0350e40d53218b28be1f1d7e73d49111ee9b1f2b370af8df5c16f0fb2d05d7b5

Analysis

max time kernel
149s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
26/05/2024, 21:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

02d88f2533a0507d8e3588ef2c490820_NeikiAnalytics.exe
Size

91KB
MD5

02d88f2533a0507d8e3588ef2c490820
SHA1

4df149a1dcfbffc303244aefe65ca48b81900c3c
SHA256

0350e40d53218b28be1f1d7e73d49111ee9b1f2b370af8df5c16f0fb2d05d7b5
SHA512

500960e9d4a4337948a171a9d303efaec502114500301af2fa7d6b619c711b9bd4e70f182638e231cb715afee62151e620a1a375a4cbcc9cc7d8a12a789e3363
SSDEEP

1536:/Ao0+j2d6rnJqlIUSJnJBSX1nV1b1N1Il1k1YFI1x1J1MuEqx517Q/1T1Jzct01G:/AoVl4lXinJBSX1nV1b1N1Il1k1YFI1H

Score

7^/10

persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2848	microsofthelp.exe

Executes dropped EXE 1 IoCs

pid	Process
2848	microsofthelp.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\microsofthelp = "C:\\Windows\\microsofthelp.exe"	02d88f2533a0507d8e3588ef2c490820_NeikiAnalytics.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\microsofthelp.exe	02d88f2533a0507d8e3588ef2c490820_NeikiAnalytics.exe
File created	C:\Windows\HidePlugin.dll	microsofthelp.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3020 wrote to memory of 2848	3020	02d88f2533a0507d8e3588ef2c490820_NeikiAnalytics.exe	28
PID 3020 wrote to memory of 2848	3020	02d88f2533a0507d8e3588ef2c490820_NeikiAnalytics.exe	28
PID 3020 wrote to memory of 2848	3020	02d88f2533a0507d8e3588ef2c490820_NeikiAnalytics.exe	28
PID 3020 wrote to memory of 2848	3020	02d88f2533a0507d8e3588ef2c490820_NeikiAnalytics.exe	28

C:\Users\Admin\AppData\Local\Temp\02d88f2533a0507d8e3588ef2c490820_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\02d88f2533a0507d8e3588ef2c490820_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3020
- C:\Windows\microsofthelp.exe
  "C:\Windows\microsofthelp.exe"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Drops file in Windows directory
  PID:2848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\microsofthelp.exe

Filesize
92KB

MD5
e9292d827fb4bedd84f9ccb68fd375a8

SHA1
6b61d8f759753396a0a363f8a70cc97cafb8081c

SHA256
654582ae3b939461fb9723ea0bdb53d08ef054cc9fc8e86d75e48ea6b4658126

SHA512
b5fd8b3c6abdd1d3d8bf3ecb963304e2bc09fd036ecbf3a9402595c393f01ab5bd26f97ce996bd04e9d875a9512b5ef0bd9353e935bbb0d395a9dd6fb5b606ec

Download Submit
memory/3020-0-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/3020-6-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads