ea0abd691e5ebb4878cad5500a95ffe8f546fbd366106f1a5bfe37213db672d9

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
31/05/2024, 22:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

82ab49c0b09b3a5e345d583b4c946a90_NeikiAnalytics.exe
Size

94KB
MD5

82ab49c0b09b3a5e345d583b4c946a90
SHA1

7429b51b9934c1d61f01000fd40a45b63eb7ec61
SHA256

ea0abd691e5ebb4878cad5500a95ffe8f546fbd366106f1a5bfe37213db672d9
SHA512

24defe8ae649bbaf5c8d52aa3ae0e2108ebd92143eb21015d0dfd84aa41469add6938fc8d2eb423a5a5e5e984072bc203126831e2678516b880e814fe65a0f5b
SSDEEP

1536:PGYU/W2/HG6QMauSV3ixJHABLrmhH7i9CO+WHg7zRZICrWaGZh7uC:PfU/WF6QMauSuiWNi9CO+WARJrWNZ5

Score

7^/10

persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2784	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
276	wuauclt.exe

Loads dropped DLL 1 IoCs

pid	Process
3008	82ab49c0b09b3a5e345d583b4c946a90_NeikiAnalytics.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Window Update = "\"C:\\ProgramData\\Update\\wuauclt.exe\" /run"	82ab49c0b09b3a5e345d583b4c946a90_NeikiAnalytics.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3008 wrote to memory of 276	3008	82ab49c0b09b3a5e345d583b4c946a90_NeikiAnalytics.exe	28
PID 3008 wrote to memory of 276	3008	82ab49c0b09b3a5e345d583b4c946a90_NeikiAnalytics.exe	28
PID 3008 wrote to memory of 276	3008	82ab49c0b09b3a5e345d583b4c946a90_NeikiAnalytics.exe	28
PID 3008 wrote to memory of 276	3008	82ab49c0b09b3a5e345d583b4c946a90_NeikiAnalytics.exe	28
PID 3008 wrote to memory of 2784	3008	82ab49c0b09b3a5e345d583b4c946a90_NeikiAnalytics.exe	29
PID 3008 wrote to memory of 2784	3008	82ab49c0b09b3a5e345d583b4c946a90_NeikiAnalytics.exe	29
PID 3008 wrote to memory of 2784	3008	82ab49c0b09b3a5e345d583b4c946a90_NeikiAnalytics.exe	29
PID 3008 wrote to memory of 2784	3008	82ab49c0b09b3a5e345d583b4c946a90_NeikiAnalytics.exe	29

C:\Users\Admin\AppData\Local\Temp\82ab49c0b09b3a5e345d583b4c946a90_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\82ab49c0b09b3a5e345d583b4c946a90_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3008
- C:\ProgramData\Update\wuauclt.exe
  "C:\ProgramData\Update\wuauclt.exe" /run
  2⤵
  - Executes dropped EXE
  PID:276
- C:\windows\SysWOW64\cmd.exe
  "C:\windows\system32\cmd.exe" /c del /q "C:\Users\Admin\AppData\Local\Temp\82ab49c0b09b3a5e345d583b4c946a90_NeikiAnalytics.exe" >> NUL
  2⤵
  - Deletes itself
  PID:2784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\ProgramData\Update\wuauclt.exe

Filesize
94KB

MD5
73a7274b66fa279c0cd7cec12fdc8d46

SHA1
ecb9c3aacc81f1f545802721e888a19b09ed1f21

SHA256
0c4100a943c1466713b7899682ac9f4bf3262d2aa904929063e17251dd0434e2

SHA512
3fd144f6b4da6778ebb8303fe88977f983e8775ba5d62353b528d34e8fa0c02b98b70d00f2e0c1ebc064cb42928474472745cba56bc51278d4de07c034dc2ea4

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads