Overview

overview

10

Static

static

3

8590279f6e...cs.exe

windows7-x64

10

8590279f6e...cs.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09-05-2024 16:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8590279f6e6ae10cd77e7c3d47f85200_NeikiAnalytics.exe

  • Size

    43KB

  • MD5

    8590279f6e6ae10cd77e7c3d47f85200

  • SHA1

    23d67a42f896a29a1ade8770942c2d7619a82d7a

  • SHA256

    4560d83c549911318ea82cf9592a57d84a34716799a1d8180f1e2930d0156d38

  • SHA512

    874351be287097b138716b50e6f327841c4e3722a8391da5bfcd335f8ddeb117391d6775c6983968bae33412be8d0bd47c97e492a6fa7653a530caba86c5d594

  • SSDEEP

    768:qflivXrVKpVhKvtxwYHwVFoeAQVmucwU2AXWdt:8lqrVKprVuQV5

Score
10/10

Malware Config

Extracted

Credentials

  • Protocol:     ftp
  • Host:
    ftp.tripod.com
  • Port:
    21
  • Username:
    onthelinux
  • Password:
    741852abc

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8590279f6e6ae10cd77e7c3d47f85200_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\8590279f6e6ae10cd77e7c3d47f85200_NeikiAnalytics.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:3940
    • C:\Program Files (x86)\c8fc4291\jusched.exe
      "C:\Program Files (x86)\c8fc4291\jusched.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:3324

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\c8fc4291\c8fc4291
    Filesize

    13B

    MD5

    f253efe302d32ab264a76e0ce65be769

    SHA1

    768685ca582abd0af2fbb57ca37752aa98c9372b

    SHA256

    49dca65f362fee401292ed7ada96f96295eab1e589c52e4e66bf4aedda715fdd

    SHA512

    1990d20b462406bbadb22ba43f1ed9d0db6b250881d4ac89ad8cf6e43ca92b2fd31c3a15be1e6e149e42fdb46e58122c15bc7869a82c9490656c80df69fa77c4

    Download Submit

  • C:\Program Files (x86)\c8fc4291\jusched.exe
    Filesize

    43KB

    MD5

    5f2574e93c47054f261bb875ddadc50a

    SHA1

    03bf3388a42e83144f94a1c4b11e14bdb91c06ad

    SHA256

    9b2cb10b44c2cb8b4f54a54bc0cf2968316c8a7efe4a008d6e6269d6b0ce98f9

    SHA512

    da334b0fa9a200cd5a5cdb7227458e2419ddff6ed29dd6a7c51b5548c3329c06c8d4efb50f7203fa8739c129a5c1db56038e8994f80822e6280edddf2d3ac96a

    Download Submit

  • memory/3324-11-0x0000000000400000-0x0000000000420000-memory.dmp

    Filesize

    128KB

    Download

  • memory/3940-0-0x0000000000400000-0x0000000000420000-memory.dmp

    Filesize

    128KB

    Download

  • memory/3940-10-0x0000000000400000-0x0000000000420000-memory.dmp

    Filesize

    128KB

    Download