38b789b60ee0ab93cdc42afa157e7e337f8f699d07a81e1dbd5e1a629b84cadf

Analysis

max time kernel
149s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
15/05/2024, 01:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5a2083dd51476d9f5d6d17a66e2367a0_NeikiAnalytics.exe
Size

32KB
MD5

5a2083dd51476d9f5d6d17a66e2367a0
SHA1

747aac4ca14cb547de3606983e2cdc21442eec4b
SHA256

38b789b60ee0ab93cdc42afa157e7e337f8f699d07a81e1dbd5e1a629b84cadf
SHA512

d948a2e4568d6d0ad4f7ae81f3b08cb2348927b1d5d77ff6e40dc4fd2ad9b743c7d037a8d1f4bca886a2e9ac5e265c5fe207639439f610235868ad9645fa0919
SSDEEP

768:/qPJtHA6C1VqahohtgVRNToV7TtRu8rM0wYVFl2g5coW58dO0xXHV2EfKYfdhNhW:/qnA6C1VqaqhtgVRNToV7TtRu8rM0wY2

Score

7^/10

persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1612	microsofthelp.exe

Executes dropped EXE 1 IoCs

pid	Process
1612	microsofthelp.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\microsofthelp = "C:\\Windows\\microsofthelp.exe"	5a2083dd51476d9f5d6d17a66e2367a0_NeikiAnalytics.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\microsofthelp.exe	5a2083dd51476d9f5d6d17a66e2367a0_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1924 wrote to memory of 1612	1924	5a2083dd51476d9f5d6d17a66e2367a0_NeikiAnalytics.exe	28
PID 1924 wrote to memory of 1612	1924	5a2083dd51476d9f5d6d17a66e2367a0_NeikiAnalytics.exe	28
PID 1924 wrote to memory of 1612	1924	5a2083dd51476d9f5d6d17a66e2367a0_NeikiAnalytics.exe	28
PID 1924 wrote to memory of 1612	1924	5a2083dd51476d9f5d6d17a66e2367a0_NeikiAnalytics.exe	28

C:\Users\Admin\AppData\Local\Temp\5a2083dd51476d9f5d6d17a66e2367a0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\5a2083dd51476d9f5d6d17a66e2367a0_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1924
- C:\Windows\microsofthelp.exe
  "C:\Windows\microsofthelp.exe"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:1612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\microsofthelp.exe

Filesize
32KB

MD5
b525f7c9406b32f0714824dcaa8eede3

SHA1
39a411003915ba713df1b1c4810db2443f5638ab

SHA256
0bcdbf394f015a8412f76039eafc296f0e160b7686459ae9973fbad6c6d94db6

SHA512
dd278bf3a0f1e92d43d85131b3055dd8bfa8bae09172cb01a5994dcff4ca3f68be93adbb73996586916de757beb25c7db49a2329cdc8c0705a714788671b3885

Download Submit
memory/1924-0-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/1924-6-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads