378f6ba5d80510262c3483bebe182add567464b0b2c15f9900cc107faddb2467

Analysis

max time kernel
149s
max time network
151s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
25-05-2024 13:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bd977a9ea6447b09730a65d9934a0b70_NeikiAnalytics.exe
Size

1.3MB
MD5

bd977a9ea6447b09730a65d9934a0b70
SHA1

50c2294f8ebe51b922d038b947e8818b446c758a
SHA256

378f6ba5d80510262c3483bebe182add567464b0b2c15f9900cc107faddb2467
SHA512

b6699e8e11b624faaa2b67d759a9fdcf5730797ef7830f04a1c330cd5b673ae2fdd6d5003079755611a17424d5e7d26fd0bc415a6f6957772a5ed6151ba809a9
SSDEEP

24576:zDvxE0HTog5ujibtFGNF5Ux2evA8xE2rn3TR7iB:S2TogXZa5UvvpxE2b3TR7S

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2992	svchost.exe

Loads dropped DLL 2 IoCs

pid	Process
2972	bd977a9ea6447b09730a65d9934a0b70_NeikiAnalytics.exe
2992	svchost.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\kdaOYre\svchost.exe	bd977a9ea6447b09730a65d9934a0b70_NeikiAnalytics.exe
File created	C:\Windows\CLOG.txt	bd977a9ea6447b09730a65d9934a0b70_NeikiAnalytics.exe
File created	C:\Windows\ibsRJPh.dll	svchost.exe
File opened for modification	C:\Windows\CLOG.txt	svchost.exe
File created	C:\Windows\KMJUkl\nEJJHCeT.dll	svchost.exe
File opened for modification	C:\Windows\KMJUkl\nEJJHCeT.dll	svchost.exe
File created	C:\Windows\iQsDFTLQ.dll	bd977a9ea6447b09730a65d9934a0b70_NeikiAnalytics.exe
File created	C:\Windows\kdaOYre\svchost.exe	bd977a9ea6447b09730a65d9934a0b70_NeikiAnalytics.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2992	svchost.exe
2992	svchost.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2992	svchost.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2972 wrote to memory of 2992	2972	bd977a9ea6447b09730a65d9934a0b70_NeikiAnalytics.exe	28
PID 2972 wrote to memory of 2992	2972	bd977a9ea6447b09730a65d9934a0b70_NeikiAnalytics.exe	28
PID 2972 wrote to memory of 2992	2972	bd977a9ea6447b09730a65d9934a0b70_NeikiAnalytics.exe	28
PID 2972 wrote to memory of 2992	2972	bd977a9ea6447b09730a65d9934a0b70_NeikiAnalytics.exe	28

C:\Users\Admin\AppData\Local\Temp\bd977a9ea6447b09730a65d9934a0b70_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\bd977a9ea6447b09730a65d9934a0b70_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2972
- C:\Windows\kdaOYre\svchost.exe
  "C:\Windows\kdaOYre\svchost.exe" 2
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\CLOG.txt

Filesize
163B

MD5
18e2844ce2b4c4294cc0d4fc05afb937

SHA1
866bd245e7ad4888c60d0f300791a4590295538e

SHA256
e763b43020a4960b17d92355aac75bac30d045bde8ed6e01985177312fbe647a

SHA512
14e8b5418dd8d224fe014f14137ca5a5e3efbd2092dbbed14f096362dc8a79d75dc807db76e56b7bc7aebd56e0882f874fe7ebd158866a76ab89ba1f2dd45469

Download Submit
C:\Windows\kdaOYre\svchost.exe

Filesize
1.3MB

MD5
33e2ade06014a4fb261fd264b720b0cc

SHA1
07da528e204be1c07444677edfec228893526a16

SHA256
e7bc3f32215e052ed475ce8108a98b003c6e3d85236cdda5624beeefe488cf9c

SHA512
b1bae1b40fb810a16d6f39d35d96a2a604a2e31a2552441e93c2b79ff2200a12d7955e37a67c3b941c5ffecbd5dad83f012ab364824ffd4f58b951b334b7fd56

Download Submit
\Users\Admin\AppData\Local\QMdOLpf\OXweEt.dll

Filesize
842KB

MD5
f6b96395a9f828bccf0b4e6c7b1abfdf

SHA1
500bb854b8a62e819fc9c7c4728969348eaefdc6

SHA256
8922a6a6e6bb4c7a887d12e8b89ffbcd6f7b191e6902fc03e348d4ca621f3d19

SHA512
abe350c693b271ab866ab671f87c3f195b8a566af5154f722b1e07d4c1aaaf8d58c4ae514e4b170a41c28a98ac4dc28e0c68dd86534e3e2efeca623207c29628

Download Submit
memory/2972-2-0x0000000000400000-0x0000000000532000-memory.dmp

Filesize
1.2MB

Download
memory/2972-10-0x0000000000400000-0x0000000000532000-memory.dmp

Filesize
1.2MB

Download
memory/2992-13-0x0000000000400000-0x0000000000532000-memory.dmp

Filesize
1.2MB

Download
memory/2992-16-0x0000000000400000-0x0000000000532000-memory.dmp

Filesize
1.2MB

Download
memory/2992-53-0x00000000002A0000-0x00000000002A3000-memory.dmp

Filesize
12KB

Download
memory/2992-52-0x0000000002F50000-0x00000000030D4000-memory.dmp

Filesize
1.5MB

Download