00aca96c37b587c8dc04756bdf8c9a5d1beadf81b450331aaf59e298a6d7e807

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
13/06/2024, 09:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7129434d69a97970d3e9d1c6641b1570_NeikiAnalytics.exe
Size

76KB
MD5

7129434d69a97970d3e9d1c6641b1570
SHA1

2559f4d403ba01746ec2a6955f9a14efd6853530
SHA256

00aca96c37b587c8dc04756bdf8c9a5d1beadf81b450331aaf59e298a6d7e807
SHA512

2eb01b351398df484546b39922127a289f5ec04be5b3b7f8780ac1681d748c095202899b8b3ce6e4b2fec0d877e52156c2c172589961abd3c40227e93ed398c3
SSDEEP

768:2iIrC66UWlziHvc+xOF4/i/BEYkp7P6lweQDhDmpU5GFrrEzWsdSE0d8pUHIkI09:2/3WdYxO+2G40OIkaO5

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2620	riogoo.exe

Loads dropped DLL 7 IoCs

pid	Process
2176	7129434d69a97970d3e9d1c6641b1570_NeikiAnalytics.exe
2176	7129434d69a97970d3e9d1c6641b1570_NeikiAnalytics.exe
2596	WerFault.exe
2596	WerFault.exe
2596	WerFault.exe
2596	WerFault.exe
2596	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2460	2176	WerFault.exe	27
2596	2620	WerFault.exe	29

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2176	7129434d69a97970d3e9d1c6641b1570_NeikiAnalytics.exe
2620	riogoo.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2176 wrote to memory of 2620	2176	7129434d69a97970d3e9d1c6641b1570_NeikiAnalytics.exe	29
PID 2176 wrote to memory of 2620	2176	7129434d69a97970d3e9d1c6641b1570_NeikiAnalytics.exe	29
PID 2176 wrote to memory of 2620	2176	7129434d69a97970d3e9d1c6641b1570_NeikiAnalytics.exe	29
PID 2176 wrote to memory of 2620	2176	7129434d69a97970d3e9d1c6641b1570_NeikiAnalytics.exe	29
PID 2176 wrote to memory of 2460	2176	7129434d69a97970d3e9d1c6641b1570_NeikiAnalytics.exe	30
PID 2176 wrote to memory of 2460	2176	7129434d69a97970d3e9d1c6641b1570_NeikiAnalytics.exe	30
PID 2176 wrote to memory of 2460	2176	7129434d69a97970d3e9d1c6641b1570_NeikiAnalytics.exe	30
PID 2176 wrote to memory of 2460	2176	7129434d69a97970d3e9d1c6641b1570_NeikiAnalytics.exe	30
PID 2620 wrote to memory of 2596	2620	riogoo.exe	31
PID 2620 wrote to memory of 2596	2620	riogoo.exe	31
PID 2620 wrote to memory of 2596	2620	riogoo.exe	31
PID 2620 wrote to memory of 2596	2620	riogoo.exe	31

C:\Users\Admin\AppData\Local\Temp\7129434d69a97970d3e9d1c6641b1570_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\7129434d69a97970d3e9d1c6641b1570_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2176
- C:\Users\Admin\riogoo.exe
  "C:\Users\Admin\riogoo.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2620
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2620 -s 860
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2596
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2176 -s 1000
  2⤵
  - Program crash
  PID:2460

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\riogoo.exe

Filesize
76KB

MD5
9149516a0fb43c049ceae1b3aced6507

SHA1
9173351a3853b374c479b0de83fdff865a43310b

SHA256
676313f3b219ba2acc758d735e986506ef1b085bfa7e9fe8b34277cc1568f43f

SHA512
ff96d8e89a150e25fc9c2962f185c51b62e2ed870aa6cd082f49448330cfef010b156cfd2878c7806d689c23ac41fac9f8729b9274398a15e6a8f7e4cc4cd680

Download Submit