764bd7a949c6722f68c8e5ca5919c40e01412da5bb95c698a5955da99b66b7ca

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
10/05/2024, 11:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d687827b4cd0306f877de087e6992ca0_NeikiAnalytics.exe
Size

82KB
MD5

d687827b4cd0306f877de087e6992ca0
SHA1

f4708547ba2b91defc5d2e64c193a79b92e8b30f
SHA256

764bd7a949c6722f68c8e5ca5919c40e01412da5bb95c698a5955da99b66b7ca
SHA512

06bf7dcb57ad2650c34dd66794df9faf7fd426b4d9cf946bc1c79a1605efb13cc67ab3c93d71a7191968faddca8629ca8bbfd7f5fbe5bcc302b5730412ec5a51
SSDEEP

1536:YAowfUJFgjT284U+w2EwRz6OlvaeEpIaCtwUaSvcmGCCCCCHCChCHCCCdg1WCCCz:YAowyFgjTiUkEwt6OlvaeEpIaCtwUaSQ

Score

7^/10

persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2244	microsofthelp.exe

Executes dropped EXE 1 IoCs

pid	Process
2244	microsofthelp.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\microsofthelp = "C:\\Windows\\microsofthelp.exe"	d687827b4cd0306f877de087e6992ca0_NeikiAnalytics.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\microsofthelp.exe	d687827b4cd0306f877de087e6992ca0_NeikiAnalytics.exe
File created	C:\Windows\HidePlugin.dll	microsofthelp.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1592 wrote to memory of 2244	1592	d687827b4cd0306f877de087e6992ca0_NeikiAnalytics.exe	83
PID 1592 wrote to memory of 2244	1592	d687827b4cd0306f877de087e6992ca0_NeikiAnalytics.exe	83
PID 1592 wrote to memory of 2244	1592	d687827b4cd0306f877de087e6992ca0_NeikiAnalytics.exe	83

C:\Users\Admin\AppData\Local\Temp\d687827b4cd0306f877de087e6992ca0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\d687827b4cd0306f877de087e6992ca0_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1592
- C:\Windows\microsofthelp.exe
  "C:\Windows\microsofthelp.exe"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Drops file in Windows directory
  PID:2244

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\microsofthelp.exe

Filesize
82KB

MD5
27008aed4f9ca15eae90e8e4e8b6f00c

SHA1
a9891a7caa6ac3274a3fa3b957f02e47d1dc31c6

SHA256
ed3bebe58d9a2f443cce078bb245125b4f585daa1bea18f366ae245d34fe7031

SHA512
3d128fac5ba1039bd3f78fb2cfee12717f995c81878d6e26397a40cad300739d63b09c6a3dc35f6b85f26231e2c715daf246f0089ed40cd9761a113c620bc1ea

Download Submit
memory/1592-0-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2244-4-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2244-6-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads