e250f398dd177d8df758793dd9d83ebf14de4e0dd31cf6e2ac14cc9ce55540e2

Analysis

max time kernel
149s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
24/05/2024, 14:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7bbbdd9baf824fb8f0d73b8fa90b2200_NeikiAnalytics.exe
Size

408KB
MD5

7bbbdd9baf824fb8f0d73b8fa90b2200
SHA1

e9ae359b0407cee14cb53bfaa85065071540cad0
SHA256

e250f398dd177d8df758793dd9d83ebf14de4e0dd31cf6e2ac14cc9ce55540e2
SHA512

703be1b659249ee49f654239027b9a9ac8d7cb30b731d84d5b99a49691997e813e8ed98d5fb8ed382b0e08bd0a31bc7cd3301fa31416b8be8522088a251e8fea
SSDEEP

6144:4jlYKRF/LReWAsUyJNqSaP/4qjSbnLIZlzJh4BnAvTXqO/WyccbdztKgLWmaTZ:4jauDReWXNqSaP/4qjzqmWDcbttKcWfZ

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2948	ctgtef.exe

Loads dropped DLL 2 IoCs

pid	Process
2484	7bbbdd9baf824fb8f0d73b8fa90b2200_NeikiAnalytics.exe
2484	7bbbdd9baf824fb8f0d73b8fa90b2200_NeikiAnalytics.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\ProgramData\\ctgtef.exe"	ctgtef.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2484 wrote to memory of 2948	2484	7bbbdd9baf824fb8f0d73b8fa90b2200_NeikiAnalytics.exe	28
PID 2484 wrote to memory of 2948	2484	7bbbdd9baf824fb8f0d73b8fa90b2200_NeikiAnalytics.exe	28
PID 2484 wrote to memory of 2948	2484	7bbbdd9baf824fb8f0d73b8fa90b2200_NeikiAnalytics.exe	28
PID 2484 wrote to memory of 2948	2484	7bbbdd9baf824fb8f0d73b8fa90b2200_NeikiAnalytics.exe	28

C:\Users\Admin\AppData\Local\Temp\7bbbdd9baf824fb8f0d73b8fa90b2200_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\7bbbdd9baf824fb8f0d73b8fa90b2200_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2484
- C:\ProgramData\ctgtef.exe
  "C:\ProgramData\ctgtef.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache .exe

Filesize
408KB

MD5
83295f7c7b75f0ad757f8c0321ad068c

SHA1
dc24fa625151c615e034b9a17ad310bc331c5f0f

SHA256
8a56b7a3badaa80ceb14289fee973b08dcb099a7518d445e76cab396fd51c2d7

SHA512
acbdfbeeb25d4ce6b9940ce6a8494646dfc478318430879032b5ab1dfb60c442107b25e1bca39efaec829d865892950791bbe891fa68317d2d82dd9e173b7a87

Download Submit
C:\ProgramData\Saaaalamm\Mira.h

Filesize
136KB

MD5
cb4c442a26bb46671c638c794bf535af

SHA1
8a742d0b372f2ddd2d1fdf688c3c4ac7f9272abf

SHA256
f8d2c17bdf34ccfb58070ac8b131a8d95055340101a329f9a7212ac5240d0c25

SHA512
074a31e8da403c0a718f93cbca50574d8b658921193db0e6e20eacd232379286f14a3698cd443dc740d324ad19d74934ae001a7ad64b88897d8afefbc9a3d4e3

Download Submit
C:\ProgramData\ctgtef.exe

Filesize
271KB

MD5
2ef4f690778d35608c43f22b4beb4c62

SHA1
6a22b3dcf256a358a72955c95d01a13fde91f3f2

SHA256
4915a17d11abcc1214162d9928e16156c0719505c2deca081ff94a47e34581a7

SHA512
16bdf1933e9355fc209618f2c9818990dc81bcd2ed1b9ecf1a2b751aee29cda15ac4c626f9701cca46e8b3034cee0ca1dfd4baac253e565f8a3dc3a3a579430c

Download Submit
memory/2484-0-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/2484-1-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/2484-12-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/2948-131-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads