Analysis
max time kernel: 121s
max time network: 122s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 18-06-2024 22:38
Behavioral task
behavioral1
Sample
5f23c5fe29d4e99c992b6c5bb69799e0_NeikiAnalytics.exe
Resource
win7-20240508-en
General
Target: 5f23c5fe29d4e99c992b6c5bb69799e0_NeikiAnalytics.exe
Size: 56KB
MD5: 5f23c5fe29d4e99c992b6c5bb69799e0
SHA1: 77498d7bcd1a2292f5bbde0ccf6646c406da2cd8
SHA256: 270b2bb94948fc12d73c9cb6766a4b9920e22172e8400afc13d5db4da533e621
SHA512: 75e090a5a905e946357e87eeb9ba74a770b7b61201ce07cd38af6a9f80ec1c09fee88fb297edb555cfacefe845350d72f427d408fd3fa90b63a66d413b99ff99
SSDEEP: 1536:6W82C0Db1edMckBI1kmJAhTPY6pnouy8W:6n25DbaMySmJAhbvoutW
Malware Config
Extracted
urelas
218.54.47.76
218.54.47.77
218.54.47.74
Signatures
Deletes itself (1 IoCs)
Processes:
pid   process
2600  cmd.exe
Executes dropped EXE (1 IoCs)
Processes:
pid   process
2848  biudfw.exe
Loads dropped DLL (1 IoCs)
Processes:
pid   process
2912  5f23c5fe29d4e99c992b6c5bb69799e0_NeikiAnalytics.exe
Processes:
resource                                                                     yara_rule
behavioral1/memory/2912-0-0x00000000000D0000-0x00000000000FC000-memory.dmp   upx
behavioral1/memory/2848-17-0x0000000000950000-0x000000000097C000-memory.dmp  upx
C:\Users\Admin\AppData\Local\Temp\biudfw.exe                                 upx
behavioral1/memory/2912-19-0x00000000000D0000-0x00000000000FC000-memory.dmp  upx
behavioral1/memory/2848-22-0x0000000000950000-0x000000000097C000-memory.dmp  upx
behavioral1/memory/2848-24-0x0000000000950000-0x000000000097C000-memory.dmp  upx
behavioral1/memory/2848-31-0x0000000000950000-0x000000000097C000-memory.dmp  upx
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Suspicious use of WriteProcessMemory (8 IoCs)
Processes:
description                         pid   process                                              target process
PID 2912 wrote to memory of 2848    2912  5f23c5fe29d4e99c992b6c5bb69799e0_NeikiAnalytics.exe  biudfw.exe
PID 2912 wrote to memory of 2848    2912  5f23c5fe29d4e99c992b6c5bb69799e0_NeikiAnalytics.exe  biudfw.exe
PID 2912 wrote to memory of 2848    2912  5f23c5fe29d4e99c992b6c5bb69799e0_NeikiAnalytics.exe  biudfw.exe
PID 2912 wrote to memory of 2848    2912  5f23c5fe29d4e99c992b6c5bb69799e0_NeikiAnalytics.exe  biudfw.exe
PID 2912 wrote to memory of 2600    2912  5f23c5fe29d4e99c992b6c5bb69799e0_NeikiAnalytics.exe  cmd.exe
PID 2912 wrote to memory of 2600    2912  5f23c5fe29d4e99c992b6c5bb69799e0_NeikiAnalytics.exe  cmd.exe
PID 2912 wrote to memory of 2600    2912  5f23c5fe29d4e99c992b6c5bb69799e0_NeikiAnalytics.exe  cmd.exe
PID 2912 wrote to memory of 2600    2912  5f23c5fe29d4e99c992b6c5bb69799e0_NeikiAnalytics.exe  cmd.exe
Processes
C:\Users\Admin\AppData\Local\Temp\5f23c5fe29d4e99c992b6c5bb69799e0_NeikiAnalytics.exe
  "C:\Users\Admin\AppData\Local\Temp\5f23c5fe29d4e99c992b6c5bb69799e0_NeikiAnalytics.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2912
  C:\Users\Admin\AppData\Local\Temp\biudfw.exe
    "C:\Users\Admin\AppData\Local\Temp\biudfw.exe"
    - Executes dropped EXE
    PID:2848
  C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
    - Deletes itself
    PID:2600
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Users\Admin\AppData\Local\Temp\biudfw.exe
Filesize: 56KB
MD5: 33abf052c37bf9fa90f108a7f48add32
SHA1: 98898fa96b3f2027804309a96e0dd2e38c3cde0d
SHA256: 70cbc1bf21370dd68fa3149e6d8991af754a28d9f6fd021cd26533c6b790c51c
SHA512: f2d5d99af9eebdd74d7a9e362024b03ec716d7f144ff87b92717b8d1fb4128468c96401a5cc71a513222632ad6d24d444ae13837eaacbdcf47b1f0a3a87f1000
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
Filesize: 512B
MD5: b4a86880004da8726288d7ec954885a8
SHA1: 1bab1cfbdc2c540246210bc7852f8fe7e8357b31
SHA256: c85016a9115aeb492bf116ab05791a9c3e6e30c39274767bd0476bd56a37db46
SHA512: 22758f6c6de591c99f8f9857c1b03e55c242f0a4987d376b08c30bc608027d1574a228a8230099ddac2a3214663396b016e85d085204155a5ec26f87a28496b4
C:\Users\Admin\AppData\Local\Temp\sanfdr.bat
Filesize: 304B
MD5: 3f149920e4d09e8d64558827835cc9af
SHA1: dea72bc644c12b27fbfb3236e74b009b0ad7269b
SHA256: f3b5c3f2d164ea317e03dd92a8f2c32ead90dd248bfa4b59cdbebabc6040bb8b
SHA512: 2f41fbdf2c99834d10fc93b9e2158bccf88997697c8a4154dbe56262ba4ad007668dcc210fbb73aee899e95c2c1bd628c0b9ed9e0e7787cfc03906b4199f9f77
memory/2848-17-0x0000000000950000-0x000000000097C000-memory.dmp
Filesize: 176KB
memory/2848-22-0x0000000000950000-0x000000000097C000-memory.dmp
Filesize: 176KB
memory/2848-24-0x0000000000950000-0x000000000097C000-memory.dmp
Filesize: 176KB
memory/2848-31-0x0000000000950000-0x000000000097C000-memory.dmp
Filesize: 176KB
memory/2912-0-0x00000000000D0000-0x00000000000FC000-memory.dmp
Filesize: 176KB
memory/2912-15-0x0000000000420000-0x000000000044C000-memory.dmp
Filesize: 176KB
memory/2912-19-0x00000000000D0000-0x00000000000FC000-memory.dmp
Filesize: 176KB