e3e1d817de443abd1a287f12130b236e25064eca464b6d6a54f9a43f04031ec3

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
10/05/2024, 07:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9c7a2f78c3eebdee2d1a7bfb40467460_NeikiAnalytics.exe
Size

258KB
MD5

9c7a2f78c3eebdee2d1a7bfb40467460
SHA1

0f85868317534181f4667af44944b0a6a275ca41
SHA256

e3e1d817de443abd1a287f12130b236e25064eca464b6d6a54f9a43f04031ec3
SHA512

813243075724b5335eec9f473f75c179e784b8b3468227b4fc33a12c29adc68cbf8232d5bd96759916e1dbc579a3d3cfb0d0dfb86f01fd4ddb1371dcbcc0d129
SSDEEP

6144:SNBn5rvqq1RqOXn6CRayuQFK2DYRn1oT/u8iYj:Sr5eI9n5RZtFLhxj

Score

8^/10

persistence

Malware Config

Signatures

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112

Executes dropped EXE 1 IoCs

pid	Process
2540	racmzae.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\PROGRA~3\Mozilla\ttbtowf.dll	racmzae.exe
File created	C:\PROGRA~3\Mozilla\racmzae.exe	9c7a2f78c3eebdee2d1a7bfb40467460_NeikiAnalytics.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2372	9c7a2f78c3eebdee2d1a7bfb40467460_NeikiAnalytics.exe
2540	racmzae.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1668 wrote to memory of 2540	1668	taskeng.exe	29
PID 1668 wrote to memory of 2540	1668	taskeng.exe	29
PID 1668 wrote to memory of 2540	1668	taskeng.exe	29
PID 1668 wrote to memory of 2540	1668	taskeng.exe	29

C:\Users\Admin\AppData\Local\Temp\9c7a2f78c3eebdee2d1a7bfb40467460_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\9c7a2f78c3eebdee2d1a7bfb40467460_NeikiAnalytics.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of UnmapMainImage
PID:2372

C:\Windows\system32\taskeng.exe
taskeng.exe {BE08D22E-D58D-4B45-8657-372ABA2757ED} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1668
- C:\PROGRA~3\Mozilla\racmzae.exe
  C:\PROGRA~3\Mozilla\racmzae.exe -cddhnyc
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of UnmapMainImage
  PID:2540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\Mozilla\racmzae.exe

Filesize
258KB

MD5
5c66ada505d4be9336d42a6049f0af0c

SHA1
7dfccb4322d3604b9da2bb89dabcc3f912fb4100

SHA256
866054569cf2f23b329f78e37a8f20171f119edab3f72dacff087b694c8df697

SHA512
610b697132eef1f7aa4d5555f2b624713ed4e40a764ed8fc971f254ced82661768adcbe459f1f2a8c5863a703c1f67073b239ce1de05647c5f04486ef4fd2f85

Download Submit
memory/2372-0-0x00000000002E0000-0x000000000033B000-memory.dmp

Filesize
364KB

Download
memory/2372-1-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2372-3-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2372-4-0x00000000002E0000-0x000000000033B000-memory.dmp

Filesize
364KB

Download
memory/2540-7-0x0000000000520000-0x000000000057B000-memory.dmp

Filesize
364KB

Download
memory/2540-8-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2540-10-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download