Analysis
max time kernel: 148s
max time network: 122s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 18/05/2024, 13:49
Behavioral task: behavioral1
Sample: d1522c355d1ec4696eea35498389ad80_NeikiAnalytics.exe
Resource: win7-20231129-en
General
Target: d1522c355d1ec4696eea35498389ad80_NeikiAnalytics.exe
Size: 355KB
MD5: d1522c355d1ec4696eea35498389ad80
SHA1: 277b214fb3c635fe4ab3d57fc31a50e719df6e39
SHA256: fc7722f549ca808898965510f3b39a288314c7913204fef1f1f43b1b3de150d4
SHA512: 466df8010620aac5d690195930d119a837987fa438024cb6334c7a18b9a1f757694a8fc5b574ead9642d21ffbfa6040c74ff56b6df0e0ad2b0939367827ac21f
SSDEEP: 6144:/qvk3Q5ibjnNuuXckaL7pbRBkce97aw/N4L7og:/qvMQ5ibjnwka3pbRC19Gw/Nsog
Malware Config
Signatures
- Detect Blackmoon payload (1 IoC)
  resource: behavioral1/files/0x00090000000146b8-13.dat, yara_rule: family_blackmoon
- Deletes itself (1 IoC)
  pid 2564, process Systemhgijj.exe
- Executes dropped EXE (1 IoC)
  pid 2564, process Systemhgijj.exe
- Loads dropped DLL (2 IoCs)
  pid 3044, process d1522c355d1ec4696eea35498389ad80_NeikiAnalytics.exe (2 entries)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid 3044, process d1522c355d1ec4696eea35498389ad80_NeikiAnalytics.exe (6 entries)
  pid 2564, process Systemhgijj.exe (58 entries)
- Suspicious use of WriteProcessMemory (4 IoCs)
  description: PID 3044 wrote to memory of 2564; pid 3044; process d1522c355d1ec4696eea35498389ad80_NeikiAnalytics.exe; procid_target 29 (4 identical entries)
Processes
1. C:\Users\Admin\AppData\Local\Temp\d1522c355d1ec4696eea35498389ad80_NeikiAnalytics.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\d1522c355d1ec4696eea35498389ad80_NeikiAnalytics.exe"
   - Loads dropped DLL
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
   PID: 3044
   2. C:\Users\Admin\AppData\Local\Temp\Systemhgijj.exe (nested under process 1)
      command line: "C:\Users\Admin\AppData\Local\Temp\Systemhgijj.exe"
      - Deletes itself
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      PID: 2564
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 355KB
  MD5: be4a5bac28bebe9ffd2ea6ad65099e1b
  SHA1: 8621fb34d4bae60864fc642ab4738255e908c6dd
  SHA256: 948d44d32dbd3cd44ca7a79693a2e04ae340c81aa732997dec9a34ca348c38e0
  SHA512: e252d6bbbdb10a6b62d3f4f0be78c322a59566abd584817c7acca2155533938142d0a4c5b96088de6e11e40d965a693e0953c8ee9288464fd4b152c0ba11eb78
- Filesize: 85B
  MD5: cac8f47d93a5cca20160366f21cc5589
  SHA1: 76b39ae065f3fe14863f843a5bac5e1e1c4eef66
  SHA256: e1615f5084bb8bca90b68a128348356e9b0c04ee1f91ae31bbc74b8823f6a502
  SHA512: 6c6c2b1f0e9a09c2ea4f70272c9e8f31a8c9e810f73a6c8e41d85986819416d7e360b2ac29f1efbd4c1a055551b9d6f37711ad3e598365994a922c98f6d46320