8eabea45c19ae6bf11906b539c523dc40ac1669cba70b0259e444778b2b90f49

Analysis

max time kernel
134s
max time network
135s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
10-05-2024 01:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

44024b79e2cad4ea7d0c34c1ecbed5e0_NeikiAnalytics.exe
Size

361KB
MD5

44024b79e2cad4ea7d0c34c1ecbed5e0
SHA1

eb05f296ec18b093d1d8159441575736aba92588
SHA256

8eabea45c19ae6bf11906b539c523dc40ac1669cba70b0259e444778b2b90f49
SHA512

7075a175935c87ada3ae214c48c8800d6c1ee25db7a08ddc2b836146f2d0ff62530bc81e850aab222306ebc9582adfae376bfdd76ac3e62c976dd10e67cc3367
SSDEEP

1536:g7pZtfgkAqJlV+n1EgGHo7P1YPx28W10uAQBFRY:OpHgkZl0nt/P1YPxZu3FRY

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2076	jusched.exe

Loads dropped DLL 2 IoCs

pid	Process
2192	44024b79e2cad4ea7d0c34c1ecbed5e0_NeikiAnalytics.exe
2192	44024b79e2cad4ea7d0c34c1ecbed5e0_NeikiAnalytics.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2192-0-0x0000000000400000-0x000000000045A000-memory.dmp	upx
behavioral1/files/0x0035000000014171-5.dat	upx
behavioral1/memory/2192-7-0x0000000002A20000-0x0000000002A7A000-memory.dmp	upx
behavioral1/memory/2192-13-0x0000000000400000-0x000000000045A000-memory.dmp	upx
behavioral1/memory/2076-14-0x0000000000400000-0x000000000045A000-memory.dmp	upx

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\95279e52\jusched.exe	44024b79e2cad4ea7d0c34c1ecbed5e0_NeikiAnalytics.exe
File created	C:\Program Files (x86)\95279e52\95279e52	44024b79e2cad4ea7d0c34c1ecbed5e0_NeikiAnalytics.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\Update23.job	44024b79e2cad4ea7d0c34c1ecbed5e0_NeikiAnalytics.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2192 wrote to memory of 2076	2192	44024b79e2cad4ea7d0c34c1ecbed5e0_NeikiAnalytics.exe	28
PID 2192 wrote to memory of 2076	2192	44024b79e2cad4ea7d0c34c1ecbed5e0_NeikiAnalytics.exe	28
PID 2192 wrote to memory of 2076	2192	44024b79e2cad4ea7d0c34c1ecbed5e0_NeikiAnalytics.exe	28
PID 2192 wrote to memory of 2076	2192	44024b79e2cad4ea7d0c34c1ecbed5e0_NeikiAnalytics.exe	28

C:\Users\Admin\AppData\Local\Temp\44024b79e2cad4ea7d0c34c1ecbed5e0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\44024b79e2cad4ea7d0c34c1ecbed5e0_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2192
- C:\Program Files (x86)\95279e52\jusched.exe
  "C:\Program Files (x86)\95279e52\jusched.exe"
  2⤵
  - Executes dropped EXE
  PID:2076

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\95279e52\95279e52

Filesize
17B

MD5
80e7928b124479791c52c09d831495f6

SHA1
94c8cb5ce4b1c1e70a2802efc22395c1003fc8bd

SHA256
a6bb92ad6bdd253818b2660e9befc8e3689b3bee61233f7a67a6ca0695acab12

SHA512
5183e48a8dc4f64277b7a0303f97b704ffa63dcc7256aaddb69994ef108f2f2922d9ec9a62eda403eed6c4f66dd719297c9d24e997f662eded63a49810493d2d

Download Submit
\Program Files (x86)\95279e52\jusched.exe

Filesize
361KB

MD5
80d98954d3ac8913450f5ed7d5941dde

SHA1
8850955e7d8cead6ad23b02395a753706e43fc7c

SHA256
eef05e31d1392187bcd37cb88ed4be33cf6762d50165614be30610ba5ba0b12a

SHA512
a22add2df0874323cc8b58a1448bbc71f3cb08d1856b9101fa409ab433bed0849bf998e73c5936060308bbae5e4801c7c07fa89e24a6ff50a099fc1e1682da98

Download Submit
memory/2076-14-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2192-0-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2192-7-0x0000000002A20000-0x0000000002A7A000-memory.dmp

Filesize
360KB

Download
memory/2192-13-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download