aaa82c7252c2b993eb68297f50bd58e00d0292361248fc788b74f891d4fcfcc4

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
03/06/2024, 01:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

976fec1f7068de234d4b152c88403730_NeikiAnalytics.exe
Size

40KB
MD5

976fec1f7068de234d4b152c88403730
SHA1

bb6f8efa8fb035baf680e8d99b8c38277a40677a
SHA256

aaa82c7252c2b993eb68297f50bd58e00d0292361248fc788b74f891d4fcfcc4
SHA512

d2a2996c7b05ab5b4a4d3dfe2039eccb8d6b214aac4af236712dae2578d92797560424c2bdd7efde4e1e2cf908cca807f84d7a6924b500acd5f52e8e0646b3fc
SSDEEP

384:R4xUgL9mP/khB8Dy4MfyzLeReRGngzXZ+Yu1zJIFBdy1AQrPgwNt6AMJ1cbfnVz6:eGknMFiiDMNzJIFBLQ7XNt6bk6

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysMain = "C:\\Users\\Admin\\AppData\\Local\\SysMain.exe"	regedit.exe

Runs .reg file with regedit 1 IoCs

pid	Process
2212	regedit.exe

Suspicious behavior: RenamesItself 2 IoCs

pid	Process
2876	976fec1f7068de234d4b152c88403730_NeikiAnalytics.exe
2876	976fec1f7068de234d4b152c88403730_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2876 wrote to memory of 2212	2876	976fec1f7068de234d4b152c88403730_NeikiAnalytics.exe	28
PID 2876 wrote to memory of 2212	2876	976fec1f7068de234d4b152c88403730_NeikiAnalytics.exe	28
PID 2876 wrote to memory of 2212	2876	976fec1f7068de234d4b152c88403730_NeikiAnalytics.exe	28
PID 2876 wrote to memory of 2212	2876	976fec1f7068de234d4b152c88403730_NeikiAnalytics.exe	28
PID 2876 wrote to memory of 2212	2876	976fec1f7068de234d4b152c88403730_NeikiAnalytics.exe	28
PID 2876 wrote to memory of 2212	2876	976fec1f7068de234d4b152c88403730_NeikiAnalytics.exe	28
PID 2876 wrote to memory of 2212	2876	976fec1f7068de234d4b152c88403730_NeikiAnalytics.exe	28

C:\Users\Admin\AppData\Local\Temp\976fec1f7068de234d4b152c88403730_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\976fec1f7068de234d4b152c88403730_NeikiAnalytics.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2876
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\Users\Admin\AppData\Local\Temp\~dfds3.reg
  2⤵
  - Adds Run key to start application
  - Runs .reg file with regedit
  PID:2212

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\SysMain.exe

Filesize
40KB

MD5
13af2e2ca749e57d48997d3caacb62f1

SHA1
b531648d3be8ece3f38ad0ce081e0902a82865c6

SHA256
56d7fa2b830ce61cdabca9d2e45be0cc3024729d8ae8c393ab694e4074e98c3a

SHA512
26540f2d6b0eeed6126ff0578b771469c3f0e4f1843f6637e27daff29d7669c7780f0c2cb2c036b5973b5a3aba1f27cd4a33d8a84c546d6730f8c98c11b3665a

Download Submit
C:\Users\Admin\AppData\Local\Temp\~dfds3.reg

Filesize
166B

MD5
b67c54cc252016ea441affb1b015db90

SHA1
b956bf51ed1213a4903f5af819edbb2b200b416c

SHA256
efe884ae8327e9d7811fe8b00b79a1c3d302aba1f9c1aef982398c6e9460d93b

SHA512
d79926f6462cb0e64c592cc28771f2bf95d18bf936846288c3a11271c4d50907dfd63998c6d5da6d96149dbbd370c6642b87e28b2f6624a5a803efdfebc03194

Download Submit
memory/2876-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2876-1-0x0000000000020000-0x000000000002A000-memory.dmp

Filesize
40KB

Download
memory/2876-2-0x0000000000020000-0x000000000002A000-memory.dmp

Filesize
40KB

Download
memory/2876-12-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads