ae78c4cb8ff8e5ee9f4567fdf1a8b33cb75cdac7e4e1019aeffe18d544eb056c

Analysis

max time kernel
117s
max time network
120s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
02/06/2024, 00:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1672279668211b916399ddf57f6597e0_NeikiAnalytics.exe
Size

29KB
MD5

1672279668211b916399ddf57f6597e0
SHA1

a2c32bf4495c27e37f465a26ef3a176c79df4bc0
SHA256

ae78c4cb8ff8e5ee9f4567fdf1a8b33cb75cdac7e4e1019aeffe18d544eb056c
SHA512

cb47b71ee63b78e0825f0749e35f7aa055162454d409c5fa477384ec7103177af19fca500f76293234ebe2187cc96d31e303630510a0b05abe50dc16142a2d94
SSDEEP

384:eApc8m4e0GvQak4JI341C0abnk6hJIuq1Qdv:eApQr0GvdFJI34qTk6hJIuIA

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3008	sal.exe

Loads dropped DLL 2 IoCs

pid	Process
2240	1672279668211b916399ddf57f6597e0_NeikiAnalytics.exe
2240	1672279668211b916399ddf57f6597e0_NeikiAnalytics.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	\??\c:\windows\SysWOW64\sal.exe	1672279668211b916399ddf57f6597e0_NeikiAnalytics.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2240 wrote to memory of 3008	2240	1672279668211b916399ddf57f6597e0_NeikiAnalytics.exe	28
PID 2240 wrote to memory of 3008	2240	1672279668211b916399ddf57f6597e0_NeikiAnalytics.exe	28
PID 2240 wrote to memory of 3008	2240	1672279668211b916399ddf57f6597e0_NeikiAnalytics.exe	28
PID 2240 wrote to memory of 3008	2240	1672279668211b916399ddf57f6597e0_NeikiAnalytics.exe	28

C:\Users\Admin\AppData\Local\Temp\1672279668211b916399ddf57f6597e0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\1672279668211b916399ddf57f6597e0_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2240
- C:\windows\SysWOW64\sal.exe
  "C:\windows\system32\sal.exe"
  2⤵
  - Executes dropped EXE
  PID:3008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\sal.exe

Filesize
29KB

MD5
1e2f4367fd0c658ddf0fa8bbba84535f

SHA1
7b28da12b094fdaad18030bdbb6dd60bd28da5f2

SHA256
70f9278937797f409f915d276ed4d45c85d6dd8f3347b2c05301c713fd674ab6

SHA512
52aab8c3c25fc72304c6ad63dd760e2695c52495cfd880b0c9d6ed0f3b20c0dbf0cd7bc4b95b38cfb7c31bb7e17baf46baeb7444dad610ee7c1011815a670141

Download Submit