5007866c177cda4149bf5d25f2f5925d154952426458b82799bcba2d10591756

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
09/05/2024, 16:45

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

949c828d8b1f17a913ff7b8649c30910_NeikiAnalytics.exe
Size

1.0MB
MD5

949c828d8b1f17a913ff7b8649c30910
SHA1

0837c63ee34e4929549b60cf75f240b4b42f9dcd
SHA256

5007866c177cda4149bf5d25f2f5925d154952426458b82799bcba2d10591756
SHA512

ee0daa3a89d39c81c98df73f27506b72b9957683b61cf2eaec8bcb3ba9a13a7be6e2bfe424ff9fe0a93f500604244d038894ee366b3b0f70cc194932a5541b07
SSDEEP

24576:wyVBoonDym54o9P3jLWl6XnTt5VAfQ8a/ZSbH77Lv+f6T8f:wyPbt3vWk5yQ8g4Hbg

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1296	949c828d8b1f17a913ff7b8649c30910_NeikiAnalytics.exe

Executes dropped EXE 1 IoCs

pid	Process
1296	949c828d8b1f17a913ff7b8649c30910_NeikiAnalytics.exe

Loads dropped DLL 1 IoCs

pid	Process
2156	949c828d8b1f17a913ff7b8649c30910_NeikiAnalytics.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
3	pastebin.com
4	pastebin.com

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1296	949c828d8b1f17a913ff7b8649c30910_NeikiAnalytics.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2156	949c828d8b1f17a913ff7b8649c30910_NeikiAnalytics.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
1296	949c828d8b1f17a913ff7b8649c30910_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2156 wrote to memory of 1296	2156	949c828d8b1f17a913ff7b8649c30910_NeikiAnalytics.exe	29
PID 2156 wrote to memory of 1296	2156	949c828d8b1f17a913ff7b8649c30910_NeikiAnalytics.exe	29
PID 2156 wrote to memory of 1296	2156	949c828d8b1f17a913ff7b8649c30910_NeikiAnalytics.exe	29
PID 2156 wrote to memory of 1296	2156	949c828d8b1f17a913ff7b8649c30910_NeikiAnalytics.exe	29

C:\Users\Admin\AppData\Local\Temp\949c828d8b1f17a913ff7b8649c30910_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\949c828d8b1f17a913ff7b8649c30910_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2156
- C:\Users\Admin\AppData\Local\Temp\949c828d8b1f17a913ff7b8649c30910_NeikiAnalytics.exe
  C:\Users\Admin\AppData\Local\Temp\949c828d8b1f17a913ff7b8649c30910_NeikiAnalytics.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  PID:1296

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\949c828d8b1f17a913ff7b8649c30910_NeikiAnalytics.exe

Filesize
1.0MB

MD5
3a2799f5497db9faedfe6fb9a8d1605e

SHA1
eeac305ab44a8c61307b2478353b011f3bd50643

SHA256
96af30854334e441bdbf197ec883c05ce976f893c2c861b8fe508250bf92c3b9

SHA512
a1e57c75bf41b1f43dede097c8ae0c0713aba07180e56beb80e51f81bebb1feb68f6fe9916dfb1f81994e8c18ada7f469ac3dac0b8a30203e01bf39701f18fea

Download Submit
memory/1296-9-0x0000000000400000-0x00000000004ED000-memory.dmp

Filesize
948KB

Download
memory/1296-10-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/1296-16-0x0000000002EB0000-0x0000000002F9D000-memory.dmp

Filesize
948KB

Download
memory/1296-32-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1296-38-0x000000000D6E0000-0x000000000D783000-memory.dmp

Filesize
652KB

Download
memory/2156-0-0x0000000000400000-0x00000000004ED000-memory.dmp

Filesize
948KB

Download
memory/2156-7-0x0000000000400000-0x00000000004ED000-memory.dmp

Filesize
948KB

Download