d2dc2280ff33dc59c7ae3a27c8cb46252b199cbdaa8f7d9f78949aba92bc9bb0

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
10-05-2024 15:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

109ead86537dea44d7cd97f1261446c0_NeikiAnalytics.exe
Size

31KB
MD5

109ead86537dea44d7cd97f1261446c0
SHA1

d135737c2a99678c386f78b3c055eebc3b242566
SHA256

d2dc2280ff33dc59c7ae3a27c8cb46252b199cbdaa8f7d9f78949aba92bc9bb0
SHA512

e494479b0246b8604d8f484307965b4d213cb35e93b24fdc52e0fe16cdb8e5033b8e7601b5c1cafd9401cc122863e88f8c1cd06825d3655de71ab8a22ce58f7e
SSDEEP

192:KlApk98m4e0/IDJh/5ZQcvoyne4t/PQ3Pw1C0SluWbiWBNEckcVhJriEcIDY:MApc8m4e0GvQak4JI341C0abnk6hJPQ

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2756	sal.exe

Loads dropped DLL 2 IoCs

pid	Process
1948	109ead86537dea44d7cd97f1261446c0_NeikiAnalytics.exe
1948	109ead86537dea44d7cd97f1261446c0_NeikiAnalytics.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	\??\c:\windows\SysWOW64\sal.exe	109ead86537dea44d7cd97f1261446c0_NeikiAnalytics.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1948 wrote to memory of 2756	1948	109ead86537dea44d7cd97f1261446c0_NeikiAnalytics.exe	28
PID 1948 wrote to memory of 2756	1948	109ead86537dea44d7cd97f1261446c0_NeikiAnalytics.exe	28
PID 1948 wrote to memory of 2756	1948	109ead86537dea44d7cd97f1261446c0_NeikiAnalytics.exe	28
PID 1948 wrote to memory of 2756	1948	109ead86537dea44d7cd97f1261446c0_NeikiAnalytics.exe	28

C:\Users\Admin\AppData\Local\Temp\109ead86537dea44d7cd97f1261446c0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\109ead86537dea44d7cd97f1261446c0_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1948
- C:\windows\SysWOW64\sal.exe
  "C:\windows\system32\sal.exe"
  2⤵
  - Executes dropped EXE
  PID:2756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\sal.exe

Filesize
31KB

MD5
b39c063598db775e9c9c5793c89fdf9c

SHA1
17939417f5fceea3609b83e7d445a183cffa224b

SHA256
a196aba5bf9a4e6a34073caeaa6ff35e4032e514d7f056540f04afcb77bc09fe

SHA512
02caf8f2cb473d82fb5d19a86281aa7dcc960220dbe48d9be7e6ab85c43863400ffb3ec1f86bc651b47adb2d8bb0a12fe5b48f60ebc35a628d909a6ddceb8bc7

Download Submit
memory/1948-0-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1948-9-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2756-12-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download