Analysis
- max time kernel: 148s
- max time network: 119s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 19-05-2024 18:39
Behavioral task: behavioral1
- Sample: 179a3747b82b58a9c3589974e145adf0_NeikiAnalytics.exe
- Resource: win7-20240221-en
General
- Target: 179a3747b82b58a9c3589974e145adf0_NeikiAnalytics.exe
- Size: 440KB
- MD5: 179a3747b82b58a9c3589974e145adf0
- SHA1: 80af51f31d6492945a846bd19f773005717f5c2c
- SHA256: d67dd66d7f97cca8e9091c6f59e8bc9b4973d73df1f5fdc13fd7e68211679d32
- SHA512: 09aff14d940db5c491bba80e46f93ba2251505c092eb8b915f6da1b0b7d81b39a81041cfbe8e5685bf500460f15ebbbd777864f84869d6242b17b1ced4721fe2
- SSDEEP: 6144:xozXQKqfmiiyWwuiFOLeyOV0R7YRXxMSaAt:xgXQKSLpOCtV0R8xMSaAt
Malware Config
Signatures
- Detect Blackmoon payload (1 IoCs)
  Processes: yara_rule on resource \Users\Admin\AppData\Local\Temp\Syslemkyrfz.exe matched family_blackmoon
- Deletes itself (1 IoCs)
  Processes: Syslemkyrfz.exe (PID 1044)
- Executes dropped EXE (1 IoCs)
  Processes: Syslemkyrfz.exe (PID 1044)
- Loads dropped DLL (2 IoCs)
  Processes: 179a3747b82b58a9c3589974e145adf0_NeikiAnalytics.exe (PID 2512), 2 occurrences
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: 179a3747b82b58a9c3589974e145adf0_NeikiAnalytics.exe (PID 2512), Syslemkyrfz.exe (PID 1044); repeated occurrences from both processes
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes: PID 2512 (179a3747b82b58a9c3589974e145adf0_NeikiAnalytics.exe) wrote to memory of PID 1044 (Syslemkyrfz.exe), 4 occurrences
Processes
- C:\Users\Admin\AppData\Local\Temp\179a3747b82b58a9c3589974e145adf0_NeikiAnalytics.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\179a3747b82b58a9c3589974e145adf0_NeikiAnalytics.exe"
  PID: 2512
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\Syslemkyrfz.exe (child of PID 2512)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Syslemkyrfz.exe"
    PID: 1044
    - Deletes itself
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 85B
  MD5: 54d41c70346c63fe3c979fde34619245
  SHA1: 67b3fb2513cb6139cc59fc2f3e8d2a7dda90075e
  SHA256: 78bdb350a85957d40c526bcac8ee71f821376600c40c8d21b08628a38b5f4797
  SHA512: 50f6e2acc57cd9793d20503d842736b9b97802082872d50d0c293d5551b79e805a2c7c213df6de3dca5306bfa497f03a64fda3c902158c2236b189242e0e4df8
- Filesize: 440KB
  MD5: b2ede206ef0949852fcf8f3d0fffad8c
  SHA1: e098e0682ee31177972a5867fc3f6c6d1c1066fb
  SHA256: e90f15174bd9137bb44db7f169962dae846cf58a69a71e40131fcc6b034f5c1b
  SHA512: 6272644ed1995a6eb1fa5db962d04675406cdefbe46e2b95c3a5cfff4dcdc09683020070d244787a9bd1dea330d12d40215840bf9e40703bdb95e1310da05701