82bc7287f044d9daffd476e57c2662b40b57d3cd9aa486d06348983e67fb9dc3

Analysis

max time kernel
139s
max time network
147s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
17/06/2024, 03:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3c739903781d94a528576b94c044b7d0_NeikiAnalytics.exe
Size

50KB
MD5

3c739903781d94a528576b94c044b7d0
SHA1

c23457f7ebb57f203e18093711355d8cd7a179de
SHA256

82bc7287f044d9daffd476e57c2662b40b57d3cd9aa486d06348983e67fb9dc3
SHA512

0810ecb9ed69b7287d61ac6fc699f2743e4c6c485005bab1e715e554f8d85cd59f492db8c7bf255b453147e71e6c8313baecade236b0fe585c3da03767479ec2
SSDEEP

768:9qSqC8+N5ozQQRncwxWmNXMX3cX8tcXmcX8/XrX8/uUjycy:9rqfzQQRamN88xjm7c7Ocy

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1704	jusched.exe

Loads dropped DLL 2 IoCs

pid	Process
2588	3c739903781d94a528576b94c044b7d0_NeikiAnalytics.exe
2588	3c739903781d94a528576b94c044b7d0_NeikiAnalytics.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\125ccb2b\jusched.exe	3c739903781d94a528576b94c044b7d0_NeikiAnalytics.exe
File created	C:\Program Files (x86)\125ccb2b\125ccb2b	3c739903781d94a528576b94c044b7d0_NeikiAnalytics.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1704	jusched.exe
1704	jusched.exe
1704	jusched.exe
1704	jusched.exe
1704	jusched.exe
1704	jusched.exe
1704	jusched.exe
1704	jusched.exe
1704	jusched.exe
1704	jusched.exe
1704	jusched.exe
1704	jusched.exe
1704	jusched.exe
1704	jusched.exe
1704	jusched.exe
1704	jusched.exe
1704	jusched.exe
1704	jusched.exe
1704	jusched.exe
1704	jusched.exe
1704	jusched.exe
1704	jusched.exe
1704	jusched.exe
1704	jusched.exe
1704	jusched.exe
1704	jusched.exe
1704	jusched.exe
1704	jusched.exe
1704	jusched.exe
1704	jusched.exe
1704	jusched.exe
1704	jusched.exe
1704	jusched.exe
1704	jusched.exe
1704	jusched.exe
1704	jusched.exe
1704	jusched.exe
1704	jusched.exe
1704	jusched.exe
1704	jusched.exe
1704	jusched.exe
1704	jusched.exe
1704	jusched.exe
1704	jusched.exe
1704	jusched.exe
1704	jusched.exe
1704	jusched.exe
1704	jusched.exe
1704	jusched.exe
1704	jusched.exe
1704	jusched.exe
1704	jusched.exe
1704	jusched.exe
1704	jusched.exe
1704	jusched.exe
1704	jusched.exe
1704	jusched.exe
1704	jusched.exe
1704	jusched.exe
1704	jusched.exe
1704	jusched.exe
1704	jusched.exe
1704	jusched.exe
1704	jusched.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2588 wrote to memory of 1704	2588	3c739903781d94a528576b94c044b7d0_NeikiAnalytics.exe	28
PID 2588 wrote to memory of 1704	2588	3c739903781d94a528576b94c044b7d0_NeikiAnalytics.exe	28
PID 2588 wrote to memory of 1704	2588	3c739903781d94a528576b94c044b7d0_NeikiAnalytics.exe	28
PID 2588 wrote to memory of 1704	2588	3c739903781d94a528576b94c044b7d0_NeikiAnalytics.exe	28

C:\Users\Admin\AppData\Local\Temp\3c739903781d94a528576b94c044b7d0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\3c739903781d94a528576b94c044b7d0_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2588
- C:\Program Files (x86)\125ccb2b\jusched.exe
  "C:\Program Files (x86)\125ccb2b\jusched.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\125ccb2b\125ccb2b

Filesize
13B

MD5
f253efe302d32ab264a76e0ce65be769

SHA1
768685ca582abd0af2fbb57ca37752aa98c9372b

SHA256
49dca65f362fee401292ed7ada96f96295eab1e589c52e4e66bf4aedda715fdd

SHA512
1990d20b462406bbadb22ba43f1ed9d0db6b250881d4ac89ad8cf6e43ca92b2fd31c3a15be1e6e149e42fdb46e58122c15bc7869a82c9490656c80df69fa77c4

Download Submit
\Program Files (x86)\125ccb2b\jusched.exe

Filesize
50KB

MD5
ff61a1fab5e8ed1e1cc115a34d58c5a1

SHA1
4a94f372918f77fe916943ef608ae23314996701

SHA256
8903c535511928765f4c77d09697c499f5170fac40da4e5963641d94e680f8c7

SHA512
0f90dce73068d6006154404a0850a7f473532fdfee5133423c41717260ad3bba50e7b7324f5af6fe06bac4f1abb9070dccbdc1b93345a2b669c01c34ed25edec

Download Submit
memory/1704-19-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1704-22-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2588-0-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2588-5-0x0000000000401000-0x0000000000406000-memory.dmp

Filesize
20KB

Download
memory/2588-4-0x0000000000220000-0x0000000000223000-memory.dmp

Filesize
12KB

Download
memory/2588-3-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2588-18-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2588-16-0x0000000004930000-0x0000000004974000-memory.dmp

Filesize
272KB

Download
memory/2588-15-0x0000000004930000-0x0000000004974000-memory.dmp

Filesize
272KB

Download