02a2bb3a771f4517f04900e23cb73f4b94d7d8190152fa2fd337efd774cd2d46

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
10/05/2024, 19:13

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

4f4ca1c6d591e04bc6994de0a5e2f650_NeikiAnalytics.exe
Size

111KB
MD5

4f4ca1c6d591e04bc6994de0a5e2f650
SHA1

417552b2b510e2e7496a26d38376dcf3e2404a05
SHA256

02a2bb3a771f4517f04900e23cb73f4b94d7d8190152fa2fd337efd774cd2d46
SHA512

6b141b56a0627c09021bb02b212f5b28b59d7e0850a77ba4b606514a351efe444a59acce916aa2a736a1c730def1423a70c748aeb88de0a5fad1eca359278bc5
SSDEEP

1536:ELNIW39SaZTbFARlq7jC1OZstZu0TSVEdUJWTWd18ff:ELlbZTZX3BAtTSVEdUJWTWd18ff

Score

7^/10

persistence upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
3068	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2332	guifx.exe

Loads dropped DLL 1 IoCs

pid	Process
1752	4f4ca1c6d591e04bc6994de0a5e2f650_NeikiAnalytics.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1752-0-0x0000000000950000-0x000000000096C000-memory.dmp	upx
behavioral1/files/0x0034000000015d07-2.dat	upx
behavioral1/memory/2332-7-0x0000000000080000-0x000000000009C000-memory.dmp	upx
behavioral1/memory/1752-8-0x0000000000950000-0x000000000096C000-memory.dmp	upx
behavioral1/memory/1752-10-0x0000000000950000-0x000000000096C000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\Graphics = "\"C:\\ProgramData\\Graphics\\guifx.exe\" /run"	4f4ca1c6d591e04bc6994de0a5e2f650_NeikiAnalytics.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1752 wrote to memory of 2332	1752	4f4ca1c6d591e04bc6994de0a5e2f650_NeikiAnalytics.exe	28
PID 1752 wrote to memory of 2332	1752	4f4ca1c6d591e04bc6994de0a5e2f650_NeikiAnalytics.exe	28
PID 1752 wrote to memory of 2332	1752	4f4ca1c6d591e04bc6994de0a5e2f650_NeikiAnalytics.exe	28
PID 1752 wrote to memory of 2332	1752	4f4ca1c6d591e04bc6994de0a5e2f650_NeikiAnalytics.exe	28
PID 1752 wrote to memory of 3068	1752	4f4ca1c6d591e04bc6994de0a5e2f650_NeikiAnalytics.exe	29
PID 1752 wrote to memory of 3068	1752	4f4ca1c6d591e04bc6994de0a5e2f650_NeikiAnalytics.exe	29
PID 1752 wrote to memory of 3068	1752	4f4ca1c6d591e04bc6994de0a5e2f650_NeikiAnalytics.exe	29
PID 1752 wrote to memory of 3068	1752	4f4ca1c6d591e04bc6994de0a5e2f650_NeikiAnalytics.exe	29

C:\Users\Admin\AppData\Local\Temp\4f4ca1c6d591e04bc6994de0a5e2f650_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\4f4ca1c6d591e04bc6994de0a5e2f650_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1752
- C:\ProgramData\Graphics\guifx.exe
  "C:\ProgramData\Graphics\guifx.exe" /run
  2⤵
  - Executes dropped EXE
  PID:2332
- C:\windows\SysWOW64\cmd.exe
  "C:\windows\system32\cmd.exe" /c del /q "C:\Users\Admin\AppData\Local\Temp\4f4ca1c6d591e04bc6994de0a5e2f650_NeikiAnalytics.exe" >> NUL
  2⤵
  - Deletes itself
  PID:3068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\ProgramData\Graphics\guifx.exe

Filesize
111KB

MD5
6b14c587256355442ea2e8344d6fe886

SHA1
f1dae5a610290781abd982fce685e36860f3a523

SHA256
4aacb05544716ff6898656c0453e003ec9f18d29ff9ce223d68d7938701ec1f5

SHA512
f6a3cb99e0567b089e09a48dc4e3fb7f0110991d69a6b7aba45c3067ed00b9c519b9e7a135f366ab12de03d93be71cc26f9cc2a2c8c00e8c08d9b01ecbb89580

Download Submit
memory/1752-0-0x0000000000950000-0x000000000096C000-memory.dmp

Filesize
112KB

Download
memory/1752-6-0x0000000000080000-0x000000000009C000-memory.dmp

Filesize
112KB

Download
memory/1752-8-0x0000000000950000-0x000000000096C000-memory.dmp

Filesize
112KB

Download
memory/1752-9-0x0000000000080000-0x000000000009C000-memory.dmp

Filesize
112KB

Download
memory/1752-10-0x0000000000950000-0x000000000096C000-memory.dmp

Filesize
112KB

Download
memory/2332-7-0x0000000000080000-0x000000000009C000-memory.dmp

Filesize
112KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads