c5812afa52b3c7c256e36316905f691e2adc77ae3a5a7534395cb4c816d419b1

General

Target

08619ac1578420c0f0bd4ad406da8110_NeikiAnalytics.exe
Size

991KB
MD5

08619ac1578420c0f0bd4ad406da8110
SHA1

472368b4baca14d20e1cd374db65a2cf26f0ff4e
SHA256

c5812afa52b3c7c256e36316905f691e2adc77ae3a5a7534395cb4c816d419b1
SHA512

f76bdb8808186c4c2f7c57bd97749ecf8287d70f6dc110a816a57be01186f2b725f9862f3b674e77a40a0b2c295dd6aa847821405d92daae07a57994cc2616dc
SSDEEP

24576:BxlQKXIJojIj7qH3QGUONWvgQ0Ha/ZSMQugi8ndZ5G:uKDa2sE00Hg1Qugi8ndZ5G

Score

10^/10

Malware Config

Signatures

Malware Dropper & Backdoor - Berbew 1 IoCs

Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.

backdoor trojan dropper

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\08619ac1578420c0f0bd4ad406da8110_NeikiAnalytics.exe	family_berbew

Deletes itself 1 IoCs

Processes:

08619ac1578420c0f0bd4ad406da8110_NeikiAnalytics.exe

pid process

4984 08619ac1578420c0f0bd4ad406da8110_NeikiAnalytics.exe
Executes dropped EXE 1 IoCs

Processes:

08619ac1578420c0f0bd4ad406da8110_NeikiAnalytics.exe

pid process

4984 08619ac1578420c0f0bd4ad406da8110_NeikiAnalytics.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

17 pastebin.com
18 pastebin.com

pid	process
4984	08619ac1578420c0f0bd4ad406da8110_NeikiAnalytics.exe

pid	process
4984	08619ac1578420c0f0bd4ad406da8110_NeikiAnalytics.exe

flow	ioc
17	pastebin.com
18	pastebin.com

Program crash 15 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
1524	1852	WerFault.exe	08619ac1578420c0f0bd4ad406da8110_NeikiAnalytics.exe
764	4984	WerFault.exe	08619ac1578420c0f0bd4ad406da8110_NeikiAnalytics.exe
4844	4984	WerFault.exe	08619ac1578420c0f0bd4ad406da8110_NeikiAnalytics.exe
4892	4984	WerFault.exe	08619ac1578420c0f0bd4ad406da8110_NeikiAnalytics.exe
4232	4984	WerFault.exe	08619ac1578420c0f0bd4ad406da8110_NeikiAnalytics.exe
992	4984	WerFault.exe	08619ac1578420c0f0bd4ad406da8110_NeikiAnalytics.exe
3360	4984	WerFault.exe	08619ac1578420c0f0bd4ad406da8110_NeikiAnalytics.exe
2488	4984	WerFault.exe	08619ac1578420c0f0bd4ad406da8110_NeikiAnalytics.exe
5108	4984	WerFault.exe	08619ac1578420c0f0bd4ad406da8110_NeikiAnalytics.exe
2588	4984	WerFault.exe	08619ac1578420c0f0bd4ad406da8110_NeikiAnalytics.exe
2608	4984	WerFault.exe	08619ac1578420c0f0bd4ad406da8110_NeikiAnalytics.exe
2372	4984	WerFault.exe	08619ac1578420c0f0bd4ad406da8110_NeikiAnalytics.exe
544	4984	WerFault.exe	08619ac1578420c0f0bd4ad406da8110_NeikiAnalytics.exe
5112	4984	WerFault.exe	08619ac1578420c0f0bd4ad406da8110_NeikiAnalytics.exe
1576	4984	WerFault.exe	08619ac1578420c0f0bd4ad406da8110_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

08619ac1578420c0f0bd4ad406da8110_NeikiAnalytics.exe

pid process

4984 08619ac1578420c0f0bd4ad406da8110_NeikiAnalytics.exe
4984 08619ac1578420c0f0bd4ad406da8110_NeikiAnalytics.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

08619ac1578420c0f0bd4ad406da8110_NeikiAnalytics.exe

pid process

1852 08619ac1578420c0f0bd4ad406da8110_NeikiAnalytics.exe
Suspicious use of UnmapMainImage 1 IoCs

Processes:

08619ac1578420c0f0bd4ad406da8110_NeikiAnalytics.exe

pid process

4984 08619ac1578420c0f0bd4ad406da8110_NeikiAnalytics.exe

pid	process
4984	08619ac1578420c0f0bd4ad406da8110_NeikiAnalytics.exe
4984	08619ac1578420c0f0bd4ad406da8110_NeikiAnalytics.exe

pid	process
1852	08619ac1578420c0f0bd4ad406da8110_NeikiAnalytics.exe

pid	process
4984	08619ac1578420c0f0bd4ad406da8110_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

