311dfc1e29fbaf7cc087998bedcae9449ff76dada180c5b447c872e552daa759

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
11/05/2024, 13:12

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

077f97ac950b46ea3274909498a5b850_NeikiAnalytics.exe
Size

27KB
MD5

077f97ac950b46ea3274909498a5b850
SHA1

05148370d96d1bd76d3f793873566cb5d20b9ab0
SHA256

311dfc1e29fbaf7cc087998bedcae9449ff76dada180c5b447c872e552daa759
SHA512

a9337b91302287820dc3217834dccf567c56fa553006408f63dc9151a9f8ac168442cb11b6b8c32d6b28aa365f940d7cf00f627f553f32bebfc660249c0816bc
SSDEEP

384:uhLCP1R8XnzvuwT0pZwBeH7lQDizU11u54TV0LT9R:cCcvuwU6eHhQDi41U4TGLT9R

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3060	codecupdater.exe

Loads dropped DLL 1 IoCs

pid	Process
2584	077f97ac950b46ea3274909498a5b850_NeikiAnalytics.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2584 wrote to memory of 3060	2584	077f97ac950b46ea3274909498a5b850_NeikiAnalytics.exe	28
PID 2584 wrote to memory of 3060	2584	077f97ac950b46ea3274909498a5b850_NeikiAnalytics.exe	28
PID 2584 wrote to memory of 3060	2584	077f97ac950b46ea3274909498a5b850_NeikiAnalytics.exe	28
PID 2584 wrote to memory of 3060	2584	077f97ac950b46ea3274909498a5b850_NeikiAnalytics.exe	28
PID 2584 wrote to memory of 3060	2584	077f97ac950b46ea3274909498a5b850_NeikiAnalytics.exe	28
PID 2584 wrote to memory of 3060	2584	077f97ac950b46ea3274909498a5b850_NeikiAnalytics.exe	28
PID 2584 wrote to memory of 3060	2584	077f97ac950b46ea3274909498a5b850_NeikiAnalytics.exe	28

C:\Users\Admin\AppData\Local\Temp\077f97ac950b46ea3274909498a5b850_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\077f97ac950b46ea3274909498a5b850_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2584
- C:\Users\Admin\AppData\Local\Temp\codecupdater.exe
  "C:\Users\Admin\AppData\Local\Temp\codecupdater.exe"
  2⤵
  - Executes dropped EXE
  PID:3060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\codecupdater.exe

Filesize
27KB

MD5
5501d81ca86cc1dbc8b3fe56413d7e61

SHA1
2b0a01e53daf70b4bb3afc52dec58a3fd4daa3f8

SHA256
08b2738936805a56935aff487563fd9bc9a9d7376302356d3169962a7ec842eb

SHA512
0c74b9fa0cee8bb5859e5a384a7f9b2c6dedbeaf971af8808445efcc57ac935c1092e6b87199675f7bc00c1758399f04d67181723535096e34ea0f2f2baf8b09

Download Submit
memory/2584-1-0x00000000002D1000-0x00000000002D3000-memory.dmp

Filesize
8KB

Download
memory/3060-8-0x0000000000111000-0x0000000000113000-memory.dmp

Filesize
8KB

Download