1d25f31dfce99e86c6b39d75d18b6140baf13caab5145573ae3f55a41e90240b

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
03/06/2024, 01:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

949cac1292cfabc3865f9d90ec42ce30_NeikiAnalytics.exe
Size

262KB
MD5

949cac1292cfabc3865f9d90ec42ce30
SHA1

c819fc0eea9455ede347b3a6ac8786cc2057d4b7
SHA256

1d25f31dfce99e86c6b39d75d18b6140baf13caab5145573ae3f55a41e90240b
SHA512

b16a7031baa2f8d335e356b56ea712c3f016336e3ea0fe95f0bebb6628aaa4945dc517252a87e1abff020e25c30238a1560aeef99f42a308409c9e399b5eff6a
SSDEEP

3072:O7BMvaWjzrLXQQJKgmSBAVpet2AgoQlMZj:saaWjz/gGKgmS+k2t2

Score

10^/10

Malware Config

Extracted

Credentials

Protocol: ftp
Host:
ftp.tripod.com
Port:
21
Username:
onthelinux
Password:
741852abc

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2976	jusched.exe

Loads dropped DLL 2 IoCs

pid	Process
2412	949cac1292cfabc3865f9d90ec42ce30_NeikiAnalytics.exe
2412	949cac1292cfabc3865f9d90ec42ce30_NeikiAnalytics.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\bc1f0645\jusched.exe	949cac1292cfabc3865f9d90ec42ce30_NeikiAnalytics.exe
File created	C:\Program Files (x86)\bc1f0645\bc1f0645	949cac1292cfabc3865f9d90ec42ce30_NeikiAnalytics.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\Update23.job	949cac1292cfabc3865f9d90ec42ce30_NeikiAnalytics.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2412 wrote to memory of 2976	2412	949cac1292cfabc3865f9d90ec42ce30_NeikiAnalytics.exe	28
PID 2412 wrote to memory of 2976	2412	949cac1292cfabc3865f9d90ec42ce30_NeikiAnalytics.exe	28
PID 2412 wrote to memory of 2976	2412	949cac1292cfabc3865f9d90ec42ce30_NeikiAnalytics.exe	28
PID 2412 wrote to memory of 2976	2412	949cac1292cfabc3865f9d90ec42ce30_NeikiAnalytics.exe	28

C:\Users\Admin\AppData\Local\Temp\949cac1292cfabc3865f9d90ec42ce30_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\949cac1292cfabc3865f9d90ec42ce30_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2412
- C:\Program Files (x86)\bc1f0645\jusched.exe
  "C:\Program Files (x86)\bc1f0645\jusched.exe"
  2⤵
  - Executes dropped EXE
  PID:2976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\bc1f0645\bc1f0645

Filesize
17B

MD5
2130fee70fc3f7c10d5279f96f98ad1e

SHA1
4307cef89171fa230048ea22546802198d888780

SHA256
3506e286f6223ccaf1665d4e457b712abeb527266ff28327ce60e37b9fbeb404

SHA512
67fa1bb31028ff3ba125f184207499b9205f58c9eef2ac948f5824475515c396b3d5f93e207cb96deffe1aedb286b1f935cc689c5d84449e51c517da1cffe2e5

Download Submit
\Program Files (x86)\bc1f0645\jusched.exe

Filesize
262KB

MD5
b7881ff54fbad86f06b14d7c7014700e

SHA1
4d8d43b1a03622cd4db9c43530ce101e1ba8118b

SHA256
77b9522b1972eb00f0b1587c80b5b58532e8afbfde8cf78e73e35d894ba2725a

SHA512
2ac7d525bd6ffd7aafc1f958fff279f29e935e37b1030fd8b7a1343ca63659a3aba61661d3c5688d4d1f1e2ecfff4967881c0373eab930b6663864a4024a6925

Download Submit
memory/2412-0-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2412-7-0x0000000002970000-0x00000000029BF000-memory.dmp

Filesize
316KB

Download
memory/2412-13-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2976-14-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download