Analysis
-
max time kernel
121s -
max time network
125s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system -
submitted
16-05-2024 11:31
Static task
static1
Behavioral task
behavioral1
Sample
dcbca8277341b00dac3599b06b67ca20_NeikiAnalytics.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
dcbca8277341b00dac3599b06b67ca20_NeikiAnalytics.exe
Resource
win10v2004-20240508-en
General
-
Target
dcbca8277341b00dac3599b06b67ca20_NeikiAnalytics.exe
-
Size
131KB
-
MD5
dcbca8277341b00dac3599b06b67ca20
-
SHA1
d7089c4fe9646850c554b806e251bfafd28a264e
-
SHA256
082ff2d6dbbdaeb8fa6b96f0d0be87daf8f28a709d8e90fb204a3a4138e792fc
-
SHA512
a795b5ff11cacb411e5164ac2bc0c2aac53c67875ed81e8dad71688d8c8d55f806707fcb3284ab1d1be61883ead3b329cda62a7ef71cf7a989b41bc8859dfc3c
-
SSDEEP
3072:88VVMCh33UW0BoHA6NQuO8flJWbI1G9UKqCcrdLB3oKdGCH:5IC33BOev/39I
Malware Config
Signatures
-
resource yara_rule behavioral1/files/0x000c00000001227e-2.dat aspack_v212_v242 behavioral1/memory/1728-10-0x00000000003D0000-0x00000000003D9000-memory.dmp aspack_v212_v242 -
Executes dropped EXE 1 IoCs
pid Process 2864 BNyMUH.exe -
Loads dropped DLL 2 IoCs
pid Process 1728 dcbca8277341b00dac3599b06b67ca20_NeikiAnalytics.exe 1728 dcbca8277341b00dac3599b06b67ca20_NeikiAnalytics.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe BNyMUH.exe File opened for modification C:\Program Files\Java\jre7\bin\rmid.exe BNyMUH.exe File opened for modification C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe BNyMUH.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe BNyMUH.exe File opened for modification C:\Program Files\Java\jre7\bin\jp2launcher.exe BNyMUH.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe BNyMUH.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe BNyMUH.exe File opened for modification C:\Program Files\Java\jre7\bin\tnameserv.exe BNyMUH.exe File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe BNyMUH.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE BNyMUH.exe File opened for modification C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe BNyMUH.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe BNyMUH.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\OIS.EXE BNyMUH.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe BNyMUH.exe File opened for modification C:\Program Files\Java\jre7\bin\javaw.exe BNyMUH.exe File opened for modification C:\Program Files\Microsoft Games\Multiplayer\Spades\shvlzm.exe BNyMUH.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe BNyMUH.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\MSQRY32.EXE BNyMUH.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe BNyMUH.exe File opened for modification C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe BNyMUH.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe BNyMUH.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaw.exe BNyMUH.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe BNyMUH.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe BNyMUH.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe BNyMUH.exe File opened for modification C:\Program Files\Java\jre7\bin\javacpl.exe BNyMUH.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\VPREVIEW.EXE BNyMUH.exe File opened for modification C:\Program Files\7-Zip\7z.exe BNyMUH.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\rmiregistry.exe BNyMUH.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe BNyMUH.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe BNyMUH.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe BNyMUH.exe File opened for modification C:\Program Files\Mozilla Firefox\maintenanceservice.exe BNyMUH.exe File opened for modification C:\Program Files\Windows Journal\PDIALOG.exe BNyMUH.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe BNyMUH.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe BNyMUH.exe File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe BNyMUH.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\CNFNOT32.EXE BNyMUH.