6631e114e6c397cb1dcf79d390ffb9bc73ea3afc8f01715f1f64879200bb859c

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
20-05-2024 09:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

21afd206a3af5be17a3eb1418f5912e4_NeikiAnalytics.exe
Size

33KB
MD5

21afd206a3af5be17a3eb1418f5912e4
SHA1

d57d4ab8c5f05b60a3a697ef3bc8c0261607548c
SHA256

6631e114e6c397cb1dcf79d390ffb9bc73ea3afc8f01715f1f64879200bb859c
SHA512

c5bec1062478cac3249dfd31cd6ecfbf161ec480d0249356b9b7e0de374bf3a1b1c41b7599064ed1c0c7c16cce3b62a6f3dbd164408d349980e805aae977e172
SSDEEP

768:/qPJtHA6C1VqahohtgVRNToV7TtRu8rM0wYVFl2g5coW58dO0xXHV2EfKYfdhNhZ:/qnA6C1VqaqhtgVRNToV7TtRu8rM0wY5

Score

7^/10

persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
4928	microsofthelp.exe

Executes dropped EXE 1 IoCs

pid	Process
4928	microsofthelp.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\microsofthelp = "C:\\Windows\\microsofthelp.exe"	21afd206a3af5be17a3eb1418f5912e4_NeikiAnalytics.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\microsofthelp.exe	21afd206a3af5be17a3eb1418f5912e4_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4788 wrote to memory of 4928	4788	21afd206a3af5be17a3eb1418f5912e4_NeikiAnalytics.exe	83
PID 4788 wrote to memory of 4928	4788	21afd206a3af5be17a3eb1418f5912e4_NeikiAnalytics.exe	83
PID 4788 wrote to memory of 4928	4788	21afd206a3af5be17a3eb1418f5912e4_NeikiAnalytics.exe	83

C:\Users\Admin\AppData\Local\Temp\21afd206a3af5be17a3eb1418f5912e4_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\21afd206a3af5be17a3eb1418f5912e4_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4788
- C:\Windows\microsofthelp.exe
  "C:\Windows\microsofthelp.exe"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:4928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\microsofthelp.exe

Filesize
33KB

MD5
76ea361b5ffddb77bf0d200a4de354d3

SHA1
0bf9210407e4224200eebbfda932bada7efcbf90

SHA256
68aedf170d4af398eda027150efe10c4f0fcb552142eb2c6410f089bab3cb2a8

SHA512
2ebe449d5f21c7343d4427fa69e034880c6f454a5e7ad40df442168dfbe78caee20a00ce08279359a2d2e157fac4667e72f4fda6c5eacc085d2f7b3c0156e014

Download Submit
memory/4788-0-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/4788-4-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads