e22da2889ec7812947f10abba2b034d987659259b354d4fd62e065bf70793781

Analysis

max time kernel
150s
max time network
123s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
19/05/2024, 20:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

32fe1797f6263597c8697ca6a9b78b10_NeikiAnalytics.exe
Size

65KB
MD5

32fe1797f6263597c8697ca6a9b78b10
SHA1

624cb6e4df313b85342f065c3ccef95f09a637f9
SHA256

e22da2889ec7812947f10abba2b034d987659259b354d4fd62e065bf70793781
SHA512

c752a58a444c00e8934747a1b283dbe5a70622f2e7a16fc9d0d454dc4ea1ee2298baf7dbecf451fbfc138d2df7dfa4c813561d1645b2c04581a091f34e238344
SSDEEP

768:b/5inm+cd5rHemPXkqUEphjVuvios1rPr4adL0NqlJMU60+ppQ1TTGfLpu:bRsvcdcQjosnvnZ6LQ1Epu

Score

10^/10

Malware Config

Extracted

Credentials

Protocol: ftp
Host:
ftp.tripod.com
Port:
21
Username:
griptoloji
Password:
741852

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2012	jusched.exe

Loads dropped DLL 2 IoCs

pid	Process
1444	32fe1797f6263597c8697ca6a9b78b10_NeikiAnalytics.exe
1444	32fe1797f6263597c8697ca6a9b78b10_NeikiAnalytics.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Java\jre-09\bin\UF	32fe1797f6263597c8697ca6a9b78b10_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Java\jre-09\bin\jusched.exe	32fe1797f6263597c8697ca6a9b78b10_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Java\jre-09\bin\jusched.exe	32fe1797f6263597c8697ca6a9b78b10_NeikiAnalytics.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2012	jusched.exe
2012	jusched.exe
2012	jusched.exe
2012	jusched.exe
2012	jusched.exe
2012	jusched.exe
2012	jusched.exe
2012	jusched.exe
2012	jusched.exe
2012	jusched.exe
2012	jusched.exe
2012	jusched.exe
2012	jusched.exe
2012	jusched.exe
2012	jusched.exe
2012	jusched.exe
2012	jusched.exe
2012	jusched.exe
2012	jusched.exe
2012	jusched.exe
2012	jusched.exe
2012	jusched.exe
2012	jusched.exe
2012	jusched.exe
2012	jusched.exe
2012	jusched.exe
2012	jusched.exe
2012	jusched.exe
2012	jusched.exe
2012	jusched.exe
2012	jusched.exe
2012	jusched.exe
2012	jusched.exe
2012	jusched.exe
2012	jusched.exe
2012	jusched.exe
2012	jusched.exe
2012	jusched.exe
2012	jusched.exe
2012	jusched.exe
2012	jusched.exe
2012	jusched.exe
2012	jusched.exe
2012	jusched.exe
2012	jusched.exe
2012	jusched.exe
2012	jusched.exe
2012	jusched.exe
2012	jusched.exe
2012	jusched.exe
2012	jusched.exe
2012	jusched.exe
2012	jusched.exe
2012	jusched.exe
2012	jusched.exe
2012	jusched.exe
2012	jusched.exe
2012	jusched.exe
2012	jusched.exe
2012	jusched.exe
2012	jusched.exe
2012	jusched.exe
2012	jusched.exe
2012	jusched.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1444 wrote to memory of 2012	1444	32fe1797f6263597c8697ca6a9b78b10_NeikiAnalytics.exe	28
PID 1444 wrote to memory of 2012	1444	32fe1797f6263597c8697ca6a9b78b10_NeikiAnalytics.exe	28
PID 1444 wrote to memory of 2012	1444	32fe1797f6263597c8697ca6a9b78b10_NeikiAnalytics.exe	28
PID 1444 wrote to memory of 2012	1444	32fe1797f6263597c8697ca6a9b78b10_NeikiAnalytics.exe	28

C:\Users\Admin\AppData\Local\Temp\32fe1797f6263597c8697ca6a9b78b10_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\32fe1797f6263597c8697ca6a9b78b10_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1444
- C:\Program Files (x86)\Java\jre-09\bin\jusched.exe
  "C:\Program Files (x86)\Java\jre-09\bin\jusched.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Program Files (x86)\Java\jre-09\bin\jusched.exe

Filesize
65KB

MD5
c5a3edcd2f0e12aeb9a0cbb04a3da54a

SHA1
56136452b90d59db58a4e50df553b1eef7188de1

SHA256
cf54118db4a25768d5a208d5dbecb968d615c6ce3dadc323f1e2323f57162af9

SHA512
d55072921bd4fcd599598e1ba413e282743d55c9e1eb6f5e08f5ed4f844df41328a061b05469143655c0ba150ed46f348835df2a5fae55b8d2c20eb997eb5465

Download Submit