51b8bf52d450563fc722145b188822b15bd1cffe1de08df5f91533d6dcbd0b10

Analysis

max time kernel
148s
max time network
121s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
22-05-2024 22:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

51383c7c9f4cfe066f6bd3e15fdb8350_NeikiAnalytics.exe
Size

408KB
MD5

51383c7c9f4cfe066f6bd3e15fdb8350
SHA1

096604bb529df309413de18e9d73dc44b0d9e354
SHA256

51b8bf52d450563fc722145b188822b15bd1cffe1de08df5f91533d6dcbd0b10
SHA512

b040fed68829f5b9ff3a08f840da16eac22def314a49409d319aec9fcfe564f1f9881c8f03c4c36c848926ebfb8188c7263ac23009f9a632909c63675176f1cd
SSDEEP

6144:4jlYKRF/LReWAsUyaWwDKb8fc7H8rRyYyOmfhzhepNbl8Awlo:4jauDReWKKb8fc7clM9ep9lnwlo

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

kgrkh.exe

pid process

2704 kgrkh.exe
Loads dropped DLL 2 IoCs

Processes:

51383c7c9f4cfe066f6bd3e15fdb8350_NeikiAnalytics.exe

pid process

1028 51383c7c9f4cfe066f6bd3e15fdb8350_NeikiAnalytics.exe
1028 51383c7c9f4cfe066f6bd3e15fdb8350_NeikiAnalytics.exe

pid	process
2704	kgrkh.exe

pid	process
1028	51383c7c9f4cfe066f6bd3e15fdb8350_NeikiAnalytics.exe
1028	51383c7c9f4cfe066f6bd3e15fdb8350_NeikiAnalytics.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

kgrkh.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\ProgramData\\kgrkh.exe"	kgrkh.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

51383c7c9f4cfe066f6bd3e15fdb8350_NeikiAnalytics.exe

description	pid	process	target process
PID 1028 wrote to memory of 2704	1028	51383c7c9f4cfe066f6bd3e15fdb8350_NeikiAnalytics.exe	kgrkh.exe
PID 1028 wrote to memory of 2704	1028	51383c7c9f4cfe066f6bd3e15fdb8350_NeikiAnalytics.exe	kgrkh.exe
PID 1028 wrote to memory of 2704	1028	51383c7c9f4cfe066f6bd3e15fdb8350_NeikiAnalytics.exe	kgrkh.exe
PID 1028 wrote to memory of 2704	1028	51383c7c9f4cfe066f6bd3e15fdb8350_NeikiAnalytics.exe	kgrkh.exe

C:\Users\Admin\AppData\Local\Temp\51383c7c9f4cfe066f6bd3e15fdb8350_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\51383c7c9f4cfe066f6bd3e15fdb8350_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1028

C:\ProgramData\kgrkh.exe
"C:\ProgramData\kgrkh.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2704

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache .exe
Filesize
408KB

MD5
31563b220e2a3e6a5a6edd6eeab70f44

SHA1
b58c6a3940fd9e7aa69f6892bd51722ea2d326c3

SHA256
99699d37b40b9313ed3c7cd1125195cd011ba6ea2381b5d2205a26864ef2f10a

SHA512
4824970b50808a0570897c1b42339c0c6de94ca43f74cc5dd3247e38134696ad6898c86b5adb4b08e7fe7946ba7e8436b7fa49925d2946ffd3281ad87546608d

Download Submit
C:\ProgramData\Saaaalamm\Mira.h
Filesize
136KB

MD5
cb4c442a26bb46671c638c794bf535af

SHA1
8a742d0b372f2ddd2d1fdf688c3c4ac7f9272abf

SHA256
f8d2c17bdf34ccfb58070ac8b131a8d95055340101a329f9a7212ac5240d0c25

SHA512
074a31e8da403c0a718f93cbca50574d8b658921193db0e6e20eacd232379286f14a3698cd443dc740d324ad19d74934ae001a7ad64b88897d8afefbc9a3d4e3

Download Submit
\ProgramData\kgrkh.exe
Filesize
271KB

MD5
d920e673adb3eebac77d53799381315f

SHA1
ff193f55d8dbd5b4d34d9992145d7d515b460362

SHA256
5f7697b7c3e51e8a3491eea7b338800f96865d957331b0bed5b798d39d1f62fc

SHA512
24c3f8734c460a6abf3edabf3b0e22a6bab4d9ea7346d431980b1b1b7764da759d37d5ac9be581a9b10822abb09ae1a80b33bf2eec92ab8136b8e4681df49eb9

Download Submit
memory/1028-0-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/1028-1-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/1028-12-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/2704-131-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2704-688-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads