935e90c328141c893c30d89dafe0a6fb4df75733f86189faf7bd1c950e6af26a

Analysis

max time kernel
127s
max time network
127s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
14/05/2024, 11:00

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

c3e41f042afbcd99bdfac1b452d4ef30_NeikiAnalytics.exe
Size

32KB
MD5

c3e41f042afbcd99bdfac1b452d4ef30
SHA1

c9a54a439ee5bcb7cb5a37802257b8abcb1a8034
SHA256

935e90c328141c893c30d89dafe0a6fb4df75733f86189faf7bd1c950e6af26a
SHA512

bc77ffdc35af801fe3a2dc842fd5eed7bc7530f9d08c1a33d5dfb268e8cfde654c7d4355508bcc9e6c7dd054328dac171a5e37c39ecd67dc2f4c717364da77ec
SSDEEP

192:GAGqjRFGKMh9ED/IDExeorm9+Dfp0GjW5sH2t3AIa6abHa5tGbFORoYN:PVR8iQLoFx1jW5sIZR5tGwh

Score

7^/10

persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2700	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
1244	Initech.exe

Loads dropped DLL 2 IoCs

pid	Process
1192	c3e41f042afbcd99bdfac1b452d4ef30_NeikiAnalytics.exe
1192	c3e41f042afbcd99bdfac1b452d4ef30_NeikiAnalytics.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\Graphics = "\"C:\\ProgramData\\Initech\\Initech.exe\" /run"	c3e41f042afbcd99bdfac1b452d4ef30_NeikiAnalytics.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1192 wrote to memory of 1244	1192	c3e41f042afbcd99bdfac1b452d4ef30_NeikiAnalytics.exe	28
PID 1192 wrote to memory of 1244	1192	c3e41f042afbcd99bdfac1b452d4ef30_NeikiAnalytics.exe	28
PID 1192 wrote to memory of 1244	1192	c3e41f042afbcd99bdfac1b452d4ef30_NeikiAnalytics.exe	28
PID 1192 wrote to memory of 1244	1192	c3e41f042afbcd99bdfac1b452d4ef30_NeikiAnalytics.exe	28
PID 1192 wrote to memory of 2700	1192	c3e41f042afbcd99bdfac1b452d4ef30_NeikiAnalytics.exe	29
PID 1192 wrote to memory of 2700	1192	c3e41f042afbcd99bdfac1b452d4ef30_NeikiAnalytics.exe	29
PID 1192 wrote to memory of 2700	1192	c3e41f042afbcd99bdfac1b452d4ef30_NeikiAnalytics.exe	29
PID 1192 wrote to memory of 2700	1192	c3e41f042afbcd99bdfac1b452d4ef30_NeikiAnalytics.exe	29

C:\Users\Admin\AppData\Local\Temp\c3e41f042afbcd99bdfac1b452d4ef30_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\c3e41f042afbcd99bdfac1b452d4ef30_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1192
- C:\ProgramData\Initech\Initech.exe
  "C:\ProgramData\Initech\Initech.exe" /run
  2⤵
  - Executes dropped EXE
  PID:1244
- C:\windows\SysWOW64\cmd.exe
  "C:\windows\system32\cmd.exe" /c del /q "C:\Users\Admin\AppData\Local\Temp\c3e41f042afbcd99bdfac1b452d4ef30_NeikiAnalytics.exe" >> NUL
  2⤵
  - Deletes itself
  PID:2700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\ProgramData\Initech\Initech.exe

Filesize
32KB

MD5
445b31de2f8ed8397f252b23676536d7

SHA1
1dc2fb23f43580967367a5fe9d0193fb7737ad99

SHA256
fa9ce75605e6eaf772de538d2028c6a01d8a55979a10f73dbb33bfb9ad011851

SHA512
09242a8166f825e222252c16a45b9ae75446122a37d9f27531fcbdfe01f33330739e3b2ebfc5487a1cffdb2130d40a2fb09e8be0350fcb3a3d3183995bdfe12c

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads