5b16d0a79784c13822e0c636ca09358ac89985eb522708f2225a40edfeb44b6a

Analysis

max time kernel
137s
max time network
139s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
11/05/2024, 00:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4359077919a018bdaa7cfc6b7e53f0c0_NeikiAnalytics.exe
Size

25KB
MD5

4359077919a018bdaa7cfc6b7e53f0c0
SHA1

bb5877a23f1bc8b3590ea035e0f0fa50a4f6ada8
SHA256

5b16d0a79784c13822e0c636ca09358ac89985eb522708f2225a40edfeb44b6a
SHA512

4eca16ea2c2cbe40f386783203a0499d2a37f4d581a9c80480721bc0fde15b22aa02d86fb374791d9dc0368a0c41fa162e2f86393ca4702b4e1bfd9663197fd3
SSDEEP

384:kzFouStKf7l1VRrNSeQc46+G9TTE0TIhuDsAoJ:IouFffo/c4lcTTEgfgAi

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1672	codecsupdater.exe

Loads dropped DLL 1 IoCs

pid	Process
1640	4359077919a018bdaa7cfc6b7e53f0c0_NeikiAnalytics.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1640 wrote to memory of 1672	1640	4359077919a018bdaa7cfc6b7e53f0c0_NeikiAnalytics.exe	28
PID 1640 wrote to memory of 1672	1640	4359077919a018bdaa7cfc6b7e53f0c0_NeikiAnalytics.exe	28
PID 1640 wrote to memory of 1672	1640	4359077919a018bdaa7cfc6b7e53f0c0_NeikiAnalytics.exe	28
PID 1640 wrote to memory of 1672	1640	4359077919a018bdaa7cfc6b7e53f0c0_NeikiAnalytics.exe	28
PID 1640 wrote to memory of 1672	1640	4359077919a018bdaa7cfc6b7e53f0c0_NeikiAnalytics.exe	28
PID 1640 wrote to memory of 1672	1640	4359077919a018bdaa7cfc6b7e53f0c0_NeikiAnalytics.exe	28
PID 1640 wrote to memory of 1672	1640	4359077919a018bdaa7cfc6b7e53f0c0_NeikiAnalytics.exe	28

C:\Users\Admin\AppData\Local\Temp\4359077919a018bdaa7cfc6b7e53f0c0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\4359077919a018bdaa7cfc6b7e53f0c0_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1640
- C:\Users\Admin\AppData\Local\Temp\codecsupdater.exe
  "C:\Users\Admin\AppData\Local\Temp\codecsupdater.exe"
  2⤵
  - Executes dropped EXE
  PID:1672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Cab1E1D.tmp

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar1E3F.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
\Users\Admin\AppData\Local\Temp\codecsupdater.exe

Filesize
25KB

MD5
33b2050517474686fab0e908499ed351

SHA1
bcd81e8371b4b9551d6b8184921d6c4132aaf22d

SHA256
412324aa8b60faf72e80136e38e097fa913c6d7aabc3e8e6f6d3befabe6d5ee7

SHA512
9cf754df2bc5e482b4ed87e5062a8c124a7b0f1b384a4b5e9295a490cbf6eb455950145f67c2b9f6c13f9274993f0579052d76fbec35c6f2c3d54229fe67b512

Download Submit
memory/1640-0-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1640-2-0x0000000000401000-0x0000000000402000-memory.dmp

Filesize
4KB

Download
memory/1640-8-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1672-9-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1672-11-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download