a5ab2b8f1e4f21a6111f0b339f941a67691437ae7ccdf2a6f9747a570d6d7057

Analysis

max time kernel
149s
max time network
118s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
11-05-2024 05:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

84316725f6fd82f641bbd035804b0170_NeikiAnalytics.exe
Size

65KB
MD5

84316725f6fd82f641bbd035804b0170
SHA1

a3b68fb8a71c494973b6feecbea5c6f1a9d6b504
SHA256

a5ab2b8f1e4f21a6111f0b339f941a67691437ae7ccdf2a6f9747a570d6d7057
SHA512

6e4f87f1bc5198d1c7d886ee9fe5a36004589091907a74cbca78f39e8905a35a2d16f1f7cec249d2375c3f331ca1095b3c26a7700832d00776b6cbafd35eaf46
SSDEEP

768:2/5inm+cd5rHemPXkqUEphjVuvios1rPr4adL0NqlJMU60+ppQ1TTGfLJ:2RsvcdcQjosnvnZ6LQ1EJ

Score

10^/10

Malware Config

Extracted

Credentials

Protocol: ftp
Host:
ftp.tripod.com
Port:
21
Username:
griptoloji
Password:
741852

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1880	jusched.exe

Loads dropped DLL 2 IoCs

pid	Process
2168	84316725f6fd82f641bbd035804b0170_NeikiAnalytics.exe
2168	84316725f6fd82f641bbd035804b0170_NeikiAnalytics.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Java\jre-09\bin\jusched.exe	84316725f6fd82f641bbd035804b0170_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Java\jre-09\bin\jusched.exe	84316725f6fd82f641bbd035804b0170_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Java\jre-09\bin\UF	84316725f6fd82f641bbd035804b0170_NeikiAnalytics.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1880	jusched.exe
1880	jusched.exe
1880	jusched.exe
1880	jusched.exe
1880	jusched.exe
1880	jusched.exe
1880	jusched.exe
1880	jusched.exe
1880	jusched.exe
1880	jusched.exe
1880	jusched.exe
1880	jusched.exe
1880	jusched.exe
1880	jusched.exe
1880	jusched.exe
1880	jusched.exe
1880	jusched.exe
1880	jusched.exe
1880	jusched.exe
1880	jusched.exe
1880	jusched.exe
1880	jusched.exe
1880	jusched.exe
1880	jusched.exe
1880	jusched.exe
1880	jusched.exe
1880	jusched.exe
1880	jusched.exe
1880	jusched.exe
1880	jusched.exe
1880	jusched.exe
1880	jusched.exe
1880	jusched.exe
1880	jusched.exe
1880	jusched.exe
1880	jusched.exe
1880	jusched.exe
1880	jusched.exe
1880	jusched.exe
1880	jusched.exe
1880	jusched.exe
1880	jusched.exe
1880	jusched.exe
1880	jusched.exe
1880	jusched.exe
1880	jusched.exe
1880	jusched.exe
1880	jusched.exe
1880	jusched.exe
1880	jusched.exe
1880	jusched.exe
1880	jusched.exe
1880	jusched.exe
1880	jusched.exe
1880	jusched.exe
1880	jusched.exe
1880	jusched.exe
1880	jusched.exe
1880	jusched.exe
1880	jusched.exe
1880	jusched.exe
1880	jusched.exe
1880	jusched.exe
1880	jusched.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2168 wrote to memory of 1880	2168	84316725f6fd82f641bbd035804b0170_NeikiAnalytics.exe	28
PID 2168 wrote to memory of 1880	2168	84316725f6fd82f641bbd035804b0170_NeikiAnalytics.exe	28
PID 2168 wrote to memory of 1880	2168	84316725f6fd82f641bbd035804b0170_NeikiAnalytics.exe	28
PID 2168 wrote to memory of 1880	2168	84316725f6fd82f641bbd035804b0170_NeikiAnalytics.exe	28

C:\Users\Admin\AppData\Local\Temp\84316725f6fd82f641bbd035804b0170_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\84316725f6fd82f641bbd035804b0170_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2168
- C:\Program Files (x86)\Java\jre-09\bin\jusched.exe
  "C:\Program Files (x86)\Java\jre-09\bin\jusched.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Program Files (x86)\Java\jre-09\bin\jusched.exe

Filesize
65KB

MD5
fc26dd92b1ebb5a1632886f96bf7499c

SHA1
100dfd86e501d351dcc590fde61df7b5b2927027

SHA256
1d496103438231f01253e2bd334f2dd427712256aaf1f7b1c2e4af585c747cf2

SHA512
ac466c521ff8c2dda72ad6791bcb825151c735d72cbebdb68dfd5cea70241b052f2a0d5ad3b924714aa09c7d8036a1bb79843de2c8dbf0eedbe9b438a6e0e228

Download Submit
memory/1880-13-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1880-14-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2168-0-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2168-11-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download