864091e4aafa164366752324593a5a107888cc52970d44dbadebc808e6c8e421

Analysis

max time kernel
118s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
07/06/2024, 22:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7359c987fb7f41f7b2178b5d55c400b0_NeikiAnalytics.exe
Size

499KB
MD5

7359c987fb7f41f7b2178b5d55c400b0
SHA1

b0357b61f2f93d8af3d4fffecb6edc9f4d6f1069
SHA256

864091e4aafa164366752324593a5a107888cc52970d44dbadebc808e6c8e421
SHA512

cab55be994c811b1596f4ab0e647d31012813db40fac55273c5f2aa090ced992e0c0631072a874441732b92c1675e7c1fe57d44b079f4bdc154ae562ae4111ea
SSDEEP

12288:NyAfDcgcTQhgpZBDtoRAG01LqTl2mZoihVaA:vDVBADt1ZKlXBIA

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2832	EXE9463.tmp

Loads dropped DLL 2 IoCs

pid	Process
2908	7359c987fb7f41f7b2178b5d55c400b0_NeikiAnalytics.exe
2908	7359c987fb7f41f7b2178b5d55c400b0_NeikiAnalytics.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2832	EXE9463.tmp
2832	EXE9463.tmp

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2908 wrote to memory of 2832	2908	7359c987fb7f41f7b2178b5d55c400b0_NeikiAnalytics.exe	28
PID 2908 wrote to memory of 2832	2908	7359c987fb7f41f7b2178b5d55c400b0_NeikiAnalytics.exe	28
PID 2908 wrote to memory of 2832	2908	7359c987fb7f41f7b2178b5d55c400b0_NeikiAnalytics.exe	28
PID 2908 wrote to memory of 2832	2908	7359c987fb7f41f7b2178b5d55c400b0_NeikiAnalytics.exe	28
PID 2832 wrote to memory of 2760	2832	EXE9463.tmp	29
PID 2832 wrote to memory of 2760	2832	EXE9463.tmp	29
PID 2832 wrote to memory of 2760	2832	EXE9463.tmp	29
PID 2832 wrote to memory of 2760	2832	EXE9463.tmp	29

C:\Users\Admin\AppData\Local\Temp\7359c987fb7f41f7b2178b5d55c400b0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\7359c987fb7f41f7b2178b5d55c400b0_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2908
- C:\Users\Admin\AppData\Local\Temp\EXE9463.tmp
  "C:\Users\Admin\AppData\Local\Temp\EXE9463.tmp" "C:\Users\Admin\AppData\Local\Temp\OFM9464.tmp" "C:\Users\Admin\AppData\Local\Temp\7359c987fb7f41f7b2178b5d55c400b0_NeikiAnalytics.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2832
- - C:\Windows\splwow64.exe
    C:\Windows\splwow64.exe 12288
    3⤵
    PID:2760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\EXE9463.tmp

Filesize
968KB

MD5
0f619e7352920d8d21926f2b715e0794

SHA1
cdd75d72647b1c75477c069b51b5f8ab5dc63e50

SHA256
e6090962c2504441c1cd5f6ee75dd5ffbddc38062f02807f0d44176d8f464381

SHA512
380592a1382f40d80839efea429619470b09fc0c0aad8666c6392d8dbd112f5e8719538fc93044454f4ce67375aaae8da59e09563b167ff8adf34240be684dae

Download Submit
C:\Users\Admin\AppData\Local\Temp\OFM9464.tmp

Filesize
48KB

MD5
45f7d092e82e56b0d63ae3ef0584f240

SHA1
efdefd845a294bc4cf7e695148404b558418a7ea

SHA256
1b44a7a285d11e3f234bd382ee0c770c13812c11261ced789bc1247c144998fd

SHA512
3cc2e085bc79a642b6f0f217aac62a52d61cb67e073622dccdcdda00bd41398818c83e71131d3f133156e68b3d4a571ef27c0728f77784ce4554ad3356ed977a

Download Submit