25b8d12a8ec62971da061e19853e91c442547602f1054478698e39cb959fe3b3

Analysis

max time kernel
118s
max time network
124s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
17/06/2024, 08:05

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

670020512a47a1faaac1617fd17b01c0_NeikiAnalytics.exe
Size

1.9MB
MD5

670020512a47a1faaac1617fd17b01c0
SHA1

459d4e5d3b4fb14e6d2d09fa05d60adfbb8e8421
SHA256

25b8d12a8ec62971da061e19853e91c442547602f1054478698e39cb959fe3b3
SHA512

4f4e30d52473d928373f31859459f8624c78ec43f428960435386056b9d4149460374afcae230b2263f57891c2d23aaa726a5be51aad18bbce4f3619684db9e7
SSDEEP

24576:hQRr47XdVtTj2i64T+jdxQCfgOFD3WSwd2QtBBw6xxhVxQtmibjOhZaiRu/4oMak:h64BbTChxKCnFnQXBbrtgb/iQvu0UHO0

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2676	@AE5F20.tmp.exe
2736	670020512a47a1faaac1617fd17b01c0_NeikiAnalytics.exe
2296	WdExt.exe
660	launch.exe
328	wtmps.exe
1388	mscaps.exe

Loads dropped DLL 11 IoCs

pid	Process
1532	explorer.exe
1532	explorer.exe
2676	@AE5F20.tmp.exe
1532	explorer.exe
2264	cmd.exe
2264	cmd.exe
2296	WdExt.exe
1772	cmd.exe
1772	cmd.exe
2108	cmd.exe
2108	cmd.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Defender Extension = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Defender\\launch.exe\""	launch.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\mscaps.exe	wtmps.exe
File opened for modification	C:\Windows\SysWOW64\mscaps.exe	wtmps.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
2676	@AE5F20.tmp.exe
2296	WdExt.exe
660	launch.exe
660	launch.exe
660	launch.exe
660	launch.exe
660	launch.exe
660	launch.exe
660	launch.exe
660	launch.exe
660	launch.exe

Suspicious use of WriteProcessMemory 58 IoCs

description	pid	Process	procid_target
PID 2996 wrote to memory of 1532	2996	670020512a47a1faaac1617fd17b01c0_NeikiAnalytics.exe	28
PID 2996 wrote to memory of 1532	2996	670020512a47a1faaac1617fd17b01c0_NeikiAnalytics.exe	28
PID 2996 wrote to memory of 1532	2996	670020512a47a1faaac1617fd17b01c0_NeikiAnalytics.exe	28
PID 2996 wrote to memory of 1532	2996	670020512a47a1faaac1617fd17b01c0_NeikiAnalytics.exe	28
PID 2996 wrote to memory of 1532	2996	670020512a47a1faaac1617fd17b01c0_NeikiAnalytics.exe	28
PID 2996 wrote to memory of 1532	2996	670020512a47a1faaac1617fd17b01c0_NeikiAnalytics.exe	28
PID 1532 wrote to memory of 2676	1532	explorer.exe	29
PID 1532 wrote to memory of 2676	1532	explorer.exe	29
PID 1532 wrote to memory of 2676	1532	explorer.exe	29
PID 1532 wrote to memory of 2676	1532	explorer.exe	29
PID 1532 wrote to memory of 2736	1532	explorer.exe	30
PID 1532 wrote to memory of 2736	1532	explorer.exe	30
PID 1532 wrote to memory of 2736	1532	explorer.exe	30
PID 1532 wrote to memory of 2736	1532	explorer.exe	30
PID 2676 wrote to memory of 2264	2676	@AE5F20.tmp.exe	31
PID 2676 wrote to memory of 2264	2676	@AE5F20.tmp.exe	31
PID 2676 wrote to memory of 2264	2676	@AE5F20.tmp.exe	31
PID 2676 wrote to memory of 2264	2676	@AE5F20.tmp.exe	31
PID 2676 wrote to memory of 1792	2676	@AE5F20.tmp.exe	33
PID 2676 wrote to memory of 1792	2676	@AE5F20.tmp.exe	33
PID 2676 wrote to memory of 1792	2676	@AE5F20.tmp.exe	33
PID 2676 wrote to memory of 1792	2676	@AE5F20.tmp.exe	33
PID 2264 wrote to memory of 2296	2264	cmd.exe	35
PID 2264 wrote to memory of 2296	2264	cmd.exe	35
PID 2264 wrote to memory of 2296	2264	cmd.exe	35
PID 2264 wrote to memory of 2296	2264	cmd.exe	35
PID 2296 wrote to memory of 1772	2296	WdExt.exe	36
PID 2296 wrote to memory of 1772	2296	WdExt.exe	36
PID 2296 wrote to memory of 1772	2296	WdExt.exe	36
PID 2296 wrote to memory of 1772	2296	WdExt.exe	36
PID 1772 wrote to memory of 660	1772	cmd.exe	38
PID 1772 wrote to memory of 660	1772	cmd.exe	38
PID 1772 wrote to memory of 660	1772	cmd.exe	38
PID 1772 wrote to memory of 660	1772	cmd.exe	38
PID 1772 wrote to memory of 660	1772	cmd.exe	38
PID 1772 wrote to memory of 660	1772	cmd.exe	38
PID 1772 wrote to memory of 660	1772	cmd.exe	38
PID 660 wrote to memory of 2108	660	launch.exe	39
PID 660 wrote to memory of 2108	660	launch.exe	39
PID 660 wrote to memory of 2108	660	launch.exe	39
PID 660 wrote to memory of 2108	660	launch.exe	39
PID 660 wrote to memory of 2108	660	launch.exe	39
PID 660 wrote to memory of 2108	660	launch.exe	39
PID 660 wrote to memory of 2108	660	launch.exe	39
PID 2108 wrote to memory of 328	2108	cmd.exe	41
PID 2108 wrote to memory of 328	2108	cmd.exe	41
PID 2108 wrote to memory of 328	2108	cmd.exe	41
PID 2108 wrote to memory of 328	2108	cmd.exe	41
PID 2108 wrote to memory of 328	2108	cmd.exe	41
PID 2108 wrote to memory of 328	2108	cmd.exe	41
PID 2108 wrote to memory of 328	2108	cmd.exe	41
PID 328 wrote to memory of 1388	328	wtmps.exe	42
PID 328 wrote to memory of 1388	328	wtmps.exe	42
PID 328 wrote to memory of 1388	328	wtmps.exe	42
PID 328 wrote to memory of 1388	328	wtmps.exe	42
PID 328 wrote to memory of 1388	328	wtmps.exe	42
PID 328 wrote to memory of 1388	328	wtmps.exe	42
PID 328 wrote to memory of 1388	328	wtmps.exe	42

C:\Users\Admin\AppData\Local\Temp\670020512a47a1faaac1617fd17b01c0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\670020512a47a1faaac1617fd17b01c0_NeikiAnalytics.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2996
- C:\Windows\SysWOW64\explorer.exe
  explorer.exe
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1532
- - C:\Users\Admin\AppData\Local\Temp\@AE5F20.tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\@AE5F20.tmp.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2676
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Roaming\Temp\Admin0.bat" "
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2264
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2296
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Roaming\Temp\Admin1.bat" "
        6⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1772
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Defender\launch.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Defender\launch.exe" /i 2296
        7⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:660
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Roaming\Temp\Admin0.bat" "
        8⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2108
        
        C:\Users\Admin\AppData\Local\Temp\wtmps.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wtmps.exe"
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:328
        
        C:\Windows\SysWOW64\mscaps.exe
        
        "C:\Windows\system32\mscaps.exe" /C:\Users\Admin\AppData\Local\Temp\wtmps.exe
        10⤵
        Executes dropped EXE
        
        PID:1388
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Roaming\Temp\Admin1.bat" "
      4⤵
      PID:1792
- - C:\Users\Admin\AppData\Local\Temp\670020512a47a1faaac1617fd17b01c0_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\670020512a47a1faaac1617fd17b01c0_NeikiAnalytics.exe"
    3⤵
    - Executes dropped EXE
    PID:2736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7475.tmp

Filesize
406B

MD5
37512bcc96b2c0c0cf0ad1ed8cfae5cd

SHA1
edf7f17ce28e1c4c82207cab8ca77f2056ea545c

SHA256
27e678bf5dc82219d6edd744f0b82567a26e40f8a9dcd6487205e13058e3ed1f

SHA512
6d4252ab5aa441a76ce2127224fefcb221259ab4d39f06437b269bd6bfdaae009c8f34e9603ec734159553bc9f1359bdd70316cd426d73b171a9f17c41077641

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6603.tmp

Filesize
1.0MB

MD5
df2c63605573c2398d796370c11cb26c

SHA1
efba97e2184ba3941edb008fcc61d8873b2b1653

SHA256
07ffcde2097d0af67464907fec6a4079b92da11583013bae7d3313fa32312fe8

SHA512
d9726e33fcfa96415cc906bdb1b0e53eba674eaf30ed77d41d245c1c59aa53e222246f691d82fa3a45f049fbf23d441768f9da21370e489232770ad5ae91d32f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe

Filesize
1.7MB

MD5
4a9038379f0a158e801076207fb590e9

SHA1
056926de3f60fa6f930021e07755a9e7a6a8afcd

SHA256
f8da9b8a0d3d79f4e5a24267f306e5e90649194fa077a472420b449a335d3967

SHA512
2a82c563b385ff522e33acd599f440088ba4f8f17aa4ad09a7790bc0351b1e284bdae15026a3bcc3dc22926590d08d49a03a2bbc9d4c13310878ccc6ed01ea51

Download Submit
C:\Users\Admin\AppData\Roaming\Temp\Admin0.bat

Filesize
129B

MD5
d1073c9b34d1bbd570928734aacff6a5

SHA1
78714e24e88d50e0da8da9d303bec65b2ee6d903

SHA256
b3c704b1a728004fc5e25899d72930a7466d7628dd6ddd795b3000897dfa4020

SHA512
4f2b9330e30fcc55245dc5d12311e105b2b2b9d607fbfc4a203c69a740006f0af58d6a01e2da284575a897528da71a2e61a7321034755b78feb646c8dd12347f

Download Submit
C:\Users\Admin\AppData\Roaming\Temp\Admin0.bat

Filesize
102B

MD5
1d68f046cd6a9197038fb2445d2bea05

SHA1
d8dca54cfa0b2ad404bce32d5d94634bcfc9b2d7

SHA256
9cddd4b2ac719f01052deef3aa558fbfbcd21d5728215651345c3d2b9ba250d9

SHA512
2720d071fd02b2cf0d9f1de8dd19117fd128f213dd7f66fa8adb00d7873a5de58d2f2618100d28eec85db707d9e34d20258f9a1f76acf75fe668e66722e1cc4c

Download Submit
C:\Users\Admin\AppData\Roaming\Temp\Admin1.bat

Filesize
126B

MD5
5a102436ac054506679c3a6da7514269

SHA1
9b25a4c09d80ea8f4873a214970360f66a9385dc

SHA256
a6f705088921963e178a86900327002dfe29eb916b3a96d115d0b542388bf527

SHA512
7f0918d58cf73d1d0d6e8ac34319beecd3ead5f9b27cdc67b51e85e9ba3c623d3418bb2cd46a268d1fdd1231a12049afc837072e741250d63c65984e8a6ff159

Download Submit
C:\Users\Admin\AppData\Roaming\Temp\Admin1.bat

Filesize
196B

MD5
52874efa2a828e80b4a9cf73321f2fa2

SHA1
63c6be2b760e6fcaecc323bd3ee420aeb2375bdf

SHA256
36366ffc9aa7c673af6127198df950f796d20097f73040dce16b022b31219bda

SHA512
72e89b7c1ac6140a9d3361d6b51c74e8a55098ae0ae3b1c5157cac786081e6054880786d14643fa0698f1a9f8b80feba8eb578e36e4e7d25b7fa758975c5e887

