773bd6f37bd8703faffedb3b5be6f248f11b41f73681e4131cfaab56a63bc703

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
05-06-2024 02:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

296676abd5bf566947f9292a3d689bb0_NeikiAnalytics.exe
Size

384KB
MD5

296676abd5bf566947f9292a3d689bb0
SHA1

d276a3e6d1eaf4122fd64daeb2c12a04ac8f5294
SHA256

773bd6f37bd8703faffedb3b5be6f248f11b41f73681e4131cfaab56a63bc703
SHA512

768dcb1acb069caa45fa62e8ff41565e5c6cfceb29c4aea3b46f23a50b9f9572daca809be2b34c057eadd3012e63eb1816d503c6619b51fc4fbe8287d75d2928
SSDEEP

6144:Ql6cUbD+nhLDEDCh10kEjiPISUOgW9X+hOGzC/NM:Ql6coinhLDEDnkmZzcukG2/

Score

10^/10

backdoor dropper trojan

Malware Config

Signatures

Malware Dropper & Backdoor - Berbew 1 IoCs
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
backdoor trojan dropper

Processes:

resource yara_rule

\Windows\SysWOW64\BICSE.exe family_berbew
Executes dropped EXE 1 IoCs

Processes:

BICSE.exe

pid process

2608 BICSE.exe
Loads dropped DLL 2 IoCs

Processes:

cmd.exe

pid process

2068 cmd.exe
2068 cmd.exe

resource	yara_rule
\Windows\SysWOW64\BICSE.exe	family_berbew

pid	process
2608	BICSE.exe

pid	process
2068	cmd.exe
2068	cmd.exe

Drops file in System32 directory 3 IoCs

Processes:

296676abd5bf566947f9292a3d689bb0_NeikiAnalytics.exe

description	ioc	process
File created	C:\windows\SysWOW64\BICSE.exe	296676abd5bf566947f9292a3d689bb0_NeikiAnalytics.exe
File opened for modification	C:\windows\SysWOW64\BICSE.exe	296676abd5bf566947f9292a3d689bb0_NeikiAnalytics.exe
File created	C:\windows\SysWOW64\BICSE.exe.bat	296676abd5bf566947f9292a3d689bb0_NeikiAnalytics.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

296676abd5bf566947f9292a3d689bb0_NeikiAnalytics.exeBICSE.exe

pid process

2548 296676abd5bf566947f9292a3d689bb0_NeikiAnalytics.exe
2608 BICSE.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

296676abd5bf566947f9292a3d689bb0_NeikiAnalytics.exeBICSE.exe

pid process

2548 296676abd5bf566947f9292a3d689bb0_NeikiAnalytics.exe
2548 296676abd5bf566947f9292a3d689bb0_NeikiAnalytics.exe
2608 BICSE.exe
2608 BICSE.exe

pid	process
2548	296676abd5bf566947f9292a3d689bb0_NeikiAnalytics.exe
2608	BICSE.exe

pid	process
2548	296676abd5bf566947f9292a3d689bb0_NeikiAnalytics.exe
2548	296676abd5bf566947f9292a3d689bb0_NeikiAnalytics.exe
2608	BICSE.exe
2608	BICSE.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

296676abd5bf566947f9292a3d689bb0_NeikiAnalytics.execmd.exe

description	pid	process	target process
PID 2548 wrote to memory of 2068	2548	296676abd5bf566947f9292a3d689bb0_NeikiAnalytics.exe	cmd.exe
PID 2548 wrote to memory of 2068	2548	296676abd5bf566947f9292a3d689bb0_NeikiAnalytics.exe	cmd.exe
PID 2548 wrote to memory of 2068	2548	296676abd5bf566947f9292a3d689bb0_NeikiAnalytics.exe	cmd.exe
PID 2548 wrote to memory of 2068	2548	296676abd5bf566947f9292a3d689bb0_NeikiAnalytics.exe	cmd.exe
PID 2068 wrote to memory of 2608	2068	cmd.exe	BICSE.exe
PID 2068 wrote to memory of 2608	2068	cmd.exe	BICSE.exe
PID 2068 wrote to memory of 2608	2068	cmd.exe	BICSE.exe
PID 2068 wrote to memory of 2608	2068	cmd.exe	BICSE.exe

C:\Users\Admin\AppData\Local\Temp\296676abd5bf566947f9292a3d689bb0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\296676abd5bf566947f9292a3d689bb0_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2548

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\windows\system32\BICSE.exe.bat" "
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2068

C:\windows\SysWOW64\BICSE.exe
C:\windows\system32\BICSE.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2608

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\BICSE.exe.bat
Filesize
74B

MD5
05d19e9ca2da82b9ee1187ead56e8582

SHA1
5be1e2c3cd4ad84ece9bfa9db7e68b8ae8b73678

SHA256
4a0d8a9598549f838ee38b5c1c12f8810ce9738761c1980b5b08c4b7a897d973

SHA512
f1ac6bfcdf349923452d867e857946202932fbf89e8d8f4d662760fc5f5dc892acd519987e966764e35a35431f875d5ba79f73d1debad3bbbca90f69bc842843

Download Submit
\Windows\SysWOW64\BICSE.exe
Filesize
384KB

MD5
95838ad6635305b884dd9bf90e5d4f37

SHA1
29115396afafb96b6394e41afb9744574e752e63

SHA256
facd3da3e90ae64f64f7c74ec5042f288ae9da332e64cf302ac1e1f2db0c933b

SHA512
d3dbe96b73f194c17a59043fd953b6bfe19773cab8b70fd0f67fafdf974d744f1c1547180a1a628f8990391517a27329f67928ffd81fd93e2dcccab4bcccae0b

Download Submit
memory/2548-0-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2548-12-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2608-18-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2608-19-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download