Analysis
-
max time kernel
120s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
02-06-2024 22:07
Behavioral task
behavioral1
Sample
72bcd32fe8e2701bc5415b24c9084390_NeikiAnalytics.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
72bcd32fe8e2701bc5415b24c9084390_NeikiAnalytics.exe
Resource
win10v2004-20240508-en
General
-
Target
72bcd32fe8e2701bc5415b24c9084390_NeikiAnalytics.exe
-
Size
285KB
-
MD5
72bcd32fe8e2701bc5415b24c9084390
-
SHA1
49672200dc718711d0893def1481c41f696b5ff5
-
SHA256
ecc9c891bbb12e2b6b74e3a3c7c52e84e5813bff8e9dcd2c28e33b58a0218c2a
-
SHA512
5905218e46f5481520ef77d957315c48c521046beb725bf360063fdb8af9f5f9dbac0761c1f5bbded23d633211a4fc3f19abd26f00c61bcf90f4595af3d8cc94
-
SSDEEP
6144:2ZibQcmlVD+BgotLvTtehd1wLIE92FJ1wZycpaiTyn:20q+BgotLvTtehd1wd92FJ1yA
Malware Config
Signatures
-
Deletes itself 1 IoCs
Processes:
cmd.exepid process 2124 cmd.exe -
Executes dropped EXE 1 IoCs
Processes:
huter.exepid process 3044 huter.exe -
Loads dropped DLL 1 IoCs
Processes:
72bcd32fe8e2701bc5415b24c9084390_NeikiAnalytics.exepid process 2880 72bcd32fe8e2701bc5415b24c9084390_NeikiAnalytics.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
72bcd32fe8e2701bc5415b24c9084390_NeikiAnalytics.exedescription pid process target process PID 2880 wrote to memory of 3044 2880 72bcd32fe8e2701bc5415b24c9084390_NeikiAnalytics.exe huter.exe PID 2880 wrote to memory of 3044 2880 72bcd32fe8e2701bc5415b24c9084390_NeikiAnalytics.exe huter.exe PID 2880 wrote to memory of 3044 2880 72bcd32fe8e2701bc5415b24c9084390_NeikiAnalytics.exe huter.exe PID 2880 wrote to memory of 3044 2880 72bcd32fe8e2701bc5415b24c9084390_NeikiAnalytics.exe huter.exe PID 2880 wrote to memory of 2124 2880 72bcd32fe8e2701bc5415b24c9084390_NeikiAnalytics.exe cmd.exe PID 2880 wrote to memory of 2124 2880 72bcd32fe8e2701bc5415b24c9084390_NeikiAnalytics.exe cmd.exe PID 2880 wrote to memory of 2124 2880 72bcd32fe8e2701bc5415b24c9084390_NeikiAnalytics.exe cmd.exe PID 2880 wrote to memory of 2124 2880 72bcd32fe8e2701bc5415b24c9084390_NeikiAnalytics.exe cmd.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\72bcd32fe8e2701bc5415b24c9084390_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\72bcd32fe8e2701bc5415b24c9084390_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\huter.exe"C:\Users\Admin\AppData\Local\Temp\huter.exe"2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "2⤵
- Deletes itself
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\golfinfo.iniFilesize
512B
MD5a2de452e45db47c817b5ada178bd2e83
SHA144b16b5c0e400a2af95299d0c08a6a4fda14bc4c
SHA256516ba3f510ebfd821b47f63ac2c47faa15d5f2ba8732c79c0265fa8aa3ad8fd4
SHA5128799d95d502764a4266c37c1c5fbb24fb9ab94983310962deafd5e246c5900993dffb2c2b06ab6709cc4141aab3346a9cf65b2a62744dbf11c7d381af654be85
-
C:\Users\Admin\AppData\Local\Temp\sanfdr.batFilesize
304B
MD56625746f392cfa6b042038f885dceeb3
SHA1fce49078f95c7d1f67f4c5008d88a851911908a3
SHA25682b0b98932151939bd82dcfcd46e192942e929c56c7d40ba6af3e01ec2a1e08c
SHA512e2f41a7a4c97727abf7ba2d65af28a3feb5ff44b840e72bfc5bc4ea6a1274a43f47da349431a5d564a5a510b69d860eb0257f8b6a5e987427899a60c78f2430f
-
\Users\Admin\AppData\Local\Temp\huter.exeFilesize
285KB
MD5324ced6e9b242278f1c42925e23aea93
SHA15395770c61d95b99ab5e3c9362e4e52eb3b5de99
SHA256f0c9153cc4837431b5aa157449c3faa48c624732240e1c32e6afb3581c0e36c2
SHA512fbe5d34cf39a71a5d3a8b21c410531bed3c17234434e7c2eb2f26571a3b685742eb8bec8617460a3f8bc16ae59f92959d8a90fe3bc6d5100080315f83744f187