c432cfcfbfc7f44056ef3aec4ac951fdbc753439647a0e2b835bab297a83b6f3

Analysis

max time kernel
119s
max time network
119s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
08/06/2024, 14:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3db5b5bfb3b1895d0f588f21a56a6cf0_NeikiAnalytics.exe
Size

95KB
MD5

3db5b5bfb3b1895d0f588f21a56a6cf0
SHA1

5daff830c0efe149a73233cdf81fa7be4ddaf835
SHA256

c432cfcfbfc7f44056ef3aec4ac951fdbc753439647a0e2b835bab297a83b6f3
SHA512

c2147f1dd2a2767561144cf166b83938a5448df24277da30834f099b7886ce06bed7ffc43803f8bedb08727565d10ad43c59b0d297cdd7276a19abef20e62d09
SSDEEP

1536:EGqRGbQHSgOTw1BFxnsUdsdBhMgxRFy2kckEUEVvccRPAAXLSYPph/ATvYSByU6N:lbjgjXxdWBhMwRFy2Rk/kcIAebPph/Au

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2616	WScript.exe

Executes dropped EXE 2 IoCs

pid	Process
2804	rMX.exe
2284	rMX.exe.exe

Loads dropped DLL 4 IoCs

pid	Process
2940	3db5b5bfb3b1895d0f588f21a56a6cf0_NeikiAnalytics.exe
2940	3db5b5bfb3b1895d0f588f21a56a6cf0_NeikiAnalytics.exe
2580	cmd.exe
2580	cmd.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	\??\c:\windows\rMX.exe.bat	rMX.exe
File created	C:\WINDOWS\VWFLH\rMX.exe.exe	rMX.exe
File opened for modification	C:\WINDOWS\VWFLH\rMX.exe.exe	rMX.exe
File opened for modification	\??\c:\windows\nk.txt	cmd.exe
File created	C:\WINDOWS\VWFLH\rMX.exe	3db5b5bfb3b1895d0f588f21a56a6cf0_NeikiAnalytics.exe
File opened for modification	C:\WINDOWS\VWFLH\rMX.exe	3db5b5bfb3b1895d0f588f21a56a6cf0_NeikiAnalytics.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 2940 wrote to memory of 2804	2940	3db5b5bfb3b1895d0f588f21a56a6cf0_NeikiAnalytics.exe	28
PID 2940 wrote to memory of 2804	2940	3db5b5bfb3b1895d0f588f21a56a6cf0_NeikiAnalytics.exe	28
PID 2940 wrote to memory of 2804	2940	3db5b5bfb3b1895d0f588f21a56a6cf0_NeikiAnalytics.exe	28
PID 2940 wrote to memory of 2804	2940	3db5b5bfb3b1895d0f588f21a56a6cf0_NeikiAnalytics.exe	28
PID 2804 wrote to memory of 2980	2804	rMX.exe	29
PID 2804 wrote to memory of 2980	2804	rMX.exe	29
PID 2804 wrote to memory of 2980	2804	rMX.exe	29
PID 2804 wrote to memory of 2980	2804	rMX.exe	29
PID 2804 wrote to memory of 2580	2804	rMX.exe	30
PID 2804 wrote to memory of 2580	2804	rMX.exe	30
PID 2804 wrote to memory of 2580	2804	rMX.exe	30
PID 2804 wrote to memory of 2580	2804	rMX.exe	30
PID 2940 wrote to memory of 2656	2940	3db5b5bfb3b1895d0f588f21a56a6cf0_NeikiAnalytics.exe	31
PID 2940 wrote to memory of 2656	2940	3db5b5bfb3b1895d0f588f21a56a6cf0_NeikiAnalytics.exe	31
PID 2940 wrote to memory of 2656	2940	3db5b5bfb3b1895d0f588f21a56a6cf0_NeikiAnalytics.exe	31
PID 2940 wrote to memory of 2656	2940	3db5b5bfb3b1895d0f588f21a56a6cf0_NeikiAnalytics.exe	31
PID 2580 wrote to memory of 2284	2580	cmd.exe	35
PID 2580 wrote to memory of 2284	2580	cmd.exe	35
PID 2580 wrote to memory of 2284	2580	cmd.exe	35
PID 2580 wrote to memory of 2284	2580	cmd.exe	35
PID 2284 wrote to memory of 2552	2284	rMX.exe.exe	36
PID 2284 wrote to memory of 2552	2284	rMX.exe.exe	36
PID 2284 wrote to memory of 2552	2284	rMX.exe.exe	36
PID 2284 wrote to memory of 2552	2284	rMX.exe.exe	36
PID 2656 wrote to memory of 2616	2656	cmd.exe	37
PID 2656 wrote to memory of 2616	2656	cmd.exe	37
PID 2656 wrote to memory of 2616	2656	cmd.exe	37
PID 2656 wrote to memory of 2616	2656	cmd.exe	37
PID 2552 wrote to memory of 2492	2552	cmd.exe	39
PID 2552 wrote to memory of 2492	2552	cmd.exe	39
PID 2552 wrote to memory of 2492	2552	cmd.exe	39
PID 2552 wrote to memory of 2492	2552	cmd.exe	39

