d9ef2c516e74ce8d597255c5d29570909394ff3f2f4a8778c00fddaaca79045c

Analysis

max time kernel
149s
max time network
122s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
13/05/2024, 23:24

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

3504126f5879cb606d7f09f2f5ec1a00_NeikiAnalytics.exe
Size

34KB
MD5

3504126f5879cb606d7f09f2f5ec1a00
SHA1

cb0d24852203fa11d979a75fbeb9e6b87fbd55c2
SHA256

d9ef2c516e74ce8d597255c5d29570909394ff3f2f4a8778c00fddaaca79045c
SHA512

4163cf8d7f7aff644075d5bedad5af51f4f0e43d5c9b59336795596c05c48ddec390ac89553221128999fe39e0b819d5ed6fea9b530f3c30e3ba1e3c336f2a8f
SSDEEP

768:/qPJtHA6C1VqahohtgVRNToV7TtRu8rM0wYVFl2g5coW58dO0xXHV2EfKYfdhNhg:/qnA6C1VqaqhtgVRNToV7TtRu8rM0wY

Score

7^/10

persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2852	microsofthelp.exe

Executes dropped EXE 1 IoCs

pid	Process
2852	microsofthelp.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\microsofthelp = "C:\\Windows\\microsofthelp.exe"	3504126f5879cb606d7f09f2f5ec1a00_NeikiAnalytics.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\microsofthelp.exe	3504126f5879cb606d7f09f2f5ec1a00_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1688 wrote to memory of 2852	1688	3504126f5879cb606d7f09f2f5ec1a00_NeikiAnalytics.exe	28
PID 1688 wrote to memory of 2852	1688	3504126f5879cb606d7f09f2f5ec1a00_NeikiAnalytics.exe	28
PID 1688 wrote to memory of 2852	1688	3504126f5879cb606d7f09f2f5ec1a00_NeikiAnalytics.exe	28
PID 1688 wrote to memory of 2852	1688	3504126f5879cb606d7f09f2f5ec1a00_NeikiAnalytics.exe	28

C:\Users\Admin\AppData\Local\Temp\3504126f5879cb606d7f09f2f5ec1a00_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\3504126f5879cb606d7f09f2f5ec1a00_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1688
- C:\Windows\microsofthelp.exe
  "C:\Windows\microsofthelp.exe"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:2852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\microsofthelp.exe

Filesize
34KB

MD5
38aee43b72aa21fbf18eeb5cd29e6ded

SHA1
0af8901f95bfc532abb73ff6e719cf673443c354

SHA256
a339d6fe313bf9f7a00e480d3c095279dc8b6092e6e2173ace2ad395df0848bd

SHA512
aea526309934bacd5173a13f4a3fa76f0ee325edc31ceb530f82e8289b5d94fff38fc032bf4d808a5556bde5937a734804dae5be615847976ca4973d9b0592fc

Download Submit
memory/1688-0-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/1688-7-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/2852-8-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads