Analysis
max time kernel: 149s
max time network: 120s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 16-05-2024 10:16
Behavioral task: behavioral1
Sample: da38401f466916b9b1fad24d2628e560_NeikiAnalytics.exe
Resource: win7-20240221-en
General
Target: da38401f466916b9b1fad24d2628e560_NeikiAnalytics.exe
Size: 391KB
MD5: da38401f466916b9b1fad24d2628e560
SHA1: 51c308d8632ff052737ff1950fac0cbcc8d195df
SHA256: 5f0bc350b5a7f4bb23b518a3674d7a4a731c6bfdfa0cab0f149ddd8565e92f6c
SHA512: b0d790c33124daa00134e99942d546f400b4f3a24b25078ba6ebdde05e1659c1cf32ec0ed48279abb5714b41a418c3efdd42ac9e710a50859af21ada0607645c
SSDEEP: 6144:eQiWreSUbn8y5+l/bRzBiw5G4DrA3vpt6t3tj5xC6qpbb+18:eMr6bwzRF75G44vpt6XjCKq
Malware Config
Extracted
Family: urelas
C2 addresses:
- 218.54.31.165
- 218.54.31.226
Signatures
- aspack_v212_v242 (yara_rule): resource behavioral1/files/0x000d000000014817-36.dat
- Deletes itself (1 IoC): pid 2568, cmd.exe
- Executes dropped EXE (3 IoCs): pid 2504 lyson.exe; pid 1280 seyshe.exe; pid 860 afhuz.exe
- Loads dropped DLL (5 IoCs): pid 2964 da38401f466916b9b1fad24d2628e560_NeikiAnalytics.exe (2 entries); pid 2504 lyson.exe (2 entries); pid 1280 seyshe.exe (1 entry)
- Enumerates physical storage devices (1 TTP): attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (62 IoCs): all 62 entries are pid 860, afhuz.exe
- Suspicious use of WriteProcessMemory (20 IoCs); each distinct row below was reported four times:
  description                       | pid  | Process                                             | procid_target
  PID 2964 wrote to memory of 2504  | 2964 | da38401f466916b9b1fad24d2628e560_NeikiAnalytics.exe | 28
  PID 2964 wrote to memory of 2568  | 2964 | da38401f466916b9b1fad24d2628e560_NeikiAnalytics.exe | 29
  PID 2504 wrote to memory of 1280  | 2504 | lyson.exe                                           | 31
  PID 1280 wrote to memory of 860   | 1280 | seyshe.exe                                          | 34
  PID 1280 wrote to memory of 764   | 1280 | seyshe.exe                                          | 35
Processes
(depth 1) C:\Users\Admin\AppData\Local\Temp\da38401f466916b9b1fad24d2628e560_NeikiAnalytics.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\da38401f466916b9b1fad24d2628e560_NeikiAnalytics.exe"
    PID: 2964
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    (depth 2) C:\Users\Admin\AppData\Local\Temp\lyson.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\lyson.exe"
        PID: 2504
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory
        (depth 3) C:\Users\Admin\AppData\Local\Temp\seyshe.exe
            command line: "C:\Users\Admin\AppData\Local\Temp\seyshe.exe" OK
            PID: 1280
            - Executes dropped EXE
            - Loads dropped DLL
            - Suspicious use of WriteProcessMemory
            (depth 4) C:\Users\Admin\AppData\Local\Temp\afhuz.exe
                command line: "C:\Users\Admin\AppData\Local\Temp\afhuz.exe"
                PID: 860
                - Executes dropped EXE
                - Suspicious behavior: EnumeratesProcesses
            (depth 4) C:\Windows\SysWOW64\cmd.exe
                command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
                PID: 764
    (depth 2) C:\Windows\SysWOW64\cmd.exe
        command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
        PID: 2568
        - Deletes itself
Network
MITRE ATT&CK Enterprise v15
Downloads