b8eccfcccb1e237d01c11de3df111e209f4d9b13eac2fef5e119fabcaf3d0d6b

Analysis

max time kernel
143s
max time network
125s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
23-05-2024 00:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

62ab500953036aad9e6c215036555ba0_NeikiAnalytics.exe
Size

9.7MB
MD5

62ab500953036aad9e6c215036555ba0
SHA1

05350a4f4fa4a45f55b922652cf991514300e2c2
SHA256

b8eccfcccb1e237d01c11de3df111e209f4d9b13eac2fef5e119fabcaf3d0d6b
SHA512

7585459e31820cd9b3d42b64b913a63dd0808f4f247e5b5b10fb5fde35dfcdc41e4059f751348315d680c23068c8775c37dc53923b77209166c3bed4a1a7a17e
SSDEEP

196608:j3F6n80W6uGaLAL9gZmesbZRneSPNgGySqHXsU6aDvMqT4Oi+eNs:rFREnIU7ewg9Sq8XaDvVT4O8K

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

irsetup.exe

pid process

2052 irsetup.exe

pid	process
2052	irsetup.exe

Loads dropped DLL 5 IoCs

Processes:

62ab500953036aad9e6c215036555ba0_NeikiAnalytics.exeirsetup.exe

pid	process
3008	62ab500953036aad9e6c215036555ba0_NeikiAnalytics.exe
3008	62ab500953036aad9e6c215036555ba0_NeikiAnalytics.exe
3008	62ab500953036aad9e6c215036555ba0_NeikiAnalytics.exe
3008	62ab500953036aad9e6c215036555ba0_NeikiAnalytics.exe
2052	irsetup.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	upx
behavioral1/memory/3008-14-0x0000000002E40000-0x000000000320B000-memory.dmp	upx
behavioral1/memory/2052-25-0x0000000000400000-0x00000000007CB000-memory.dmp	upx
behavioral1/memory/2052-36-0x0000000000400000-0x00000000007CB000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

irsetup.exe

pid process

2052 irsetup.exe
2052 irsetup.exe
2052 irsetup.exe

pid	process
2052	irsetup.exe
2052	irsetup.exe
2052	irsetup.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

62ab500953036aad9e6c215036555ba0_NeikiAnalytics.exe

description	pid	process	target process
PID 3008 wrote to memory of 2052	3008	62ab500953036aad9e6c215036555ba0_NeikiAnalytics.exe	irsetup.exe
PID 3008 wrote to memory of 2052	3008	62ab500953036aad9e6c215036555ba0_NeikiAnalytics.exe	irsetup.exe
PID 3008 wrote to memory of 2052	3008	62ab500953036aad9e6c215036555ba0_NeikiAnalytics.exe	irsetup.exe
PID 3008 wrote to memory of 2052	3008	62ab500953036aad9e6c215036555ba0_NeikiAnalytics.exe	irsetup.exe
PID 3008 wrote to memory of 2052	3008	62ab500953036aad9e6c215036555ba0_NeikiAnalytics.exe	irsetup.exe
PID 3008 wrote to memory of 2052	3008	62ab500953036aad9e6c215036555ba0_NeikiAnalytics.exe	irsetup.exe
PID 3008 wrote to memory of 2052	3008	62ab500953036aad9e6c215036555ba0_NeikiAnalytics.exe	irsetup.exe

C:\Users\Admin\AppData\Local\Temp\62ab500953036aad9e6c215036555ba0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\62ab500953036aad9e6c215036555ba0_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3008

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
"C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:1742194 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\62ab500953036aad9e6c215036555ba0_NeikiAnalytics.exe" "__IRCT:1" "__IRTSS:0" "__IRSID:S-1-5-21-330940541-141609230-1670313778-1000"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\logo.ico

Filesize
66KB

MD5
beb1564799f32c748e1fe5e58bc99e9e

SHA1
b7b1de1f5dfcece8aca713af256bb4b4f4f627b2

SHA256
4f0f68e0d63fc9a455acc4d6546d64ba95f696c77d6968a83ec2b3f18917d751

SHA512
c7c35178557935cd783a03ed601e30eb87b57c1215bf497993c1a7c8bfb60b47490e3b01e0b22ffbcc106879dff2b596087f3a9443f0e0dd945c6c0909d3a7cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll

Filesize
318KB

MD5
b5fc476c1bf08d5161346cc7dd4cb0ba

SHA1
280fac9cf711d93c95f6b80ac97d89cf5853c096

SHA256
12cb9b8f59c00ef40ea8f28bfc59a29f12dc28332bf44b1a5d8d6a8823365650

SHA512
17fa97f399287b941e958d2d42fe6adb62700b01d9dbe0c824604e8e06d903b330f9d7d8ffb109bfb7f6742f46e7e9cedad6981f0d94d629b8402d0a0174f697

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
1.3MB

MD5
dec931e86140139380ea0df57cd132b6

SHA1
b717fd548382064189c16cb94dda28b1967a5712

SHA256
5ffd4b20dccfb84c8890abdb780184a7651e760aefba4ab0c6fba5b2a81f97d9

SHA512
14d594e88c4a1f0ec8bc1b4fe2d66e26358f907b1106c047ada35d500ca9e608f1ce5a57599453cf10f11f4d9f1948ced9056ce8bd944b16eca7e9b83e8b27af

Download Submit
memory/2052-25-0x0000000000400000-0x00000000007CB000-memory.dmp

Filesize
3.8MB

Download
memory/2052-36-0x0000000000400000-0x00000000007CB000-memory.dmp

Filesize
3.8MB

Download
memory/3008-14-0x0000000002E40000-0x000000000320B000-memory.dmp

Filesize
3.8MB

Download
memory/3008-18-0x0000000002E40000-0x000000000320B000-memory.dmp

Filesize
3.8MB

Download
memory/3008-20-0x0000000002E40000-0x000000000320B000-memory.dmp

Filesize
3.8MB

Download
memory/3008-38-0x0000000002E40000-0x000000000320B000-memory.dmp

Filesize
3.8MB

Download