ecc405ec848e933478977981038e6078308ebb5d115b54f0dbca4c48984df744

Analysis

max time kernel
120s
max time network
120s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
13/05/2024, 18:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c0cfc961c6f98ac03b6a7df5cade2110_NeikiAnalytics.exe
Size

431KB
MD5

c0cfc961c6f98ac03b6a7df5cade2110
SHA1

a635363003010933e7041e5514ea5f28729ac346
SHA256

ecc405ec848e933478977981038e6078308ebb5d115b54f0dbca4c48984df744
SHA512

46d142b66088eeb0034a88a9541faac8698c2e68664b81355616005ed50aa4b49574c055b5cbcf999077a1900130e36808fd442e6981627cfec0b761fca807d3
SSDEEP

1536:vZ/fgEAqJlV+n1EgGHo7P1YPx28VayonYseB/p:v1gEZl0nt/P1YPx/oni/p

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2696	jusched.exe

Loads dropped DLL 2 IoCs

pid	Process
1244	c0cfc961c6f98ac03b6a7df5cade2110_NeikiAnalytics.exe
1244	c0cfc961c6f98ac03b6a7df5cade2110_NeikiAnalytics.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\cd1668b3\cd1668b3	c0cfc961c6f98ac03b6a7df5cade2110_NeikiAnalytics.exe
File created	C:\Program Files (x86)\cd1668b3\jusched.exe	c0cfc961c6f98ac03b6a7df5cade2110_NeikiAnalytics.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\Update23.job	c0cfc961c6f98ac03b6a7df5cade2110_NeikiAnalytics.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1244 wrote to memory of 2696	1244	c0cfc961c6f98ac03b6a7df5cade2110_NeikiAnalytics.exe	28
PID 1244 wrote to memory of 2696	1244	c0cfc961c6f98ac03b6a7df5cade2110_NeikiAnalytics.exe	28
PID 1244 wrote to memory of 2696	1244	c0cfc961c6f98ac03b6a7df5cade2110_NeikiAnalytics.exe	28
PID 1244 wrote to memory of 2696	1244	c0cfc961c6f98ac03b6a7df5cade2110_NeikiAnalytics.exe	28

C:\Users\Admin\AppData\Local\Temp\c0cfc961c6f98ac03b6a7df5cade2110_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\c0cfc961c6f98ac03b6a7df5cade2110_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1244
- C:\Program Files (x86)\cd1668b3\jusched.exe
  "C:\Program Files (x86)\cd1668b3\jusched.exe"
  2⤵
  - Executes dropped EXE
  PID:2696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Program Files (x86)\cd1668b3\jusched.exe

Filesize
431KB

MD5
6c76e2256ae7a122c9f82c0b57fdb385

SHA1
39f979100d5ad04cc76df4a8937b8c8e8e61b4c4

SHA256
3257a20bf9523415c785b44c759388aabc44862c630efe8a168cca2760911730

SHA512
b8499ea99cbef1f918639acc236abe235c9e1a6010b481f9c29618a5ab388ba27473996c109a613345a4f8bcc8b8189da2a4a2bc4714e076b156974f6e680017

Download Submit
memory/1244-0-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1244-11-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2696-13-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download