301512a8af81aa938a179680aa7bcf1e33e3f00e9027ca87c9cb4361d740445b

Analysis

max time kernel
148s
max time network
150s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
15-05-2024 07:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9f0ddf3ac839c4bd835576d23fd405b0_NeikiAnalytics.exe
Size

24KB
MD5

9f0ddf3ac839c4bd835576d23fd405b0
SHA1

bf0c5c53163740ac0b4d246195509075e5424c42
SHA256

301512a8af81aa938a179680aa7bcf1e33e3f00e9027ca87c9cb4361d740445b
SHA512

f90f6a131d9a35c2e868c139ff7c35dd00ddcffc216d9dad1fb4a2f3d87b75bb8500b3c717486af176004e2529ce1d472e0e7d1c746539d82f20d73332400c8f
SSDEEP

96:kedXTinK84xB9ILZemAhwC5l8eItL5Xf93NrcA+WOBZeGKoix1nQcET00:lTingBSomAhpuV9Q3KJdQ9TV

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2308	samhe.exe

Loads dropped DLL 2 IoCs

pid	Process
1972	9f0ddf3ac839c4bd835576d23fd405b0_NeikiAnalytics.exe
1972	9f0ddf3ac839c4bd835576d23fd405b0_NeikiAnalytics.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1972-0-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral1/files/0x0009000000016176-3.dat	upx
behavioral1/memory/1972-12-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral1/memory/2308-13-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1972 wrote to memory of 2308	1972	9f0ddf3ac839c4bd835576d23fd405b0_NeikiAnalytics.exe	28
PID 1972 wrote to memory of 2308	1972	9f0ddf3ac839c4bd835576d23fd405b0_NeikiAnalytics.exe	28
PID 1972 wrote to memory of 2308	1972	9f0ddf3ac839c4bd835576d23fd405b0_NeikiAnalytics.exe	28
PID 1972 wrote to memory of 2308	1972	9f0ddf3ac839c4bd835576d23fd405b0_NeikiAnalytics.exe	28

C:\Users\Admin\AppData\Local\Temp\9f0ddf3ac839c4bd835576d23fd405b0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\9f0ddf3ac839c4bd835576d23fd405b0_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1972
- C:\Users\Admin\AppData\Local\Temp\samhe.exe
  "C:\Users\Admin\AppData\Local\Temp\samhe.exe"
  2⤵
  - Executes dropped EXE
  PID:2308

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\samhe.exe

Filesize
24KB

MD5
3c3c0338118976c006a8db06e436bddb

SHA1
39916515ba4f3f4ff8dd11170717ea21eebba4e6

SHA256
5b476b22092555e3b7187ada9ed31033b0068aec8d595b0197f908bc6dab77e4

SHA512
71d22cca6ff983b9cd1397a2e5c32d2b35611651ba3c8e5b4e563a42772d1144c928124da933a78eda434a2e907b693f212df90db5b76c874309d3a5da4b2578

Download Submit
memory/1972-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1972-5-0x0000000002040000-0x000000000204A000-memory.dmp

Filesize
40KB

Download
memory/1972-12-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2308-13-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download