32059364835f9a515044506d3cb6b93d789ffcfe9ab23f06a5f3f3fb5b24efef

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
05/06/2024, 01:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

28b69e2a4eee2c64364e76325cc66810_NeikiAnalytics.exe
Size

178KB
MD5

28b69e2a4eee2c64364e76325cc66810
SHA1

71a317927b301a10dda2fb04073f8803cd9c1859
SHA256

32059364835f9a515044506d3cb6b93d789ffcfe9ab23f06a5f3f3fb5b24efef
SHA512

70197657c18a23e9a64e701cc5c87c39454f8dbf83608ebde768e34e5410b125ac75fc959137c9721a107311de5590b86fa1e15f060b31b85c92cc23ecdeaa6d
SSDEEP

3072:+nOn7t7XpdpCCTg/sxFgJzAG7u+C731AeNEPjpjQ8S9ros5TNeZGdBuB2M3RAzBe:+KpdcCrT4AGe73tNqjtQpn3uB20RAlZ8

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2924	northstar.exe

Loads dropped DLL 2 IoCs

pid	Process
2884	28b69e2a4eee2c64364e76325cc66810_NeikiAnalytics.exe
2884	28b69e2a4eee2c64364e76325cc66810_NeikiAnalytics.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2924	northstar.exe
2924	northstar.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2884 wrote to memory of 2924	2884	28b69e2a4eee2c64364e76325cc66810_NeikiAnalytics.exe	28
PID 2884 wrote to memory of 2924	2884	28b69e2a4eee2c64364e76325cc66810_NeikiAnalytics.exe	28
PID 2884 wrote to memory of 2924	2884	28b69e2a4eee2c64364e76325cc66810_NeikiAnalytics.exe	28
PID 2884 wrote to memory of 2924	2884	28b69e2a4eee2c64364e76325cc66810_NeikiAnalytics.exe	28

C:\Users\Admin\AppData\Local\Temp\28b69e2a4eee2c64364e76325cc66810_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\28b69e2a4eee2c64364e76325cc66810_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2884
- C:\Users\Admin\AppData\Local\Temp\nsd1067.tmp\northstar.exe
  C:\Users\Admin\AppData\Local\Temp\nsd1067.tmp\northstar.exe /dT201303201513 /u4dc90721-0888-4db0-a2e5-20545bc06f26 /e2842322
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nsd1067.tmp\VPatch.dll

Filesize
10KB

MD5
20ee82203544c4f831a7dc1650e7ec51

SHA1
671affb8e32f06777483782197173af254e02548

SHA256
69a00c14562ea5a71f6196b307292fa6d8b1a2fc02368020f40c84b3b0a1a83a

SHA512
4dabcc0cfebb36cfe57fa05777224f45c04c84031cfecf4184bd95d2b148ce18a6c91655320e69c1709e740a261e1e25effc8395fed91d0fc61b18f9a9f7685f

Download Submit
\Users\Admin\AppData\Local\Temp\nsd1067.tmp\northstar.exe

Filesize
257KB

MD5
a767c2de2a3aa84e70da1230b2dd8f26

SHA1
92fc3b006b30b37e699d0cd1069391f3edd09fc8

SHA256
272ee7f5bffe70f329cfe9fcd7d61eb7a34c4dc2c5de3a6f5fd078962dcde7d3

SHA512
2beb66dad6db97d856cfe05daef19f3368c310ae10f27b90a541ae3be2ac15d6de0c2983df6d3b0f9722240bbd39e80ab9f0ef57e00eae16b72f3c98742e0496

Download Submit
memory/2884-29-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2924-15-0x0000000074501000-0x0000000074502000-memory.dmp

Filesize
4KB

Download
memory/2924-16-0x0000000074500000-0x0000000074AAB000-memory.dmp

Filesize
5.7MB

Download
memory/2924-17-0x0000000074500000-0x0000000074AAB000-memory.dmp

Filesize
5.7MB

Download
memory/2924-18-0x0000000074500000-0x0000000074AAB000-memory.dmp

Filesize
5.7MB

Download
memory/2924-19-0x0000000074500000-0x0000000074AAB000-memory.dmp

Filesize
5.7MB

Download
memory/2924-20-0x0000000074500000-0x0000000074AAB000-memory.dmp

Filesize
5.7MB

Download
memory/2924-21-0x0000000074500000-0x0000000074AAB000-memory.dmp

Filesize
5.7MB

Download