92bd605ed01806eb871cafdb4471a022ef991629c20ec7671c01a6b478347d6a

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
11/06/2024, 07:37

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2cd7aa5d6acc34d72c3df6f027ef9c80_NeikiAnalytics.exe
Size

36KB
MD5

2cd7aa5d6acc34d72c3df6f027ef9c80
SHA1

fcc282472babb41af5db3d6a802dd7e8e2743b2e
SHA256

92bd605ed01806eb871cafdb4471a022ef991629c20ec7671c01a6b478347d6a
SHA512

78420cd4b178d72708b2fb57f1e9f6d8b1af4b666938de5f078fee789bdf7c519b73ae5d39722de8619260294bcf223111bb435b3fbb39a0741fdd06c5543ffe
SSDEEP

384:KrxUgoBxN6m7py4OyzLeReRunnU8s3pnsm811Z+JrTsKoRkWowfadhLg:eSvXTiVU8s3pnsmUsxo6XL7Lg

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WinHttp = "C:\\Users\\Admin\\AppData\\Local\\WinHttp.exe"	regedit.exe

Runs .reg file with regedit 1 IoCs

pid	Process
5108	regedit.exe

Suspicious behavior: RenamesItself 2 IoCs

pid	Process
3472	2cd7aa5d6acc34d72c3df6f027ef9c80_NeikiAnalytics.exe
3472	2cd7aa5d6acc34d72c3df6f027ef9c80_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3472 wrote to memory of 5108	3472	2cd7aa5d6acc34d72c3df6f027ef9c80_NeikiAnalytics.exe	80
PID 3472 wrote to memory of 5108	3472	2cd7aa5d6acc34d72c3df6f027ef9c80_NeikiAnalytics.exe	80
PID 3472 wrote to memory of 5108	3472	2cd7aa5d6acc34d72c3df6f027ef9c80_NeikiAnalytics.exe	80

C:\Users\Admin\AppData\Local\Temp\2cd7aa5d6acc34d72c3df6f027ef9c80_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\2cd7aa5d6acc34d72c3df6f027ef9c80_NeikiAnalytics.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:3472
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\Users\Admin\AppData\Local\Temp\~dfds3.reg
  2⤵
  - Adds Run key to start application
  - Runs .reg file with regedit
  PID:5108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\~dfds3.reg

Filesize
166B

MD5
f44153ef26be29552cf320325ad8b72e

SHA1
74ac72ba2ff0f871e59b11c95ad707372662370c

SHA256
767009fb8726500a4bc54b2ee744cc3ada64fdf16a44e22ff9dfe7652e2a439f

SHA512
1d42a4dba1d8d0df9f8fedfba384ffdbcff3103c8ba360f255b5d7e8a46128f40521e4d16cf6de04365b3b6ffad8bc681cf7042d92867ab3d912601a3d5e6e65

Download Submit
C:\Users\Admin\AppData\Local\WinHttp.exe

Filesize
36KB

MD5
fde4f41b9ef3a4ec577e9faaea35988f

SHA1
6f365a5b344b51d84e105607de99e3a0aa490f12

SHA256
05c233d0e1ecf850456413c79d0bb6a57e3343447a577aca5ccbb1fab7c3aa35

SHA512
f9455b9e0a2e2770896b8526f2b4570862c1ab6bdc96ab71f3c8370ac632cf6010f8726903a85200b3326baa329659766ff572e88e6b8456b396e86d2bb88e65

Download Submit
memory/3472-0-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3472-11-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads