4e2a3160faec418ffb19e7b0217b2eb9454b655ece1627141224b9b0d5a0449f

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
16/05/2024, 11:37

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

dcf7bcf94b5c931d5b3d7ed53c200760_NeikiAnalytics.exe
Size

138KB
MD5

dcf7bcf94b5c931d5b3d7ed53c200760
SHA1

7d889be875b9158dee4ed2c8d9bed09014683a20
SHA256

4e2a3160faec418ffb19e7b0217b2eb9454b655ece1627141224b9b0d5a0449f
SHA512

9d20f05dbe32e8360cad375d5c8f374244f264a1bb38de5c387b7c3c7a5052d6ce104548a2a4eef20d6ba3ca661a7783157c27de07149e955355e35af7de2cde
SSDEEP

3072:BVMfMIbIow3J9tCII06DZWYIYpx+BC3K5eqU+BC3K5eqYroGSc:cfMminCII06VWwpbK70K7zc

Score

8^/10

persistence

Malware Config

Signatures

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112

Executes dropped EXE 1 IoCs

pid	Process
2112	wrvdfyg.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\PROGRA~3\Mozilla\wrvdfyg.exe	dcf7bcf94b5c931d5b3d7ed53c200760_NeikiAnalytics.exe
File created	C:\PROGRA~3\Mozilla\klztrnd.dll	wrvdfyg.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2964 wrote to memory of 2112	2964	taskeng.exe	29
PID 2964 wrote to memory of 2112	2964	taskeng.exe	29
PID 2964 wrote to memory of 2112	2964	taskeng.exe	29
PID 2964 wrote to memory of 2112	2964	taskeng.exe	29

C:\Users\Admin\AppData\Local\Temp\dcf7bcf94b5c931d5b3d7ed53c200760_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\dcf7bcf94b5c931d5b3d7ed53c200760_NeikiAnalytics.exe"
1⤵
- Drops file in Program Files directory
PID:2008

C:\Windows\system32\taskeng.exe
taskeng.exe {E332A6EF-2BD0-444F-B259-D337A6E5997D} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:2964
- C:\PROGRA~3\Mozilla\wrvdfyg.exe
  C:\PROGRA~3\Mozilla\wrvdfyg.exe -hzyjzia
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:2112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\Mozilla\wrvdfyg.exe

Filesize
138KB

MD5
221df3d8e6b82ba4db5397738515018c

SHA1
a9989becb097d434852802c3a1c155429f6dc9ec

SHA256
79a281de8987ddf2c6126333cf2e84b0326bbbfb2a75215739b85cda80157488

SHA512
6190a8dc22ff20fdf74633a3d6ab674809a19e9d2cf1289e42e0c1f63871d9741c3b1efea81341200abcd3f074bc80824839d7a062cf1ea2edb5ae19ad22d2ce

Download Submit