11e5e06df2e6fbf29947e9157436b5fb933b5ca8897d040f905020b271e79fbd

Analysis

max time kernel
147s
max time network
121s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
22-05-2024 20:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

696b32619485cd29639eec31e7223540_NeikiAnalytics.exe
Size

410KB
MD5

696b32619485cd29639eec31e7223540
SHA1

ee00c37cbcab78c556f65e97c07d8c6c1031574e
SHA256

11e5e06df2e6fbf29947e9157436b5fb933b5ca8897d040f905020b271e79fbd
SHA512

d5d126a01ab78a37de5ea1c26029d67de03e79073264b190095285148003c3c55dc7b0547aea79cb3c12b4613012d7db4bdeb03507225fc8e80bf1ac5f6de6f1
SSDEEP

12288:CxIK9V14ImyHYog7YYbt/uzyZguOTx76BDNlhDJN6yRvLX:CJEyYt7YJb7676yRvz

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

csyri.exe

pid process

3000 csyri.exe
Loads dropped DLL 2 IoCs

Processes:

696b32619485cd29639eec31e7223540_NeikiAnalytics.exe

pid process

1580 696b32619485cd29639eec31e7223540_NeikiAnalytics.exe
1580 696b32619485cd29639eec31e7223540_NeikiAnalytics.exe

pid	process
3000	csyri.exe

pid	process
1580	696b32619485cd29639eec31e7223540_NeikiAnalytics.exe
1580	696b32619485cd29639eec31e7223540_NeikiAnalytics.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

csyri.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\ProgramData\\csyri.exe"	csyri.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

696b32619485cd29639eec31e7223540_NeikiAnalytics.exe

description	pid	process	target process
PID 1580 wrote to memory of 3000	1580	696b32619485cd29639eec31e7223540_NeikiAnalytics.exe	csyri.exe
PID 1580 wrote to memory of 3000	1580	696b32619485cd29639eec31e7223540_NeikiAnalytics.exe	csyri.exe
PID 1580 wrote to memory of 3000	1580	696b32619485cd29639eec31e7223540_NeikiAnalytics.exe	csyri.exe
PID 1580 wrote to memory of 3000	1580	696b32619485cd29639eec31e7223540_NeikiAnalytics.exe	csyri.exe

C:\Users\Admin\AppData\Local\Temp\696b32619485cd29639eec31e7223540_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\696b32619485cd29639eec31e7223540_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1580
- C:\ProgramData\csyri.exe
  "C:\ProgramData\csyri.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:3000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache .exe

Filesize
410KB

MD5
d916f2ee2aec5dc790c874714baa0401

SHA1
77ca605d9899952947c9231768a98eaed2e0b884

SHA256
b31d44b66d583781118ec9abbb919a406a260578c3ed61ff8cd9df22cb160a52

SHA512
4ba14816151d832957d4cfc5d21a368ae804d7b74f39d1a14265254f01bb6aea99050259ddf30125ad7d667093645b1f78276ee9fcb72c043b21eb7640166af0

Download Submit
C:\ProgramData\Saaaalamm\Mira.h

Filesize
150KB

MD5
aef10b9ba25f907727558514f2dfbab0

SHA1
d67383ef1b23d4da72339d66de9541c2e1efaf53

SHA256
f5e77ddc706f6dffe056dc2f8a88adece36e0e4552bc70a85f36b1e01fe547ad

SHA512
5e607a70ca3fa489897f8df0c96570709839364cd8cabd5f76386dfff01ca2986d50c120cf82926dff950c7d7b6ec833ea7558b64ec8f0dfe2e5070abf1da103

Download Submit
\ProgramData\csyri.exe

Filesize
259KB

MD5
e34821240404a8b9b07f3406653a8ac9

SHA1
d04a2b60f95d06e0dfefcd9472bf604e19925438

SHA256
c36568373cb7b7c79f441078458a299aaad196bd9174ff35c1af1947d5914c69

SHA512
e24b83a03065d561cb681e787fda20cb9509c79181c545710ab77d9cbb15d3488411df1ea7662dbeb46e9445589b1ba69a2a15bc8ad7dd36dfdd8b7e6ffec42c

Download Submit
memory/1580-0-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1580-1-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1580-11-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/3000-135-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download