Overview

overview

7

Static

static

3

a7d713b5c5...cs.exe

windows7-x64

7

a7d713b5c5...cs.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20240611-en
  • resource tags

    arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
  • submitted
    14/06/2024, 05:59

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    a7d713b5c5afd331d0f61a235e72cd40_NeikiAnalytics.exe

  • Size

    464KB

  • MD5

    a7d713b5c5afd331d0f61a235e72cd40

  • SHA1

    944b379de5feb71c58b6ef47d1f4f7d001aff5bc

  • SHA256

    a7c3917d9a373260010ad28f74786005155daec97dde20abc21cf3e489e8c332

  • SHA512

    e956111ff631647cc956749f7e47890d4a6b855d204089ccae5aed51e44de99d094812ce70ab2369855f46b9b39f37797f332c35fad31577c1fecd07fa9c9e06

  • SSDEEP

    12288:Qslc87eqqV5e+wBV6O+Yx8yy9jB+/TZ8ZCBgS67X:QsSqqHeVBxlxR61+d7j6D

Score
7/10
persistence

Malware Config

Signatures

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in System32 directory 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    PID:1396
    • C:\Users\Admin\AppData\Local\Temp\a7d713b5c5afd331d0f61a235e72cd40_NeikiAnalytics.exe
      "C:\Users\Admin\AppData\Local\Temp\a7d713b5c5afd331d0f61a235e72cd40_NeikiAnalytics.exe"
      2⤵
      • Loads dropped DLL
      • Adds Run key to start application
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:2764
      • C:\Users\Admin\AppData\Roaming\bthuelog\RMAcfWrp.exe
        "C:\Users\Admin\AppData\Roaming\bthuelog"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1856
        • C:\Users\Admin\AppData\Local\Temp\~62F7.tmp
          1396 475656 1856 1
          4⤵
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:2600
  • C:\Windows\SysWOW64\ctfmerpt.exe
    C:\Windows\SysWOW64\ctfmerpt.exe -s
    1⤵
    • Executes dropped EXE
    PID:2620

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\~62F7.tmp
          Filesize

          8KB

          MD5

          86dc243576cf5c7445451af37631eea9

          SHA1

          99a81c47c4c02f32c0ab456bfa23c306c7a09bf9

          SHA256

          25d2a671e1b5b5b95697ac0234ce4d46e0d0894919521b54aabebd9daecf994a

          SHA512

          c7310524f9b65f811146c1eb6ae944966351ac88a95fbc1ac422d8810730e5e212a7e28090ad758ea23c96ba38073e7fcf42460575e7f09dbc759a45c5d5a4a4

          Download Submit

        • \Users\Admin\AppData\Roaming\bthuelog\RMAcfWrp.exe
          Filesize

          464KB

          MD5

          ef4beb03988ef70fadd5faba52f295f9

          SHA1

          5bb6d997b5aa58fc4db590bddc42215788da10b4

          SHA256

          f637377989ee28bd016f3b464473d5762c7bb5d9922adadfddf9117db9f09412

          SHA512

          71bd5ed0dcb10ac0848efbc63d4496e24ca790db71beedfab3c6f8343de908cd19ae9cf62a5b57e3dadc41623ad77dfd0fd34cf718939962e577be388db07ca5

          Download Submit

        • memory/1396-20-0x0000000003A70000-0x0000000003AF4000-memory.dmp

          Filesize

          528KB

          Download

        • memory/1396-27-0x00000000026F0000-0x00000000026FD000-memory.dmp

          Filesize

          52KB

          Download

        • memory/1396-26-0x0000000002150000-0x0000000002156000-memory.dmp

          Filesize

          24KB

          Download

        • memory/1396-25-0x0000000003A70000-0x0000000003AF4000-memory.dmp

          Filesize

          528KB

          Download

        • memory/1396-21-0x0000000003A70000-0x0000000003AF4000-memory.dmp

          Filesize

          528KB

          Download

        • memory/1856-24-0x0000000000400000-0x000000000047B000-memory.dmp

          Filesize

          492KB

          Download

        • memory/1856-16-0x0000000000250000-0x0000000000255000-memory.dmp

          Filesize

          20KB

          Download

        • memory/1856-14-0x0000000000480000-0x00000000004FD000-memory.dmp

          Filesize

          500KB

          Download

        • memory/2620-32-0x0000000000220000-0x000000000029D000-memory.dmp

          Filesize

          500KB

          Download

        • memory/2620-33-0x0000000000400000-0x000000000047B000-memory.dmp

          Filesize

          492KB

          Download

        • memory/2764-1-0x00000000002F0000-0x000000000036D000-memory.dmp

          Filesize

          500KB

          Download

        • memory/2764-5-0x0000000000480000-0x00000000004FB000-memory.dmp

          Filesize

          492KB

          Download

        • memory/2764-12-0x0000000000480000-0x00000000004FB000-memory.dmp

          Filesize

          492KB

          Download

        • memory/2764-0-0x0000000000400000-0x000000000047B000-memory.dmp

          Filesize

          492KB

          Download