Analysis
- max time kernel: 119s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20240215-en
- resource tags: arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
- submitted: 15-05-2024 18:20
Behavioral task: behavioral1
- Sample: 10e49d7a6d0f28d4df4daef4a18bb2e0_NeikiAnalytics.exe
- Resource: win7-20240215-en

Behavioral task: behavioral2
- Sample: 10e49d7a6d0f28d4df4daef4a18bb2e0_NeikiAnalytics.exe
- Resource: win10v2004-20240426-en
General
- Target: 10e49d7a6d0f28d4df4daef4a18bb2e0_NeikiAnalytics.exe
- Size: 137KB
- MD5: 10e49d7a6d0f28d4df4daef4a18bb2e0
- SHA1: 8decb06097dec03f73ab720f1af592a4dbcfc3f7
- SHA256: 8f7a764de18278e0f04c27022134a99045caf6b1932c6306fdb5707416f8ab34
- SHA512: 29aadfb2ac974dd84d26cdb234dac2d941f27f1670f9d7c1f3aeaccf48dab823cfc2d782fd6430f04200d31dd7c724bbcea9d587494d47ddb559d17ae5e5a2c2
- SSDEEP: 3072:AE9ByF5wP7Ht99mbaa+vKAzWvSVJSwpi6Ds9Q:7907wTr9mea+i6WKQG
Malware Config

Signatures
- Modifies AppInit DLL entries (2 TTPs)
- YARA rule match
  resource | yara_rule
  behavioral1/files/0x0030000000016cb2-7.dat | aspack_v212_v242
- Executes dropped EXE (1 IoCs)
  pid | Process
  2880 | racmzae.exe
- Drops file in Program Files directory (2 IoCs)
  description | ioc | Process
  File created | C:\PROGRA~3\Mozilla\racmzae.exe | 10e49d7a6d0f28d4df4daef4a18bb2e0_NeikiAnalytics.exe
  File created | C:\PROGRA~3\Mozilla\ttbtowf.dll | racmzae.exe
- Suspicious use of UnmapMainImage (2 IoCs)
  pid | Process
  1540 | 10e49d7a6d0f28d4df4daef4a18bb2e0_NeikiAnalytics.exe
  2880 | racmzae.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  description | pid | Process | procid_target
  PID 1924 wrote to memory of 2880 | 1924 | taskeng.exe | 29
  PID 1924 wrote to memory of 2880 | 1924 | taskeng.exe | 29
  PID 1924 wrote to memory of 2880 | 1924 | taskeng.exe | 29
  PID 1924 wrote to memory of 2880 | 1924 | taskeng.exe | 29
Processes
- C:\Users\Admin\AppData\Local\Temp\10e49d7a6d0f28d4df4daef4a18bb2e0_NeikiAnalytics.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\10e49d7a6d0f28d4df4daef4a18bb2e0_NeikiAnalytics.exe"
  PID: 1540
  - Drops file in Program Files directory
  - Suspicious use of UnmapMainImage
- C:\Windows\system32\taskeng.exe (depth 1)
  Command line: taskeng.exe {3B6883A8-18C4-45F1-8480-EDE00F100C2E} S-1-5-18:NT AUTHORITY\System:Service:
  PID: 1924
  - Suspicious use of WriteProcessMemory
  - C:\PROGRA~3\Mozilla\racmzae.exe (depth 2, child of taskeng.exe)
    Command line: C:\PROGRA~3\Mozilla\racmzae.exe -cddhnyc
    PID: 2880
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of UnmapMainImage
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 137KB
  MD5: 8d2d82fcb9b44972716b5f7f39684502
  SHA1: 921840eec40070db779f61b243c4528e0eda5dd0
  SHA256: 1a2f3a4d5cea37cd598177d84428bdb5e11cd6e525dd2d30b623cead33fe439d
  SHA512: a8dd35bde5f60598d62e66e3f90082eea99b2318e27796df84bc81f04666ecbf53d5b2a5ee6c5c8f792aacac8e2c44af331404ed126918f6553954444034cb69