757bb52277053fa8ec38e35e1d8d61f848b3cb98052f9b83ab7beef6764c5141

Analysis

max time kernel
149s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24/05/2024, 21:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8791e6d033c60f741742263243416ae0_NeikiAnalytics.exe
Size

408KB
MD5

8791e6d033c60f741742263243416ae0
SHA1

518214cdc0ab7e34355f81b783ac34825711138e
SHA256

757bb52277053fa8ec38e35e1d8d61f848b3cb98052f9b83ab7beef6764c5141
SHA512

77908b64b0a7f3beef34cedcf8c3d67dfc430347682fdddb8e0366c6ec23c63806cb8511d15f87cbaa147913ced6757658a4812ade7447474ef02731bd8e1759
SSDEEP

6144:4jlYKRF/LReWAsUymUvi1VJp6nrrtAujCcd2i6MkU6sHR8VckeknCHBi0QLN4:4jauDReWoUa1VJEZ/acOCHBi0Qq

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3544	ccqub.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\ProgramData\\ccqub.exe"	ccqub.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4052 wrote to memory of 3544	4052	8791e6d033c60f741742263243416ae0_NeikiAnalytics.exe	90
PID 4052 wrote to memory of 3544	4052	8791e6d033c60f741742263243416ae0_NeikiAnalytics.exe	90
PID 4052 wrote to memory of 3544	4052	8791e6d033c60f741742263243416ae0_NeikiAnalytics.exe	90

C:\Users\Admin\AppData\Local\Temp\8791e6d033c60f741742263243416ae0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\8791e6d033c60f741742263243416ae0_NeikiAnalytics.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4052
- C:\ProgramData\ccqub.exe
  "C:\ProgramData\ccqub.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:3544

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3144,i,1697479186275492802,18058102846092193784,262144 --variations-seed-version --mojo-platform-channel-handle=4404 /prefetch:8
1⤵
PID:1912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Documents and Settings .exe

Filesize
408KB

MD5
6a7fc39021b2dfc8e13d3b9a0af6536a

SHA1
a645e04bc76e21cf6d6d5de0b32dcb8bbcf5374e

SHA256
8f5db87617d5165c840a3d85ddcc67a75d3a4dcef8febd0d91993789a298798b

SHA512
6db4f8994fca7d0939f93df25543dbc39b37c3cd99f45c6e082ae26c26f57810689bf47842919bdf449d84b1d1216cdc781f82698aea47f9b7418a9dcd2ceece

Download Submit
C:\ProgramData\Saaaalamm\Mira.h

Filesize
136KB

MD5
cb4c442a26bb46671c638c794bf535af

SHA1
8a742d0b372f2ddd2d1fdf688c3c4ac7f9272abf

SHA256
f8d2c17bdf34ccfb58070ac8b131a8d95055340101a329f9a7212ac5240d0c25

SHA512
074a31e8da403c0a718f93cbca50574d8b658921193db0e6e20eacd232379286f14a3698cd443dc740d324ad19d74934ae001a7ad64b88897d8afefbc9a3d4e3

Download Submit
C:\ProgramData\ccqub.exe

Filesize
271KB

MD5
56880d7d241a6137c0ed2d5893c6af1d

SHA1
1a4d35a824bac78ad625ca97d50fd7b406d02761

SHA256
05571d347095f56d6e06c78d387841e8e962593da2a66601765ed3424849981a

SHA512
cc806e9d2cfee76541970f0082e1e600cec89c7e1941f488df944e1132fdf6f8bff62aa06b819ad16a5b69541e779bd9c8aebc41255dc80d98c13672fdf546bd

Download Submit
memory/3544-134-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4052-0-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/4052-1-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/4052-8-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads