27d1c4a9f793615c46c3d284bbf6d2deec7838dce9f41f25a34f68389462f9f0

Analysis

max time kernel
149s
max time network
106s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
17-05-2024 09:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e7a06d7530f6f2d4e206ab99338e6470_NeikiAnalytics.exe
Size

31KB
MD5

e7a06d7530f6f2d4e206ab99338e6470
SHA1

6ebf59382094cb763a00a70f2d850bfbe57744b1
SHA256

27d1c4a9f793615c46c3d284bbf6d2deec7838dce9f41f25a34f68389462f9f0
SHA512

633ee7b2b45b7ec1b8d7a4606d79b25cc5847f2a145eb3f3858e51a3c41477d9170024eca43a8e454e49aac5b1100e6e78b6474e67b4d9b1351ac8434f9a9234
SSDEEP

768:/qPJtHA6C1VqahohtgVRNToV7TtRu8rM0wYVFl2g5coW58dO0xXHV2EfKYfdhNhl:/qnA6C1VqaqhtgVRNToV7TtRu8rM0wYF

Score

7^/10

persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2936	microsofthelp.exe

Executes dropped EXE 1 IoCs

pid	Process
2936	microsofthelp.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\microsofthelp = "C:\\Windows\\microsofthelp.exe"	e7a06d7530f6f2d4e206ab99338e6470_NeikiAnalytics.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\microsofthelp.exe	e7a06d7530f6f2d4e206ab99338e6470_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2204 wrote to memory of 2936	2204	e7a06d7530f6f2d4e206ab99338e6470_NeikiAnalytics.exe	82
PID 2204 wrote to memory of 2936	2204	e7a06d7530f6f2d4e206ab99338e6470_NeikiAnalytics.exe	82
PID 2204 wrote to memory of 2936	2204	e7a06d7530f6f2d4e206ab99338e6470_NeikiAnalytics.exe	82

C:\Users\Admin\AppData\Local\Temp\e7a06d7530f6f2d4e206ab99338e6470_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\e7a06d7530f6f2d4e206ab99338e6470_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2204
- C:\Windows\microsofthelp.exe
  "C:\Windows\microsofthelp.exe"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:2936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\microsofthelp.exe

Filesize
32KB

MD5
a5bf857f82040b4a5dd6fe5ad3feafb3

SHA1
a658117fe8af85853e3991faaa49eb86dc7cf221

SHA256
3ae277a4d6942f2a0ec960d43d2c6ee2c18852b4c929c80d4d1c088e260526ec

SHA512
c1506f090d170b583ee8737fdf86bb8fa4a663a22a9a249f9d30f10daf00fa1fa54b7663115c0324db4de1042e31fa9c3085c2a63e802af64b709cbde0d547c4

Download Submit
memory/2204-0-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/2204-4-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads