1178b8c28c107d6f7551b9093bbf4b2e28995eedee66cc149cb42338aaaea5c8

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
29/05/2024, 09:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5017b1e4a5eaf2ef28aa3aada015f0b0_NeikiAnalytics.exe
Size

501KB
MD5

5017b1e4a5eaf2ef28aa3aada015f0b0
SHA1

d9ce969d89de683594c1870c8db568b72245d724
SHA256

1178b8c28c107d6f7551b9093bbf4b2e28995eedee66cc149cb42338aaaea5c8
SHA512

e8f942ee56a8606e851d1c142fb03572f9c39455dcd6657573b3c33e8c932dce013e27db0b8082d84baf8be92fbfed4af274bfe9a9a9382933dd71c757218574
SSDEEP

12288:NyAfDcgcTQhgpZBDtoRAG01LqTl2mZoifiE:vDVBADt1ZKlX1

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2928	EXE1786.tmp

Loads dropped DLL 2 IoCs

pid	Process
2868	5017b1e4a5eaf2ef28aa3aada015f0b0_NeikiAnalytics.exe
2868	5017b1e4a5eaf2ef28aa3aada015f0b0_NeikiAnalytics.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2928	EXE1786.tmp
2928	EXE1786.tmp

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2868 wrote to memory of 2928	2868	5017b1e4a5eaf2ef28aa3aada015f0b0_NeikiAnalytics.exe	28
PID 2868 wrote to memory of 2928	2868	5017b1e4a5eaf2ef28aa3aada015f0b0_NeikiAnalytics.exe	28
PID 2868 wrote to memory of 2928	2868	5017b1e4a5eaf2ef28aa3aada015f0b0_NeikiAnalytics.exe	28
PID 2868 wrote to memory of 2928	2868	5017b1e4a5eaf2ef28aa3aada015f0b0_NeikiAnalytics.exe	28
PID 2928 wrote to memory of 2080	2928	EXE1786.tmp	29
PID 2928 wrote to memory of 2080	2928	EXE1786.tmp	29
PID 2928 wrote to memory of 2080	2928	EXE1786.tmp	29
PID 2928 wrote to memory of 2080	2928	EXE1786.tmp	29

C:\Users\Admin\AppData\Local\Temp\5017b1e4a5eaf2ef28aa3aada015f0b0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\5017b1e4a5eaf2ef28aa3aada015f0b0_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2868
- C:\Users\Admin\AppData\Local\Temp\EXE1786.tmp
  "C:\Users\Admin\AppData\Local\Temp\EXE1786.tmp" "C:\Users\Admin\AppData\Local\Temp\OFM1787.tmp" "C:\Users\Admin\AppData\Local\Temp\5017b1e4a5eaf2ef28aa3aada015f0b0_NeikiAnalytics.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2928
- - C:\Windows\splwow64.exe
    C:\Windows\splwow64.exe 12288
    3⤵
    PID:2080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\OFM1787.tmp

Filesize
64KB

MD5
fcd8485449d2855ef5f72715968a644e

SHA1
0ced057f02cba544bf52a974472829b249c59c06

SHA256
249d9b9de3930e76204870b5e988f58848f636c2e833ed5cab39d225f883f249

SHA512
f1a34e568fdd4c4494af05477fa313aa2f93a786f095c0f3e44fa9310620f4ee37845eaa067bad02b26a70ab5db7f0014cd765f7db1b1d2a338827a8a99b442f

Download Submit
\Users\Admin\AppData\Local\Temp\EXE1786.tmp

Filesize
968KB

MD5
0f619e7352920d8d21926f2b715e0794

SHA1
cdd75d72647b1c75477c069b51b5f8ab5dc63e50

SHA256
e6090962c2504441c1cd5f6ee75dd5ffbddc38062f02807f0d44176d8f464381

SHA512
380592a1382f40d80839efea429619470b09fc0c0aad8666c6392d8dbd112f5e8719538fc93044454f4ce67375aaae8da59e09563b167ff8adf34240be684dae

Download Submit