Overview

overview

10

Static

static

3

62b1d76732...cs.exe

windows7-x64

10

62b1d76732...cs.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-05-2024 00:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    62b1d7673220b7f3c50184cd032af7e0_NeikiAnalytics.exe

  • Size

    42KB

  • MD5

    62b1d7673220b7f3c50184cd032af7e0

  • SHA1

    e6e7c81611e0fbe07d5464e8d252afc8112169e4

  • SHA256

    b4d1ad3c13c696680ce4eb68614fe21079b040d70762b21f0b2d05fa220763fd

  • SHA512

    5ae501e19ce8eb20c13e8aaaf3285206b13553680a01d8af4231629de296d70c518b0f2379563e87a594cd14f6f7f92725c48c05fc5d8036c2be6a831d0e5f62

  • SSDEEP

    768:xIP5WOMVs4PSV06ymNNC6S7Cm1n2OBGRIWNSE77DPQ1TTGfGYha:xI0OGrOy6NvSpMZrQ1Jt

Score
10/10

Malware Config

Extracted

Credentials

  • Protocol:     ftp
  • Host:
    ftp.tripod.com
  • Port:
    21
  • Username:
    griptoloji
  • Password:
    741852

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\62b1d7673220b7f3c50184cd032af7e0_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\62b1d7673220b7f3c50184cd032af7e0_NeikiAnalytics.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:1816
    • C:\Program Files (x86)\Java\jre-09\bin\jusched.exe
      "C:\Program Files (x86)\Java\jre-09\bin\jusched.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:4960

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\Java\jre-09\bin\jusched.exe
    Filesize

    42KB

    MD5

    85ad19c2e5acacc142184966e759ff81

    SHA1

    66ebb3e8d1abaa664b211930243ddc8c20464036

    SHA256

    cb9e97d17217e2c02d122fff1c0526145d8cc72a686fbcd5cf8875dd906b699f

    SHA512

    7067902fe0d7c31b2aa7b7bb845d6f06771431dd74f6804d7c31d52238993da34ee16043965c29d49dba5a9f8c49f246f2757d488d6961b39a6227ce282bc2a4

    Download Submit

  • memory/1816-0-0x0000000000400000-0x0000000000473000-memory.dmp

    Filesize

    460KB

    Download

  • memory/1816-12-0x0000000000400000-0x0000000000473000-memory.dmp

    Filesize

    460KB

    Download

  • memory/4960-11-0x0000000000400000-0x0000000000473000-memory.dmp

    Filesize

    460KB

    Download

  • memory/4960-14-0x0000000000400000-0x0000000000473000-memory.dmp

    Filesize

    460KB

    Download

  • memory/4960-19-0x0000000000400000-0x0000000000473000-memory.dmp

    Filesize

    460KB

    Download

  • memory/4960-20-0x0000000000400000-0x0000000000473000-memory.dmp

    Filesize

    460KB

    Download