Analysis
- max time kernel: 134s
- max time network: 103s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 21-05-2024 11:37
Static task: static1
Behavioral task: behavioral1
- Sample: 41644ece96af2c710a353ce39a500929a87b96182e2d0e0cf0bde6fc27f554bb_NeikiAnalytics.exe
- Resource: win7-20240508-en
Behavioral task: behavioral2
- Sample: 41644ece96af2c710a353ce39a500929a87b96182e2d0e0cf0bde6fc27f554bb_NeikiAnalytics.exe
- Resource: win10v2004-20240426-en
General
- Target: 41644ece96af2c710a353ce39a500929a87b96182e2d0e0cf0bde6fc27f554bb_NeikiAnalytics.exe
- Size: 229KB
- MD5: 1ebed34934afd950c8861ecc0a65f866
- SHA1: d5e4f3762932a6a388b4eb35c70a0333f21165ea
- SHA256: 41644ece96af2c710a353ce39a500929a87b96182e2d0e0cf0bde6fc27f554bb
- SHA512: bb8654d2eb362c8b4e0759eced1fb611dcbebf4ef5d47f279c2fb28f7a9b77e71f7f07514b9c32e06b6bb2bc22a0cd69453d8940352915597fa91395394acb43
- SSDEEP: 6144:rUl132+IcwwtyRfeBgx5uU0jbV555555550:IlbyfeBgzUbq
Malware Config
Extracted
- family: cobaltstrike
- C2: http://update.windowsupdate.com.cdn.dnsv1.com:443/FPMz
- user_agent: User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/1.40
  Host: update.windowsupdate.com

The extracted profile connects over plain HTTP to port 443 of update.windowsupdate.com.cdn.dnsv1.com, requests /FPMz, and presents a Windows Update Agent User-Agent together with a Host header naming update.windowsupdate.com, which is not the host actually contacted.
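The extracted profile gives enough to write a proxy-log check for the beacon's check-ins. The block below is an added example, not output of the sandbox or code from any tool on this page. It assumes a constructed one-request-per-line log layout (described in the comment above LOG_RE) and an illustrative allow-list of hosts a genuine Windows Update Agent may contact; it also generalises past the literal C2 hostname, so the same profile behind a different redirector (the hypothetical cdn.redirector.invalid line in the sample) still fires on the Host mismatch, the User-Agent and the cleartext-on-443 rules.

```python
"""Flag HTTP requests that match the Cobalt Strike beacon profile extracted above."""
import re
from dataclasses import dataclass, field

# Indicators taken from the extracted config on this page.
C2_HOST = "update.windowsupdate.com.cdn.dnsv1.com"
C2_URI = "/FPMz"
C2_USER_AGENT = "Windows-Update-Agent/10.0.10011.16384 Client-Protocol/1.40"

# Assumption: hosts a genuine Windows Update Agent is allowed to contact here (tune per environment).
WU_ALLOWED_SUFFIXES = (".windowsupdate.com", ".microsoft.com")

# Assumption: constructed proxy-log layout, one request per line:
#   <ts> <src_ip> <dst_host>:<port> <scheme> "<method> <uri>" host="<Host header>" ua="<User-Agent>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<dst>[^:\s]+):(?P<port>\d+) (?P<scheme>https?) '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+)" host="(?P<host>[^"]*)" ua="(?P<ua>[^"]*)"$'
)


@dataclass
class Hit:
    line_no: int
    dst: str
    reasons: list = field(default_factory=list)


def _allowed_wu_host(host: str) -> bool:
    host = host.lower()
    return any(host == s.lstrip(".") or host.endswith(s) for s in WU_ALLOWED_SUFFIXES)


def inspect(req: dict) -> list:
    """Return the reasons one parsed request looks like the beacon profile (empty if clean)."""
    reasons = []
    dst, hdr, ua = req["dst"].lower(), req["host"].lower(), req["ua"]
    if dst == C2_HOST:
        reasons.append("destination is the extracted C2 host")
    if req["uri"] == C2_URI:
        reasons.append(f"URI {C2_URI} from the extracted C2 URL")
    # The profile sends a Host header for Microsoft while connecting to a CDN name:
    # flag a Host header that names neither the peer nor one of its parent domains.
    if hdr and hdr != dst and not dst.endswith("." + hdr):
        reasons.append(f"Host header {hdr} does not match peer {dst}")
    # A Windows Update Agent User-Agent going somewhere a real agent would not.
    if ua.startswith("Windows-Update-Agent/") and not _allowed_wu_host(dst):
        reasons.append("Windows Update User-Agent to non-Microsoft host")
    # The extracted URL is http:// on port 443: cleartext on the TLS port.
    if req["scheme"] == "http" and int(req["port"]) == 443:
        reasons.append("plaintext HTTP on port 443")
    return reasons


def scan(lines) -> list:
    """Run inspect() over every well-formed line; malformed lines are skipped, not fatal."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        reasons = inspect(m.groupdict())
        if reasons:
            hits.append(Hit(n, m["dst"], reasons))
    return hits


# Constructed sample log (not captured from the sandbox run): two benign lines, two beacon check-ins.
SAMPLE_LOG = [
    '2024-05-21T11:40:01Z 10.0.0.5 fe3cr.delivery.mp.microsoft.com:443 https "GET /ClientWebService/client.asmx" '
    'host="fe3cr.delivery.mp.microsoft.com" ua="' + C2_USER_AGENT + '"',
    '2024-05-21T11:40:02Z 10.0.0.5 www.example.com:443 https "GET /" host="www.example.com" ua="Mozilla/5.0"',
    '2024-05-21T11:40:03Z 10.0.0.5 update.windowsupdate.com.cdn.dnsv1.com:443 http "GET /FPMz" '
    'host="update.windowsupdate.com" ua="' + C2_USER_AGENT + '"',
    # Hypothetical redirector: same profile, different peer. The host-independent rules still fire.
    '2024-05-21T11:41:03Z 10.0.0.5 cdn.redirector.invalid:443 http "GET /FPMz" '
    'host="update.windowsupdate.com" ua="' + C2_USER_AGENT + '"',
]

if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(f"line {h.line_no} {h.dst}: " + "; ".join(h.reasons))
```

The Host-header rule will false-positive where clients address servers by IP or where a proxy rewrites Host, and the User-Agent rule needs WU_ALLOWED_SUFFIXES extended with any WSUS or delivery-optimisation hosts in use; the cleartext-on-443 rule has few legitimate triggers and is worth alerting on by itself.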
Signatures
- Cobaltstrike
  Detected malicious payload which is part of Cobaltstrike.
- Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoC)
  Processes:
  description | pid | process | target process
  PID 4400 created 2940 | 4400 | 41644ece96af2c710a353ce39a500929a87b96182e2d0e0cf0bde6fc27f554bb_NeikiAnalytics.exe | Explorer.EXE
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
  pid | process
  4400 | 41644ece96af2c710a353ce39a500929a87b96182e2d0e0cf0bde6fc27f554bb_NeikiAnalytics.exe
  4400 | 41644ece96af2c710a353ce39a500929a87b96182e2d0e0cf0bde6fc27f554bb_NeikiAnalytics.exe
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (1 IoC)
  Processes:
  pid | process
  4400 | 41644ece96af2c710a353ce39a500929a87b96182e2d0e0cf0bde6fc27f554bb_NeikiAnalytics.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
  description | pid | process | target process
  PID 4400 wrote to memory of 4952 | 4400 | 41644ece96af2c710a353ce39a500929a87b96182e2d0e0cf0bde6fc27f554bb_NeikiAnalytics.exe | explorer.exe
  PID 4400 wrote to memory of 4952 | 4400 | 41644ece96af2c710a353ce39a500929a87b96182e2d0e0cf0bde6fc27f554bb_NeikiAnalytics.exe | explorer.exe
  PID 4400 wrote to memory of 4952 | 4400 | 41644ece96af2c710a353ce39a500929a87b96182e2d0e0cf0bde6fc27f554bb_NeikiAnalytics.exe | explorer.exe
Processes
- C:\Windows\Explorer.EXE (depth 1)
  command line: C:\Windows\Explorer.EXE
  - C:\Users\Admin\AppData\Local\Temp\41644ece96af2c710a353ce39a500929a87b96182e2d0e0cf0bde6fc27f554bb_NeikiAnalytics.exe (depth 2)
    command line: "C:\Users\Admin\AppData\Local\Temp\41644ece96af2c710a353ce39a500929a87b96182e2d0e0cf0bde6fc27f554bb_NeikiAnalytics.exe"
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of WriteProcessMemory
  - C:\Windows\explorer.exe (depth 2)
    command line: explorer.exe

The second explorer.exe is shown as a child of Explorer.EXE rather than of the sample. Read together with the signatures above, this is the process the sample (PID 4400) created with a parent other than itself, Explorer.EXE (PID 2940), and then wrote to three times as PID 4952; the process tree reflects the parent the OS recorded, not the process that actually called NtCreateUserProcess.
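The signatures and process tree describe a single chain: the sample calls NtCreateUserProcess with Explorer.EXE (2940) as the parent, obtains explorer.exe (4952) and writes into it three times. The block below is an added example for correlating events of that shape; it is not the sandbox's own logic or output. It assumes events that record the calling process separately from the OS-reported parent, which a sandbox hook on NtCreateUserProcess provides but Sysmon Event ID 1 does not, and so it also shows the weaker heuristic that is available from the OS view alone (explorer.exe spawning explorer.exe). The event list is constructed from the PIDs and images on this page; the notepad.exe line is a constructed benign control.

```python
"""Correlate parent-PID spoofing with cross-process writes into an injection chain."""
from collections import defaultdict
from dataclasses import dataclass
from ntpath import basename  # Windows path handling regardless of host OS

EXPLORER = r"C:\Windows\Explorer.EXE"
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\41644ece96af2c710a353ce39a500929a87b96182e2d0e0cf0bde6fc27f554bb_NeikiAnalytics.exe")


@dataclass
class Event:
    """One sandbox-style event (assumed layout).
    kind "create": pid spawned target; kind "write": pid wrote into target's memory.
    For creates, pid is the caller of NtCreateUserProcess and parent is what the OS recorded;
    the two differ exactly when the parent was spoofed. Sysmon ID 1 carries only parent."""
    kind: str
    pid: int
    image: str
    target: int
    target_image: str
    parent: int = 0
    parent_image: str = ""


@dataclass
class Chain:
    creator: int
    creator_image: str
    child: int
    child_image: str
    reported_parent: int
    writes: int  # cross-process writes from creator into child; >0 means parent spoof plus injection


def find_injection_chains(events):
    """Pair each create whose caller differs from the recorded parent with the caller's writes into that child."""
    spoofed = {}
    writes = defaultdict(int)
    for ev in events:
        if ev.kind == "create" and ev.pid != ev.parent:
            spoofed[ev.target] = ev
        elif ev.kind == "write" and ev.pid != ev.target:
            writes[(ev.pid, ev.target)] += 1
    return [Chain(ev.pid, ev.image, child, ev.target_image, ev.parent, writes[(ev.pid, child)])
            for child, ev in spoofed.items()]


def os_view_suspects(events):
    """Heuristic for logs without caller data: a second explorer.exe started under Explorer.EXE.
    This is what the spoofed tree above looks like from the OS side; it cannot name the real creator."""
    return [ev.target for ev in events
            if ev.kind == "create"
            and basename(ev.parent_image).lower() == "explorer.exe"
            and basename(ev.target_image).lower() == "explorer.exe"]


# Constructed from the signatures table: the real shell is 2940, the sample 4400, the sacrificial explorer.exe 4952.
SAMPLE_EVENTS = [
    Event("create", 2940, EXPLORER, 4400, SAMPLE, parent=2940, parent_image=EXPLORER),
    Event("create", 4400, SAMPLE, 4952, r"C:\Windows\explorer.exe", parent=2940, parent_image=EXPLORER),
    Event("write", 4400, SAMPLE, 4952, r"C:\Windows\explorer.exe"),
    Event("write", 4400, SAMPLE, 4952, r"C:\Windows\explorer.exe"),
    Event("write", 4400, SAMPLE, 4952, r"C:\Windows\explorer.exe"),
    Event("create", 2940, EXPLORER, 5100, r"C:\Windows\System32\notepad.exe", parent=2940, parent_image=EXPLORER),
]

if __name__ == "__main__":
    for c in find_injection_chains(SAMPLE_EVENTS):
        print(f"{c.creator} ({basename(c.creator_image)}) spawned {c.child} ({basename(c.child_image)}) "
              f"with parent reported as {c.reported_parent}, then wrote to it {c.writes} times")
    print("OS-view suspects:", os_view_suspects(SAMPLE_EVENTS))
```

With only OS-visible data the heuristic points at the sacrificial process but not at the creator; the sample's own image never appears as a parent, which is the point of the spoof. Recovering the creator needs a telemetry source that hooks or traces process creation (sandbox hooks, ETW Microsoft-Windows-Kernel-Process with the creating thread, or an EDR), not Sysmon's ParentProcessId alone.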
Network
MITRE ATT&CK Matrix
Downloads
Memory dumps are named memory/<pid>-<index>-<start>-<end>-memory.dmp.
- memory/4400-0-0x000002C712D60000-0x000002C712D61000-memory.dmp (4KB)
- memory/4400-19-0x00007FF76D150000-0x00007FF76D190000-memory.dmp (256KB)
- memory/4952-18-0x00000000009D0000-0x00000000009D1000-memory.dmp (4KB)
- memory/4952-20-0x0000000002F40000-0x0000000003340000-memory.dmp (4.0MB)