Analysis
-
max time kernel
121s -
max time network
126s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64 arch:x86 image:win7-20240508-en locale:en-us os:windows7-x64 system -
submitted
13-06-2024 07:38
Static task
static1
Behavioral task
behavioral1
Sample
69bd2376715fb9458a80e7e527832b00_NeikiAnalytics.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
69bd2376715fb9458a80e7e527832b00_NeikiAnalytics.exe
Resource
win10v2004-20240508-en
General
-
Target
69bd2376715fb9458a80e7e527832b00_NeikiAnalytics.exe
-
Size
36KB
-
MD5
69bd2376715fb9458a80e7e527832b00
-
SHA1
17200cc250b5eef179fff58a463bfe8eb017436c
-
SHA256
c8468234c23f6e2a7985cdb3dfda34a3f0a357f762e3e54d369f19d94fb5d7e2
-
SHA512
964d2c3bd8cfe44f4ae7d644bb084d35b171036e9e126d9b71122f7a333837bda20ea0bca4efcf1adb81759dbede8ce17f88e6b63a8f9a8aeeebc252a54a65b2
-
SSDEEP
384:KrxUgV8y88phTy4byzLeReRbn0BJr6OjWD3f8VsWswisr+Ht9mNKPKBnUDnrg:es18phTQi3LbjOP8maiC0fmNKPK+Drg
Malware Config
Signatures
-
Adds Run key to start application 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\TrkWks = "C:\\Users\\Admin\\AppData\\Local\\TrkWks.exe" | regedit.exe -
Runs .reg file with regedit 1 IoCs
pid | Process
2848 | regedit.exe -
Suspicious behavior: RenamesItself 2 IoCs
pid | Process
2980 | 69bd2376715fb9458a80e7e527832b00_NeikiAnalytics.exe
2980 | 69bd2376715fb9458a80e7e527832b00_NeikiAnalytics.exe -
Suspicious use of WriteProcessMemory 7 IoCs
description | pid | Process | procid_target
PID 2980 wrote to memory of 2848 | 2980 | 69bd2376715fb9458a80e7e527832b00_NeikiAnalytics.exe | 28
PID 2980 wrote to memory of 2848 | 2980 | 69bd2376715fb9458a80e7e527832b00_NeikiAnalytics.exe | 28
PID 2980 wrote to memory of 2848 | 2980 | 69bd2376715fb9458a80e7e527832b00_NeikiAnalytics.exe | 28
PID 2980 wrote to memory of 2848 | 2980 | 69bd2376715fb9458a80e7e527832b00_NeikiAnalytics.exe | 28
PID 2980 wrote to memory of 2848 | 2980 | 69bd2376715fb9458a80e7e527832b00_NeikiAnalytics.exe | 28
PID 2980 wrote to memory of 2848 | 2980 | 69bd2376715fb9458a80e7e527832b00_NeikiAnalytics.exe | 28
PID 2980 wrote to memory of 2848 | 2980 | 69bd2376715fb9458a80e7e527832b00_NeikiAnalytics.exe | 28
Processes
-
C:\Users\Admin\AppData\Local\Temp\69bd2376715fb9458a80e7e527832b00_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\69bd2376715fb9458a80e7e527832b00_NeikiAnalytics.exe"
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2980 -
C:\Windows\SysWOW64\regedit.exe
regedit.exe /s C:\Users\Admin\AppData\Local\Temp\~dfds3.reg
- Adds Run key to start application
- Runs .reg file with regedit
PID:2848
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
164B
-
Filesize
36KB