08619ac1578420c0f0bd4ad406da8110_NeikiAnalytics.exe

description	pid	process	target process
PID 1852 wrote to memory of 4984	1852	08619ac1578420c0f0bd4ad406da8110_NeikiAnalytics.exe	08619ac1578420c0f0bd4ad406da8110_NeikiAnalytics.exe
PID 1852 wrote to memory of 4984	1852	08619ac1578420c0f0bd4ad406da8110_NeikiAnalytics.exe	08619ac1578420c0f0bd4ad406da8110_NeikiAnalytics.exe
PID 1852 wrote to memory of 4984	1852	08619ac1578420c0f0bd4ad406da8110_NeikiAnalytics.exe	08619ac1578420c0f0bd4ad406da8110_NeikiAnalytics.exe

C:\Users\Admin\AppData\Local\Temp\08619ac1578420c0f0bd4ad406da8110_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\08619ac1578420c0f0bd4ad406da8110_NeikiAnalytics.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:1852
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1852 -s 352
  2⤵
  - Program crash
  PID:1524
- C:\Users\Admin\AppData\Local\Temp\08619ac1578420c0f0bd4ad406da8110_NeikiAnalytics.exe
  C:\Users\Admin\AppData\Local\Temp\08619ac1578420c0f0bd4ad406da8110_NeikiAnalytics.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  PID:4984
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4984 -s 344
    3⤵
    - Program crash
    PID:764
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4984 -s 628
    3⤵
    - Program crash
    PID:4844
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4984 -s 636
    3⤵
    - Program crash
    PID:4892
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4984 -s 672
    3⤵
    - Program crash
    PID:4232
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4984 -s 720
    3⤵
    - Program crash
    PID:992
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4984 -s 964
    3⤵
    - Program crash
    PID:3360
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4984 -s 1416
    3⤵
    - Program crash
    PID:2488
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4984 -s 1416
    3⤵
    - Program crash
    PID:5108
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4984 -s 1444
    3⤵
    - Program crash
    PID:2588
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4984 -s 1520
    3⤵
    - Program crash
    PID:2608
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4984 -s 1500
    3⤵
    - Program crash
    PID:2372
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4984 -s 1508
    3⤵
    - Program crash
    PID:544
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4984 -s 1528
    3⤵
    - Program crash
    PID:5112
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4984 -s 592
    3⤵
    - Program crash
    PID:1576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1852 -ip 1852
1⤵
PID:1440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 4984 -ip 4984
1⤵
PID:1676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 4984 -ip 4984
1⤵
PID:1040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4984 -ip 4984
1⤵
PID:3244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4984 -ip 4984
1⤵
PID:1080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4984 -ip 4984
1⤵
PID:3708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4984 -ip 4984
1⤵
PID:2888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 4984 -ip 4984
1⤵
PID:1560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4984 -ip 4984
1⤵
PID:2544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4984 -ip 4984
1⤵
PID:3068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4984 -ip 4984
1⤵
PID:4452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4984 -ip 4984
1⤵
PID:1020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4984 -ip 4984
1⤵
PID:3260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4984 -ip 4984
1⤵
PID:3524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4984 -ip 4984
1⤵
PID:4024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\08619ac1578420c0f0bd4ad406da8110_NeikiAnalytics.exe

Filesize
991KB

MD5
a9563ecc5e174485285431bac0e7643d

SHA1
3ea0268727b253167524c7d6d177de5a980e4e14

SHA256
352d9dca62524f8e70f1aa4250d3fef282d5146ce8bf1e5283d87edfc359ee88

SHA512
6d1fd8123cb121f41be24f1d423829fc9f38987853d0efe47ca45a9db244a45eba8a4b6099d2d971e4cddabb52e201996a0a2952caec2e4d4970bee7e44221c9

Download Submit
memory/1852-0-0x0000000000400000-0x00000000004F5000-memory.dmp

Filesize
980KB

Download
memory/1852-6-0x0000000000400000-0x00000000004F5000-memory.dmp

Filesize
980KB

Download
memory/4984-7-0x0000000000400000-0x00000000004F5000-memory.dmp

Filesize
980KB

Download
memory/4984-8-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/4984-14-0x0000000005090000-0x0000000005185000-memory.dmp

Filesize
980KB

Download
memory/4984-22-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4984-27-0x000000000B990000-0x000000000BA33000-memory.dmp

Filesize
652KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads