38ca3927279d4d14b4a7bdf77eefa3186336927a0f6ffe97e84f3674ba7ace11

Analysis

max time kernel
149s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
26/05/2024, 00:20

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

3dddf34170f9918defe0142362ed2fa0_NeikiAnalytics.exe
Size

408KB
MD5

3dddf34170f9918defe0142362ed2fa0
SHA1

124cde6abc5d0c8ea382092cccce3576c22aa497
SHA256

38ca3927279d4d14b4a7bdf77eefa3186336927a0f6ffe97e84f3674ba7ace11
SHA512

f66ba47d1eb8d91d7d9618ba7bd9a54713f34003524b485e68193f4fe9f61ce1f952cae965dacf36e6df3b41ad134a5b7ab5c7e93d7b2946be48fcb370285ff2
SSDEEP

6144:4jlYKRF/LReWAsUyqZGL+zcwrDgBcdNbqRmiBhnMzcj/0c5u8prA:4jauDReWYZDXDgBNRiesWuIA

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3212	fxfme.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\ProgramData\\fxfme.exe"	fxfme.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4572 wrote to memory of 3212	4572	3dddf34170f9918defe0142362ed2fa0_NeikiAnalytics.exe	82
PID 4572 wrote to memory of 3212	4572	3dddf34170f9918defe0142362ed2fa0_NeikiAnalytics.exe	82
PID 4572 wrote to memory of 3212	4572	3dddf34170f9918defe0142362ed2fa0_NeikiAnalytics.exe	82

C:\Users\Admin\AppData\Local\Temp\3dddf34170f9918defe0142362ed2fa0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\3dddf34170f9918defe0142362ed2fa0_NeikiAnalytics.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4572
- C:\ProgramData\fxfme.exe
  "C:\ProgramData\fxfme.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:3212

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Documents and Settings .exe

Filesize
408KB

MD5
e8c9e273a3690070c8df4ede1610f49d

SHA1
16214fc07b2fa155ac6bfac711b0e302e95ea6ea

SHA256
5bcdefa4ee06a09a9ea0b273d7f445f94cd529c80afd7e5892193cef551b9365

SHA512
5c843750a1171ba02c5d565cee31117a4aed7a85cd764df515cdc34d8d4624da07f227404a740240b4e07f244632520b3afeb6ab8a2ba3d83c303dfa27bc9ea8

Download Submit
C:\ProgramData\Saaaalamm\Mira.h

Filesize
136KB

MD5
cb4c442a26bb46671c638c794bf535af

SHA1
8a742d0b372f2ddd2d1fdf688c3c4ac7f9272abf

SHA256
f8d2c17bdf34ccfb58070ac8b131a8d95055340101a329f9a7212ac5240d0c25

SHA512
074a31e8da403c0a718f93cbca50574d8b658921193db0e6e20eacd232379286f14a3698cd443dc740d324ad19d74934ae001a7ad64b88897d8afefbc9a3d4e3

Download Submit
C:\ProgramData\fxfme.exe

Filesize
271KB

MD5
23740906014cf5ae86f9af350bdd5b51

SHA1
9c4271790b6d04a96f8592c6849d4d1e0f6eafea

SHA256
da5d44ee21fc1b3b5250670f85db5172b3c73f037c1df65d9a6a1a6384c44117

SHA512
c547c8150aee358d2a9d9b747d07ea529eea1f193d98a58e067b3e47dfd950f81c30b53f88e94fdc4a199542a098ad89e26ffcdfc99cc6a6eed93898b0918f7c

Download Submit
memory/3212-130-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3212-1221-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4572-0-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/4572-1-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/4572-8-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads