ba898f05f347722f00737f2e70d80daa934c102142154ff2a7208a5ae2f4000f

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
13/06/2024, 21:59

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

8a4010ab205b0d866e3569278dec80d0_NeikiAnalytics.exe
Size

95KB
MD5

8a4010ab205b0d866e3569278dec80d0
SHA1

34feead405b1fd554fa826fd712bb1addc10c4e9
SHA256

ba898f05f347722f00737f2e70d80daa934c102142154ff2a7208a5ae2f4000f
SHA512

1b34ccf7377f778529d87ed57fb9b1be851d912a11e61f0c44f632781598eaff68fe61cacea2fa81a5baf808b7a356e0e81bf74b1441dc941ecf3c0767122e87
SSDEEP

1536:EGqRGbQHSgOTw1BFxnsUdsdBhMgxRFy2kckEUEVvccRPAAXLSYPph/ATvYSByU65:lbjgjXxdWBhMwRFy2Rk/kcIAebPph/AO

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2484	WScript.exe

Executes dropped EXE 2 IoCs

pid	Process
3036	rMX.exe
2704	rMX.exe.exe

Loads dropped DLL 4 IoCs

pid	Process
2356	8a4010ab205b0d866e3569278dec80d0_NeikiAnalytics.exe
2356	8a4010ab205b0d866e3569278dec80d0_NeikiAnalytics.exe
2208	cmd.exe
2208	cmd.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\WINDOWS\VWFLH\rMX.exe	8a4010ab205b0d866e3569278dec80d0_NeikiAnalytics.exe
File created	\??\c:\windows\rMX.exe.bat	rMX.exe
File created	C:\WINDOWS\VWFLH\rMX.exe.exe	rMX.exe
File opened for modification	C:\WINDOWS\VWFLH\rMX.exe.exe	rMX.exe
File opened for modification	\??\c:\windows\nk.txt	cmd.exe
File created	C:\WINDOWS\VWFLH\rMX.exe	8a4010ab205b0d866e3569278dec80d0_NeikiAnalytics.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 2356 wrote to memory of 3036	2356	8a4010ab205b0d866e3569278dec80d0_NeikiAnalytics.exe	28
PID 2356 wrote to memory of 3036	2356	8a4010ab205b0d866e3569278dec80d0_NeikiAnalytics.exe	28
PID 2356 wrote to memory of 3036	2356	8a4010ab205b0d866e3569278dec80d0_NeikiAnalytics.exe	28
PID 2356 wrote to memory of 3036	2356	8a4010ab205b0d866e3569278dec80d0_NeikiAnalytics.exe	28
PID 3036 wrote to memory of 2396	3036	rMX.exe	29
PID 3036 wrote to memory of 2396	3036	rMX.exe	29
PID 3036 wrote to memory of 2396	3036	rMX.exe	29
PID 3036 wrote to memory of 2396	3036	rMX.exe	29
PID 3036 wrote to memory of 2208	3036	rMX.exe	30
PID 3036 wrote to memory of 2208	3036	rMX.exe	30
PID 3036 wrote to memory of 2208	3036	rMX.exe	30
PID 3036 wrote to memory of 2208	3036	rMX.exe	30
PID 2356 wrote to memory of 3064	2356	8a4010ab205b0d866e3569278dec80d0_NeikiAnalytics.exe	32
PID 2356 wrote to memory of 3064	2356	8a4010ab205b0d866e3569278dec80d0_NeikiAnalytics.exe	32
PID 2356 wrote to memory of 3064	2356	8a4010ab205b0d866e3569278dec80d0_NeikiAnalytics.exe	32
PID 2356 wrote to memory of 3064	2356	8a4010ab205b0d866e3569278dec80d0_NeikiAnalytics.exe	32
PID 2208 wrote to memory of 2704	2208	cmd.exe	35
PID 2208 wrote to memory of 2704	2208	cmd.exe	35
PID 2208 wrote to memory of 2704	2208	cmd.exe	35
PID 2208 wrote to memory of 2704	2208	cmd.exe	35
PID 2704 wrote to memory of 2600	2704	rMX.exe.exe	36
PID 2704 wrote to memory of 2600	2704	rMX.exe.exe	36
PID 2704 wrote to memory of 2600	2704	rMX.exe.exe	36
PID 2704 wrote to memory of 2600	2704	rMX.exe.exe	36
PID 3064 wrote to memory of 2484	3064	cmd.exe	38
PID 3064 wrote to memory of 2484	3064	cmd.exe	38
PID 3064 wrote to memory of 2484	3064	cmd.exe	38
PID 3064 wrote to memory of 2484	3064	cmd.exe	38
PID 2600 wrote to memory of 2480	2600	cmd.exe	39
PID 2600 wrote to memory of 2480	2600	cmd.exe	39
PID 2600 wrote to memory of 2480	2600	cmd.exe	39
PID 2600 wrote to memory of 2480	2600	cmd.exe	39

C:\Users\Admin\AppData\Local\Temp\8a4010ab205b0d866e3569278dec80d0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\8a4010ab205b0d866e3569278dec80d0_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2356
- C:\WINDOWS\VWFLH\rMX.exe
  C:\WINDOWS\VWFLH\rMX.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:3036
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c echo 0>>c:\windows\nk.txt
    3⤵
    - Drops file in Windows directory
    PID:2396
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\WINDOWS\VWFLH\rMX.exe.exe
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2208
  - - C:\WINDOWS\VWFLH\rMX.exe.exe
      C:\WINDOWS\VWFLH\rMX.exe.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2704
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\51.vbs
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2600
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\51.vbs"
        6⤵
        
        PID:2480
- C:\Windows\SysWOW64\cmd.exe
  cmd /c c:\72.vbs
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3064
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\72.vbs"
    3⤵
    - Deletes itself
    PID:2484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\51.vbs

Filesize
162B

MD5
c62dfa660bac6895cf009e2e33265347

SHA1
c0ca35400dcd7e7db069d63f08169adef99b1f6b

SHA256
8db28e197fe38cb938ac70cf19d4be19ed1a9e6386cc7fa5c67566928b00a73e

SHA512
683f8f388f2392413b980777539d4db12fcccea7fb752bebdf4f40f21164a4e5a02d5ac1c8b02fdc74698587de179753c027b0a74ae915724a2af9023803245e

Download Submit
C:\72.vbs

Filesize
219B

MD5
94b774463df9e48b3c5ad4a51af55285

SHA1
962d59e4991e4e81af9434d5f0f4c816c9e93592

SHA256
7180e26bc9c741a5d2d05ca32260d8defac1326db71ade7c7943114a450d3289

SHA512
a0bf8c6f25d2cd9eed91972b567c53caa9fb8d634fda65a4f2ba5b7f927178a2a2876da86dddc28a8a23d465756ecba6b78734f210d8050a852f4b9a4430c570

Download Submit
C:\Windows\VWFLH\rMX.exe

Filesize
95KB

MD5
8a4010ab205b0d866e3569278dec80d0

SHA1
34feead405b1fd554fa826fd712bb1addc10c4e9

SHA256
ba898f05f347722f00737f2e70d80daa934c102142154ff2a7208a5ae2f4000f

SHA512
1b34ccf7377f778529d87ed57fb9b1be851d912a11e61f0c44f632781598eaff68fe61cacea2fa81a5baf808b7a356e0e81bf74b1441dc941ecf3c0767122e87

Download Submit
\Windows\VWFLH\rMX.exe.exe

Filesize
95KB

MD5
b55ae59c75ecc6cd08a8a19c11ce292d

SHA1
842414450e85bd60722e275d5702bcb0e8cef183

SHA256
e42cfede4d9e51f5f27e88def0a7c3d1064bdc9dcf0529741b816deb4fd84e18

SHA512
4fdb68561cd07d72e7caf1ff7e9728ffd8e27bf9c7705e43d511aa0c4b6aa859ea956c893f493ca5cc53255df4bc42512e3356a3f9102b9538eda15aa8253def

Download Submit
memory/2356-15-0x000000007EEE0000-0x000000007EEFF000-memory.dmp

Filesize
124KB

Download
memory/2704-28-0x000000007EEE0000-0x000000007EEFF000-memory.dmp

Filesize
124KB

Download
memory/3036-13-0x000000007EEE0000-0x000000007EEFF000-memory.dmp

Filesize
124KB

Download