9d6caf0c17d153d29544652eeb6fb71ac5bbb719ab5acb150df1001c71f3381f

Analysis

max time kernel
118s
max time network
118s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
25/05/2024, 17:35

Target

ffeb27d9239d64e7bd034d2b4e4aa6c0_NeikiAnalytics.exe
Size

208KB
MD5

ffeb27d9239d64e7bd034d2b4e4aa6c0
SHA1

88aa00576ee57d675ea4bad8a375701bcd05a1af
SHA256

9d6caf0c17d153d29544652eeb6fb71ac5bbb719ab5acb150df1001c71f3381f
SHA512

4240bcc7fa09d660425a3c58b7f752b4fc2bacf9a06dbd3abefb4c0c4139dc55763af5ac13676dd306b18eefb555c2b56b9ff1b5f89a6427d87ca4ff38873c8c
SSDEEP

3072:3qlB/0/6HUAT6Tx3Zg+UUqtUUeUckydXVh/55nXag4NLthEjQT6:ab/HUAm13ZeUO/8kydXVJ5htQEj

Score

7^/10

Executes dropped EXE 1 IoCs

pid	Process
544	BFHPVQX.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\windows\BFHPVQX.exe	ffeb27d9239d64e7bd034d2b4e4aa6c0_NeikiAnalytics.exe
File created	C:\windows\BFHPVQX.exe.bat	ffeb27d9239d64e7bd034d2b4e4aa6c0_NeikiAnalytics.exe
File created	C:\windows\BFHPVQX.exe	ffeb27d9239d64e7bd034d2b4e4aa6c0_NeikiAnalytics.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2380	ffeb27d9239d64e7bd034d2b4e4aa6c0_NeikiAnalytics.exe
544	BFHPVQX.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2380	ffeb27d9239d64e7bd034d2b4e4aa6c0_NeikiAnalytics.exe
2380	ffeb27d9239d64e7bd034d2b4e4aa6c0_NeikiAnalytics.exe
544	BFHPVQX.exe
544	BFHPVQX.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2380 wrote to memory of 2140	2380	ffeb27d9239d64e7bd034d2b4e4aa6c0_NeikiAnalytics.exe	28
PID 2380 wrote to memory of 2140	2380	ffeb27d9239d64e7bd034d2b4e4aa6c0_NeikiAnalytics.exe	28
PID 2380 wrote to memory of 2140	2380	ffeb27d9239d64e7bd034d2b4e4aa6c0_NeikiAnalytics.exe	28
PID 2380 wrote to memory of 2140	2380	ffeb27d9239d64e7bd034d2b4e4aa6c0_NeikiAnalytics.exe	28
PID 2140 wrote to memory of 544	2140	cmd.exe	30
PID 2140 wrote to memory of 544	2140	cmd.exe	30
PID 2140 wrote to memory of 544	2140	cmd.exe	30
PID 2140 wrote to memory of 544	2140	cmd.exe	30

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

C:\Windows\BFHPVQX.exe.bat

Filesize
60B

MD5
0284b56f994e1704d52112d0f699add1

SHA1
d607eb32edc8b821648ab34d0153c9caf46ea97c

SHA256
6035bb51aa3cdf6d681a12bca2a27de3369e3354e1ae7e9be3abf9048212cd09

SHA512
1e61210cf6953082231c288b59b0e162e379b9447e339467aebbfd8dad6ebd3618b08340d7b3dffe27367921905ba9b2cbbcf210e6b682683f275ef40dbc728c

Download Submit
C:\windows\BFHPVQX.exe

Filesize
208KB

MD5
4586f2bbb35262fec43653f2c0ef12db

SHA1
f48999456b0a20fea52b1a113db89a5680fe5c5f

SHA256
72e71ae07834cc42a6776edd45ec6439e747b5ce624375b1c0dcf026a975ad16

SHA512
34a27044f39d113c349cdf599879f228bd9dddcfce3ecd1f120dcfcc9686ebb5588a1b3b99d445fde0be8cd600d616a1a929ea616799233cb4cdb832da2de1b7

Download Submit
memory/544-16-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/544-17-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2380-0-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2380-12-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download