8ddd72fbe374ecd33dfb6b70bbcb0e1c1ef6c556c25f554d607ea7a20257eeb2

Analysis

max time kernel
140s
max time network
120s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
23-05-2024 01:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

69af338a8e89bef5282d5dab1006e040_NeikiAnalytics.exe
Size

38KB
MD5

69af338a8e89bef5282d5dab1006e040
SHA1

c97a887aa39129db21bc94784a0507e5c4e6f7fb
SHA256

8ddd72fbe374ecd33dfb6b70bbcb0e1c1ef6c556c25f554d607ea7a20257eeb2
SHA512

d675d0a6419f59a77ff224eecae136efafb4ca768642acc133fea5aaed7b6ade31cf86e265d9dc59671420cf3e1b531572dc37aa6b3c6fa1cbaba3dfac938897
SSDEEP

768:jf/hLlNgcDZVPaM7QvmadHZyzY/y76WxQWngi++yilF2jmE:jxLIc3PR7RazyzGyGIqvaF2Z

Score

7^/10

persistence

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2644 cmd.exe
Executes dropped EXE 1 IoCs

Processes:

WgaDisp.exe

pid process

1596 WgaDisp.exe
Loads dropped DLL 2 IoCs

Processes:

69af338a8e89bef5282d5dab1006e040_NeikiAnalytics.exe

pid process

808 69af338a8e89bef5282d5dab1006e040_NeikiAnalytics.exe
808 69af338a8e89bef5282d5dab1006e040_NeikiAnalytics.exe

pid	process
2644	cmd.exe

pid	process
1596	WgaDisp.exe

pid	process
808	69af338a8e89bef5282d5dab1006e040_NeikiAnalytics.exe
808	69af338a8e89bef5282d5dab1006e040_NeikiAnalytics.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

69af338a8e89bef5282d5dab1006e040_NeikiAnalytics.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\_WGA = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WgaDisp.exe"	69af338a8e89bef5282d5dab1006e040_NeikiAnalytics.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

69af338a8e89bef5282d5dab1006e040_NeikiAnalytics.exe

description	pid	process	target process
PID 808 wrote to memory of 1596	808	69af338a8e89bef5282d5dab1006e040_NeikiAnalytics.exe	WgaDisp.exe
PID 808 wrote to memory of 1596	808	69af338a8e89bef5282d5dab1006e040_NeikiAnalytics.exe	WgaDisp.exe
PID 808 wrote to memory of 1596	808	69af338a8e89bef5282d5dab1006e040_NeikiAnalytics.exe	WgaDisp.exe
PID 808 wrote to memory of 1596	808	69af338a8e89bef5282d5dab1006e040_NeikiAnalytics.exe	WgaDisp.exe
PID 808 wrote to memory of 2644	808	69af338a8e89bef5282d5dab1006e040_NeikiAnalytics.exe	cmd.exe
PID 808 wrote to memory of 2644	808	69af338a8e89bef5282d5dab1006e040_NeikiAnalytics.exe	cmd.exe
PID 808 wrote to memory of 2644	808	69af338a8e89bef5282d5dab1006e040_NeikiAnalytics.exe	cmd.exe
PID 808 wrote to memory of 2644	808	69af338a8e89bef5282d5dab1006e040_NeikiAnalytics.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\69af338a8e89bef5282d5dab1006e040_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\69af338a8e89bef5282d5dab1006e040_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:808

C:\Users\Admin\AppData\Local\Temp\WgaDisp.exe
"C:\Users\Admin\AppData\Local\Temp\WgaDisp.exe"
2⤵
- Executes dropped EXE
PID:1596

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_DelItK.bat" "
2⤵
- Deletes itself
PID:2644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_DelItK.bat

Filesize
261B

MD5
db2257faa01f4ffbfdf2501183151ecc

SHA1
ddb7c8ff9f88cdc40aef6fb0f008346f91f22365

SHA256
4f0e3c778e0524d1421cfa876f621b0c80ea43d36bdf19192636d4d4740e9a49

SHA512
628286359d963b4d91bbbd0f276be2e79f1464acc783fbf347700584e43682a9893451f7069394685abf9e8905ead4bf13726854396a8de604375f17db875845

Download Submit
\Users\Admin\AppData\Local\Temp\WgaDisp.exe

Filesize
38KB

MD5
81533fc957da652180a25842fe88db83

SHA1
3c1d0c417c26dee1b986d9abf648ef4f0f8778b1

SHA256
f362be63473b621e4ca7a7fcfc22df5dacb52ba4fbca98929649778dff580bbf

SHA512
1ae10aa0bf68242f0871a3e8a205e3bf02dbdbb17ce5687db1fd4ec39d050a77257bd326d84e48d37949493215c117ffecaebdf029f07fab792c651b4df9151d

Download Submit
memory/808-0-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/808-5-0x0000000001C40000-0x0000000001C59000-memory.dmp

Filesize
100KB

Download
memory/808-13-0x0000000001C40000-0x0000000001C59000-memory.dmp

Filesize
100KB

Download
memory/808-28-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/1596-14-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/1596-40-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download