Overview

overview

10

Static

static

3

0483909a7b...cs.exe

windows7-x64

10

0483909a7b...cs.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21-05-2024 19:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0483909a7ba88c9bb131c1210df13640_NeikiAnalytics.exe

  • Size

    45KB

  • MD5

    0483909a7ba88c9bb131c1210df13640

  • SHA1

    b77a68a17037e86390ecd095f76cb36ae352de8a

  • SHA256

    9e6c99fcdb431ee0f0b7899d0848fdec15687f21ab96ccd43af40271a02e67c1

  • SHA512

    1fc371b5ac850f3b0645b621ebe0fa7f4472fb666dee05011d1d17be161b0c7adec226ed119999b957d0ceaa2170636c6ecb9d1ace7a672d8c1840c3fc1a2a88

  • SSDEEP

    768:zIP5WOMVs4PSV06ymNNC6S7Cm1n2OBGRIWNSE77NPQ1TTGfGYy6Kw:zI0OGrOy6NvSpMZVQ1J4Kw

Score
10/10

Malware Config

Extracted

Credentials

  • Protocol:     ftp
  • Host:
    ftp.tripod.com
  • Port:
    21
  • Username:
    griptoloji
  • Password:
    741852

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0483909a7ba88c9bb131c1210df13640_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\0483909a7ba88c9bb131c1210df13640_NeikiAnalytics.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:228
    • C:\Program Files (x86)\Java\jre-09\bin\jusched.exe
      "C:\Program Files (x86)\Java\jre-09\bin\jusched.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:1604

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\Java\jre-09\bin\jusched.exe
    Filesize

    45KB

    MD5

    2bd0c010c6384d41c05118f107537ad1

    SHA1

    9b8417874166421537842a315994a982843b88bd

    SHA256

    65a0010481a8325c1ea5f2795b5adc0c132131f968bf9b96936293ccafb9daa3

    SHA512

    17de5ee197f9caa2ec0d470ea558560e975428580e597feb399d7397f2be6a1f1e57f85d071fe602255a3e514622f4dbc23d386d2b47d0f89038f030fe8d70b3

    Download Submit

  • memory/228-0-0x0000000000400000-0x0000000000474000-memory.dmp

    Filesize

    464KB

    Download

  • memory/228-13-0x0000000000400000-0x0000000000474000-memory.dmp

    Filesize

    464KB

    Download

  • memory/1604-11-0x0000000000400000-0x0000000000474000-memory.dmp

    Filesize

    464KB

    Download

  • memory/1604-14-0x0000000000400000-0x0000000000474000-memory.dmp

    Filesize

    464KB

    Download

  • memory/1604-19-0x0000000000400000-0x0000000000474000-memory.dmp

    Filesize

    464KB

    Download

  • memory/1604-20-0x0000000000400000-0x0000000000474000-memory.dmp

    Filesize

    464KB

    Download