Download Submit
C:\Windows\SysWOW64\mscaps.exe

Filesize
200KB

MD5
78d3c8705f8baf7d34e6a6737d1cfa18

SHA1
9f09e248a29311dbeefae9d85937b13da042a010

SHA256
2c4c9ec8e9291ba5c73f641af2e0c3e1bbd257ac40d9fb9d3faab7cebc978905

SHA512
9a3c3175276da58f1bc8d1138e63238c8d8ccfbfa1a8a1338e88525eca47f8d745158bb34396b7c3f25e4296be5f45a71781da33ad0bbdf7ad88a9c305b85609

Download Submit
\Users\Admin\AppData\Local\Temp\670020512a47a1faaac1617fd17b01c0_NeikiAnalytics.exe

Filesize
141KB

MD5
5a432a042dae460abe7199b758e8606c

SHA1
821b965267ee15c6c59178777ae7a8dcfc80f4ba

SHA256
6e5d1f477d290905be27cebf9572bac6b05ffef2fad901d3c8e11f665f8b9a71

SHA512
72823cc212c585a8080122c416e66fe28cb5a1787ae384d52b2068aec4a16944ed10731c622c1db0d8035aee7b5706bc7d2a4e6295a6ce3e50eb4895cc968c75

Download Submit
\Users\Admin\AppData\Local\Temp\@AE5F20.tmp.exe

Filesize
1.7MB

MD5
55a578058a969d82855517d38d1ec5be

SHA1
fbf0af59e1c017b4b82b82074ee43df2a1fd40c0

SHA256
f4d99e11312e71a9d917a10aec1a76664d8ef06fbf23228b37543d60d3c22c46

SHA512
6a00b15ccba0490c3008830cf7a94daeb8e8bb68717ca909bbdc67ebb4327c1f24a7c677fe616b2e8c6420fb9a53e21176c968d407b99da058aa0c8d2081ac6b

Download Submit
\Users\Admin\AppData\Local\Temp\wtmps.exe

Filesize
276KB

MD5
75c1467042b38332d1ea0298f29fb592

SHA1
f92ea770c2ddb04cf0d20914578e4c482328f0f8

SHA256
3b20c853d4ca23240cd338b8cab16f1027c540ddfe9c4ffdca1624d2f923b373

SHA512
5c47c59ad222e2597ccdf2c100853c48f022e933f44c279154346eacf9e7e6f54214ada541d43a10424035f160b56131aab206c11512a9fd6ea614fbd3160aa0

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Defender\launch.exe

Filesize
172KB

MD5
daac1781c9d22f5743ade0cb41feaebf

SHA1
e2549eeeea42a6892b89d354498fcaa8ffd9cac4

SHA256
6a7093440420306cf7de53421a67af8a1094771e0aab9535acbd748d08ed766c

SHA512
190a7d5291e20002f996edf1e04456bfdff8b7b2f4ef113178bd42a9e5fd89fe6d410ae2c505de0358c4f53f9654ac1caaa8634665afa6d9691640dd4ee86160

Download Submit
\Users\Admin\AppData\Roaming\Temp\mydll.dll

Filesize
202KB

MD5
7ff15a4f092cd4a96055ba69f903e3e9

SHA1
a3d338a38c2b92f95129814973f59446668402a8

SHA256
1b594e6d057c632abb3a8cf838157369024bd6b9f515ca8e774b22fe71a11627

SHA512
4b015d011c14c7e10568c09bf81894681535efb7d76c3ef9071fffb3837f62b36e695187b2d32581a30f07e79971054e231a2ca4e8ad7f0f83d5876f8c086dae

Download Submit
memory/660-291-0x0000000010000000-0x0000000010015000-memory.dmp

Filesize
84KB

Download
memory/1532-1-0x00000000001A0000-0x00000000001A2000-memory.dmp

Filesize
8KB

Download
memory/2676-12-0x0000000010000000-0x0000000010015000-memory.dmp

Filesize
84KB

Download