e2c257633a1d0a36e870b957390f21b49872aa752ba8cebf0dd9ab052938d54d

Analysis

max time kernel
120s
max time network
125s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
30-05-2024 12:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

18974c83acf231727e4f844734890560_NeikiAnalytics.exe
Size

95KB
MD5

18974c83acf231727e4f844734890560
SHA1

7244823c17e8cc6b1c018c3cfd8687efc280cc54
SHA256

e2c257633a1d0a36e870b957390f21b49872aa752ba8cebf0dd9ab052938d54d
SHA512

b31f389a263b6023e5d2009148051dd594f189198f3de836b1ea7b9f0aee1d41887f300af4c6dbe7aae85cba5a87b70fe5db07f7ebd0f35b093485ac9bc3723b
SSDEEP

1536:EGqRGbQHSgOTw1BFxnsUdsdBhMgxRFy2kckEUEVvccRPAAXLSYPph/ATvYSByU64:lbjgjXxdWBhMwRFy2Rk/kcIAebPph/A3

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2676	WScript.exe

Executes dropped EXE 2 IoCs

pid	Process
2056	rMX.exe
2772	rMX.exe.exe

Loads dropped DLL 4 IoCs

pid	Process
2172	18974c83acf231727e4f844734890560_NeikiAnalytics.exe
2172	18974c83acf231727e4f844734890560_NeikiAnalytics.exe
3048	cmd.exe
3048	cmd.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\nk.txt	cmd.exe
File created	C:\WINDOWS\VWFLH\rMX.exe	18974c83acf231727e4f844734890560_NeikiAnalytics.exe
File opened for modification	C:\WINDOWS\VWFLH\rMX.exe	18974c83acf231727e4f844734890560_NeikiAnalytics.exe
File created	\??\c:\windows\rMX.exe.bat	rMX.exe
File created	C:\WINDOWS\VWFLH\rMX.exe.exe	rMX.exe
File opened for modification	C:\WINDOWS\VWFLH\rMX.exe.exe	rMX.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 2172 wrote to memory of 2056	2172	18974c83acf231727e4f844734890560_NeikiAnalytics.exe	28
PID 2172 wrote to memory of 2056	2172	18974c83acf231727e4f844734890560_NeikiAnalytics.exe	28
PID 2172 wrote to memory of 2056	2172	18974c83acf231727e4f844734890560_NeikiAnalytics.exe	28
PID 2172 wrote to memory of 2056	2172	18974c83acf231727e4f844734890560_NeikiAnalytics.exe	28
PID 2056 wrote to memory of 1396	2056	rMX.exe	29
PID 2056 wrote to memory of 1396	2056	rMX.exe	29
PID 2056 wrote to memory of 1396	2056	rMX.exe	29
PID 2056 wrote to memory of 1396	2056	rMX.exe	29
PID 2056 wrote to memory of 3048	2056	rMX.exe	30
PID 2056 wrote to memory of 3048	2056	rMX.exe	30
PID 2056 wrote to memory of 3048	2056	rMX.exe	30
PID 2056 wrote to memory of 3048	2056	rMX.exe	30
PID 2172 wrote to memory of 2536	2172	18974c83acf231727e4f844734890560_NeikiAnalytics.exe	32
PID 2172 wrote to memory of 2536	2172	18974c83acf231727e4f844734890560_NeikiAnalytics.exe	32
PID 2172 wrote to memory of 2536	2172	18974c83acf231727e4f844734890560_NeikiAnalytics.exe	32
PID 2172 wrote to memory of 2536	2172	18974c83acf231727e4f844734890560_NeikiAnalytics.exe	32
PID 3048 wrote to memory of 2772	3048	cmd.exe	35
PID 3048 wrote to memory of 2772	3048	cmd.exe	35
PID 3048 wrote to memory of 2772	3048	cmd.exe	35
PID 3048 wrote to memory of 2772	3048	cmd.exe	35
PID 2772 wrote to memory of 2644	2772	rMX.exe.exe	36
PID 2772 wrote to memory of 2644	2772	rMX.exe.exe	36
PID 2772 wrote to memory of 2644	2772	rMX.exe.exe	36
PID 2772 wrote to memory of 2644	2772	rMX.exe.exe	36
PID 2536 wrote to memory of 2676	2536	cmd.exe	38
PID 2536 wrote to memory of 2676	2536	cmd.exe	38
PID 2536 wrote to memory of 2676	2536	cmd.exe	38
PID 2536 wrote to memory of 2676	2536	cmd.exe	38
PID 2644 wrote to memory of 2444	2644	cmd.exe	39
PID 2644 wrote to memory of 2444	2644	cmd.exe	39
PID 2644 wrote to memory of 2444	2644	cmd.exe	39
PID 2644 wrote to memory of 2444	2644	cmd.exe	39

