df72030f7a75ffcf20c418b7a14f556e75972eae3bfb172c76155ddddce8efbc

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
15/05/2024, 00:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

51c667d26e8230b83674869ca284ddb0_NeikiAnalytics.exe
Size

661KB
MD5

51c667d26e8230b83674869ca284ddb0
SHA1

b413670dd99931063fb017c4eeccc508eb8cfb52
SHA256

df72030f7a75ffcf20c418b7a14f556e75972eae3bfb172c76155ddddce8efbc
SHA512

854586895e4cf7f3f59b5cf77c7642c9fdefdd266ec763feef6cb3f6a0afe5b2809aa27cd30c88b130851d78c475f51a917a2f1d75f4750d565d437ae5ba5062
SSDEEP

12288:0YCdihe7w88l2sIznXWRkwk05FnAKsA5B7Zbmwfjz+hgTPMquHl6R5:3Sm08wsyGRv5Fd7ZbX/+gTPM2R5

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 4 IoCs

pid	Process
2696	rundll32.exe
2696	rundll32.exe
2696	rundll32.exe
2696	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2412 wrote to memory of 2696	2412	51c667d26e8230b83674869ca284ddb0_NeikiAnalytics.exe	28
PID 2412 wrote to memory of 2696	2412	51c667d26e8230b83674869ca284ddb0_NeikiAnalytics.exe	28
PID 2412 wrote to memory of 2696	2412	51c667d26e8230b83674869ca284ddb0_NeikiAnalytics.exe	28
PID 2412 wrote to memory of 2696	2412	51c667d26e8230b83674869ca284ddb0_NeikiAnalytics.exe	28
PID 2412 wrote to memory of 2696	2412	51c667d26e8230b83674869ca284ddb0_NeikiAnalytics.exe	28
PID 2412 wrote to memory of 2696	2412	51c667d26e8230b83674869ca284ddb0_NeikiAnalytics.exe	28
PID 2412 wrote to memory of 2696	2412	51c667d26e8230b83674869ca284ddb0_NeikiAnalytics.exe	28

C:\Users\Admin\AppData\Local\Temp\51c667d26e8230b83674869ca284ddb0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\51c667d26e8230b83674869ca284ddb0_NeikiAnalytics.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2412
- C:\Windows\SysWOW64\rundll32.exe
  rundll32 C:\Users\Admin\AppData\Local\Temp\lzhauto.000\copyext.dll,Install C:\Users\Admin\AppData\Local\Temp\lzhauto.000\copyext.inf
  2⤵
  - Loads dropped DLL
  PID:2696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\lzhauto.000\COPYEXTW.EXE

Filesize
100KB

MD5
92737cd97ae1575e4b6cafefab961d02

SHA1
ec00805bcf13273927383fc7d775866c134029ad

SHA256
52acd3ab8ad940f946dd78a7b50b535178207bcc30fdad0e5dd4074369353606

SHA512
5854e6999d333027a086bbb61068e7b8835e070d4a611de24e94f63f915c83701f21be96b61e113eb2a3916e29773dee5229c556a6d0545b85fb478f2d5a62bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\lzhauto.000\copyext.dll

Filesize
380KB

MD5
e7768c29e5257a3d79a48aeb60c49fcf

SHA1
7ba3b53bea937d478bb7afdc25fd6a9736d7b0f0

SHA256
add1493060425c9894afc17088c950e2c33ed1049378ba75628a660562fe0b06

SHA512
6b3abd6020603629bfc117c45dd84bebcaee941b917ff49167718ee7381d9148303a70ff5450afd733dbb02159c11aedcb51241936c56b63bc75be72ad6328b9

Download Submit
memory/2412-35-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2412-64-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download