Analysis
- max time kernel: 149s
- max time network: 129s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
- submitted: 03-06-2024 01:41

Static task: static1
Behavioral task: behavioral1
- Sample: 970ab7302a9b5b9ee4634396988cff50_NeikiAnalytics.exe
- Resource: win7-20240508-en
General
- Target: 970ab7302a9b5b9ee4634396988cff50_NeikiAnalytics.exe
- Size: 6.5MB
- MD5: 970ab7302a9b5b9ee4634396988cff50
- SHA1: f7c34ca04b3e3620e92d8d9e375b738b0d102b73
- SHA256: a30922df99e9ccdad5da7ae843f0177ba29a075338128937da4982aac777bd45
- SHA512: 763e05a2eabbdeb24e873a388eb4f0ac7f99c295fe4344b5bfc09f90eda6786888ddfc03cab133b5a563caccdfde83646d650886034bad5cd6c2e3a78944d9a1
- SSDEEP: 98304:Roc5swrA2XGxlHKcjTjNk3o659yrnfKtDrKIAyyks+Ctf8mQZVSc:i0LrA2kHKQHNk3og9unipQyOaOc
Malware Config
Extracted: urelas
- 218.54.31.165
- 218.54.31.226
Signatures
- Deletes itself (1 IoCs)
  Processes:
    pid   process
    2620  cmd.exe
- Executes dropped EXE (3 IoCs)
  Processes:
    pid   process
    3048  peryh.exe
    2872  yptadu.exe
    1148  sehom.exe
- Loads dropped DLL (5 IoCs)
  Processes:
    pid   process
    2040  970ab7302a9b5b9ee4634396988cff50_NeikiAnalytics.exe
    2040  970ab7302a9b5b9ee4634396988cff50_NeikiAnalytics.exe
    3048  peryh.exe
    3048  peryh.exe
    2872  yptadu.exe
  Processes:
    resource                                                                       yara_rule
    \Users\Admin\AppData\Local\Temp\sehom.exe                                      upx
    behavioral1/memory/1148-168-0x0000000000400000-0x0000000000599000-memory.dmp   upx
    behavioral1/memory/1148-174-0x0000000000400000-0x0000000000599000-memory.dmp   upx
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (15 IoCs)
  Processes:
    pid   process
    2040  970ab7302a9b5b9ee4634396988cff50_NeikiAnalytics.exe
    3048  peryh.exe
    2872  yptadu.exe
    1148  sehom.exe (12 entries)
- Suspicious use of WriteProcessMemory (20 IoCs)
  Processes:
    description                              pid   process                                                target process
    PID 2040 wrote to memory of 3048 (x4)    2040  970ab7302a9b5b9ee4634396988cff50_NeikiAnalytics.exe   peryh.exe
    PID 2040 wrote to memory of 2620 (x4)    2040  970ab7302a9b5b9ee4634396988cff50_NeikiAnalytics.exe   cmd.exe
    PID 3048 wrote to memory of 2872 (x4)    3048  peryh.exe                                              yptadu.exe
    PID 2872 wrote to memory of 1148 (x4)    2872  yptadu.exe                                             sehom.exe
    PID 2872 wrote to memory of 1764 (x4)    2872  yptadu.exe                                             cmd.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\970ab7302a9b5b9ee4634396988cff50_NeikiAnalytics.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\970ab7302a9b5b9ee4634396988cff50_NeikiAnalytics.exe"
  Depth: 1, PID: 2040
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\peryh.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\peryh.exe"
    Depth: 2, PID: 3048
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\yptadu.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\yptadu.exe" OK
      Depth: 3, PID: 2872
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\sehom.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\sehom.exe"
        Depth: 4, PID: 1148
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
      - C:\Windows\SysWOW64\cmd.exe
        Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
        Depth: 4, PID: 1764
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
    Depth: 2, PID: 2620
    - Deletes itself
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 224B
  MD5: cbcdb54d77bac93d4da7b525e118d004
  SHA1: ec28a0d05c1d7ea3615c50d53b38b50d8e00909d
  SHA256: 30e5277a8e17fd15cb346660cd87c8076cddf5e3721b0ca6e570ea4e0b22cf1c
  SHA512: 09f06dba1cb457b71573fd08ee970a2e711423581b2f65100658f62e07dc0f67649d4612c9ddf177f31c978359f1c58c04f82be111b9ae5931e96671793c60b0
- Filesize: 306B
  MD5: fb27073afe344aa2e5faefe2801a8fb4
  SHA1: 32ac6bac56219ef31c4d6d19dc33fa1f2e0d240b
  SHA256: c3160269d61468e1837ea6163cf237e903bd81161269a36684c8ccf3863586af
  SHA512: e26d0931feeb1860401940b107d2a78fc3ad8106a5b5a83ae198c7dd1f033765fe297f84ffbfdb8ee3acdf3f81179ba5852de4913fb2e2e38a8317f84a9a0780
- Filesize: 104B
  MD5: dbef593bccc2049f860f718cd6fec321
  SHA1: e7e9f8235b4eb70aa99dd2c38009f2152575a8d0
  SHA256: 30f820bb1ca6c20bcd77113c7377e01f31cdf0ec5b64864f22887d41a9bf3c7a
  SHA512: 3e87c661c343b72f5dff4587b99688dbf655be9d6d903a75151bd9f204f55858e90388591f660bcbded5278ef94e322bf3e7c57374c9b16fce1eef7082395a2a
- Filesize: 512B
  MD5: 572f2d6fa961de2dae1754deaa857501
  SHA1: 521e6da14eae4c77b1f168b64f9dbf85cacc238f
  SHA256: b3e18a4700da2bfe3da706e6dff14b523aff6be0bfd4ccaa8bb20303bda76017
  SHA512: 51ca0d629ba847c439dd17511f5ac3d505d691a087af7629afbb4a489a0942f50466199c08d101fbb8a1cdab899b5edb27c0998de6ef963d0d3626be462fc5c0
- Filesize: 6.5MB
  MD5: 68dd8214f64776668fb5c21852328149
  SHA1: c411fd4721a26ee0dd4fab92f5136becd35cb579
  SHA256: b6217bbc80eafaddb18b54a66ecb4510d6cdb4ab10d4210c7558444c595689cf
  SHA512: 6ed970cfc9142e96f19c47ea8c8ae4704134d201849e31336f41361b2947f4c6b2b2a7bd98c11805e68720537670e88ca94a887244fafc69de6176e2d39e993f
- Filesize: 459KB
  MD5: c79b7a8876c9abdfe3b3f7c6cf79fd2f
  SHA1: c209018197019129656a074aef38885defb66e36
  SHA256: 538159f8bb2fff751150075572efb96a69f5fa0e4d969e9976f29d4ae9cb0d9b
  SHA512: b82f153c4b1bf1d8f353e227ac1a109c9534966e399e9a699ae35d9192eeca730c07d6168036d6327e30fb18944a3de6dc9dab250b5d81213300ba70cd39057d