Analysis
max time kernel: 150s
max time network: 149s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 08/06/2024, 07:12
Behavioral task: behavioral1
Sample: 977d436f6b994ebd49a3a195c47ed9c0_NeikiAnalytics.exe
Resource: win7-20240508-en
Behavioral task: behavioral2
Sample: 977d436f6b994ebd49a3a195c47ed9c0_NeikiAnalytics.exe
Resource: win10v2004-20240508-en
General
Target: 977d436f6b994ebd49a3a195c47ed9c0_NeikiAnalytics.exe
Size: 1.3MB
MD5: 977d436f6b994ebd49a3a195c47ed9c0
SHA1: 1009e3b0df7faeb187fb3a410367126e28c3b1a0
SHA256: 5a0e0ffda4d8ddeed62772838878b03af6064e78635fb4ec6f440ec4818dbc1d
SHA512: 3ee7b3d0f5492a26a5b849a2b7e146515b7ccf828571885500e8b3f2475128c4f8802f38401afe4cf0bf0a50c94a3fda965b2bf92f18e9fe8ea420ac90500d80
SSDEEP: 24576:nAD3HRNtvJ2QY6ynjTdcpLmBtMs51aoflG4/iMtQkSNSFkeKvvvvLpphd7d8ddP7:nkpBs5dlG4/i0QkSoeeKvvvvLpphd7dq
Malware Config
Signatures
Drops startup file (1 IoC)
description: File created
ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\win.lnk
Process: 977d436f6b994ebd49a3a195c47ed9c0_NeikiAnalytics.exe
resource / yara_rule
behavioral1/memory/2368-0-0x0000000000400000-0x000000000054E000-memory.dmp / upx
behavioral1/files/0x000b00000001226d-9.dat / upx
behavioral1/memory/2368-14-0x0000000000400000-0x000000000054E000-memory.dmp / upx
behavioral1/memory/2368-17-0x0000000000400000-0x000000000054E000-memory.dmp / upx
behavioral1/memory/2368-20-0x0000000000400000-0x000000000054E000-memory.dmp / upx
behavioral1/memory/2368-24-0x0000000000400000-0x000000000054E000-memory.dmp / upx
behavioral1/memory/2368-27-0x0000000000400000-0x000000000054E000-memory.dmp / upx
behavioral1/memory/2368-30-0x0000000000400000-0x000000000054E000-memory.dmp / upx
behavioral1/memory/2368-33-0x0000000000400000-0x000000000054E000-memory.dmp / upx
Adds Run key to start application (2 TTPs, 1 IoC)
description: Set value (str)
ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\360safo = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\svchcst.exe"
Process: 977d436f6b994ebd49a3a195c47ed9c0_NeikiAnalytics.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (8 IoCs)
pid: 2368, Process: 977d436f6b994ebd49a3a195c47ed9c0_NeikiAnalytics.exe (8 identical entries)
Suspicious behavior: RenamesItself (1 IoC)
pid: 2368, Process: 977d436f6b994ebd49a3a195c47ed9c0_NeikiAnalytics.exe
Suspicious use of SetWindowsHookEx (2 IoCs)
pid: 2368, Process: 977d436f6b994ebd49a3a195c47ed9c0_NeikiAnalytics.exe (2 identical entries)
Suspicious use of WriteProcessMemory (4 IoCs)
description: PID 2368 wrote to memory of 2612; pid: 2368; Process: 977d436f6b994ebd49a3a195c47ed9c0_NeikiAnalytics.exe; procid_target: 28 (4 identical entries)
Processes
C:\Users\Admin\AppData\Local\Temp\977d436f6b994ebd49a3a195c47ed9c0_NeikiAnalytics.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\977d436f6b994ebd49a3a195c47ed9c0_NeikiAnalytics.exe"
  PID: 2368
  - Drops startup file
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: RenamesItself
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  Child process:
  C:\Windows\SysWOW64\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
    PID: 2612
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 92B
MD5: 0a09f354748324840a98a09a15172fb8
SHA1: 41dc1d5cb5f99590ea7b83516be4ca616707932a
SHA256: 31a81ee87f0c6987d56d48ccac000d92e2a4efdb6b2f84787e9ef420d9f91c7d
SHA512: f21a7c0f5f13285b5faa1fdaca04d15460d9b436eda4bb98a761bdb02b802f00c1c5727d84c97565891d317cd2dbc92ac370ecb8c248082a83a51558cd63bda8

Filesize: 736B
MD5: de6eebab6b36f9ae12b5b01429bb54aa
SHA1: d688b459ede876ae63c50ab26ef6204101c590fd
SHA256: 4599607c660eee2c763fdef2950961c6bd6fe014f71f7ce88d69cb50e2cf2c0a
SHA512: 0c2bb364ca266929ca3ffc325d1a51b8e0441c4bdab8550a838dfa5852805f8355223d0980bb23fdf700077cf018416eca0d5ef269cb4cdfe031e873535b7a9b

Filesize: 1.3MB
MD5: d0bdcafbec62b21f02b2da1861fde3d0
SHA1: 76db0e03d3ee996335ee9708c41a8d8b1b58d649
SHA256: 4d273a9b64cc53928a08b4edc2d3359be2746761c3d72941f78a716774dc6c81
SHA512: 2f979ee5ad1812f25d2f5eff51da0295cf2053a05d042c35c86b1c73e6758358256129909a494ea05b4c8a25ba4d5c0447dd34bc55be95973b466bea46da0fa7