5ad7895a3dfb5cdec30ead4ddb2574ea10ab50fd23e8506cece03c9caed0a3f9

Analysis

max time kernel
120s
max time network
124s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
09/05/2024, 17:48

Target

b06ab67b29448cb230ec8cf37b546ff0_NeikiAnalytics.exe
Size

289KB
MD5

b06ab67b29448cb230ec8cf37b546ff0
SHA1

bce511c7ef929be8b8ab8ff6f82a09e34b93b630
SHA256

5ad7895a3dfb5cdec30ead4ddb2574ea10ab50fd23e8506cece03c9caed0a3f9
SHA512

0f860d08ee7e07b60db35ecfdc61c532a2322f09394f2e6837bbb64e74692eee52d1af2c24d0c8f385d5cb60ce9bc4bfe0c6ee08e0d19d8a18a6400aca8e11aa
SSDEEP

3072:bjoYk+xGI8U1XLS+PdLfL1zlGMoekBoge4pLthECQT68VMJLaQljVvzUpz:HoYkvIHffLWKumkECzJLaQVbU5

Score

7^/10

Executes dropped EXE 1 IoCs

pid	Process
2148	LMF.exe

Loads dropped DLL 2 IoCs

pid	Process
3020	cmd.exe
3020	cmd.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\windows\SysWOW64\LMF.exe	b06ab67b29448cb230ec8cf37b546ff0_NeikiAnalytics.exe
File opened for modification	C:\windows\SysWOW64\LMF.exe	b06ab67b29448cb230ec8cf37b546ff0_NeikiAnalytics.exe
File created	C:\windows\SysWOW64\LMF.exe.bat	b06ab67b29448cb230ec8cf37b546ff0_NeikiAnalytics.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2896	b06ab67b29448cb230ec8cf37b546ff0_NeikiAnalytics.exe
2148	LMF.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2896	b06ab67b29448cb230ec8cf37b546ff0_NeikiAnalytics.exe
2896	b06ab67b29448cb230ec8cf37b546ff0_NeikiAnalytics.exe
2148	LMF.exe
2148	LMF.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2896 wrote to memory of 3020	2896	b06ab67b29448cb230ec8cf37b546ff0_NeikiAnalytics.exe	28
PID 2896 wrote to memory of 3020	2896	b06ab67b29448cb230ec8cf37b546ff0_NeikiAnalytics.exe	28
PID 2896 wrote to memory of 3020	2896	b06ab67b29448cb230ec8cf37b546ff0_NeikiAnalytics.exe	28
PID 2896 wrote to memory of 3020	2896	b06ab67b29448cb230ec8cf37b546ff0_NeikiAnalytics.exe	28
PID 3020 wrote to memory of 2148	3020	cmd.exe	30
PID 3020 wrote to memory of 2148	3020	cmd.exe	30
PID 3020 wrote to memory of 2148	3020	cmd.exe	30
PID 3020 wrote to memory of 2148	3020	cmd.exe	30

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

C:\Windows\SysWOW64\LMF.exe.bat

Filesize
70B

MD5
4ef96a153cf11e5d784522c5b233260e

SHA1
0b963b3032184374edcd581e8f1ea2f83b4bc9de

SHA256
62201f0a54265eb5c766307a3599dc3f5a2fcda8241f163ef20b957fc5fcd70d

SHA512
7270a38142293482d1d3172e1494dd2e8b43c3d12f94e0a72237ff3e8b25f727b3ea220d086cd2d25c5342d2713c8e656072f97e4d2d91702315a7ca185f5c6f

Download Submit
\Windows\SysWOW64\LMF.exe

Filesize
289KB

MD5
e1c304dd685920c348b4808612e06b99

SHA1
27dd1266466871add3ed7546c054225bcf650d62

SHA256
9997a1b8b05f414e880865208f68767727ac0b9c16606fc4d4f2f1528481f2f9

SHA512
79c27a0bf21c9f5c4cb59edd13c0ce86d2eb967deaa49a6d610332dd32d9f44febaf574639608b503d8186f9d85bc9bb892af02eb6d107a83797932e0fcd0be7

Download Submit
memory/2148-20-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2148-21-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2896-0-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2896-12-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3020-19-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3020-16-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download