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PPTICO.EXE BNyMUH.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe BNyMUH.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe BNyMUH.exe File opened for modification C:\Program Files\Java\jre7\bin\orbd.exe BNyMUH.exe File opened for modification C:\Program Files\Mozilla Firefox\firefox.exe BNyMUH.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe BNyMUH.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\CLVIEW.EXE BNyMUH.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe BNyMUH.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe BNyMUH.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe BNyMUH.exe File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe BNyMUH.exe File opened for modification C:\Program Files\Google\Chrome\Application\chrome_proxy.exe BNyMUH.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe BNyMUH.exe File opened for modification C:\Program Files\Java\jre7\bin\unpack200.exe BNyMUH.exe File opened for modification C:\Program Files\Windows Sidebar\sidebar.exe BNyMUH.exe File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe BNyMUH.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\INFOPATH.EXE BNyMUH.exe File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe BNyMUH.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe BNyMUH.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe BNyMUH.exe File opened for modification C:\Program Files\Java\jre7\bin\pack200.exe BNyMUH.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Wordconv.exe BNyMUH.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\MSPUB.EXE BNyMUH.exe File opened for modification C:\Program Files\Microsoft Games\Solitaire\Solitaire.exe BNyMUH.exe File opened for modification C:\Program Files\Mozilla Firefox\uninstall\helper.exe BNyMUH.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe BNyMUH.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 1728 wrote to memory of 2864 1728 dcbca8277341b00dac3599b06b67ca20_NeikiAnalytics.exe 29 PID 1728 wrote to memory of 2864 1728 dcbca8277341b00dac3599b06b67ca20_NeikiAnalytics.exe 29 PID 1728 wrote to memory of 2864 1728 dcbca8277341b00dac3599b06b67ca20_NeikiAnalytics.exe 29 PID 1728 wrote to memory of 2864 1728 dcbca8277341b00dac3599b06b67ca20_NeikiAnalytics.exe 29 PID 2864 wrote to memory of 2676 2864 BNyMUH.exe 30 PID 2864 wrote to memory of 2676 2864 BNyMUH.exe 30 PID 2864 wrote to memory of 2676 2864 BNyMUH.exe 30 PID 2864 wrote to memory of 2676 2864 BNyMUH.exe 30
Processes
-
C:\Users\Admin\AppData\Local\Temp\dcbca8277341b00dac3599b06b67ca20_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\dcbca8277341b00dac3599b06b67ca20_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1728 -
C:\Users\Admin\AppData\Local\Temp\BNyMUH.exeC:\Users\Admin\AppData\Local\Temp\BNyMUH.exe2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2864 -
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\13121d83.bat" "3⤵PID:2676
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H09CVCL3\k2[1].rar
Filesize4B
MD5d3b07384d113edec49eaa6238ad5ff00
SHA1f1d2d2f924e986ac86fdf7b36c94bcdf32beec15
SHA256b5bb9d8014a0f9b1d61e21e796d78dccdf1352f23cd32812f4850b878ae4944c
SHA5120cf9180a764aba863a67b6d72f0918bc131c6772642cb2dce5a34f0a702f9470ddc2bf125c12198b1995c233c34b4afd346c54a2334c350a948a51b6e8b4e6b6
-
Filesize
187B
MD58ec61506c804c7f274b93f998bf202ee
SHA1b2c491c667c44bad14859a29cafc199c9219ec93
SHA25663a2963eb58734c8c0e2e4d8c4ef3391e3d3f65e7965069056ff6c8e40d257fd
SHA5121775ac5e288ec15a1a8d4d9f7e7c23764c84c2fb9ec57b2fd5c252fefe098e2ce73a6363af0f1f68caad375194dac204979f2b261b08b75d01d27a431997257d
-
Filesize
15KB
MD556b2c3810dba2e939a8bb9fa36d3cf96
SHA199ee31cd4b0d6a4b62779da36e0eeecdd80589fc
SHA2564354970ccc7cd6bb16318f132c34f6a1b3d5c2ea7ff53e1c9271905527f2db07
SHA51227812a9a034d7bd2ca73b337ae9e0b6dc79c38cfd1a2c6ac9d125d3cc8fa563c401a40d22155811d5054e5baa8cf8c8e7e03925f25fa856a9ba9dea708d15b4e