8311ffaf5a1cf17705351dfcfd5a21298f740a33a33060c291e0030c3d80813f

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
11/05/2024, 21:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3b7feea4525d0d7776ea12bdd5216630_NeikiAnalytics.exe
Size

138KB
MD5

3b7feea4525d0d7776ea12bdd5216630
SHA1

c69f7cadfe1af3518d751831449f4a9d488511a6
SHA256

8311ffaf5a1cf17705351dfcfd5a21298f740a33a33060c291e0030c3d80813f
SHA512

0b287baeea6fc7228c4830d2d85475012f245b8cc52f2ef19900f78abd7a51cd33546c1d523e9f6112249938a35012ed9fb49550f276cd0fa0b097e5536c9904
SSDEEP

3072:BVMfMIbIow3J9tCII06DZWYIYpx+BC3K5eqU+BC3K5eqYroGSZ:cfMminCII06VWwpbK70K7zZ

Score

8^/10

persistence

Malware Config

Signatures

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112

Executes dropped EXE 1 IoCs

pid	Process
2496	racmzae.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\PROGRA~3\Mozilla\racmzae.exe	3b7feea4525d0d7776ea12bdd5216630_NeikiAnalytics.exe
File created	C:\PROGRA~3\Mozilla\ttbtowf.dll	racmzae.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2788 wrote to memory of 2496	2788	taskeng.exe	29
PID 2788 wrote to memory of 2496	2788	taskeng.exe	29
PID 2788 wrote to memory of 2496	2788	taskeng.exe	29
PID 2788 wrote to memory of 2496	2788	taskeng.exe	29

C:\Users\Admin\AppData\Local\Temp\3b7feea4525d0d7776ea12bdd5216630_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\3b7feea4525d0d7776ea12bdd5216630_NeikiAnalytics.exe"
1⤵
- Drops file in Program Files directory
PID:2916

C:\Windows\system32\taskeng.exe
taskeng.exe {F1600066-3CA8-44E8-8BD2-C4826F3D9BD4} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:2788
- C:\PROGRA~3\Mozilla\racmzae.exe
  C:\PROGRA~3\Mozilla\racmzae.exe -cddhnyc
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:2496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\Mozilla\racmzae.exe

Filesize
138KB

MD5
8185cfa01c76d115127a547df0d7b1aa

SHA1
8aea050089e121459835fad0bbda4c7e413c7d6e

SHA256
788631cceadf324c18d4cf0a0ccf4ad1d08b1e1c2d2d08fabd27d9169394cdd6

SHA512
903aab9b3e5c25983b01474844cb8d1cb475884b4dd5be3539713c5456ae442cfe76ee242c2ace8ef02da986ae74786d09503ba8d639b9f28b63e26233e025f7

Download Submit