e0fd32068113943a8582201a82d58ba9ec79c5be78c49680a240da2ef6c75f25

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
14/05/2024, 06:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

91970b5fc9e24784d9e9621434a36170_NeikiAnalytics.exe
Size

94KB
MD5

91970b5fc9e24784d9e9621434a36170
SHA1

2a2a527a9b35f78ec0f9206160c82da965793ad8
SHA256

e0fd32068113943a8582201a82d58ba9ec79c5be78c49680a240da2ef6c75f25
SHA512

df2515768a55cb210d1f0a3172e2badbfc2ad96d193142afe1e8c0f14608e191ed8d74b9e27beea5e6dc8b220ae717f9895034655e2cbee76a1f74c3f13dbeed
SSDEEP

1536:PGYU/W2/HG6QMauSV3ixJHABLrmhH7i9CO+WHg7zRZICrWaGZh7ub:PfU/WF6QMauSuiWNi9CO+WARJrWNZ4

Score

7^/10

persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2688	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
1028	wuauclt.exe

Loads dropped DLL 1 IoCs

pid	Process
2460	91970b5fc9e24784d9e9621434a36170_NeikiAnalytics.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Window Update = "\"C:\\ProgramData\\Update\\wuauclt.exe\" /run"	91970b5fc9e24784d9e9621434a36170_NeikiAnalytics.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2460 wrote to memory of 1028	2460	91970b5fc9e24784d9e9621434a36170_NeikiAnalytics.exe	28
PID 2460 wrote to memory of 1028	2460	91970b5fc9e24784d9e9621434a36170_NeikiAnalytics.exe	28
PID 2460 wrote to memory of 1028	2460	91970b5fc9e24784d9e9621434a36170_NeikiAnalytics.exe	28
PID 2460 wrote to memory of 1028	2460	91970b5fc9e24784d9e9621434a36170_NeikiAnalytics.exe	28
PID 2460 wrote to memory of 2688	2460	91970b5fc9e24784d9e9621434a36170_NeikiAnalytics.exe	29
PID 2460 wrote to memory of 2688	2460	91970b5fc9e24784d9e9621434a36170_NeikiAnalytics.exe	29
PID 2460 wrote to memory of 2688	2460	91970b5fc9e24784d9e9621434a36170_NeikiAnalytics.exe	29
PID 2460 wrote to memory of 2688	2460	91970b5fc9e24784d9e9621434a36170_NeikiAnalytics.exe	29

C:\Users\Admin\AppData\Local\Temp\91970b5fc9e24784d9e9621434a36170_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\91970b5fc9e24784d9e9621434a36170_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2460
- C:\ProgramData\Update\wuauclt.exe
  "C:\ProgramData\Update\wuauclt.exe" /run
  2⤵
  - Executes dropped EXE
  PID:1028
- C:\windows\SysWOW64\cmd.exe
  "C:\windows\system32\cmd.exe" /c del /q "C:\Users\Admin\AppData\Local\Temp\91970b5fc9e24784d9e9621434a36170_NeikiAnalytics.exe" >> NUL
  2⤵
  - Deletes itself
  PID:2688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\ProgramData\Update\wuauclt.exe

Filesize
94KB

MD5
848da3d21e696f5675c21978945a64a4

SHA1
012e44a8c3b90aa3e0392759eb9c16040bc340d3

SHA256
1f4eb9e7248ab770168e67ec405a2f2f8085b88ec915c4abcfb420ae1c658e2b

SHA512
ca3c225dbd7110d0ba12d5baf10e7f43967e3c23032f1ad1f2c86aeeca7cfd05b6dd68ba7bc39909228190ed5ffc9c3d20ba5dad993fa28292075d124bc9df35

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads