10e91233f0e62cbba0c8221cf57e05b6219f3370709dc2330c2de7d971fbb8c7

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
15/05/2024, 01:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5fb96aafe860802a6785ace980989ac0_NeikiAnalytics.exe
Size

2.8MB
MD5

5fb96aafe860802a6785ace980989ac0
SHA1

b22d251bac3b0058ac61b0596d0dcf34c828491f
SHA256

10e91233f0e62cbba0c8221cf57e05b6219f3370709dc2330c2de7d971fbb8c7
SHA512

c76b36a389c94609fe9eff3777ae6cf4a312f1382ffa704891830d88b26e0947353e9c4ff2498826cfe1fa165e204ded1ffe297b0bbca98222081a74b8729f13
SSDEEP

49152:GnvR8t4T3Dv5/4QgxBRKwpVjkr4sUz3H4fd/EknDbcwLmNQX1SYCgXJqeWwx:tkhDwpXlTHApEkDbcwLY8UYC/Z

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
304	SETUP.EXE
2900	VIS32X.EXE

Loads dropped DLL 10 IoCs

pid	Process
912	5fb96aafe860802a6785ace980989ac0_NeikiAnalytics.exe
912	5fb96aafe860802a6785ace980989ac0_NeikiAnalytics.exe
304	SETUP.EXE
304	SETUP.EXE
304	SETUP.EXE
304	SETUP.EXE
2900	VIS32X.EXE
2900	VIS32X.EXE
2900	VIS32X.EXE
2900	VIS32X.EXE

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\ViSetupInitProcess.log	SETUP.EXE
File created	C:\Windows\temp.000	SETUP.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2900	VIS32X.EXE
2900	VIS32X.EXE

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 912 wrote to memory of 304	912	5fb96aafe860802a6785ace980989ac0_NeikiAnalytics.exe	28
PID 912 wrote to memory of 304	912	5fb96aafe860802a6785ace980989ac0_NeikiAnalytics.exe	28
PID 912 wrote to memory of 304	912	5fb96aafe860802a6785ace980989ac0_NeikiAnalytics.exe	28
PID 912 wrote to memory of 304	912	5fb96aafe860802a6785ace980989ac0_NeikiAnalytics.exe	28
PID 912 wrote to memory of 304	912	5fb96aafe860802a6785ace980989ac0_NeikiAnalytics.exe	28
PID 912 wrote to memory of 304	912	5fb96aafe860802a6785ace980989ac0_NeikiAnalytics.exe	28
PID 912 wrote to memory of 304	912	5fb96aafe860802a6785ace980989ac0_NeikiAnalytics.exe	28
PID 304 wrote to memory of 2900	304	SETUP.EXE	29
PID 304 wrote to memory of 2900	304	SETUP.EXE	29
PID 304 wrote to memory of 2900	304	SETUP.EXE	29
PID 304 wrote to memory of 2900	304	SETUP.EXE	29
PID 304 wrote to memory of 2900	304	SETUP.EXE	29
PID 304 wrote to memory of 2900	304	SETUP.EXE	29
PID 304 wrote to memory of 2900	304	SETUP.EXE	29

C:\Users\Admin\AppData\Local\Temp\5fb96aafe860802a6785ace980989ac0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\5fb96aafe860802a6785ace980989ac0_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:912
- C:\Users\Admin\AppData\Local\Temp\VIEXPAND\SETUP.EXE
  "C:\Users\Admin\AppData\Local\Temp\VIEXPAND\SETUP.EXE"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:304
- - C:\Users\Admin\AppData\Local\Temp\VISETUP\VIS32X.EXE
    C:\Users\Admin\AppData\Local\Temp\VISETUP\VIS32X.EXE C:\Users\Admin\AppData\Local\Temp\VIEXPAND
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:2900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\FSa02420\_ad46C.adx

Filesize
8KB

MD5
698a09de25d0c0e633bffaeaf720bff8

SHA1
2fdd72220ec1e651c6e712df740a5946c89ababc

SHA256
a630014395f8bc6efd368b446ff72f80b23f4c751e617511bd4b139fbb87a795

SHA512
190d1cc76b5fa1ea89741a2ea0c18b65bab103da16b33b71f1fcb5a6ae025625c382db865f8167d5b45644e167790ccb5c1428c1805d9d0781a26d856f467365

Download Submit
C:\Users\Admin\AppData\Local\Temp\FSa02420\_ad46C.rtp

Filesize
409B

MD5
a78a97db31e02a88a628ce4bdb983fe3

SHA1
d292ce578cb9ee4d7220514959500677e45199fb

SHA256
26723593e234c27348bf325f18c1d7e105f552cb51414281589dbe783d6bae39

SHA512
0d86faa5d11c3104c1be569e6fc4d2de52376be8560066253323cc6e44b4594af00797530c7c2f6d272143856d26f4304c1e9b337b03bc4530ac2506faf668ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\VIEXPAND\DUNZIP32.DLL

Filesize
108KB

MD5
040ff964d8e643010fdc1a084d091e8e

SHA1
ad95d17eac0e535d944c052b1c087e76162ddc23

SHA256
bce5281d9875c5492db38371bb3e911dae7383594c6afe3908a06cfb69a35c2c

SHA512
54f226dff9f4d5a269917151de1f736af54a0747bfe7cc0352579c8ba830710e39144abb708c19619aeb60ed4b9a29fcb3ff291bb909b833432020ad29781597

Download Submit
C:\Users\Admin\AppData\Local\Temp\VIEXPAND\ENGLISH.LNG

Filesize
7KB

MD5
16c9f62d4118e533a534c264012043bc

SHA1
ecef298e08b70da522ae91535206792653881b66

SHA256
fb7a5ea2ba0bdc624a85316ffd06bf2647fdccca0cb5bff05deeaccc78d42bf6

SHA512
9a0e73bea4987a369dc0ffd904a8fdbc0a06fea8989695e68e1f7b14b874e9a646d08718751864b0735b2b8bb0acfef0ecfc3db7a1886b6d7ece9eaa85bbaa67

Download Submit
C:\Users\Admin\AppData\Local\Temp\VIEXPAND\FILELIST.INF

Filesize
2KB

MD5
e3ae367b00ff2e40cc9e924560f83649

SHA1
d628967b6b63201e023faca4a2e3f8c671bdcc78

SHA256
bd414ea92432ab851aa80bcd03f90427db437f46ee55f8c8edc2c546a96aabd7

SHA512
ed83d88bc50be4705bf9f181f73186ce564e2d7505b07dc7bc4c77148cdabbe9c97626901c64a34552b13e081f98dccfabc661738adb9643714213f317de3ba0

Download Submit
C:\Users\Admin\AppData\Local\Temp\VIEXPAND\VIS32X.BIN

Filesize
344KB

MD5
63910054d77b012e2ae4492d9997d611

SHA1
495b89af8a7422e6896d1f34c0e5c8e1e4882fd8

SHA256
7259f8199d48ee2642fad56778036f912e2e55139bf34296cd0a48d59d8cc449

SHA512
ce12783b2113f73465beae0a4f15434d159e13fe3d3247141932e40cfab2729888aed8cb4aeada0250c99a2021e1f21b172445d9729a1f9a35fcb8330b625089

Download Submit
C:\Users\Admin\AppData\Local\Temp\VIEXPAND\VISETUP.INF

Filesize
6KB

MD5
45d735c6b93d464e2a293d0f766c8031

SHA1
33557bd4055589504ceedfd96db6e284c10a8e4c

SHA256
e1f4c8eccd8255e1926b7f1a627213694fe39f7ec584629a698a1c37a6170f3c

SHA512
be72c42ea2e1d14ceeaba0ca9f932093245c95a71444f513773ec3b523dec375a6a7826e3decca25ccf7e6552415efe0c77185f05a9ec52df9dae74f8e56f135

