a9db9c6c77069bb4f43e825eb057308e4591091790766a91f17210b8ee62a89c

Analysis

max time kernel
134s
max time network
105s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
25/05/2024, 08:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

72e35c9a610e89cb2d4aa56f3993d7b0_NeikiAnalytics.exe
Size

495KB
MD5

72e35c9a610e89cb2d4aa56f3993d7b0
SHA1

ed1ee2aa078f3a9f748d088515578e54224eb99c
SHA256

a9db9c6c77069bb4f43e825eb057308e4591091790766a91f17210b8ee62a89c
SHA512

db3ec40f4c23bf76e82b7d2692861daa8e05687c1d0e3c0580c2692c1be53066fdb515aaf328b50da25e5d679dbfcca47c70814077b05e8f520c46b822b65ec5
SSDEEP

12288:NyAfDcgcTQhgpZBDtoRAG01LqTl2mZoiM:vDVBADt1ZKlXs

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4800	EXE321C.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4800	EXE321C.tmp
4800	EXE321C.tmp

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 3144 wrote to memory of 4800	3144	72e35c9a610e89cb2d4aa56f3993d7b0_NeikiAnalytics.exe	84
PID 3144 wrote to memory of 4800	3144	72e35c9a610e89cb2d4aa56f3993d7b0_NeikiAnalytics.exe	84
PID 3144 wrote to memory of 4800	3144	72e35c9a610e89cb2d4aa56f3993d7b0_NeikiAnalytics.exe	84
PID 4800 wrote to memory of 3288	4800	EXE321C.tmp	85
PID 4800 wrote to memory of 3288	4800	EXE321C.tmp	85

C:\Users\Admin\AppData\Local\Temp\72e35c9a610e89cb2d4aa56f3993d7b0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\72e35c9a610e89cb2d4aa56f3993d7b0_NeikiAnalytics.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3144
- C:\Users\Admin\AppData\Local\Temp\EXE321C.tmp
  "C:\Users\Admin\AppData\Local\Temp\EXE321C.tmp" "C:\Users\Admin\AppData\Local\Temp\OFM321D.tmp" "C:\Users\Admin\AppData\Local\Temp\72e35c9a610e89cb2d4aa56f3993d7b0_NeikiAnalytics.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4800
- - C:\Windows\splwow64.exe
    C:\Windows\splwow64.exe 12288
    3⤵
    PID:3288

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:4620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\EXE321C.tmp

Filesize
968KB

MD5
0f619e7352920d8d21926f2b715e0794

SHA1
cdd75d72647b1c75477c069b51b5f8ab5dc63e50

SHA256
e6090962c2504441c1cd5f6ee75dd5ffbddc38062f02807f0d44176d8f464381

SHA512
380592a1382f40d80839efea429619470b09fc0c0aad8666c6392d8dbd112f5e8719538fc93044454f4ce67375aaae8da59e09563b167ff8adf34240be684dae

Download Submit
C:\Users\Admin\AppData\Local\Temp\OFM321D.tmp

Filesize
48KB

MD5
57ae7602223c16f2196478dbab4d3022

SHA1
62e1a157bd91d6f4abbed7608d7d6c72abfdc3ce

SHA256
df7d02aa00b476d0c817e113b0431c04759c6db6b3170659d4106ea40edf3de6

SHA512
68af3b492f7651b4d64ff4d70438a585b87cd2e1f4b88e9ad7011b8287968a53691a0758756536370babac14ef2e8eacd5ac767e0c9170466c0a8bca2600c1d7

Download Submit