43ebbd5b638066aaa2ecd07ae285167ef518493c1d95b0970fcc88cecbef8988

Analysis

max time kernel
121s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
11/05/2024, 04:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7fc59cec4e07273f6628a8b9d6c93490_NeikiAnalytics.exe
Size

221KB
MD5

7fc59cec4e07273f6628a8b9d6c93490
SHA1

eb07b6495084546cd5afd68417ec42a9c39e7ae4
SHA256

43ebbd5b638066aaa2ecd07ae285167ef518493c1d95b0970fcc88cecbef8988
SHA512

66a80dadfbcea681c0cd5e5961df47941de641a5878f36cd9a2bf81dbbc25a9cc4faa57ae6c778e39fac13f8a9d46a98671d8150403d5399b3b2d5d01f0bfb87
SSDEEP

3072:WfQgicdlGvILcU9KQ2BBAkJaPx5IIolEL:0icdlG5WKQ2BjGx5J

Score

10^/10

Malware Config

Extracted

Credentials

Protocol: ftp
Host:
ftp.tripod.com
Port:
21
Username:
onthelinux
Password:
741852abc

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2632	jusched.exe

Loads dropped DLL 2 IoCs

pid	Process
1976	7fc59cec4e07273f6628a8b9d6c93490_NeikiAnalytics.exe
1976	7fc59cec4e07273f6628a8b9d6c93490_NeikiAnalytics.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\aa4d8f2\jusched.exe	7fc59cec4e07273f6628a8b9d6c93490_NeikiAnalytics.exe
File created	C:\Program Files (x86)\aa4d8f2\aa4d8f2	7fc59cec4e07273f6628a8b9d6c93490_NeikiAnalytics.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\Update23.job	7fc59cec4e07273f6628a8b9d6c93490_NeikiAnalytics.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1976 wrote to memory of 2632	1976	7fc59cec4e07273f6628a8b9d6c93490_NeikiAnalytics.exe	28
PID 1976 wrote to memory of 2632	1976	7fc59cec4e07273f6628a8b9d6c93490_NeikiAnalytics.exe	28
PID 1976 wrote to memory of 2632	1976	7fc59cec4e07273f6628a8b9d6c93490_NeikiAnalytics.exe	28
PID 1976 wrote to memory of 2632	1976	7fc59cec4e07273f6628a8b9d6c93490_NeikiAnalytics.exe	28

C:\Users\Admin\AppData\Local\Temp\7fc59cec4e07273f6628a8b9d6c93490_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\7fc59cec4e07273f6628a8b9d6c93490_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1976
- C:\Program Files (x86)\aa4d8f2\jusched.exe
  "C:\Program Files (x86)\aa4d8f2\jusched.exe"
  2⤵
  - Executes dropped EXE
  PID:2632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\aa4d8f2\aa4d8f2

Filesize
17B

MD5
552bb86ed2797d3fd12ac0d273afaf75

SHA1
6e8633f9c24590779acbd3dd14c60f856320bc0a

SHA256
3ef9ff5da8272fd1b14c83f12c8d28fd9dbf32d56bcb714921032b02557fe789

SHA512
dab57227de02f4667cc8e2ec47566088b473caa0387caffbdfde37f3400da7d4f67dd222e83a4fa93592694bbcff7c52a2bcec074868baf221bc47d9370c8d2c

Download Submit
\Program Files (x86)\aa4d8f2\jusched.exe

Filesize
221KB

MD5
cd5246f37f92063cb9cd0d4987c4f4f5

SHA1
c961cc23ceb67dd454e484b4489d5eb0f82318a5

SHA256
0105dcdb35c32713fad50183d035b0cec5493fc3a65ab32a31dd96c286159334

SHA512
648890f7289ced19cd2c6b5a49907b2f2955ab94c40c0081f9e05418592b8c845ebcb788b2a4063d17beef6708871f912c2845458f60099bd88c3f02e264bd05

Download Submit
memory/1976-0-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1976-7-0x0000000002820000-0x000000000287B000-memory.dmp

Filesize
364KB

Download
memory/1976-12-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2632-14-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download