2328ec15cf52cee965f8b5a5ed41b1cc230a2a88c3f4a327c34ecf3aec95a03f

Analysis

max time kernel
147s
max time network
122s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
17/05/2024, 14:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ed1f84ea9104c6d44fa117e3db2d7050_NeikiAnalytics.exe
Size

410KB
MD5

ed1f84ea9104c6d44fa117e3db2d7050
SHA1

0de0261d18e8819eb28f744cc4cfb70c145c1335
SHA256

2328ec15cf52cee965f8b5a5ed41b1cc230a2a88c3f4a327c34ecf3aec95a03f
SHA512

07ec573fbe93ec66a5378cf5958fee8811a2ac4ef3139f376b3ca9c32348362e38a29ac7052cbe31b2ae8973cf9bfea8ad16e7e5bcb816d81f2777a6cda41a46
SSDEEP

6144:6BxIK3CTW8TMjp41u6nyHwnZcvEz/yD5gCqRqoSEQzSYgIJf3V:CxIK9V14ImyHYbuD5gCqooSEQzSYgIBF

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2912	jrmmq.exe

Loads dropped DLL 2 IoCs

pid	Process
1244	ed1f84ea9104c6d44fa117e3db2d7050_NeikiAnalytics.exe
1244	ed1f84ea9104c6d44fa117e3db2d7050_NeikiAnalytics.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\ProgramData\\jrmmq.exe"	jrmmq.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1244 wrote to memory of 2912	1244	ed1f84ea9104c6d44fa117e3db2d7050_NeikiAnalytics.exe	28
PID 1244 wrote to memory of 2912	1244	ed1f84ea9104c6d44fa117e3db2d7050_NeikiAnalytics.exe	28
PID 1244 wrote to memory of 2912	1244	ed1f84ea9104c6d44fa117e3db2d7050_NeikiAnalytics.exe	28
PID 1244 wrote to memory of 2912	1244	ed1f84ea9104c6d44fa117e3db2d7050_NeikiAnalytics.exe	28

C:\Users\Admin\AppData\Local\Temp\ed1f84ea9104c6d44fa117e3db2d7050_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\ed1f84ea9104c6d44fa117e3db2d7050_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1244
- C:\ProgramData\jrmmq.exe
  "C:\ProgramData\jrmmq.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache .exe

Filesize
410KB

MD5
87f01bf1d4f07c6be94e92a69a989277

SHA1
ee44c18856486be42e24d0e2577721ac192c6000

SHA256
d85f36fb4b05411787b570cc5c0351fa0e812e8136c1e7d18c8f0305c316b22b

SHA512
79931449a9eebda12a8c8c8a3ed8f4c307448bd1eea82efe079db7f515dd4f7de5642f1d509b626a00d3a9993512b1911cc0db8f38dc462d9de8e1f6575dd8c8

Download Submit
C:\ProgramData\Saaaalamm\Mira.h

Filesize
150KB

MD5
aef10b9ba25f907727558514f2dfbab0

SHA1
d67383ef1b23d4da72339d66de9541c2e1efaf53

SHA256
f5e77ddc706f6dffe056dc2f8a88adece36e0e4552bc70a85f36b1e01fe547ad

SHA512
5e607a70ca3fa489897f8df0c96570709839364cd8cabd5f76386dfff01ca2986d50c120cf82926dff950c7d7b6ec833ea7558b64ec8f0dfe2e5070abf1da103

Download Submit
\ProgramData\jrmmq.exe

Filesize
259KB

MD5
f340f2156a33adbbaaf631ad9fbef198

SHA1
9399ba0565e1dda1430e6c6e0a61d3a043fb1069

SHA256
e0260253606e2d10de5008808207e2356ef212ec2e488f753c33f2ce7e657cda

SHA512
fc30c638d8a4446bcdd7bc514c59274532ac4791ff79c9789aabb7e85864ec270404d2907c1a9c90776767f7084ab49946f8a10c61853eccaa40321922c5c2ee

Download Submit
memory/1244-0-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1244-1-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1244-12-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2912-131-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads