ff63c92969fd3b760f105c8171f27c2e514280473486187acba7be63c3c6cfd1

Analysis

max time kernel
148s
max time network
149s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
09-05-2024 13:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4b8256fe73c813408292f8da1afedac0_NeikiAnalytics.exe
Size

34KB
MD5

4b8256fe73c813408292f8da1afedac0
SHA1

03679fd9cd614df782bb02eb646ca9a9b3884293
SHA256

ff63c92969fd3b760f105c8171f27c2e514280473486187acba7be63c3c6cfd1
SHA512

70be5e30553b6be6ea05a1b56787d08d05303a016ef965c3fb9a75e46e87b6df4b35b2c112e4853864fd4521ab29d4b177f29fab783f44bf6f7914833b0afd6a
SSDEEP

768:AGMK5/+4HOj1TStcXu105gEJQhyG+YOFd:HZ5/+kOj1TLvJQhyeOFd

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2108	opera_updater.exe

Loads dropped DLL 1 IoCs

pid	Process
2236	4b8256fe73c813408292f8da1afedac0_NeikiAnalytics.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2236 wrote to memory of 2108	2236	4b8256fe73c813408292f8da1afedac0_NeikiAnalytics.exe	28
PID 2236 wrote to memory of 2108	2236	4b8256fe73c813408292f8da1afedac0_NeikiAnalytics.exe	28
PID 2236 wrote to memory of 2108	2236	4b8256fe73c813408292f8da1afedac0_NeikiAnalytics.exe	28
PID 2236 wrote to memory of 2108	2236	4b8256fe73c813408292f8da1afedac0_NeikiAnalytics.exe	28
PID 2236 wrote to memory of 2108	2236	4b8256fe73c813408292f8da1afedac0_NeikiAnalytics.exe	28
PID 2236 wrote to memory of 2108	2236	4b8256fe73c813408292f8da1afedac0_NeikiAnalytics.exe	28
PID 2236 wrote to memory of 2108	2236	4b8256fe73c813408292f8da1afedac0_NeikiAnalytics.exe	28

C:\Users\Admin\AppData\Local\Temp\4b8256fe73c813408292f8da1afedac0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\4b8256fe73c813408292f8da1afedac0_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2236
- C:\Users\Admin\AppData\Local\Temp\opera_updater.exe
  "C:\Users\Admin\AppData\Local\Temp\opera_updater.exe"
  2⤵
  - Executes dropped EXE
  PID:2108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\opera_updater.exe

Filesize
34KB

MD5
baa91b0eb163ec4b3bfbff15c3b4a7eb

SHA1
c64780f3e9d10ca78f780c87cdf059dc5409ddeb

SHA256
1e11ec49f5a5c0f1f03b5c5fc39f006f1ecf70283746f5aa5b8dfa19c21bfad9

SHA512
1872c2ca6a18786269e1f72b76b9bf2c61c87f7b19e6290316e42c7dca42e6a0e0ed14ad8e9ca86b5bdc8044db3d1ebf2c8299c5e31a050d2080ae9e58c73760

Download Submit
memory/2108-8-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2236-1-0x0000000000401000-0x0000000000403000-memory.dmp

Filesize
8KB

Download