Download Submit
C:\Users\Admin\AppData\Local\Temp\VIEXPAND\VIXUNIN.BIN

Filesize
152KB

MD5
288b65894b02eb372cf4e400d87b4268

SHA1
facce8bfecb4b053d2afe332056ebc0bdcdb0e5c

SHA256
70e6b0619dc2a9cb4c17482fbd0db24a1bbea3e5435ec379160830e261ce7d8a

SHA512
a2661179156fe127996a4ae0fe7c30b43e8d5ae20e42b5a33cf29ff7ff21409250c2d097dc5d3d5e5aa3b4c9c761683576590a312b24b8aa2c5cd16f95c2989c

Download Submit
C:\Users\Admin\AppData\Local\Temp\VISETUP\DESOBJ.DAT

Filesize
45KB

MD5
40d09e341cdce1a03936a575998e0518

SHA1
5c3674b1b2acae23f10648ef550846e51459f4f2

SHA256
606dbb8186e71bef39b7c61cdefc568ec62de8381d048746ccd2911c1ca14058

SHA512
2e3854ac9efcebde9bfcda7d6f7c92487e18055948d9bb17e26d9a117da849f9df5f2d55a3c6b305b866722642256b864d5707e5928f30231d71853794543303

Download Submit
C:\Windows\ViSetupInitProcess.log

Filesize
745B

MD5
5c8dc7de2f97a3a1894c0d8c495ba261

SHA1
1cbad318f553e951e1a00d0e3915835e697bedad

SHA256
f3a16c49d643a7efb0bf2b0bb6ed1f4aa2abbdcb0c8e3bfad33a952793f5c0ca

SHA512
bda908eca26a1e4e4506e34bf293e37ec024a0ccebc37624a37a07fb302bf1250efcd2cfc10666b8eba3176c7ba90150da0dfac13ffbdc998961e9aada7b3f2a

Download Submit
C:\Windows\ViSetupInitProcess.log

Filesize
1KB

MD5
4c2215089b4823ecc1670ee76966c67b

SHA1
2c363354ce51ccdeec15da5d7a2c2fc32ed9cd20

SHA256
34cd423fe294d24fe99c7e7e5040341dfb47dc757ac6460635442332bea1868f

SHA512
b336ac9d1d0f0b8498a3e5dc6d75dbe125f0296f9416ec49a88065cf18053bc85ab622ca780ae1225a896975589558663813c5e79445ce47e28d2387f9095854

Download Submit
\Users\Admin\AppData\Local\Temp\VIEXPAND\SETUP.EXE

Filesize
56KB

MD5
856237d4efd4891f28363624d82def3e

SHA1
da33afd849522d963cc96384e1a3e01c19dbf816

SHA256
0646ed494bd9e59976a2534afe525297895b478bc3247f088d109c7f3e8ed93a

SHA512
09b85dc6d757e4225f5359f851ec701d8c49bcde7529e1bcb8dbe2ec46656951da3f936aa95bb51ec29cb75ae7e1abd595cfe161481b72464a095174c7627fa9

Download Submit
\Users\Admin\AppData\Local\Temp\_ad46C.dll

Filesize
75KB

MD5
8d64fa18e26d4e06dfefce76c7d45dd8

SHA1
237b4459b7949949117447ff3d7a094259ebf6bc

SHA256
59fcc793fc77f3e2fbe8fe01c670c0943a7a1087785a1e735f43b0e0800b0412

SHA512
4054e667777d58c3053aabc180668be771480564288a24c5392e62d95bce0bb5e565b8efff538ad149c685679a5a3403dcf8c2836bc0f38e98b2af87ea900aa8

Download Submit
memory/912-248-0x0000000000400000-0x00000000006D4000-memory.dmp

Filesize
2.8MB

Download