Analysis
-
max time kernel
120s -
max time network
126s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
26/05/2024, 14:17
Static task
static1
Behavioral task
behavioral1
Sample
080d1485cfbd03b271340e725881da60_NeikiAnalytics.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
080d1485cfbd03b271340e725881da60_NeikiAnalytics.exe
Resource
win10v2004-20240508-en
General
-
Target
080d1485cfbd03b271340e725881da60_NeikiAnalytics.exe
-
Size
2.2MB
-
MD5
080d1485cfbd03b271340e725881da60
-
SHA1
2806467db3e45e071dd66ef2bf9f1307cd349399
-
SHA256
4f780492c9a8a825f7c259aae31d0a9f00b435d7f87e297390c8386c63f32769
-
SHA512
34c57614e5255355fae7bf73e71a2c6266c2b2d6fbd02c7d4fabe61b7af2e2054b8d4b799aa42917d21ba0eb39dc77b1e324b91f82c42f21925432aa62b90ae9
-
SSDEEP
24576:n2dJqwaZs9a8fbKmIwlDSIerahovRCVCWWO0BubzQ0Rj3jtK+a++K+jNd1RzVCEL:n7n7pNXheQc3Fg7g3vYXg
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid Process 2528 WG8D80.tmp -
Loads dropped DLL 2 IoCs
pid Process 1284 080d1485cfbd03b271340e725881da60_NeikiAnalytics.exe 1284 080d1485cfbd03b271340e725881da60_NeikiAnalytics.exe -
resource yara_rule behavioral1/files/0x000e000000014e3d-27.dat upx behavioral1/memory/1284-29-0x0000000002AE0000-0x0000000002B03000-memory.dmp upx behavioral1/memory/2528-36-0x0000000000400000-0x0000000000423000-memory.dmp upx behavioral1/memory/2528-38-0x0000000000400000-0x0000000000423000-memory.dmp upx -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 1284 080d1485cfbd03b271340e725881da60_NeikiAnalytics.exe 1284 080d1485cfbd03b271340e725881da60_NeikiAnalytics.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 1284 080d1485cfbd03b271340e725881da60_NeikiAnalytics.exe Token: SeDebugPrivilege 1284 080d1485cfbd03b271340e725881da60_NeikiAnalytics.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 1284 080d1485cfbd03b271340e725881da60_NeikiAnalytics.exe 1284 080d1485cfbd03b271340e725881da60_NeikiAnalytics.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 1284 wrote to memory of 2528 1284 080d1485cfbd03b271340e725881da60_NeikiAnalytics.exe 28 PID 1284 wrote to memory of 2528 1284 080d1485cfbd03b271340e725881da60_NeikiAnalytics.exe 28 PID 1284 wrote to memory of 2528 1284 080d1485cfbd03b271340e725881da60_NeikiAnalytics.exe 28 PID 1284 wrote to memory of 2528 1284 080d1485cfbd03b271340e725881da60_NeikiAnalytics.exe 28
Processes
-
C:\Users\Admin\AppData\Local\Temp\080d1485cfbd03b271340e725881da60_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\080d1485cfbd03b271340e725881da60_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1284 -
C:\Users\Admin\AppData\Local\Temp\WG8D80.tmpC:\Users\Admin\AppData\Local\Temp\WG8D80.tmp2⤵
- Executes dropped EXE
PID:2528
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
110B
MD57c8c531ff6a158742da186b1fad6e00e
SHA198d4551e0d6ac034838a17437640f3335edfaa86
SHA25600ddbc71282fdbf74b8a02cc75b2c3d66529fe7664c148cc0ca79576a883c501
SHA5121788173da6e9cf7e5421c02854ca9122d0825927f33fc64bafb76377ee80c0e1a8112c36ee40b1cbce86e121f864777e8ddf9aecd282f3cc82b70e12cc904805
-
Filesize
15KB
MD5e6b75a3573c1825d9827bf8720369010
SHA11fb308d81358ca8db5e6f7609b9caf697477b415
SHA2568f55a211f420fcdae8ca894407f72e423997d054dbdab14c54568570a30daa03
SHA5124713e374786be79088b276b322b2aa2e747bb1adc4fe7de6612a433c64a917b63d9cdd0de3cdcc786e2b7b11da421b6f73e60b9db7ceaba4cfe5d0d11528608c