Analysis
- max time kernel: 149s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
- submitted: 07/06/2024, 11:48
Behavioral task: behavioral1
- Sample: 54e3722e65bff1800fa6d58f8bea7560_NeikiAnalytics.exe
- Resource: win7-20240508-en
Behavioral task: behavioral2
- Sample: 54e3722e65bff1800fa6d58f8bea7560_NeikiAnalytics.exe
- Resource: win10v2004-20240508-en
General
- Target: 54e3722e65bff1800fa6d58f8bea7560_NeikiAnalytics.exe
- Size: 427KB
- MD5: 54e3722e65bff1800fa6d58f8bea7560
- SHA1: 9c2ecad59f091f3ebc3a5e4105c5a40f7dce5b06
- SHA256: a69b8c96db4b68c72e103978877238ef9aacb368376c3543b7cf9cedc8e76fae
- SHA512: bdee93f53ffd97d86f2bce9219b3d3affa42c0f1e5e09be08abe35d6128971ee7066d61939f3b3e1e890a8bdb1a31b35d4a9fd72812e9cf9e6f8573ec5bdcc5d
- SSDEEP: 6144:v2ja0W9vFWhZ4HYaWtsV6gNbncvlNFn9XGTWve/0OvCEv:v6a0W9vF2SLM0NAvlNFn8TWvecOvfv
Malware Config
Signatures
- Deletes itself (1 IoC): pid 3012, Sysceamxfzrp.exe
- Executes dropped EXE (1 IoC): pid 3012, Sysceamxfzrp.exe
- Loads dropped DLL (2 IoCs): pid 2176, 54e3722e65bff1800fa6d58f8bea7560_NeikiAnalytics.exe (two loads recorded)
- Matches yara rule upx (5 resources):
  - behavioral1/memory/2176-0-0x0000000000400000-0x000000000046D000-memory.dmp
  - behavioral1/files/0x0035000000016824-20.dat
  - behavioral1/memory/3012-19-0x0000000000400000-0x000000000046D000-memory.dmp
  - behavioral1/memory/2176-22-0x0000000000400000-0x000000000046D000-memory.dmp
  - behavioral1/memory/3012-23-0x0000000000400000-0x000000000046D000-memory.dmp
  Both the submitted process (2176) and the dropped Sysceamxfzrp.exe (3012) map the same 0x400000-0x46D000 image range that the rule fires on, and the dropped file on disk matches it as well.
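The yara hits above say the images in memory carry UPX markers; the check a triager would run on the file itself is to read the PE section table and look for the layout the stock packer leaves behind. The following is an added example written for this page, not code from the sandbox or from the sample: it parses the section table directly (DOS header, PE signature, COFF header, 40-byte section entries) and combines the UPX0/UPX1/UPX2 name check with two layout heuristics, an empty first section with a large virtual size and a high-entropy section behind it. The two PE images it runs on are constructed in the block; the UPX section names and the 7.0 entropy threshold are assumptions about the stock packer, not something the report states.

```python
import math
import struct

# Section names the stock UPX packer writes (assumption: unmodified UPX; a
# renamed or scrubbed section table defeats the name check and leaves only
# the layout/entropy heuristics below).
UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; compressed or encrypted data sits near 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes):
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + opt_size
    sections = []
    for i in range(num_sections):
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", pe, table + i * 40)
        raw = pe[rawptr:rawptr + rawsize]
        sections.append({
            "name": name.rstrip(b"\0"), "vsize": vsize, "vaddr": vaddr,
            "rawsize": rawsize, "entropy": round(shannon_entropy(raw), 2),
        })
    return sections


def upx_indicators(pe: bytes) -> dict:
    """Name check plus the layout UPX produces: a first section with no raw
    data but a large virtual size (room for the unpacked image), followed by
    a high-entropy section holding the compressed payload."""
    secs = parse_sections(pe)
    names = {s["name"] for s in secs}
    empty_raw = [s["name"].decode() for s in secs if s["rawsize"] == 0 and s["vsize"] > 0]
    high_entropy = [s["name"].decode() for s in secs if s["rawsize"] > 0 and s["entropy"] >= 7.0]
    return {
        "upx_names": sorted(n.decode() for n in names & UPX_SECTION_NAMES),
        "empty_raw_sections": empty_raw,
        "high_entropy_sections": high_entropy,
        "likely_upx": bool(names & UPX_SECTION_NAMES) or (bool(empty_raw) and bool(high_entropy)),
    }


def build_sample_pe(section_specs) -> bytes:
    """Constructed minimal PE32 image for testing (not the analysed sample):
    DOS stub, PE signature, COFF header, zeroed optional header, section table."""
    opt = bytes(224)                      # PE32 optional header size; contents unused here
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_specs), 0, 0, 0, len(opt), 0x0102)
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    rawptr = len(dos) + 4 + len(coff) + len(opt) + 40 * len(section_specs)
    table, body, vaddr = b"", b"", 0x1000
    for name, vsize, raw in section_specs:
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), vsize, vaddr,
                             len(raw), rawptr if raw else 0, 0, 0, 0, 0, 0x60000020)
        body += raw
        rawptr += len(raw)
        vaddr += max(vsize, 0x1000)
    return dos + b"PE\0\0" + coff + opt + table + body


# Constructed inputs: a UPX-style layout and an ordinary two-section binary.
PACKED = build_sample_pe([
    (b"UPX0", 0x60000, b""),
    (b"UPX1", 0x10000, bytes(range(256)) * 64),   # uniform byte histogram: entropy 8.0
    (b".rsrc", 0x1000, bytes(512)),
])
CLEAN = build_sample_pe([
    (b".text", 0x2000, b"\x55\x8b\xec" * 300),   # push ebp; mov ebp,esp; repeated
    (b".data", 0x1000, b"hello world\0" * 40),
])

if __name__ == "__main__":
    for label, image in (("packed", PACKED), ("clean", CLEAN)):
        print(label, upx_indicators(image))
```

The name check alone is what most quick triage does; the layout and entropy heuristics are what still fire when the packer's section names have been edited out, which is why the result keeps them as separate fields rather than only a boolean.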
- Enumerates physical storage devices (1 TTP): attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (64 IoCs): every entry is pid 3012, Sysceamxfzrp.exe
- Suspicious use of WriteProcessMemory (4 IoCs): PID 2176 (54e3722e65bff1800fa6d58f8bea7560_NeikiAnalytics.exe) wrote to memory of PID 3012 (procid_target 29), recorded four times
Processes
- C:\Users\Admin\AppData\Local\Temp\54e3722e65bff1800fa6d58f8bea7560_NeikiAnalytics.exe (PID 2176), command line "C:\Users\Admin\AppData\Local\Temp\54e3722e65bff1800fa6d58f8bea7560_NeikiAnalytics.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - child: C:\Users\Admin\AppData\Local\Temp\Sysceamxfzrp.exe (PID 3012), command line "C:\Users\Admin\AppData\Local\Temp\Sysceamxfzrp.exe"
    - Deletes itself
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 427KB (same size as the submitted sample, but different hashes)
  - MD5: 4b7769ca5e4b980f5a3875f41c92a8c4
  - SHA1: 7a562cc5e154edf5beec64b50c983a74f75ae213
  - SHA256: 75796cc86050750cf40c3bf633c96a87285585aad44f04107a1e64af3acdb54a
  - SHA512: 907b6ca9142d608c90b6ac4d688047d6f032f5bbd5de3d01f56bc8e2fd86b5e50228dfa4061c4cde446d739aa2b452e35674b062f5af8cb70151143f771d9682
- Filesize: 85B
  - MD5: f3c13a8491eacec21cb6e4e08275fc79
  - SHA1: f15617afa3611aa196fef7a11542038c8ed1f3d0
  - SHA256: 3c55c82473198408f935a198c41592eb96be93e37c60919f42cf12b80cb0d1ec
  - SHA512: c5d3db45e8cc13559af69105a24acad9517769873c54aeb35c91516bb58a3ed9582fb9eebc92400a022d0956627cd44e2829920e1cb2c08f30c1bc4988c9d434