b7699bd94ac32dd08a7c85d9e8e7a604c432b894e75940232d47682d1d277fa8

General

Target

42a680b85c567565f16edbbece7edcc0_NeikiAnalytics.exe
Size

669KB
MD5

42a680b85c567565f16edbbece7edcc0
SHA1

f02c4fb8a1ab8c5bb45414673d84fc167eab59d5
SHA256

b7699bd94ac32dd08a7c85d9e8e7a604c432b894e75940232d47682d1d277fa8
SHA512

ca215131d2ddb54dd0ae00a99458d9608961fe4bc009ddec2e136787144d698c7e65e42f013bf8a68611eb0166d91b1a97f3fb56b746c907a63ca3ffba147027
SSDEEP

12288:2d/v8b0btTsU6B0KIoRTr9CmZZS2CsNFqek2ScxFfI+LfEF/RrW1sIaLcMfrvf6a:svntrdKIoRT7rS2CYqek2ScxhhorW1tU

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2436	eFaxView.exe

Loads dropped DLL 2 IoCs

pid	Process
1636	42a680b85c567565f16edbbece7edcc0_NeikiAnalytics.exe
2436	eFaxView.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\CAP00001.TMP	42a680b85c567565f16edbbece7edcc0_NeikiAnalytics.exe
File opened for modification	C:\Windows\CAP00001.TMP	42a680b85c567565f16edbbece7edcc0_NeikiAnalytics.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 22 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.efx	eFaxView.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\HOTFileType\DefaultIcon	eFaxView.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\HOTFileType\DefaultIcon\ = "C:\\Windows\\eFaxView.exe,1"	eFaxView.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\HOTFileType\shell\open	eFaxView.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.hot\ = "HOTFileType"	eFaxView.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\EFXFileType\ = "eFax Document"	eFaxView.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\EFXFileType\DefaultIcon\ = "C:\\Windows\\eFaxView.exe,1"	eFaxView.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.efx\Content Type = "image/efax"	eFaxView.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\HOTFileType\ = "HotSend Document"	eFaxView.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.hot	eFaxView.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\EFXFileType	eFaxView.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\EFXFileType\shell\open\command\ = "C:\\Windows\\eFaxView.exe \"%1\""	eFaxView.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\EFXFileType\shell	eFaxView.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\EFXFileType\shell\open	eFaxView.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.efx\ = "EFXFileType"	eFaxView.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\HOTFileType	eFaxView.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\HOTFileType\shell\open\command	eFaxView.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\HOTFileType\shell	eFaxView.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\EFXFileType\DefaultIcon	eFaxView.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\EFXFileType\shell\open\command	eFaxView.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\HOTFileType\shell\open\command\ = "C:\\Windows\\eFaxView.exe \"%1\""	eFaxView.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.hot\Content Type = "image/efax"	eFaxView.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1636 wrote to memory of 2436	1636	42a680b85c567565f16edbbece7edcc0_NeikiAnalytics.exe	31
PID 1636 wrote to memory of 2436	1636	42a680b85c567565f16edbbece7edcc0_NeikiAnalytics.exe	31
PID 1636 wrote to memory of 2436	1636	42a680b85c567565f16edbbece7edcc0_NeikiAnalytics.exe	31
PID 1636 wrote to memory of 2436	1636	42a680b85c567565f16edbbece7edcc0_NeikiAnalytics.exe	31

C:\Users\Admin\AppData\Local\Temp\42a680b85c567565f16edbbece7edcc0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\42a680b85c567565f16edbbece7edcc0_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1636
- C:\Windows\eFaxView.exe
  "C:\Windows\eFaxView.exe" C:\Users\Admin\AppData\Local\Temp\42a680b85c567565f16edbbece7edcc0_NeikiAnalytics.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies registry class
  PID:2436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\eFaxView.exe

Filesize
398KB

MD5
b6ed96e1f1e9915660f5297c7ee7156a

SHA1
ec1573110857fddc485bdb9a2d036bf6d71b244f

SHA256
f771790f90397ea83770930619a9b1b292e5262bd29161dffd885f6598fc5b94

SHA512
019b77553ad96f0ff50e88c2ee900316c2ca639275938f8584922237dde576fdfe0daaa76fab3f7c24d46f5755eabbdbf409d6f2a35fc1207acb59b91688a3c8

Download Submit
\Users\Admin\AppData\Local\Temp\CAPTDR73\~PURVOC7.TMP

Filesize
182KB

MD5
9fafa3938561e715684ac01aeb2a8d9b

SHA1
8594b78b40e811bc2c3e4b4c7b8a2a136391af58

SHA256
f691fc3943bdbf87e6b241bab81f1a09d446c40e1c8a93de4897be46f1714fdc

SHA512
1c60ad700a5ec7c25a7a72cbf1104e673596b09ae2f1e0ca1b46dc249041fe46eb636c6e3182225072eb906b7f20d16b5daa11aad27d948ada7b71d144e33fae

Download Submit
memory/1636-0-0x0000000000400000-0x00000000004F7000-memory.dmp

Filesize
988KB

Download
memory/1636-10-0x0000000000340000-0x0000000000350000-memory.dmp

Filesize
64KB

Download
memory/1636-12-0x0000000000400000-0x00000000004F7000-memory.dmp

Filesize
988KB

Download
memory/1636-21-0x0000000000400000-0x00000000004F7000-memory.dmp

Filesize
988KB

Download
memory/1636-18-0x0000000001F50000-0x0000000001F60000-memory.dmp

Filesize
64KB

Download
memory/2436-20-0x0000000000400000-0x00000000004F7000-memory.dmp

Filesize
988KB

Download
memory/2436-25-0x0000000000400000-0x00000000004F7000-memory.dmp

Filesize
988KB

Download
memory/2436-27-0x0000000000400000-0x00000000004F7000-memory.dmp

Filesize
988KB

Download
memory/2436-28-0x0000000000400000-0x00000000004F7000-memory.dmp

Filesize
988KB

Download

Analysis

Sharing