Analysis
- max time kernel: 149s
- max time network: 150s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- submitted: 22-05-2024 23:36
- Static task: static1
- Behavioral task: behavioral1
- Sample: 5942abe6e2b4af65c3c0cbc90d9be600_NeikiAnalytics.exe
- Resource: win7-20231129-en
General
- Target: 5942abe6e2b4af65c3c0cbc90d9be600_NeikiAnalytics.exe
- Size: 1.5MB
- MD5: 5942abe6e2b4af65c3c0cbc90d9be600
- SHA1: e2f7165f78bc48fe5f73cd64dee8cf3ff09d8dce
- SHA256: 5d30bc82954f11f3349c6e211dc8f8a410736a3d96d6b7a944cd52d99fb0aa90
- SHA512: 2ead42421f7c08d8b421d497b8f5d35f5244fad0f02896783383e6dd2746ef2263ed8ec9afe6544de942423c1ce635b99d65dbbff6f0d9789b0e5e86b76f78c6
- SSDEEP: 12288:wAiP72eSMIO74u8k7UtnzPgGeB0dPoIlaNyF/ofCVGGfX134R9kMKy:wAi72et/HU9zPjeidP1Yi/dGyA
Malware Config
Signatures
- Executes dropped EXE (2 IoCs)
  Processes (pid, process):
  - 480, alg.exe
  - 2176, alg.exe
- Drops file in System32 directory (2 IoCs)
  Processes (description, ioc, process):
  - File opened for modification, C:\Windows\System32\alg.exe, 5942abe6e2b4af65c3c0cbc90d9be600_NeikiAnalytics.exe
  - File opened for modification, C:\Windows\system32\config\systemprofile\AppData\Roaming\ff6bc77e56fe8faa.bin, alg.exe
- Program crash (1 IoC)
  Processes (pid, pid_target, process, target process):
  - 3020, 2988, WerFault.exe, 5942abe6e2b4af65c3c0cbc90d9be600_NeikiAnalytics.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description, pid, process):
  - Token: SeTakeOwnershipPrivilege, 2988, 5942abe6e2b4af65c3c0cbc90d9be600_NeikiAnalytics.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes (description, pid, process, target process):
  - PID 2988 wrote to memory of 3020, 2988, 5942abe6e2b4af65c3c0cbc90d9be600_NeikiAnalytics.exe, WerFault.exe (this entry is listed four times in the report)
Processes
- C:\Users\Admin\AppData\Local\Temp\5942abe6e2b4af65c3c0cbc90d9be600_NeikiAnalytics.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\5942abe6e2b4af65c3c0cbc90d9be600_NeikiAnalytics.exe"
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WerFault.exe (child process)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2988 -s 352
    - Program crash
- C:\Windows\System32\alg.exe
  Command line: C:\Windows\System32\alg.exe
  - Executes dropped EXE
  - Drops file in System32 directory
Network
MITRE ATT&CK Matrix
Downloads
- \Windows\System32\alg.exe
  Filesize: 1.5MB
  MD5: 4f2ee1a8243ad638129d78fd48c85def
  SHA1: 1d2463f0873769750f67bfc95895f81e67fbf2bf
  SHA256: 40d6e10588936af42859915f971f568a4b56481deec432cc6ec3f3bf00ea0ea9
  SHA512: 204a228b13ecd4851d3f790ee0fecab5e9e2bc5810a6c5d1761e21254cbb1e2c8afbb8e0755813b48948355d8f56c0b11e3a13c9f22c91a029be4e9dabd92b2d
- memory/2176-13-0x0000000000450000-0x00000000004B0000-memory.dmp
  Filesize: 384KB
- memory/2176-22-0x0000000000450000-0x00000000004B0000-memory.dmp
  Filesize: 384KB
- memory/2176-21-0x0000000100000000-0x000000010017D000-memory.dmp
  Filesize: 1.5MB
- memory/2176-25-0x0000000100000000-0x000000010017D000-memory.dmp
  Filesize: 1.5MB
- memory/2988-7-0x0000000030000000-0x000000003018C000-memory.dmp
  Filesize: 1.5MB
- memory/2988-0-0x0000000000520000-0x0000000000587000-memory.dmp
  Filesize: 412KB
- memory/2988-8-0x0000000000520000-0x0000000000587000-memory.dmp
  Filesize: 412KB
- memory/2988-24-0x0000000030000000-0x000000003018C000-memory.dmp
  Filesize: 1.5MB