C:\Users\Admin\AppData\Local\Temp\3db5b5bfb3b1895d0f588f21a56a6cf0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\3db5b5bfb3b1895d0f588f21a56a6cf0_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2940
- C:\WINDOWS\VWFLH\rMX.exe
  C:\WINDOWS\VWFLH\rMX.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2804
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c echo 0>>c:\windows\nk.txt
    3⤵
    - Drops file in Windows directory
    PID:2980
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\WINDOWS\VWFLH\rMX.exe.exe
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2580
  - - C:\WINDOWS\VWFLH\rMX.exe.exe
      C:\WINDOWS\VWFLH\rMX.exe.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2284
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\99.vbs
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2552
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\99.vbs"
        6⤵
        
        PID:2492
- C:\Windows\SysWOW64\cmd.exe
  cmd /c c:\76.vbs
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2656
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\76.vbs"
    3⤵
    - Deletes itself
    PID:2616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\76.vbs

Filesize
219B

MD5
e8ced48552561cb2487c3d135877a87e

SHA1
3341836e2cf9887fda4f80abd7573dda7a73ed5a

SHA256
c717544b9483f758f4aa6b7245555e761a9f899bfd455856dff215786ce16e99

SHA512
1bed96cbf7397f56c8028141e4c29e1cc8bd6957ddeda6657b834d49a13aa840d03c14dde3535d4bf9fef45e690a3f9691819725c1369ca184c4730a83aca5f8

Download Submit
C:\99.vbs

Filesize
162B

MD5
10a39caa2d7472b60a063fe798cf5c81

SHA1
fe3d98fcae0f60981e24ce2d284bb5a674e57883

SHA256
f8a1869858d7d61799a57c50db3b9c77abeb2c67c463cc989f223f9e0c068837

SHA512
14a4ea22451435c5b866e9ef84ac5a0b91822719886943446fd47562e23d9c01a5295f90676e3304088f16a51ecca0a3275f2a9073ba47bb65916a9e06d7ce63

Download Submit
C:\Windows\VWFLH\rMX.exe

Filesize
95KB

MD5
3db5b5bfb3b1895d0f588f21a56a6cf0

SHA1
5daff830c0efe149a73233cdf81fa7be4ddaf835

SHA256
c432cfcfbfc7f44056ef3aec4ac951fdbc753439647a0e2b835bab297a83b6f3

SHA512
c2147f1dd2a2767561144cf166b83938a5448df24277da30834f099b7886ce06bed7ffc43803f8bedb08727565d10ad43c59b0d297cdd7276a19abef20e62d09

Download Submit
\Windows\VWFLH\rMX.exe.exe

Filesize
95KB

MD5
5a8ba2d7fa2055c0c0567c7aef5f50ed

SHA1
cf9461f0b3a48befbc6887f93db8de70ef1862a4

SHA256
fb61137569f7ff9c5a7d9c97b0e9c16223d9ed78cd41653b0223efe1eba2f67a

SHA512
bfa34cae8ad3819a72aa1639d422df23c9d5afe325d20c88993eb3ecf02b0ba041f23c5a99227bbc05cbc7ecfff56c71ef593993382aa853670b002cb5cde1dc

Download Submit
memory/2284-33-0x000000007EEE0000-0x000000007EEFF000-memory.dmp

Filesize
124KB

Download
memory/2804-14-0x000000007EEE0000-0x000000007EEFF000-memory.dmp

Filesize
124KB

Download
memory/2940-15-0x000000007EEE0000-0x000000007EEFF000-memory.dmp

Filesize
124KB

Download