8ddd72fbe374ecd33dfb6b70bbcb0e1c1ef6c556c25f554d607ea7a20257eeb2

Analysis

max time kernel
140s
max time network
120s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
23-05-2024 01:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

69af338a8e89bef5282d5dab1006e040_NeikiAnalytics.exe
Size

38KB
MD5

69af338a8e89bef5282d5dab1006e040
SHA1

c97a887aa39129db21bc94784a0507e5c4e6f7fb
SHA256

8ddd72fbe374ecd33dfb6b70bbcb0e1c1ef6c556c25f554d607ea7a20257eeb2
SHA512

d675d0a6419f59a77ff224eecae136efafb4ca768642acc133fea5aaed7b6ade31cf86e265d9dc59671420cf3e1b531572dc37aa6b3c6fa1cbaba3dfac938897
SSDEEP

768:jf/hLlNgcDZVPaM7QvmadHZyzY/y76WxQWngi++yilF2jmE:jxLIc3PR7RazyzGyGIqvaF2Z

Score

7^/10

persistence

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2644 cmd.exe
Executes dropped EXE 1 IoCs

Processes:

WgaDisp.exe

pid process

1596 WgaDisp.exe
Loads dropped DLL 2 IoCs

Processes:

69af338a8e89bef5282d5dab1006e040_NeikiAnalytics.exe

pid process

808 69af338a8e89bef5282d5dab1006e040_NeikiAnalytics.exe
808 69af338a8e89bef5282d5dab1006e040_NeikiAnalytics.exe

pid	process
2644	cmd.exe

pid	process
1596	WgaDisp.exe

pid	process
808	69af338a8e89bef5282d5dab1006e040_NeikiAnalytics.exe
808	69af338a8e89bef5282d5dab1006e040_NeikiAnalytics.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

69af338a8e89bef5282d5dab1006e040_NeikiAnalytics.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\_WGA = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WgaDisp.exe"	69af338a8e89bef5282d5dab1006e040_NeikiAnalytics.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

69af338a8e89bef5282d5dab1006e040_NeikiAnalytics.exe

description	pid	process	target process
PID 808 wrote to memory of 1596	808	69af338a8e89bef5282d5dab1006e040_NeikiAnalytics.exe	WgaDisp.exe
PID 808 wrote to memory of 1596	808	69af338a8e89bef5282d5dab1006e040_NeikiAnalytics.exe	WgaDisp.exe
PID 808 wrote to memory of 1596	808	69af338a8e89bef5282d5dab1006e040_NeikiAnalytics.exe	WgaDisp.exe
PID 808 wrote to memory of 1596	808	69af338a8e89bef5282d5dab1006e040_NeikiAnalytics.exe	WgaDisp.exe
PID 808 wrote to memory of 2644	808	69af338a8e89bef5282d5dab1006e040_NeikiAnalytics.exe	cmd.exe
PID 808 wrote to memory of 2644	808	69af338a8e89bef5282d5dab1006e040_NeikiAnalytics.exe	cmd.exe
PID 808 wrote to memory of 2644	808	69af338a8e89bef5282d5dab1006e040_NeikiAnalytics.exe	cmd.exe
PID 808 wrote to memory of 2644	808	69af338a8e89bef5282d5dab1006e040_NeikiAnalytics.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\69af338a8e89bef5282d5dab1006e040_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\69af338a8e89bef5282d5dab1006e040_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:808

C:\Users\Admin\AppData\Local\Temp\WgaDisp.exe
"C:\Users\Admin\AppData\Local\Temp\WgaDisp.exe"
2⤵
- Executes dropped EXE
PID:1596

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_DelItK.bat" "
2⤵
- Deletes itself
PID:2644

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_DelItK.bat
Filesize
261B

MD5
db2257faa01f4ffbfdf2501183151ecc

SHA1
ddb7c8ff9f88cdc40aef6fb0f008346f91f22365

SHA256
4f0e3c778e0524d1421cfa876f621b0c80ea43d36bdf19192636d4d4740e9a49

SHA512
628286359d963b4d91bbbd0f276be2e79f1464acc783fbf347700584e43682a9893451f7069394685abf9e8905ead4bf13726854396a8de604375f17db875845

Download Submit
\Users\Admin\AppData\Local\Temp\WgaDisp.exe
Filesize
38KB

MD5
81533fc957da652180a25842fe88db83

SHA1
3c1d0c417c26dee1b986d9abf648ef4f0f8778b1

SHA256
f362be63473b621e4ca7a7fcfc22df5dacb52ba4fbca98929649778dff580bbf

SHA512
1ae10aa0bf68242f0871a3e8a205e3bf02dbdbb17ce5687db1fd4ec39d050a77257bd326d84e48d37949493215c117ffecaebdf029f07fab792c651b4df9151d

Download Submit
memory/808-0-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/808-5-0x0000000001C40000-0x0000000001C59000-memory.dmp

Filesize
100KB

Download
memory/808-13-0x0000000001C40000-0x0000000001C59000-memory.dmp

Filesize
100KB

Download
memory/808-28-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/1596-14-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/1596-40-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download