02e383641d1bee1031cb12872c7fa9782b8de3bda07f2cfb1613aa19cadf046e

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
04-06-2024 19:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d41eac03cf654c9e4657ad9fdc374fd0_NeikiAnalytics.exe
Size

448KB
MD5

d41eac03cf654c9e4657ad9fdc374fd0
SHA1

83a7997fdbeee20cb9991b0770d55539e04d374a
SHA256

02e383641d1bee1031cb12872c7fa9782b8de3bda07f2cfb1613aa19cadf046e
SHA512

98351697d45eba18bc12111f8c2f299e2d0e612ce85eba844a8392810ea24a4f9348adc5a769076ae604cdcedf7c1c8d13a14250ded528ea8650cc2ca20bd927
SSDEEP

6144:5QaQvgqRJLU/UkEjiPISUOgW9X+hOGzC/NM:5jQ1tkmZzcukG2/

Score

10^/10

backdoor dropper trojan

Malware Config

Signatures

Malware Dropper & Backdoor - Berbew 1 IoCs

Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.

backdoor trojan dropper

Processes:

resource	yara_rule
\Windows\SysWOW64\DTJQREV.exe	family_berbew

Executes dropped EXE 1 IoCs

Processes:

DTJQREV.exe

pid process

2296 DTJQREV.exe
Loads dropped DLL 2 IoCs

Processes:

cmd.exe

pid process

1260 cmd.exe
1260 cmd.exe

pid	process
2296	DTJQREV.exe

pid	process
1260	cmd.exe
1260	cmd.exe

Drops file in System32 directory 3 IoCs

Processes:

d41eac03cf654c9e4657ad9fdc374fd0_NeikiAnalytics.exe

description	ioc	process
File created	C:\windows\SysWOW64\DTJQREV.exe	d41eac03cf654c9e4657ad9fdc374fd0_NeikiAnalytics.exe
File opened for modification	C:\windows\SysWOW64\DTJQREV.exe	d41eac03cf654c9e4657ad9fdc374fd0_NeikiAnalytics.exe
File created	C:\windows\SysWOW64\DTJQREV.exe.bat	d41eac03cf654c9e4657ad9fdc374fd0_NeikiAnalytics.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

d41eac03cf654c9e4657ad9fdc374fd0_NeikiAnalytics.exeDTJQREV.exe

pid process

1728 d41eac03cf654c9e4657ad9fdc374fd0_NeikiAnalytics.exe
2296 DTJQREV.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

d41eac03cf654c9e4657ad9fdc374fd0_NeikiAnalytics.exeDTJQREV.exe

pid	process
1728	d41eac03cf654c9e4657ad9fdc374fd0_NeikiAnalytics.exe
1728	d41eac03cf654c9e4657ad9fdc374fd0_NeikiAnalytics.exe
2296	DTJQREV.exe
2296	DTJQREV.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

d41eac03cf654c9e4657ad9fdc374fd0_NeikiAnalytics.execmd.exe

description	pid	process	target process
PID 1728 wrote to memory of 1260	1728	d41eac03cf654c9e4657ad9fdc374fd0_NeikiAnalytics.exe	cmd.exe
PID 1728 wrote to memory of 1260	1728	d41eac03cf654c9e4657ad9fdc374fd0_NeikiAnalytics.exe	cmd.exe
PID 1728 wrote to memory of 1260	1728	d41eac03cf654c9e4657ad9fdc374fd0_NeikiAnalytics.exe	cmd.exe
PID 1728 wrote to memory of 1260	1728	d41eac03cf654c9e4657ad9fdc374fd0_NeikiAnalytics.exe	cmd.exe
PID 1260 wrote to memory of 2296	1260	cmd.exe	DTJQREV.exe
PID 1260 wrote to memory of 2296	1260	cmd.exe	DTJQREV.exe
PID 1260 wrote to memory of 2296	1260	cmd.exe	DTJQREV.exe
PID 1260 wrote to memory of 2296	1260	cmd.exe	DTJQREV.exe

C:\Users\Admin\AppData\Local\Temp\d41eac03cf654c9e4657ad9fdc374fd0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\d41eac03cf654c9e4657ad9fdc374fd0_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1728
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\windows\system32\DTJQREV.exe.bat" "
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1260
- - C:\windows\SysWOW64\DTJQREV.exe
    C:\windows\system32\DTJQREV.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2296

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\DTJQREV.exe.bat

Filesize
78B

MD5
985094a7f967258ea79b35300417dff4

SHA1
badee64ff9eff39c228dbdeec171d5cabf147874

SHA256
bddc119d65a92135e2f6a801d45e669dfab28676cb1c54cf4c11ab481debdd9a

SHA512
cd356bd4485d82b5f3e8eaa2ad9697a0fe561c206e7307f1f026c69f486910470e0d62885bdd037cb05c1ccb14e47ea57154cbd514e10409a9fed63ac8ed469e

Download Submit
\Windows\SysWOW64\DTJQREV.exe

Filesize
448KB

MD5
adcda93aad2b0939494e5a16a019f5e6

SHA1
c2b5e4368c8860ca4681251f007c3d54b4db9922

SHA256
cc9026b830e0aafe229af0d8049d9ee0ed0c99228ff6a9e7024e8cdaadd75afb

SHA512
d78ab00de8ccb07706f75297f7c987e59f446f7c32f1aff2e2c17f6f97b99cb56bb457b99cdadc42f02d44088a8385a3cefee4288831b9815568042422ca0441

Download Submit
memory/1728-0-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1728-12-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2296-18-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2296-19-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download