0918d2dec622289c197e987da6e6ce1ec01561dacb0e113156f7069a31100765

Analysis

max time kernel
118s
max time network
118s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
22-05-2024 20:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3667e4eb3688a1c1973ea66d4bfe0e90_NeikiAnalytics.exe
Size

2.7MB
MD5

3667e4eb3688a1c1973ea66d4bfe0e90
SHA1

9e6a8264f69b5fc41cb51944b99557f45dd91cc8
SHA256

0918d2dec622289c197e987da6e6ce1ec01561dacb0e113156f7069a31100765
SHA512

edad7928694f6986be21bf491613b851376a40b533ab03c0d0fbb10107a6b9c4c7d586d739baebeb177920215a9ae34023663d5a4661ab7681d8df666b979eb5
SSDEEP

49152:aYrC8UsGuTwkA6gn2UkCsOCHdeQKyZURQ1EjT2:w8UsXCC9eQKyZURQ1EjT

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

3667e4eb3688a1c1973ea66d4bfe0e90_NeikiAnalytics.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\mls = "\"C:\\Users\\Admin\\AppData\\Roaming\\RAC\\mls.exe\" -s"	3667e4eb3688a1c1973ea66d4bfe0e90_NeikiAnalytics.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

AcroRd32.exe

pid process

2612 AcroRd32.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

AcroRd32.exe

pid process

2612 AcroRd32.exe
2612 AcroRd32.exe
2612 AcroRd32.exe

pid	process
2612	AcroRd32.exe

pid	process
2612	AcroRd32.exe
2612	AcroRd32.exe
2612	AcroRd32.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

3667e4eb3688a1c1973ea66d4bfe0e90_NeikiAnalytics.exe

description	pid	process	target process
PID 2204 wrote to memory of 2612	2204	3667e4eb3688a1c1973ea66d4bfe0e90_NeikiAnalytics.exe	AcroRd32.exe
PID 2204 wrote to memory of 2612	2204	3667e4eb3688a1c1973ea66d4bfe0e90_NeikiAnalytics.exe	AcroRd32.exe
PID 2204 wrote to memory of 2612	2204	3667e4eb3688a1c1973ea66d4bfe0e90_NeikiAnalytics.exe	AcroRd32.exe
PID 2204 wrote to memory of 2612	2204	3667e4eb3688a1c1973ea66d4bfe0e90_NeikiAnalytics.exe	AcroRd32.exe

C:\Users\Admin\AppData\Local\Temp\3667e4eb3688a1c1973ea66d4bfe0e90_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\3667e4eb3688a1c1973ea66d4bfe0e90_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2204

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\3667e4eb3688a1c1973ea66d4bfe0e90_NeikiAnalytics.pdf"
2⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2612

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\148729502.tmp
Filesize
2.7MB

MD5
3667e4eb3688a1c1973ea66d4bfe0e90

SHA1
9e6a8264f69b5fc41cb51944b99557f45dd91cc8

SHA256
0918d2dec622289c197e987da6e6ce1ec01561dacb0e113156f7069a31100765

SHA512
edad7928694f6986be21bf491613b851376a40b533ab03c0d0fbb10107a6b9c4c7d586d739baebeb177920215a9ae34023663d5a4661ab7681d8df666b979eb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\3667e4eb3688a1c1973ea66d4bfe0e90_NeikiAnalytics.pdf
Filesize
1.1MB

MD5
58ba263ee6d8d64d69957c44cb10bbc3

SHA1
a4c86768b63a7e3a51203618f3cf51df9f3f9027

SHA256
84e09359b0b15eb947814e39cb5007b6ccf158682edf74ccdeb874299858e27a

SHA512
09f52028f91828aa79d76f59782c1910af9210ccf67041b13558af6b421101199671f97b02f549249b6c263ff7e9c95574c6a26739c417ca3e4097aacfe878e3

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
Filesize
3KB

MD5
80ad6b42eb74b060eabc8da294b93045

SHA1
107ee5bfb54885a0251d8d0ff1c35ba05ea17c73

SHA256
514b1442986703757b591818b30e38252dbf990d2be78a07e9a3b4316229c3cd

SHA512
276871fa83714e5525f1f39d092e91af7f600c644051256bb43131b8b3c1fc2d32daa5e11da7444a3d93e68342b43809ccb9cf58abe0834d6e22a7ee4f6bb7a7

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads