_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Local\Temp\323B.tmp

"C:\Users\Admin\AppData\Local\Temp\323B.tmp" --pingC:\Users\Admin\AppData\Local\Temp\9843e847ca1a1a98f8924c37cea4a380_NeikiAnalytics.exe C135FEFA7819192B371F8C0E6DA8BC59FBD04E7D94A936B3A2D09EED33D6846021BF0A35FE0564559738AD8BA7FC8BD36991ACD34639CC14BCFC68CEE5773B99

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\9843e847ca1a1a98f8924c37cea4a380_NeikiAnalytics.docx" /o ""

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 roaming.officeapps.live.com udp
IE 52.109.76.243:443 roaming.officeapps.live.com tcp
US 8.8.8.8:53 46.28.109.52.in-addr.arpa udp
US 8.8.8.8:53 243.76.109.52.in-addr.arpa udp
US 8.8.8.8:53 90.16.208.104.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\323B.tmp

MD5 734f5b7724587e41ea0b5e190e82d235
SHA1 84561305c452ac0f44ebd856fd0d88b83f29d4fe
SHA256 ae1e4b68c4b449e746c931fab02818edf1ebda83582eb7c7e7d97a0dd87439aa
SHA512 5e6b6f413b083930dcee1d69e03d0d39aa7fe6eae9727b5e93d2ed4aef2853436f6e045dcb5e8f931529b27b032883adbd2708f045813c3dde8d3afd8284e51a

C:\Users\Admin\AppData\Local\Temp\9843e847ca1a1a98f8924c37cea4a380_NeikiAnalytics.docx

MD5 7079891932a64f097abafd233055a1e9
SHA1 246d95feafe67689d49a5a4cadba18d3ac1914e5
SHA256 c97189b50e5e92be09966d4732b6d61a2e435b2935d60c09989e555ae442e7a1
SHA512 6e9ee6427d7cc2474dc634b088cf3f35d06dfb734d2b63fbbc794f4083b4b5754379daff4804bf5024b1b430aa5e50fa6d839d3473ceeed3043d373c85e9862a

memory/4008-9-0x00007FFC452D0000-0x00007FFC452E0000-memory.dmp

memory/4008-10-0x00007FFC452D0000-0x00007FFC452E0000-memory.dmp

memory/4008-11-0x00007FFC452D0000-0x00007FFC452E0000-memory.dmp

memory/4008-14-0x00007FFC85250000-0x00007FFC85445000-memory.dmp

memory/4008-13-0x00007FFC452D0000-0x00007FFC452E0000-memory.dmp

memory/4008-15-0x00007FFC452D0000-0x00007FFC452E0000-memory.dmp

memory/4008-12-0x00007FFC852ED000-0x00007FFC852EE000-memory.dmp

memory/4008-16-0x00007FFC85250000-0x00007FFC85445000-memory.dmp

memory/4008-19-0x00007FFC85250000-0x00007FFC85445000-memory.dmp

memory/4008-20-0x00007FFC85250000-0x00007FFC85445000-memory.dmp

memory/4008-18-0x00007FFC85250000-0x00007FFC85445000-memory.dmp

memory/4008-17-0x00007FFC85250000-0x00007FFC85445000-memory.dmp

memory/4008-21-0x00007FFC43180000-0x00007FFC43190000-memory.dmp

memory/4008-22-0x00007FFC43180000-0x00007FFC43190000-memory.dmp

memory/4008-38-0x00007FFC85250000-0x00007FFC85445000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-03 02:29

Reported

2024-06-03 02:32

Platform

win7-20240221-en

Max time kernel

144s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9843e847ca1a1a98f8924c37cea4a380_NeikiAnalytics.exe"

Signatures

Malware Dropper & Backdoor - Berbew

backdoor trojan dropper
Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1287.tmp N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9843e847ca1a1a98f8924c37cea4a380_NeikiAnalytics.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\MenuExt C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1287.tmp N/A

Processes

C:\Users\Admin\AppData\Local\Temp\9843e847ca1a1a98f8924c37cea4a380_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\9843e847ca1a1a98f8924c37cea4a380_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Local\Temp\1287.tmp

"C:\Users\Admin\AppData\Local\Temp\1287.tmp" --pingC:\Users\Admin\AppData\Local\Temp\9843e847ca1a1a98f8924c37cea4a380_NeikiAnalytics.exe 9A6864CD1D7C0D9C7AF94D36F39AC36AB22622CA4D780527864BC7A22F06D5275844F2F2C0E1775445923EB189CEE2AC056BC5D0F6D2D55088BB7EEDA1356008

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\9843e847ca1a1a98f8924c37cea4a380_NeikiAnalytics.docx"

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\1287.tmp

MD5 63b702b351f855eae4b9d30bb0b990ea
SHA1 851cb0b7f46c6c32a4b238a56e8c079806e0e2d9
SHA256 dee1f546cd50b225a3506fcf898dc9af58df7d2f8049a906c1f60506c1fa0d39
SHA512 cc4863d224ec06e1378145b5b664edf09847f88951ba21cb3d674b2fb81d5de62dcaa0e29519439beb273eacf4ddb6a447b3e226396628557cbb4b6a885e21a4

memory/2628-7-0x000000002F371000-0x000000002F372000-memory.dmp

memory/2628-8-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/2628-9-0x00000000709FD000-0x0000000070A08000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\9843e847ca1a1a98f8924c37cea4a380_NeikiAnalytics.docx

MD5 7079891932a64f097abafd233055a1e9
SHA1 246d95feafe67689d49a5a4cadba18d3ac1914e5
SHA256 c97189b50e5e92be09966d4732b6d61a2e435b2935d60c09989e555ae442e7a1
SHA512 6e9ee6427d7cc2474dc634b088cf3f35d06dfb734d2b63fbbc794f4083b4b5754379daff4804bf5024b1b430aa5e50fa6d839d3473ceeed3043d373c85e9862a

memory/2628-13-0x00000000709FD000-0x0000000070A08000-memory.dmp