Analysis

  • max time kernel
    148s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
  • submitted
    18/05/2024, 13:49

General

  • Target

    d1522c355d1ec4696eea35498389ad80_NeikiAnalytics.exe

  • Size

    355KB

  • MD5

    d1522c355d1ec4696eea35498389ad80

  • SHA1

    277b214fb3c635fe4ab3d57fc31a50e719df6e39

  • SHA256

    fc7722f549ca808898965510f3b39a288314c7913204fef1f1f43b1b3de150d4

  • SHA512

    466df8010620aac5d690195930d119a837987fa438024cb6334c7a18b9a1f757694a8fc5b574ead9642d21ffbfa6040c74ff56b6df0e0ad2b0939367827ac21f

  • SSDEEP

    6144:/qvk3Q5ibjnNuuXckaL7pbRBkce97aw/N4L7og:/qvMQ5ibjnwka3pbRC19Gw/Nsog

Score
10/10

Malware Config

Signatures

  • Blackmoon, KrBanker

    Blackmoon, also known as KrBanker, is a banking trojan first discovered in early 2014.

  • Detect Blackmoon payload 1 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d1522c355d1ec4696eea35498389ad80_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\d1522c355d1ec4696eea35498389ad80_NeikiAnalytics.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3044
    • C:\Users\Admin\AppData\Local\Temp\Systemhgijj.exe
      "C:\Users\Admin\AppData\Local\Temp\Systemhgijj.exe"
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:2564

Network

MITRE ATT&CK Enterprise v15


Downloads

        • C:\Users\Admin\AppData\Local\Temp\Systemhgijj.exe

          Filesize

          355KB

          MD5

          be4a5bac28bebe9ffd2ea6ad65099e1b

          SHA1

          8621fb34d4bae60864fc642ab4738255e908c6dd

          SHA256

          948d44d32dbd3cd44ca7a79693a2e04ae340c81aa732997dec9a34ca348c38e0

          SHA512

          e252d6bbbdb10a6b62d3f4f0be78c322a59566abd584817c7acca2155533938142d0a4c5b96088de6e11e40d965a693e0953c8ee9288464fd4b152c0ba11eb78

        • C:\Users\Admin\AppData\Local\Temp\fpath.ini

          Filesize

          85B

          MD5

          cac8f47d93a5cca20160366f21cc5589

          SHA1

          76b39ae065f3fe14863f843a5bac5e1e1c4eef66

          SHA256

          e1615f5084bb8bca90b68a128348356e9b0c04ee1f91ae31bbc74b8823f6a502

          SHA512

          6c6c2b1f0e9a09c2ea4f70272c9e8f31a8c9e810f73a6c8e41d85986819416d7e360b2ac29f1efbd4c1a055551b9d6f37711ad3e598365994a922c98f6d46320