bdcce21ea0efef74d25ffe7a659fb0f338e66f63a935020bdc2a0b509e642881

Analysis

max time kernel
149s
max time network
118s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
11/05/2024, 03:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

73e1f37f4a8d47f433a1e1c19ec46d50_NeikiAnalytics.exe
Size

42KB
MD5

73e1f37f4a8d47f433a1e1c19ec46d50
SHA1

2108d0777db4b543096dc4dda4fd1124c39ca8d6
SHA256

bdcce21ea0efef74d25ffe7a659fb0f338e66f63a935020bdc2a0b509e642881
SHA512

293a50f09f9419584ba33a5c46c531a532ff3aa578850578e8d40b7ee59528b56808e12b0d6531caa900174746bdfe4997bf5256ebdfaa6e589bc88327a1005a
SSDEEP

768:xIP5WOMVs4PSV06ymNNC6S7Cm1n2OBGRIWNSE77DPQ1TTGfGYh6KZq:xI0OGrOy6NvSpMZrQ1JBKZq

Score

10^/10

Malware Config

Extracted

Credentials

Protocol: ftp
Host:
ftp.tripod.com
Port:
21
Username:
griptoloji
Password:
741852

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2212	jusched.exe

Loads dropped DLL 2 IoCs

pid	Process
2824	73e1f37f4a8d47f433a1e1c19ec46d50_NeikiAnalytics.exe
2824	73e1f37f4a8d47f433a1e1c19ec46d50_NeikiAnalytics.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Java\jre-09\bin\jusched.exe	73e1f37f4a8d47f433a1e1c19ec46d50_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Java\jre-09\bin\jusched.exe	73e1f37f4a8d47f433a1e1c19ec46d50_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Java\jre-09\bin\UF	73e1f37f4a8d47f433a1e1c19ec46d50_NeikiAnalytics.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2212	jusched.exe
2212	jusched.exe
2212	jusched.exe
2212	jusched.exe
2212	jusched.exe
2212	jusched.exe
2212	jusched.exe
2212	jusched.exe
2212	jusched.exe
2212	jusched.exe
2212	jusched.exe
2212	jusched.exe
2212	jusched.exe
2212	jusched.exe
2212	jusched.exe
2212	jusched.exe
2212	jusched.exe
2212	jusched.exe
2212	jusched.exe
2212	jusched.exe
2212	jusched.exe
2212	jusched.exe
2212	jusched.exe
2212	jusched.exe
2212	jusched.exe
2212	jusched.exe
2212	jusched.exe
2212	jusched.exe
2212	jusched.exe
2212	jusched.exe
2212	jusched.exe
2212	jusched.exe
2212	jusched.exe
2212	jusched.exe
2212	jusched.exe
2212	jusched.exe
2212	jusched.exe
2212	jusched.exe
2212	jusched.exe
2212	jusched.exe
2212	jusched.exe
2212	jusched.exe
2212	jusched.exe
2212	jusched.exe
2212	jusched.exe
2212	jusched.exe
2212	jusched.exe
2212	jusched.exe
2212	jusched.exe
2212	jusched.exe
2212	jusched.exe
2212	jusched.exe
2212	jusched.exe
2212	jusched.exe
2212	jusched.exe
2212	jusched.exe
2212	jusched.exe
2212	jusched.exe
2212	jusched.exe
2212	jusched.exe
2212	jusched.exe
2212	jusched.exe
2212	jusched.exe
2212	jusched.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2824 wrote to memory of 2212	2824	73e1f37f4a8d47f433a1e1c19ec46d50_NeikiAnalytics.exe	28
PID 2824 wrote to memory of 2212	2824	73e1f37f4a8d47f433a1e1c19ec46d50_NeikiAnalytics.exe	28
PID 2824 wrote to memory of 2212	2824	73e1f37f4a8d47f433a1e1c19ec46d50_NeikiAnalytics.exe	28
PID 2824 wrote to memory of 2212	2824	73e1f37f4a8d47f433a1e1c19ec46d50_NeikiAnalytics.exe	28

C:\Users\Admin\AppData\Local\Temp\73e1f37f4a8d47f433a1e1c19ec46d50_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\73e1f37f4a8d47f433a1e1c19ec46d50_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2824
- C:\Program Files (x86)\Java\jre-09\bin\jusched.exe
  "C:\Program Files (x86)\Java\jre-09\bin\jusched.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2212

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Program Files (x86)\Java\jre-09\bin\jusched.exe

Filesize
42KB

MD5
fafa8ed4b2030790c3218287cbf9e95a

SHA1
f8e9ff84f04d9f4db9c721d6bd5794f343f37817

SHA256
8b90f71e99e31a8ae6184827b9a1530172e6bfa85f5638eae1685da6b0c5e9af

SHA512
b9838d7af08f32e95d396e4230c1496b9fe293ee4cf20902d8a402651f05e717406ab01cccf4c54be7b088921166383e2001dc057da9adbbc136b48195dba36c

Download Submit
memory/2212-15-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2212-21-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2212-22-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2824-0-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2824-7-0x00000000041E0000-0x0000000004253000-memory.dmp

Filesize
460KB

Download
memory/2824-14-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download