Analysis
max time kernel: 118s
max time network: 119s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 05-06-2024 02:02
Behavioral task: behavioral1
Sample: 296676abd5bf566947f9292a3d689bb0_NeikiAnalytics.exe
Resource: win7-20240508-en
General
Target: 296676abd5bf566947f9292a3d689bb0_NeikiAnalytics.exe
Size: 384KB
MD5: 296676abd5bf566947f9292a3d689bb0
SHA1: d276a3e6d1eaf4122fd64daeb2c12a04ac8f5294
SHA256: 773bd6f37bd8703faffedb3b5be6f248f11b41f73681e4131cfaab56a63bc703
SHA512: 768dcb1acb069caa45fa62e8ff41565e5c6cfceb29c4aea3b46f23a50b9f9572daca809be2b34c057eadd3012e63eb1816d503c6619b51fc4fbe8287d75d2928
SSDEEP: 6144:Ql6cUbD+nhLDEDCh10kEjiPISUOgW9X+hOGzC/NM:Ql6coinhLDEDnkmZzcukG2/
Malware Config
Signatures

Malware Dropper & Backdoor - Berbew (1 IoC)
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
Processes:
resource | yara_rule
\Windows\SysWOW64\BICSE.exe | family_berbew

Executes dropped EXE (1 IoC)
Processes:
pid | process
2608 | BICSE.exe

Loads dropped DLL (2 IoCs)
Processes:
pid | process
2068 | cmd.exe
2068 | cmd.exe

Drops file in System32 directory (3 IoCs)
Processes:
description | ioc | process
File created | C:\windows\SysWOW64\BICSE.exe | 296676abd5bf566947f9292a3d689bb0_NeikiAnalytics.exe
File opened for modification | C:\windows\SysWOW64\BICSE.exe | 296676abd5bf566947f9292a3d689bb0_NeikiAnalytics.exe
File created | C:\windows\SysWOW64\BICSE.exe.bat | 296676abd5bf566947f9292a3d689bb0_NeikiAnalytics.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
pid | process
2548 | 296676abd5bf566947f9292a3d689bb0_NeikiAnalytics.exe
2608 | BICSE.exe

Suspicious use of SetWindowsHookEx (4 IoCs)
Processes:
pid | process
2548 | 296676abd5bf566947f9292a3d689bb0_NeikiAnalytics.exe
2548 | 296676abd5bf566947f9292a3d689bb0_NeikiAnalytics.exe
2608 | BICSE.exe
2608 | BICSE.exe

Suspicious use of WriteProcessMemory (8 IoCs)
Processes:
description | pid | process | target process
PID 2548 wrote to memory of 2068 | 2548 | 296676abd5bf566947f9292a3d689bb0_NeikiAnalytics.exe | cmd.exe
PID 2548 wrote to memory of 2068 | 2548 | 296676abd5bf566947f9292a3d689bb0_NeikiAnalytics.exe | cmd.exe
PID 2548 wrote to memory of 2068 | 2548 | 296676abd5bf566947f9292a3d689bb0_NeikiAnalytics.exe | cmd.exe
PID 2548 wrote to memory of 2068 | 2548 | 296676abd5bf566947f9292a3d689bb0_NeikiAnalytics.exe | cmd.exe
PID 2068 wrote to memory of 2608 | 2068 | cmd.exe | BICSE.exe
PID 2068 wrote to memory of 2608 | 2068 | cmd.exe | BICSE.exe
PID 2068 wrote to memory of 2608 | 2068 | cmd.exe | BICSE.exe
PID 2068 wrote to memory of 2608 | 2068 | cmd.exe | BICSE.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\296676abd5bf566947f9292a3d689bb0_NeikiAnalytics.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\296676abd5bf566947f9292a3d689bb0_NeikiAnalytics.exe"
   - Drops file in System32 directory
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\cmd.exe (child of 1)
      Command line: cmd /c ""C:\windows\system32\BICSE.exe.bat" "
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory

      3. C:\windows\SysWOW64\BICSE.exe (child of 2)
         Command line: C:\windows\system32\BICSE.exe
         - Executes dropped EXE
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads

C:\Windows\SysWOW64\BICSE.exe.bat
Filesize: 74B
MD5: 05d19e9ca2da82b9ee1187ead56e8582
SHA1: 5be1e2c3cd4ad84ece9bfa9db7e68b8ae8b73678
SHA256: 4a0d8a9598549f838ee38b5c1c12f8810ce9738761c1980b5b08c4b7a897d973
SHA512: f1ac6bfcdf349923452d867e857946202932fbf89e8d8f4d662760fc5f5dc892acd519987e966764e35a35431f875d5ba79f73d1debad3bbbca90f69bc842843

\Windows\SysWOW64\BICSE.exe
Filesize: 384KB
MD5: 95838ad6635305b884dd9bf90e5d4f37
SHA1: 29115396afafb96b6394e41afb9744574e752e63
SHA256: facd3da3e90ae64f64f7c74ec5042f288ae9da332e64cf302ac1e1f2db0c933b
SHA512: d3dbe96b73f194c17a59043fd953b6bfe19773cab8b70fd0f67fafdf974d744f1c1547180a1a628f8990391517a27329f67928ffd81fd93e2dcccab4bcccae0b

memory/2548-0-0x0000000000400000-0x0000000000439000-memory.dmp
Filesize: 228KB

memory/2548-12-0x0000000000400000-0x0000000000439000-memory.dmp
Filesize: 228KB

memory/2608-18-0x0000000000400000-0x0000000000439000-memory.dmp
Filesize: 228KB

memory/2608-19-0x0000000000400000-0x0000000000439000-memory.dmp
Filesize: 228KB