db2ac1a9475a243d6de8147c8082a86e2a6237870c4c61e00f02d198ed070583

Analysis

max time kernel
128s
max time network
98s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 21:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

41c6927a623a6a5d3f8b365096124480_NeikiAnalytics.exe
Size

2.6MB
MD5

41c6927a623a6a5d3f8b365096124480
SHA1

bcb7d52997d28b917a306e5b83d45c362cf37f2c
SHA256

db2ac1a9475a243d6de8147c8082a86e2a6237870c4c61e00f02d198ed070583
SHA512

ea2aa7e0ae95663baae9d0f91747f8511b91be6b0a6db104d715971d34cac848f08daaec0db0e650b4a266007253d694b1dbd3dbd34378afa22de2d86511b247
SSDEEP

49152:+qe3f6aSzD7+H98AHaCfu6FCHCL+WuTmuKwEI:vSinD7E9vBunHCK5NKXI

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

41c6927a623a6a5d3f8b365096124480_NeikiAnalytics.tmp

pid process

1928 41c6927a623a6a5d3f8b365096124480_NeikiAnalytics.tmp

Loads dropped DLL 3 IoCs

Processes:

41c6927a623a6a5d3f8b365096124480_NeikiAnalytics.tmp

pid	process
1928	41c6927a623a6a5d3f8b365096124480_NeikiAnalytics.tmp
1928	41c6927a623a6a5d3f8b365096124480_NeikiAnalytics.tmp
1928	41c6927a623a6a5d3f8b365096124480_NeikiAnalytics.tmp

Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.

Processes:

description flow ioc

HTTP User-Agent header 26 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

41c6927a623a6a5d3f8b365096124480_NeikiAnalytics.tmp

pid process

1928 41c6927a623a6a5d3f8b365096124480_NeikiAnalytics.tmp

description	flow	ioc
HTTP User-Agent header	26	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

41c6927a623a6a5d3f8b365096124480_NeikiAnalytics.exe

description	pid	process	target process
PID 820 wrote to memory of 1928	820	41c6927a623a6a5d3f8b365096124480_NeikiAnalytics.exe	41c6927a623a6a5d3f8b365096124480_NeikiAnalytics.tmp
PID 820 wrote to memory of 1928	820	41c6927a623a6a5d3f8b365096124480_NeikiAnalytics.exe	41c6927a623a6a5d3f8b365096124480_NeikiAnalytics.tmp
PID 820 wrote to memory of 1928	820	41c6927a623a6a5d3f8b365096124480_NeikiAnalytics.exe	41c6927a623a6a5d3f8b365096124480_NeikiAnalytics.tmp

C:\Users\Admin\AppData\Local\Temp\41c6927a623a6a5d3f8b365096124480_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\41c6927a623a6a5d3f8b365096124480_NeikiAnalytics.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:820
- C:\Users\Admin\AppData\Local\Temp\is-EJO3S.tmp\41c6927a623a6a5d3f8b365096124480_NeikiAnalytics.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-EJO3S.tmp\41c6927a623a6a5d3f8b365096124480_NeikiAnalytics.tmp" /SL5="$A0046,1785071,899584,C:\Users\Admin\AppData\Local\Temp\41c6927a623a6a5d3f8b365096124480_NeikiAnalytics.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:1928

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-EJO3S.tmp\41c6927a623a6a5d3f8b365096124480_NeikiAnalytics.tmp

Filesize
3.0MB

MD5
eaf2c9683c1424abb77a6104b339fda5

SHA1
82fe536dc66036a759f620003f324bc726192da0

SHA256
a2c20488f11814b0bb8eb471f364c58d8f16a34fb526b84ccb97d15b98450d9a

SHA512
49d9482bb2f41aa87654d22f3ffc31abed183ac68545cef87125de932cf745f8c68a31d17e142c4a4f0f21e2bf1edab8cda59ba2b1b1827f8c84837352196bf1

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-UEFG3.tmp\botva2.dll

Filesize
37KB

MD5
67965a5957a61867d661f05ae1f4773e

SHA1
f14c0a4f154dc685bb7c65b2d804a02a0fb2360d

SHA256
450b9b0ba25bf068afbc2b23d252585a19e282939bf38326384ea9112dfd0105

SHA512
c6942818b9026dc5db2d62999d32cf99fe7289f79a28b8345af17acf9d13b2229a5e917a48ff1f6d59715bdbcb00c1625e0302abcfe10ca7e0475762e0a3f41b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-UEFG3.tmp\loader.gif

Filesize
3KB

MD5
d35d95fc6bd8be33d3ce5da2630b90bd

SHA1
be2fb4098a151f6c77a85ce8c274a3054a61178b

SHA256
dfa608be394c8f6d19aff352185917720f04072ac0412a8cab1174fec4939c08

SHA512
078fa3cf9c08c8bdaa554a52b153a159f537de3ee0ba923d64928cdd99b4f2528b4eb229c1b2352b946ef417efd478b453588a6cda1afc91b374e709afc730e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-UEFG3.tmp\zbShieldUtils.dll

Filesize
2.0MB

MD5
e1f18a22199c6f6aa5d87b24e5b39ef1

SHA1
0dcd8f90b575f6f1d10d6789fe769fa26daafd0e

SHA256
62c56c8cf2ac6521ce047b73aa99b6d3952ca53f11d34b00e98d17674a2fc10d

SHA512
5a10a2f096adce6e7db3a40bc3ea3fd44d602966e606706ee5a780703f211de7f77656c79c296390baee1e008dc3ce327eaaf5d78bbae20108670c5bc809a190

Download Submit
memory/820-2-0x0000000000401000-0x00000000004B7000-memory.dmp

Filesize
728KB

Download
memory/820-0-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/820-20-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/820-33-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/1928-6-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/1928-21-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/1928-25-0x0000000003790000-0x000000000379F000-memory.dmp

Filesize
60KB

Download
memory/1928-31-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download