Analysis
- max time kernel: 149s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
- submitted: 27/05/2024, 12:11
Static task: static1
Behavioral task: behavioral1
- Sample: c63b49da763fd0470e4ab20c99307850_NeikiAnalytics.exe
- Resource: win7-20240508-en
Behavioral task: behavioral2
- Sample: c63b49da763fd0470e4ab20c99307850_NeikiAnalytics.exe
- Resource: win10v2004-20240508-en
General
- Target: c63b49da763fd0470e4ab20c99307850_NeikiAnalytics.exe
- Size: 78KB
- MD5: c63b49da763fd0470e4ab20c99307850
- SHA1: be94bebff9f438defcb55738dfd7941abf90cf9b
- SHA256: 0b40b8fb59834f4cf3a5a3a21b3cfbc1154edbd61164f99ff07c2a39433771d9
- SHA512: 847a78e7c3a196dadd3b78b6e38f95389b519c2cd3ec9f0f3ff6cd67e4ffccf5bee6a15a768ad524e1b8a8176022c1dbd9e570ef564e46e53a1deeb8f0fff56f
- SSDEEP: 768:EflihXrHKpVhKvtxwYHwVFoeAQDmucwUbfVAThsf4vvvWTDoNMl:6lsrHKprVuQDofVAhNO
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid   Process
  2080  jusched.exe
- Loads dropped DLL (2 IoCs)
  pid   Process
  2416  c63b49da763fd0470e4ab20c99307850_NeikiAnalytics.exe
  2416  c63b49da763fd0470e4ab20c99307850_NeikiAnalytics.exe
- Drops file in Program Files directory (2 IoCs)
  description   ioc                                           Process
  File created  C:\Program Files (x86)\18739b51\jusched.exe   c63b49da763fd0470e4ab20c99307850_NeikiAnalytics.exe
  File created  C:\Program Files (x86)\18739b51\18739b51      c63b49da763fd0470e4ab20c99307850_NeikiAnalytics.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid   Process
  2080  jusched.exe   (the same pid/process pair is recorded for all 64 IoCs)
- Suspicious use of WriteProcessMemory (4 IoCs)
  description                       pid   Process                                              procid_target
  PID 2416 wrote to memory of 2080  2416  c63b49da763fd0470e4ab20c99307850_NeikiAnalytics.exe  28
  (the same entry is recorded 4 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\c63b49da763fd0470e4ab20c99307850_NeikiAnalytics.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\c63b49da763fd0470e4ab20c99307850_NeikiAnalytics.exe"
  PID: 2416
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  - C:\Program Files (x86)\18739b51\jusched.exe
    Command line: "C:\Program Files (x86)\18739b51\jusched.exe"
    PID: 2080
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 13B
  MD5: f253efe302d32ab264a76e0ce65be769
  SHA1: 768685ca582abd0af2fbb57ca37752aa98c9372b
  SHA256: 49dca65f362fee401292ed7ada96f96295eab1e589c52e4e66bf4aedda715fdd
  SHA512: 1990d20b462406bbadb22ba43f1ed9d0db6b250881d4ac89ad8cf6e43ca92b2fd31c3a15be1e6e149e42fdb46e58122c15bc7869a82c9490656c80df69fa77c4
- Filesize: 78KB
  MD5: 6dbbc9d087581a566e416fa95d92a46c
  SHA1: b074e55c5410353d3afd65f55323d9688c0edee9
  SHA256: cc6ae326cac6e1df7011e7db60e4d9a2cf2d23544453e874295976159be405cc
  SHA512: 4f833581c05cd20de18f9b6d44ca209d38eaf6154fa57a1c5e49c0d8b516aa6855a51ff41856e51aa678d3d5a20218362090a491a3c94ac92fad20dc2803ec43