0c8f51dfd58caae81a9020107236b533d5b17e741607d8368e03648d748da105

Analysis

max time kernel
121s
max time network
123s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
09/05/2024, 23:59 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2605559e1f0c163e2414cf7eb965d0b0_NeikiAnalytics.exe
Size

180KB
MD5

2605559e1f0c163e2414cf7eb965d0b0
SHA1

d876618c9f1bf9c4666ff9f6f1a491487520f728
SHA256

0c8f51dfd58caae81a9020107236b533d5b17e741607d8368e03648d748da105
SHA512

0adb5a74ff7e591299837ceef19d25253a3b3c4f75be145647dd1929a1beae8cdb287523187fd91f4fe3e601e21811a304f4f48a58ce66dca63aaeaf331a0a1a
SSDEEP

3072:1bFZBpiJrsZnWdErsjzlp8fWrBCYQupyttsMvTrUSEJH/86DVJAkn42LHUw:1bF3pSwxraz8fGxQGMvTrPE3TJX

Score

8^/10

persistence

Malware Config

Signatures

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112

Executes dropped EXE 1 IoCs

pid	Process
2664	racmzae.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\PROGRA~3\Mozilla\racmzae.exe	2605559e1f0c163e2414cf7eb965d0b0_NeikiAnalytics.exe
File created	C:\PROGRA~3\Mozilla\ttbtowf.dll	racmzae.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1728	2605559e1f0c163e2414cf7eb965d0b0_NeikiAnalytics.exe
2664	racmzae.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2592 wrote to memory of 2664	2592	taskeng.exe	29
PID 2592 wrote to memory of 2664	2592	taskeng.exe	29
PID 2592 wrote to memory of 2664	2592	taskeng.exe	29
PID 2592 wrote to memory of 2664	2592	taskeng.exe	29

C:\Users\Admin\AppData\Local\Temp\2605559e1f0c163e2414cf7eb965d0b0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\2605559e1f0c163e2414cf7eb965d0b0_NeikiAnalytics.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of UnmapMainImage
PID:1728

C:\Windows\system32\taskeng.exe
taskeng.exe {9D1EE57F-530E-45DA-BE78-14560FADE3C9} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:2592
- C:\PROGRA~3\Mozilla\racmzae.exe
  C:\PROGRA~3\Mozilla\racmzae.exe -cddhnyc
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of UnmapMainImage
  PID:2664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\Mozilla\racmzae.exe

Filesize
180KB

MD5
c6c1e55739c058297b4b2b7e8a336158

SHA1
b23fa87ef33e80e6fa5321ccf09cafb162296521

SHA256
cd6b20a2ed04ade4ce57073c0435143f7ad2e5ded325abbf4765d452192e43f6

SHA512
9133ab6a66e2324260311d307d65408d6f1343216dca7330ac0cfa876fd695286ffa668c24b8233ec3caadedb771cdbceaa0aa0a480c13ca761094beaac311b9

Download Submit
memory/1728-2-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1728-1-0x00000000002E0000-0x000000000033B000-memory.dmp

Filesize
364KB

Download
memory/1728-0-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1728-4-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2664-7-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2664-9-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2664-8-0x0000000000460000-0x00000000004BB000-memory.dmp

Filesize
364KB

Download
memory/2664-11-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download