Analysis
max time kernel: 148s
max time network: 121s
platform: windows7_x64
resource: win7-20240220-en
resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
submitted: 22-05-2024 22:52
Static task: static1
Behavioral task: behavioral1
  Sample: 51383c7c9f4cfe066f6bd3e15fdb8350_NeikiAnalytics.exe
  Resource: win7-20240220-en
Behavioral task: behavioral2
  Sample: 51383c7c9f4cfe066f6bd3e15fdb8350_NeikiAnalytics.exe
  Resource: win10v2004-20240508-en
General
Target: 51383c7c9f4cfe066f6bd3e15fdb8350_NeikiAnalytics.exe
Size: 408KB
MD5: 51383c7c9f4cfe066f6bd3e15fdb8350
SHA1: 096604bb529df309413de18e9d73dc44b0d9e354
SHA256: 51b8bf52d450563fc722145b188822b15bd1cffe1de08df5f91533d6dcbd0b10
SHA512: b040fed68829f5b9ff3a08f840da16eac22def314a49409d319aec9fcfe564f1f9881c8f03c4c36c848926ebfb8188c7263ac23009f9a632909c63675176f1cd
SSDEEP: 6144:4jlYKRF/LReWAsUyaWwDKb8fc7H8rRyYyOmfhzhepNbl8Awlo:4jauDReWKKb8fc7clM9ep9lnwlo
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Process: kgrkh.exe (PID 2704)
- Loads dropped DLL (2 IoCs)
  Process: 51383c7c9f4cfe066f6bd3e15fdb8350_NeikiAnalytics.exe (PID 1028), 2 occurrences
- Adds Run key to start application (2 TTPs, 1 IoC)
  Process: kgrkh.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\ProgramData\\kgrkh.exe"
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of WriteProcessMemory (4 IoCs)
  PID 1028 (51383c7c9f4cfe066f6bd3e15fdb8350_NeikiAnalytics.exe) wrote to memory of PID 2704 (kgrkh.exe), 4 occurrences
Processes
1. "C:\Users\Admin\AppData\Local\Temp\51383c7c9f4cfe066f6bd3e15fdb8350_NeikiAnalytics.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   2. "C:\ProgramData\kgrkh.exe"
      - Executes dropped EXE
      - Adds Run key to start application
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\MSOCache .exe
  Filesize: 408KB
  MD5: 31563b220e2a3e6a5a6edd6eeab70f44
  SHA1: b58c6a3940fd9e7aa69f6892bd51722ea2d326c3
  SHA256: 99699d37b40b9313ed3c7cd1125195cd011ba6ea2381b5d2205a26864ef2f10a
  SHA512: 4824970b50808a0570897c1b42339c0c6de94ca43f74cc5dd3247e38134696ad6898c86b5adb4b08e7fe7946ba7e8436b7fa49925d2946ffd3281ad87546608d
- C:\ProgramData\Saaaalamm\Mira.h
  Filesize: 136KB
  MD5: cb4c442a26bb46671c638c794bf535af
  SHA1: 8a742d0b372f2ddd2d1fdf688c3c4ac7f9272abf
  SHA256: f8d2c17bdf34ccfb58070ac8b131a8d95055340101a329f9a7212ac5240d0c25
  SHA512: 074a31e8da403c0a718f93cbca50574d8b658921193db0e6e20eacd232379286f14a3698cd443dc740d324ad19d74934ae001a7ad64b88897d8afefbc9a3d4e3
- \ProgramData\kgrkh.exe
  Filesize: 271KB
  MD5: d920e673adb3eebac77d53799381315f
  SHA1: ff193f55d8dbd5b4d34d9992145d7d515b460362
  SHA256: 5f7697b7c3e51e8a3491eea7b338800f96865d957331b0bed5b798d39d1f62fc
  SHA512: 24c3f8734c460a6abf3edabf3b0e22a6bab4d9ea7346d431980b1b1b7764da759d37d5ac9be581a9b10822abb09ae1a80b33bf2eec92ab8136b8e4681df49eb9
- memory/1028-0-0x0000000000400000-0x0000000000474000-memory.dmp
  Filesize: 464KB
- memory/1028-1-0x0000000000400000-0x0000000000474000-memory.dmp
  Filesize: 464KB
- memory/1028-12-0x0000000000400000-0x0000000000474000-memory.dmp
  Filesize: 464KB
- memory/2704-131-0x0000000000400000-0x0000000000448000-memory.dmp
  Filesize: 288KB
- memory/2704-688-0x0000000000400000-0x0000000000448000-memory.dmp
  Filesize: 288KB