de76512dec5f4a6f14c9240d1f69c20a5f5b4a94751b5a84f2ecd9f34832d4fa

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
16-05-2024 11:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dc6b2136949d11869c54f0b11cce7c10_NeikiAnalytics.exe
Size

59KB
MD5

dc6b2136949d11869c54f0b11cce7c10
SHA1

a8b1b1301dcb621c7f4ac68e7aac1c129370fb17
SHA256

de76512dec5f4a6f14c9240d1f69c20a5f5b4a94751b5a84f2ecd9f34832d4fa
SHA512

0b08f0fd95bdfa22e78b6875c9e96c5fee9a0a36ab246542fccbf1f2588b2fc88989f968761b2b21c34e57fd0de6ed125bbd8758b1c504035be3795b8cd9e94c
SSDEEP

768:NLhcSDgpxUueqk230wHmIOdic+AvALExifcdNOjEOM65tmVPEL1:NLhcRLleqk4rTOdbvAw9NO58V+1

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2168	codecupdate.exe

Loads dropped DLL 1 IoCs

pid	Process
2232	dc6b2136949d11869c54f0b11cce7c10_NeikiAnalytics.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2232 wrote to memory of 2168	2232	dc6b2136949d11869c54f0b11cce7c10_NeikiAnalytics.exe	28
PID 2232 wrote to memory of 2168	2232	dc6b2136949d11869c54f0b11cce7c10_NeikiAnalytics.exe	28
PID 2232 wrote to memory of 2168	2232	dc6b2136949d11869c54f0b11cce7c10_NeikiAnalytics.exe	28
PID 2232 wrote to memory of 2168	2232	dc6b2136949d11869c54f0b11cce7c10_NeikiAnalytics.exe	28
PID 2232 wrote to memory of 2168	2232	dc6b2136949d11869c54f0b11cce7c10_NeikiAnalytics.exe	28
PID 2232 wrote to memory of 2168	2232	dc6b2136949d11869c54f0b11cce7c10_NeikiAnalytics.exe	28
PID 2232 wrote to memory of 2168	2232	dc6b2136949d11869c54f0b11cce7c10_NeikiAnalytics.exe	28

C:\Users\Admin\AppData\Local\Temp\dc6b2136949d11869c54f0b11cce7c10_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\dc6b2136949d11869c54f0b11cce7c10_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2232
- C:\Users\Admin\AppData\Local\Temp\codecupdate.exe
  "C:\Users\Admin\AppData\Local\Temp\codecupdate.exe"
  2⤵
  - Executes dropped EXE
  PID:2168

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\codecupdate.exe

Filesize
59KB

MD5
5b2af77a685f67e416fec70edb4f20b2

SHA1
40146588ec20cb12d908fded3754ff48efec64f3

SHA256
87439234b8b4ee5e497fa72934f45a65bb3d0831a6fca634828e357cb8107802

SHA512
011f831699ee1e3cd7fb26356f42344b79ab5cf61bba776a7fef2f2e945e940b01702987b075d6c1f07ee07478e0474342bcae61e087e5bf2aa30c6e5226cf54

Download Submit
memory/2168-8-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2232-1-0x0000000000401000-0x0000000000402000-memory.dmp

Filesize
4KB

Download