a18130f8d3d2ee01d0f9b306e1fe232ada951b92eea3e3f1b9deff1fc86737af

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
25-05-2024 19:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0ed6b60fe537cc20164435cbbef2ee80_NeikiAnalytics.exe
Size

495KB
MD5

0ed6b60fe537cc20164435cbbef2ee80
SHA1

2eba75e98a5b0dead85178a1d238515db0654e83
SHA256

a18130f8d3d2ee01d0f9b306e1fe232ada951b92eea3e3f1b9deff1fc86737af
SHA512

c786d0989d421705b34aaf4a6f180db8fda85f5659d9d00e7f71b5c6fb9263c0791ec33c9c78ed0277529f990d1380940bd30c273c510b242ae9dd0a4aa16c7d
SSDEEP

12288:NyAfDcgcTQhgpZBDtoRAG01LqTl2mZoiV:vDVBADt1ZKlX1

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1960	EXEE14.tmp

Loads dropped DLL 2 IoCs

pid	Process
1368	0ed6b60fe537cc20164435cbbef2ee80_NeikiAnalytics.exe
1368	0ed6b60fe537cc20164435cbbef2ee80_NeikiAnalytics.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1960	EXEE14.tmp
1960	EXEE14.tmp

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1368 wrote to memory of 1960	1368	0ed6b60fe537cc20164435cbbef2ee80_NeikiAnalytics.exe	28
PID 1368 wrote to memory of 1960	1368	0ed6b60fe537cc20164435cbbef2ee80_NeikiAnalytics.exe	28
PID 1368 wrote to memory of 1960	1368	0ed6b60fe537cc20164435cbbef2ee80_NeikiAnalytics.exe	28
PID 1368 wrote to memory of 1960	1368	0ed6b60fe537cc20164435cbbef2ee80_NeikiAnalytics.exe	28
PID 1960 wrote to memory of 1388	1960	EXEE14.tmp	29
PID 1960 wrote to memory of 1388	1960	EXEE14.tmp	29
PID 1960 wrote to memory of 1388	1960	EXEE14.tmp	29
PID 1960 wrote to memory of 1388	1960	EXEE14.tmp	29

C:\Users\Admin\AppData\Local\Temp\0ed6b60fe537cc20164435cbbef2ee80_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\0ed6b60fe537cc20164435cbbef2ee80_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1368
- C:\Users\Admin\AppData\Local\Temp\EXEE14.tmp
  "C:\Users\Admin\AppData\Local\Temp\EXEE14.tmp" "C:\Users\Admin\AppData\Local\Temp\OFME15.tmp" "C:\Users\Admin\AppData\Local\Temp\0ed6b60fe537cc20164435cbbef2ee80_NeikiAnalytics.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1960
- - C:\Windows\splwow64.exe
    C:\Windows\splwow64.exe 12288
    3⤵
    PID:1388

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\OFME15.tmp

Filesize
48KB

MD5
ef9356e9f3551803ff72cbba74e2cb56

SHA1
f3126fc469ca1c864f7d0ac9540b0d0995c178ff

SHA256
7f98fffb48d61c6afe379bcdfd8826f287d3c6e057f48d790173db907f3e2de9

SHA512
64e2943ebda5f3d795a77f9dd34b79728c1c836de4148042e226b1f21726be3d8ccfbb72372966a26de3a2959493f3f59ec9ac3c765539e43036984e0b79779b

Download Submit
\Users\Admin\AppData\Local\Temp\EXEE14.tmp

Filesize
968KB

MD5
0f619e7352920d8d21926f2b715e0794

SHA1
cdd75d72647b1c75477c069b51b5f8ab5dc63e50

SHA256
e6090962c2504441c1cd5f6ee75dd5ffbddc38062f02807f0d44176d8f464381

SHA512
380592a1382f40d80839efea429619470b09fc0c0aad8666c6392d8dbd112f5e8719538fc93044454f4ce67375aaae8da59e09563b167ff8adf34240be684dae

Download Submit