Analysis
- max time kernel: 149s
- max time network: 103s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 22-05-2024 22:52

Static task
- static1

Behavioral task
- behavioral1
  - Sample: 51383c7c9f4cfe066f6bd3e15fdb8350_NeikiAnalytics.exe
  - Resource: win7-20240220-en

Behavioral task
- behavioral2
  - Sample: 51383c7c9f4cfe066f6bd3e15fdb8350_NeikiAnalytics.exe
  - Resource: win10v2004-20240508-en

General
- Target: 51383c7c9f4cfe066f6bd3e15fdb8350_NeikiAnalytics.exe
- Size: 408KB
- MD5: 51383c7c9f4cfe066f6bd3e15fdb8350
- SHA1: 096604bb529df309413de18e9d73dc44b0d9e354
- SHA256: 51b8bf52d450563fc722145b188822b15bd1cffe1de08df5f91533d6dcbd0b10
- SHA512: b040fed68829f5b9ff3a08f840da16eac22def314a49409d319aec9fcfe564f1f9881c8f03c4c36c848926ebfb8188c7263ac23009f9a632909c63675176f1cd
- SSDEEP: 6144:4jlYKRF/LReWAsUyaWwDKb8fc7H8rRyYyOmfhzhepNbl8Awlo:4jauDReWKKb8fc7clM9ep9lnwlo
Malware Config
Signatures
- Executes dropped EXE (1 IoCs)
  Processes:
  - pid 4088, process kcrhvk.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes:
  - process kcrhvk.exe; description: Set value (str); ioc: \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\ProgramData\\kcrhvk.exe"
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
  - PID 1812 wrote to memory of 4088; process 51383c7c9f4cfe066f6bd3e15fdb8350_NeikiAnalytics.exe; target process kcrhvk.exe
  - PID 1812 wrote to memory of 4088; process 51383c7c9f4cfe066f6bd3e15fdb8350_NeikiAnalytics.exe; target process kcrhvk.exe
  - PID 1812 wrote to memory of 4088; process 51383c7c9f4cfe066f6bd3e15fdb8350_NeikiAnalytics.exe; target process kcrhvk.exe

Processes
- C:\Users\Admin\AppData\Local\Temp\51383c7c9f4cfe066f6bd3e15fdb8350_NeikiAnalytics.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\51383c7c9f4cfe066f6bd3e15fdb8350_NeikiAnalytics.exe"
  - Suspicious use of WriteProcessMemory
  - C:\ProgramData\kcrhvk.exe
    Command line: "C:\ProgramData\kcrhvk.exe"
    - Executes dropped EXE
    - Adds Run key to start application
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Documents and Settings .exe
  - Filesize: 408KB
  - MD5: 6a24e855f5dc593bc89a964cb9596270
  - SHA1: db23cea6c51bc9bf12c3f645a6bacba2f6036da5
  - SHA256: 4208f8743cb99b2397d39c3cb5ce3893ff72c75cb9f4ed2bf966ae635f957fd6
  - SHA512: 488845b962f07cfbc2b45bdd32ff27419b528c63d85cbb73e17cade6405a19c0f2d2d1bbbd38be19e767e1d318930ef9d5e0961a0d18f3b859ac7ddd34a7935c
- C:\ProgramData\Saaaalamm\Mira.h
  - Filesize: 136KB
  - MD5: cb4c442a26bb46671c638c794bf535af
  - SHA1: 8a742d0b372f2ddd2d1fdf688c3c4ac7f9272abf
  - SHA256: f8d2c17bdf34ccfb58070ac8b131a8d95055340101a329f9a7212ac5240d0c25
  - SHA512: 074a31e8da403c0a718f93cbca50574d8b658921193db0e6e20eacd232379286f14a3698cd443dc740d324ad19d74934ae001a7ad64b88897d8afefbc9a3d4e3
- C:\ProgramData\kcrhvk.exe
  - Filesize: 271KB
  - MD5: d920e673adb3eebac77d53799381315f
  - SHA1: ff193f55d8dbd5b4d34d9992145d7d515b460362
  - SHA256: 5f7697b7c3e51e8a3491eea7b338800f96865d957331b0bed5b798d39d1f62fc
  - SHA512: 24c3f8734c460a6abf3edabf3b0e22a6bab4d9ea7346d431980b1b1b7764da759d37d5ac9be581a9b10822abb09ae1a80b33bf2eec92ab8136b8e4681df49eb9
- memory/1812-0-0x0000000000400000-0x0000000000474000-memory.dmp
  - Filesize: 464KB
- memory/1812-1-0x0000000000400000-0x0000000000474000-memory.dmp
  - Filesize: 464KB
- memory/1812-8-0x0000000000400000-0x0000000000474000-memory.dmp
  - Filesize: 464KB
- memory/4088-130-0x0000000000400000-0x0000000000448000-memory.dmp
  - Filesize: 288KB