C:\Users\Admin\AppData\Local\Temp\18974c83acf231727e4f844734890560_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\18974c83acf231727e4f844734890560_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2172
- C:\WINDOWS\VWFLH\rMX.exe
  C:\WINDOWS\VWFLH\rMX.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2056
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c echo 0>>c:\windows\nk.txt
    3⤵
    - Drops file in Windows directory
    PID:1396
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\WINDOWS\VWFLH\rMX.exe.exe
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:3048
  - - C:\WINDOWS\VWFLH\rMX.exe.exe
      C:\WINDOWS\VWFLH\rMX.exe.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2772
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\10.vbs
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2644
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\10.vbs"
        6⤵
        
        PID:2444
- C:\Windows\SysWOW64\cmd.exe
  cmd /c c:\89.vbs
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2536
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\89.vbs"
    3⤵
    - Deletes itself
    PID:2676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\10.vbs

Filesize
162B

MD5
b44af3081381bc226c213a7aa4efb84a

SHA1
fdb1e1ae1f5f68c031cad04627e056aaf121e3c3

SHA256
13c89c899605c7a99548ffe750b12ca277f7c81193045f1ebb7fbee45a4fc37f

SHA512
fc769741be1895b4b5296a69f70038b20288be7e08dce8c962d39e8e6dc4ca04f4ea68c356e88404c93dca922d8e96e3a4727015a6b4bb04d7457b7d1d0d5284

Download Submit
C:\89.vbs

Filesize
219B

MD5
8eb5a8f1c43f510873d8c88857664470

SHA1
b7cfd7caa488b7a132359c0bd9b92043cf4bb139

SHA256
22560ac3148cdf21f7475459efc23ad1ee8844f121a242d7be8337a92738e885

SHA512
58bf77463e977e03531963b2e1905d58fce30a952484eddf8827d706600ba12e7f74174b2828022ae3ce8eb4598c5f8be1c652190071263423bb68a06b9951b1

Download Submit
C:\Windows\VWFLH\rMX.exe

Filesize
95KB

MD5
18974c83acf231727e4f844734890560

SHA1
7244823c17e8cc6b1c018c3cfd8687efc280cc54

SHA256
e2c257633a1d0a36e870b957390f21b49872aa752ba8cebf0dd9ab052938d54d

SHA512
b31f389a263b6023e5d2009148051dd594f189198f3de836b1ea7b9f0aee1d41887f300af4c6dbe7aae85cba5a87b70fe5db07f7ebd0f35b093485ac9bc3723b

Download Submit
\Windows\VWFLH\rMX.exe.exe

Filesize
95KB

MD5
a1410e45d4f446750daa2496562fd6ce

SHA1
305368e826473c0aebf04483de699a3816aceca5

SHA256
25cf3e1c9289e7eaf74c6b828e8e9fbf6247b6bbe15eb1aaad69bb7f5ab559d5

SHA512
249787026b26d14d77b3fe1a1a98b7890c869955166dc52720c63d8eb1c1b06059bd5b5265f4153e34fa8bf3c42a3cd1db982e2290cd029fdacf2e9fcd1d8875

Download Submit
memory/2056-13-0x000000007EEE0000-0x000000007EEFF000-memory.dmp

Filesize
124KB

Download
memory/2172-15-0x000000007EEE0000-0x000000007EEFF000-memory.dmp

Filesize
124KB

Download
memory/2772-28-0x000000007EEE0000-0x000000007EEFF000-memory.dmp

Filesize
124KB

Download