Analysis
- max time kernel: 149s
- max time network: 145s
- platform: windows7_x64
- resource: win7-20240419-en
- resource tags: arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
- submitted: 23-05-2024 20:38
Static task: static1

Behavioral task: behavioral1
- Sample: 7745054389a1308d3293ebe957396830_NeikiAnalytics.exe
- Resource: win7-20240419-en

Behavioral task: behavioral2
- Sample: 7745054389a1308d3293ebe957396830_NeikiAnalytics.exe
- Resource: win10v2004-20240508-en
General
- Target: 7745054389a1308d3293ebe957396830_NeikiAnalytics.exe
- Size: 100KB
- MD5: 7745054389a1308d3293ebe957396830
- SHA1: 5be9394fe0ff59cb7f712a51e92ef18f2903512d
- SHA256: 6c0d035ef5e973a4222fae3edf7c04e039b3e04614db952d9d16e03cb5245130
- SHA512: a0d0f3c7f90955403623766fdc999c02f40f7180c8cc55988300b93aeeab6970ca7ecee7743683b128c23651e85df7937fc7c148c5ed4abdf2e4260a4b65b056
- SSDEEP: 1536:OE9QaVQ8v9/ui73aOtH0nrFgUhRwqjhurmKFctV:caV1/uMKacdhTjAqGctV
Malware Config
Signatures
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
  - Process: winver.exe
    Description: Set value (str)
    IoC: \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\EF3F37DD = "C:\\Users\\Admin\\AppData\\Roaming\\EF3F37DD\\bin.exe"
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes:
  - PID 3032, winver.exe (the same entry is recorded 64 times)
- Suspicious use of FindShellTrayWindow (1 IoC)
  Processes:
  - PID 3032, winver.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes (description, pid, process, target process):
  - PID 1320 wrote to memory of 3032: 1320, 7745054389a1308d3293ebe957396830_NeikiAnalytics.exe, target winver.exe (recorded 5 times)
  - PID 3032 wrote to memory of 1196: 3032, winver.exe, target Explorer.EXE
  - PID 3032 wrote to memory of 1108: 3032, winver.exe, target taskhost.exe
  - PID 3032 wrote to memory of 1168: 3032, winver.exe, target Dwm.exe
  - PID 3032 wrote to memory of 1196: 3032, winver.exe, target Explorer.EXE
Processes
- C:\Windows\system32\taskhost.exe (command line: "taskhost.exe", level 1)
- C:\Windows\system32\Dwm.exe (command line: "C:\Windows\system32\Dwm.exe", level 1)
- C:\Windows\Explorer.EXE (command line: C:\Windows\Explorer.EXE, level 1)
  - C:\Users\Admin\AppData\Local\Temp\7745054389a1308d3293ebe957396830_NeikiAnalytics.exe (command line: "C:\Users\Admin\AppData\Local\Temp\7745054389a1308d3293ebe957396830_NeikiAnalytics.exe", level 2)
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\winver.exe (command line: winver, level 3)
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads
- memory/1108-23-0x0000000077971000-0x0000000077972000-memory.dmp (Filesize: 4KB)
- memory/1108-22-0x0000000000620000-0x0000000000626000-memory.dmp (Filesize: 24KB)
- memory/1168-19-0x0000000000230000-0x0000000000236000-memory.dmp (Filesize: 24KB)
- memory/1168-25-0x0000000000230000-0x0000000000236000-memory.dmp (Filesize: 24KB)
- memory/1196-4-0x0000000002D10000-0x0000000002D16000-memory.dmp (Filesize: 24KB)
- memory/1196-3-0x0000000002D10000-0x0000000002D16000-memory.dmp (Filesize: 24KB)
- memory/1196-2-0x0000000002D10000-0x0000000002D16000-memory.dmp (Filesize: 24KB)
- memory/1196-24-0x0000000002480000-0x0000000002486000-memory.dmp (Filesize: 24KB)
- memory/1196-10-0x0000000077971000-0x0000000077972000-memory.dmp (Filesize: 4KB)
- memory/1196-21-0x0000000002480000-0x0000000002486000-memory.dmp (Filesize: 24KB)
- memory/1320-5-0x0000000001DC0000-0x00000000027C0000-memory.dmp (Filesize: 10.0MB)
- memory/1320-12-0x0000000000400000-0x000000000041B000-memory.dmp (Filesize: 108KB)
- memory/1320-13-0x0000000001DC0000-0x00000000027C0000-memory.dmp (Filesize: 10.0MB)
- memory/1320-0-0x0000000000400000-0x000000000041B000-memory.dmp (Filesize: 108KB)
- memory/1320-1-0x0000000000020000-0x0000000000021000-memory.dmp (Filesize: 4KB)
- memory/3032-7-0x0000000077B20000-0x0000000077B21000-memory.dmp (Filesize: 4KB)
- memory/3032-8-0x0000000077B1F000-0x0000000077B20000-memory.dmp (Filesize: 4KB)
- memory/3032-9-0x0000000077B1F000-0x0000000077B21000-memory.dmp (Filesize: 8KB)
- memory/3032-11-0x0000000077920000-0x0000000077AC9000-memory.dmp (Filesize: 1.7MB)
- memory/3032-6-0x0000000000160000-0x0000000000166000-memory.dmp (Filesize: 24KB)
- memory/3032-29-0x0000000000160000-0x0000000000166000-memory.dmp (Filesize: 24KB)