Analysis

max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29/05/2024, 09:31

Behavioral task: behavioral1
Sample: 4f41c3bb98efb9ea52e0963f6ff93950_NeikiAnalytics.exe
Resource: win7-20240508-en

Behavioral task: behavioral2
Sample: 4f41c3bb98efb9ea52e0963f6ff93950_NeikiAnalytics.exe
Resource: win10v2004-20240426-en
General

Target: 4f41c3bb98efb9ea52e0963f6ff93950_NeikiAnalytics.exe
Size: 29KB
MD5: 4f41c3bb98efb9ea52e0963f6ff93950
SHA1: 1bb1152aec603dbba69fb58256e3bf37e89d2d73
SHA256: 3345119363bf92bbece133c0efef720ae755b12f2d99e2d927f8346bbee6aa36
SHA512: cf69bfe636a864fcca9054f8cbaacd967da02f5b05fbd58e6bfb3fb276fe21144451ec74379831cff27d3483864de3a18a25a79272553f1b2295290022fb9cb2
SSDEEP: 768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9/z:AEwVs+0jNDY1qi/q7
Malware Config
Signatures

Executes dropped EXE (1 IoC)
pid | Process
760 | services.exe

UPX yara rule matches (resource | yara_rule)
behavioral2 memory dumps of PID 2484 (0x0000000000500000-0x0000000000510200) and PID 760 (0x0000000000400000-0x0000000000408000), taken repeatedly over the run, and the two dropped files behavioral2/files/0x00080000000233d3-4.dat and behavioral2/files/0x00090000000233e4-46.dat all match the rule upx.

Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe" | 4f41c3bb98efb9ea52e0963f6ff93950_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe" | services.exe

Drops file in Windows directory (3 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\java.exe | 4f41c3bb98efb9ea52e0963f6ff93950_NeikiAnalytics.exe
File created | C:\Windows\java.exe | 4f41c3bb98efb9ea52e0963f6ff93950_NeikiAnalytics.exe
File created | C:\Windows\services.exe | 4f41c3bb98efb9ea52e0963f6ff93950_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory (3 IoCs)
description | pid | Process | procid_target
PID 2484 wrote to memory of 760 | 2484 | 4f41c3bb98efb9ea52e0963f6ff93950_NeikiAnalytics.exe | 81
PID 2484 wrote to memory of 760 | 2484 | 4f41c3bb98efb9ea52e0963f6ff93950_NeikiAnalytics.exe | 81
PID 2484 wrote to memory of 760 | 2484 | 4f41c3bb98efb9ea52e0963f6ff93950_NeikiAnalytics.exe | 81
Processes

1. C:\Users\Admin\AppData\Local\Temp\4f41c3bb98efb9ea52e0963f6ff93950_NeikiAnalytics.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\4f41c3bb98efb9ea52e0963f6ff93950_NeikiAnalytics.exe"
   PID: 2484
   - Adds Run key to start application
   - Drops file in Windows directory
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\services.exe (child of PID 2484)
      command line: "C:\Windows\services.exe"
      PID: 760
      - Executes dropped EXE
      - Adds Run key to start application
Network
MITRE ATT&CK Enterprise v15
Downloads