Analysis
max time kernel: 149s
max time network: 123s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 23-05-2024 02:08
Static task: static1
Behavioral task: behavioral1
  Sample: 74bbef645fd4dde36db12ebb816df540_NeikiAnalytics.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 74bbef645fd4dde36db12ebb816df540_NeikiAnalytics.exe
  Resource: win10v2004-20240508-en
General
Target: 74bbef645fd4dde36db12ebb816df540_NeikiAnalytics.exe
Size: 49KB
MD5: 74bbef645fd4dde36db12ebb816df540
SHA1: e7282ff83123d885c13c170d7153df99d505ffd5
SHA256: 2efda8c8fb4768eda56b314e52832aee1763bb4c65816ec399779b9898b5c15d
SHA512: bee3a5b1d6e2d0d6c8c36e8059f053292d590499057eff7e41930716dee2110ba23dba8dff9a500c0accaad7a653dd295f7a75152bb6690d23be43b8acfd4c71
SSDEEP: 768:mzQYScGrIubHuYtvdxwYHw5FAe2Qfncwx9vMdJTeTXpnHTkGrbHdrzxDvDInYn:gQTIubHy5wQfJAejpzkGdxDLIYn
Malware Config
Extracted
Protocol: ftp
Host: ftp.tripod.com
Port: 21
Username: onthelinux
Password: 741852abc
Note: this is the FTP account the sample is configured to use. Plain FTP on port 21 sends both the login and any transferred data in cleartext, so the same credentials and any upload are visible to network monitoring on the infected host's path to ftp.tripod.com.
Signatures
Executes dropped EXE (1 IoC)
  PID 2508  jusched.exe
Loads dropped DLL (2 IoCs)
  PID 2044  74bbef645fd4dde36db12ebb816df540_NeikiAnalytics.exe
  PID 2044  74bbef645fd4dde36db12ebb816df540_NeikiAnalytics.exe
Drops file in Program Files directory (2 IoCs)
  File created: C:\Program Files (x86)\70d0d7fd\jusched.exe  by 74bbef645fd4dde36db12ebb816df540_NeikiAnalytics.exe
  File created: C:\Program Files (x86)\70d0d7fd\70d0d7fd  by 74bbef645fd4dde36db12ebb816df540_NeikiAnalytics.exe
  Note: the dropped binary borrows the file name of Java's update scheduler (jusched.exe) but is written to a fresh 8-hex-character directory directly under Program Files (x86). The legitimate binary of that name is installed under Common Files\Java\Java Update, so the path alone separates the two.
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 2508  jusched.exe  (64 hits, all from the same process)
Suspicious use of WriteProcessMemory (4 IoCs)
  PID 2044 (74bbef645fd4dde36db12ebb816df540_NeikiAnalytics.exe) wrote to memory of PID 2508 (jusched.exe), 4 writes
  Note: the only target is the child the dropper has just started. Writes from a parent into its newly created child do not by themselves distinguish ordinary process start-up from pre-execution patching, so treat this as corroborating the drop-and-execute chain rather than as independent evidence of injection.
Processes
1. C:\Users\Admin\AppData\Local\Temp\74bbef645fd4dde36db12ebb816df540_NeikiAnalytics.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\74bbef645fd4dde36db12ebb816df540_NeikiAnalytics.exe"
   - Loads dropped DLL
   - Drops file in Program Files directory
   - Suspicious use of WriteProcessMemory
   2. C:\Program Files (x86)\70d0d7fd\jusched.exe  (child of 1)
      Command line: "C:\Program Files (x86)\70d0d7fd\jusched.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
C:\Program Files (x86)\70d0d7fd\70d0d7fd
  Filesize: 13B
  MD5: f253efe302d32ab264a76e0ce65be769
  SHA1: 768685ca582abd0af2fbb57ca37752aa98c9372b
  SHA256: 49dca65f362fee401292ed7ada96f96295eab1e589c52e4e66bf4aedda715fdd
  SHA512: 1990d20b462406bbadb22ba43f1ed9d0db6b250881d4ac89ad8cf6e43ca92b2fd31c3a15be1e6e149e42fdb46e58122c15bc7869a82c9490656c80df69fa77c4
\Program Files (x86)\70d0d7fd\jusched.exe
  Filesize: 49KB
  MD5: 9dbe9c966ab230099db17f283efba6ce
  SHA1: 25bd404e787a52fd8631bab8bd6517d5ff7bdc8e
  SHA256: c61e9c1f3fd145435fca2edbfc98d042840a3342651a9ceaa7219743d6f1d301
  SHA512: 484ffb7d7c0ecf94bc86094a8742a64643f1c62c3a76c72782619d6306d63c4c752064544f13bdd585323360482b8587b38c6943765fa2b8de78deee0afc645e
  Note: same 49KB size as the submitted sample, but every hash differs, so the drop is not a byte-for-byte self-copy. Hunt on both hash sets (and on the path) rather than on the submitted sample's hashes alone.
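The file artifacts above are the part of this report that transfers to other hosts: three hashes and one distinctive path layout. The script below is an added example (not part of the sandbox report or its tooling) that hunts a directory tree for both. It generalises the one observed directory name, 70d0d7fd, to "any 8-hex-character directory directly under Program Files (x86) containing a jusched.exe", which is an assumption about how the dropper names its folder on other hosts. The statement that the legitimate Java Update Scheduler jusched.exe lives under Common Files\Java\Java Update is general knowledge, not something the report states. The fixture files it creates for its demo are constructed placeholders, not the sample.

```python
"""Hunt a directory tree for the dropped-file IoCs listed in the report.

Two independent rules:
  (a) SHA-256 match against the hashes the report gives for the submitted
      sample, the dropped jusched.exe and the 13-byte marker file;
  (b) structural match on the drop path: <Program Files (x86)>\<8 hex>\jusched.exe.
Rule (b) is the useful one when the attacker rebuilds the binary, because
hashes change and the path layout tends not to.
"""
import hashlib
import re
import tempfile
from pathlib import Path

# Hashes copied from the report.
KNOWN_SHA256 = {
    "2efda8c8fb4768eda56b314e52832aee1763bb4c65816ec399779b9898b5c15d": "submitted sample",
    "c61e9c1f3fd145435fca2edbfc98d042840a3342651a9ceaa7219743d6f1d301": "dropped jusched.exe",
    "49dca65f362fee401292ed7ada96f96295eab1e589c52e4e66bf4aedda715fdd": "dropped 13-byte marker 70d0d7fd",
}

# Assumption: the 8-hex directory name generalises beyond the single observed
# instance (70d0d7fd). Accepts both Windows and POSIX separators so the same
# rule runs over a mounted image or an export on Linux.
DROP_PATH_RE = re.compile(
    r"(?i)(?:^|[\\/])program files \(x86\)[\\/][0-9a-f]{8}[\\/]jusched\.exe$"
)


def sha256_of(path: Path) -> str:
    """Stream the file so large binaries do not get read into memory at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def hunt(root: Path) -> list:
    """Return one finding dict per file under root that trips either rule."""
    findings = []
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        reasons = []
        digest = sha256_of(p)
        if digest in KNOWN_SHA256:
            reasons.append(f"sha256 matches report: {KNOWN_SHA256[digest]}")
        if DROP_PATH_RE.search(str(p)):
            reasons.append("jusched.exe in 8-hex dir under Program Files (x86)")
        if reasons:
            findings.append({"path": str(p), "sha256": digest, "reasons": reasons})
    return findings


def build_demo_tree(root: Path) -> None:
    """Constructed fixture, not the real sample: the dropper's layout plus two
    decoys that must NOT fire (the legitimate Java path and an unrelated file)."""
    dropped = root / "Program Files (x86)" / "70d0d7fd" / "jusched.exe"
    java = root / "Program Files (x86)" / "Common Files" / "Java" / "Java Update" / "jusched.exe"
    note = root / "Users" / "Admin" / "AppData" / "Local" / "Temp" / "notes.txt"
    for f, data in (
        (dropped, b"MZ constructed placeholder, not the sample"),
        (java, b"MZ constructed legitimate-looking decoy"),
        (note, b"unrelated file"),
    ):
        f.parent.mkdir(parents=True, exist_ok=True)
        f.write_bytes(data)


def demo() -> list:
    """Build the fixture in a temp dir, run the hunt, return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_demo_tree(root)
        return hunt(root)


if __name__ == "__main__":
    for finding in demo():
        print(finding["path"], "->", "; ".join(finding["reasons"]))
```

Against the constructed fixture only the path rule fires, and only on the 70d0d7fd copy; the hash rule stays silent because the placeholder bytes are not the sample. On a real host, point `hunt()` at the mounted volume root (or at `Program Files (x86)` alone to keep it fast) and expect the hash rule to fire on unmodified copies and the path rule on rebuilt ones.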