Analysis
max time kernel: 148s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 17-05-2024 06:36
Behavioral task behavioral1
Sample: c30741092945f21c04a10f98e9ed1620_NeikiAnalytics.exe
Resource: win7-20240220-en
Behavioral task behavioral2
Sample: c30741092945f21c04a10f98e9ed1620_NeikiAnalytics.exe
Resource: win10v2004-20240426-en
General
Target: c30741092945f21c04a10f98e9ed1620_NeikiAnalytics.exe
Size: 6.0MB
MD5: c30741092945f21c04a10f98e9ed1620
SHA1: 8435f33caa64e6527ea401d48268f45675743871
SHA256: 5efea9d9fbd802c625eaa80939fd94c228b973d44d181ea8ab11f3d4ef42e90c
SHA512: 5927f8eb04dc0baf5ceaef13594561a051d332a924ab6eeae097bc8b4072fc523fce868e7c47be9a354482e9e4e7c2a6aee523e7576ab631102c3d03cf38cdfc
SSDEEP: 98304:lVzPib+sX1ZvbeAyJZ/dJolTlPNs2PKToa1FptF07TcXeZS7uiFpMndH2nkzwTVi:lVzPiCsXDjDyf/dJolpPgToa10/cOMFl
Malware Config
Extracted family: metasploit (metasploit_stager)
C2: 106.53.94.240:6000
Signatures
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
Loads dropped DLL (5 IoCs)
Processes (pid, process):
3292 c30741092945f21c04a10f98e9ed1620_NeikiAnalytics.exe (5 identical rows, one per loaded module)
Suspicious use of WriteProcessMemory (2 IoCs)
Processes (description, pid, process, target process):
PID 3452 wrote to memory of 3292 | 3452 | c30741092945f21c04a10f98e9ed1620_NeikiAnalytics.exe | c30741092945f21c04a10f98e9ed1620_NeikiAnalytics.exe (2 identical rows)
Processes
1. C:\Users\Admin\AppData\Local\Temp\c30741092945f21c04a10f98e9ed1620_NeikiAnalytics.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\c30741092945f21c04a10f98e9ed1620_NeikiAnalytics.exe"
   Suspicious use of WriteProcessMemory
   PID: 3452
   2. C:\Users\Admin\AppData\Local\Temp\c30741092945f21c04a10f98e9ed1620_NeikiAnalytics.exe (child of PID 3452)
      Command line: "C:\Users\Admin\AppData\Local\Temp\c30741092945f21c04a10f98e9ed1620_NeikiAnalytics.exe"
      Loads dropped DLL
      PID: 3292
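The process tree and the dropped files under _MEI34522 are the footprint of a PyInstaller one-file bundle: the parent (PID 3452) unpacks python38.dll, the C runtime and base_library.zip into a temp directory and spawns a second copy of itself (PID 3292) that loads them, which is why the sandbox flags "Suspicious use of WriteProcessMemory" on the parent and "Loads dropped DLL" on the child. The script below is an added example, not part of the Triage output, that embeds the indicators from this report and re-derives its signatures over a constructed event list. It assumes an event schema invented for illustration (not Triage's real one) and that the PyInstaller bootloader names its extraction directory _MEI<pid>2 (the report's _MEI34522 fits parent PID 3452). The caveat it encodes: the runtime-file hashes identify a PyInstaller build, not this payload, so only the sample hash and the extracted C2 endpoint are sample-specific indicators, and a parent writing into the child it spawned from its own image is the normal bootstrap rather than injection into a foreign process.

```python
"""Match the report's indicators against sandbox-style events.

Added example, not part of the sandbox output. The event schema and the EVENTS
list are constructed for illustration and do not follow Triage's real format.
"""
import hashlib
import re
from pathlib import Path

# Indicators copied from the report. The files under _MEI34522 are stock
# PyInstaller / Python 3.8 runtime components, so a hit on them says
# "PyInstaller bundle", not "this payload"; only SAMPLE_SHA256 and C2 are
# specific to this sample.
SAMPLE_SHA256 = "5efea9d9fbd802c625eaa80939fd94c228b973d44d181ea8ab11f3d4ef42e90c"
C2 = ("106.53.94.240", 6000)
RUNTIME_SHA256 = {
    "6a0850419432735a98e56857d5cfce97e9d58a947a9863ca6afadd1c7bcab27c": "VCRUNTIME140.dll",
    "820e840759eed12e19f3c485fd819b065b49d9dc704ae3599a63077416d63324": "_ctypes.pyd",
    "cad7cfc3921fac97b004237f93645bf0344bb3bd0065c08d040846397ae494ff": "base_library.zip",
    "f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081": "libffi-7.dll",
    "2f3e368f5bcc1dda5e951682008a509751e6395f7328fd0f02c4e1a11f67c128": "python38.dll",
    "c3c6ff3005623a771cf1642beabb62add5f101782b8f2b60081ab3faf2824cca": "ucrtbase.dll",
}
# Assumption: the PyInstaller onefile bootloader unpacks into %TEMP%\_MEI<pid>2.
# The report's _MEI34522 matches parent PID 3452 plus the trailing "2".
MEI_DIR = re.compile(r"\\_MEI(\d+)2\\", re.IGNORECASE)


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 (the dropped python38.dll is 4 MB)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def classify_digest(sha256: str) -> str:
    """'sample', 'pyinstaller-runtime' or 'unknown' for a SHA-256 hex digest."""
    d = sha256.lower()
    if d == SAMPLE_SHA256:
        return "sample"
    if d in RUNTIME_SHA256:
        return "pyinstaller-runtime"
    return "unknown"


def triage(events: list) -> list:
    """Re-derive the report's signatures; returns (finding, pid, detail) in event order."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    findings = []
    for e in events:
        if e["type"] == "load_dll":
            m = MEI_DIR.search(e["path"])
            proc = procs.get(e["pid"])
            if m and proc and int(m.group(1)) == proc["ppid"]:
                # Child loading modules from the directory its parent unpacked:
                # PyInstaller's two-stage bootstrap ("Loads dropped DLL").
                findings.append(("pyinstaller_bootstrap", e["pid"], e["path"]))
        elif e["type"] == "write_memory":
            src, dst = procs.get(e["pid"]), procs.get(e["target"])
            to_own_child = (
                src is not None and dst is not None
                and dst["ppid"] == e["pid"]
                and src["image"].lower() == dst["image"].lower()
            )
            # Parent -> freshly spawned child of the same image is the bootstrap
            # the sandbox labels "Suspicious use of WriteProcessMemory"; a write
            # into an unrelated process is the injection case worth escalating.
            kind = "write_memory_to_own_child" if to_own_child else "write_memory_foreign"
            findings.append((kind, e["pid"], e["target"]))
        elif e["type"] == "connect" and (e["dst"], e["port"]) == C2:
            findings.append(("metasploit_stager_c2", e["pid"], f"{e['dst']}:{e['port']}"))
    return findings


EXE = r"C:\Users\Admin\AppData\Local\Temp\c30741092945f21c04a10f98e9ed1620_NeikiAnalytics.exe"
# Constructed events mirroring the report's process tree, plus a foreign-process
# write and a C2 connection (neither is in the report) to show the contrast.
EVENTS = [
    {"type": "process", "pid": 3452, "ppid": 1000, "image": EXE},
    {"type": "process", "pid": 3292, "ppid": 3452, "image": EXE},
    {"type": "write_memory", "pid": 3452, "target": 3292},
    {"type": "load_dll", "pid": 3292,
     "path": r"C:\Users\Admin\AppData\Local\Temp\_MEI34522\python38.dll"},
    {"type": "process", "pid": 4100, "ppid": 1000, "image": r"C:\Windows\System32\notepad.exe"},
    {"type": "write_memory", "pid": 3292, "target": 4100},
    {"type": "connect", "pid": 3292, "dst": "106.53.94.240", "port": 6000},
]

if __name__ == "__main__":
    for finding in triage(EVENTS):
        print(*finding)
```

On a live host, `sha256_file` over a suspect `_MEI*` directory sorts its contents into `pyinstaller-runtime` and `unknown`; the `unknown` entries are the ones worth pulling, since the stager's own Python code is what the runtime files above are carrying.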
Network
MITRE ATT&CK Matrix
Downloads
C:\Users\Admin\AppData\Local\Temp\_MEI34522\VCRUNTIME140.dll
Filesize: 93KB
MD5: 4a365ffdbde27954e768358f4a4ce82e
SHA1: a1b31102eee1d2a4ed1290da2038b7b9f6a104a3
SHA256: 6a0850419432735a98e56857d5cfce97e9d58a947a9863ca6afadd1c7bcab27c
SHA512: 54e4b6287c4d5a165509047262873085f50953af63ca0dcb7649c22aba5b439ab117a7e0d6e7f0a3e51a23e28a255ffd1ca1ddce4b2ea7f87bca1c9b0dbe2722

C:\Users\Admin\AppData\Local\Temp\_MEI34522\_ctypes.pyd
Filesize: 124KB
MD5: 291a0a9b63bae00a4222a6df71a22023
SHA1: 7a6a2aad634ec30e8edb2d2d8d0895c708d84551
SHA256: 820e840759eed12e19f3c485fd819b065b49d9dc704ae3599a63077416d63324
SHA512: d43ef6fc2595936b17b0a689a00be04968f11d7c28945af4c3a74589bd05f415bf4cb3b4e22ac496490daff533755999a69d5962ccffd12e09c16130ed57fd09

C:\Users\Admin\AppData\Local\Temp\_MEI34522\base_library.zip
Filesize: 1008KB
MD5: c36ac516b6db2b1314bacd5b0f2f443e
SHA1: e1bdac2ee9d7d6bce7736a3f1227ac04a50a25b5
SHA256: cad7cfc3921fac97b004237f93645bf0344bb3bd0065c08d040846397ae494ff
SHA512: fb439ddb3e2198e84e7e5b591a73ccc3db65daa33d5eaf322b40818c7666ab6d58455d94c06a6eb3bdb1d8a147ed37044a7c5c8ba19d94cf144a4ad0bf63373c

C:\Users\Admin\AppData\Local\Temp\_MEI34522\libffi-7.dll
Filesize: 32KB
MD5: eef7981412be8ea459064d3090f4b3aa
SHA1: c60da4830ce27afc234b3c3014c583f7f0a5a925
SHA256: f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081
SHA512: dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

C:\Users\Admin\AppData\Local\Temp\_MEI34522\python38.dll
Filesize: 4.0MB
MD5: 26ba25d468a778d37f1a24f4514d9814
SHA1: b64fe169690557656ede3ae50d3c5a197fea6013
SHA256: 2f3e368f5bcc1dda5e951682008a509751e6395f7328fd0f02c4e1a11f67c128
SHA512: 80471bfeeab279ce4adfb9ee1962597fb8e1886b861e31bdff1e3aa0df06d93afeb3a3398e9519bab7152d4bd7d88fa9b328a2d7eb50a91eb60fead268912080

C:\Users\Admin\AppData\Local\Temp\_MEI34522\ucrtbase.dll
Filesize: 1020KB
MD5: c9c70e684ca8e1d74fcfa17dbc6eaab4
SHA1: 956f47dbed9b405687429827f532e5347189f108
SHA256: c3c6ff3005623a771cf1642beabb62add5f101782b8f2b60081ab3faf2824cca
SHA512: 2b3e9f1fe105bd4c08e76e6ac584670735cc459272c34e95dce3db3f58ad392a1a63c2726f3f08e1d35fd6facab92d41b9cb2ac44c0531ce44daf17a9517374a

memory/3292-64-0x0000015EE7580000-0x0000015EE7581000-memory.dmp
Filesize: 4KB