07b40675b4003bff65d795498f5dd78a7e17c2f2d16bebb066930312c3076310

Analysis

max time kernel
150s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
11-06-2024 04:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

27574d1a4e9c677b95f8fa8287007480_NeikiAnalytics.exe
Size

114KB
MD5

27574d1a4e9c677b95f8fa8287007480
SHA1

b55f4fc8ec24ce7e50df98f8dac6719b37eeef8a
SHA256

07b40675b4003bff65d795498f5dd78a7e17c2f2d16bebb066930312c3076310
SHA512

eeba3cc04af091a88e982b32955fb20bb2cfca0ef9f1b5ec598258248538ca7dd570327879384d7503fbf7b64d8ce5b8bde1760427ea541dad0825bff1043e15
SSDEEP

768:3x/5inm+cd5rHemPXKqUEphjVuvios1rPr4adL0NqlJMU6wiK1rEKlcIQ1TTGfo8:3xRsvcdCQjosnvnZ6grfQ1b4L

Score

10^/10

upx

Malware Config

Extracted

Credentials

Protocol: ftp
Host:
ftp.tripod.com
Port:
21
Username:
griptoloji
Password:
741852

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1708	jusched.exe

Loads dropped DLL 2 IoCs

pid	Process
2952	27574d1a4e9c677b95f8fa8287007480_NeikiAnalytics.exe
2952	27574d1a4e9c677b95f8fa8287007480_NeikiAnalytics.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2952-0-0x0000000000400000-0x000000000044C000-memory.dmp	upx
behavioral1/files/0x003500000001568c-5.dat	upx
behavioral1/memory/2952-12-0x0000000000400000-0x000000000044C000-memory.dmp	upx
behavioral1/memory/1708-13-0x0000000000400000-0x000000000044C000-memory.dmp	upx

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Java\jre-09\bin\jusched.exe	27574d1a4e9c677b95f8fa8287007480_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\Java\jre-09\bin\jusched.exe	27574d1a4e9c677b95f8fa8287007480_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Java\jre-09\bin\UF	27574d1a4e9c677b95f8fa8287007480_NeikiAnalytics.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1708	jusched.exe
1708	jusched.exe
1708	jusched.exe
1708	jusched.exe
1708	jusched.exe
1708	jusched.exe
1708	jusched.exe
1708	jusched.exe
1708	jusched.exe
1708	jusched.exe
1708	jusched.exe
1708	jusched.exe
1708	jusched.exe
1708	jusched.exe
1708	jusched.exe
1708	jusched.exe
1708	jusched.exe
1708	jusched.exe
1708	jusched.exe
1708	jusched.exe
1708	jusched.exe
1708	jusched.exe
1708	jusched.exe
1708	jusched.exe
1708	jusched.exe
1708	jusched.exe
1708	jusched.exe
1708	jusched.exe
1708	jusched.exe
1708	jusched.exe
1708	jusched.exe
1708	jusched.exe
1708	jusched.exe
1708	jusched.exe
1708	jusched.exe
1708	jusched.exe
1708	jusched.exe
1708	jusched.exe
1708	jusched.exe
1708	jusched.exe
1708	jusched.exe
1708	jusched.exe
1708	jusched.exe
1708	jusched.exe
1708	jusched.exe
1708	jusched.exe
1708	jusched.exe
1708	jusched.exe
1708	jusched.exe
1708	jusched.exe
1708	jusched.exe
1708	jusched.exe
1708	jusched.exe
1708	jusched.exe
1708	jusched.exe
1708	jusched.exe
1708	jusched.exe
1708	jusched.exe
1708	jusched.exe
1708	jusched.exe
1708	jusched.exe
1708	jusched.exe
1708	jusched.exe
1708	jusched.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2952 wrote to memory of 1708	2952	27574d1a4e9c677b95f8fa8287007480_NeikiAnalytics.exe	28
PID 2952 wrote to memory of 1708	2952	27574d1a4e9c677b95f8fa8287007480_NeikiAnalytics.exe	28
PID 2952 wrote to memory of 1708	2952	27574d1a4e9c677b95f8fa8287007480_NeikiAnalytics.exe	28
PID 2952 wrote to memory of 1708	2952	27574d1a4e9c677b95f8fa8287007480_NeikiAnalytics.exe	28

C:\Users\Admin\AppData\Local\Temp\27574d1a4e9c677b95f8fa8287007480_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\27574d1a4e9c677b95f8fa8287007480_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2952
- C:\Program Files (x86)\Java\jre-09\bin\jusched.exe
  "C:\Program Files (x86)\Java\jre-09\bin\jusched.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Program Files (x86)\Java\jre-09\bin\jusched.exe

Filesize
114KB

MD5
597112a767d9c3e21ecdac39f8b88eb9

SHA1
36dcd6857b4eb1d421b595a939d4ef73c9766a5a

SHA256
9d7c6f8853dbfda17cd33455b94e016be215a3128b547ec26b47490fce43ed61

SHA512
b164b07e8758024c404a7709775d2e88f0ea6acbade8e5d97e8502373f478cad23aa1df16d76a1b651a26f3413f97eb9478979e6299a94b858b67889b5351a90

Download Submit
memory/1708-13-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2952-0-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2952-12-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download