Analysis
-
max time kernel
122s -
max time network
128s -
platform
windows7_x64 -
resource
win7-20240611-en -
resource tags
arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
submitted
20-06-2024 04:14
Behavioral task
behavioral1
Sample
32a8633e85d46b2ac179622c8a339a94670cffe9eebc1cc1f4e243b48aee735a_NeikiAnalytics.exe
Resource
win7-20240611-en
General
-
Target
32a8633e85d46b2ac179622c8a339a94670cffe9eebc1cc1f4e243b48aee735a_NeikiAnalytics.exe
-
Size
266KB
-
MD5
5697ab83962cdd7ef04a84b230ac1c00
-
SHA1
afbd779643d78f1667958ff1a2c9b271420d2334
-
SHA256
32a8633e85d46b2ac179622c8a339a94670cffe9eebc1cc1f4e243b48aee735a
-
SHA512
8290631716813c997782afd6e832393a5910c0258a4198e45881c60dafd7157b8848c93a2fd03a035348b8c9c9a8f4cdadfd09d7f15b6266e4016baa4d92b338
-
SSDEEP
6144:RZibQcmlVD+BgotLvTtehd1wLIE92FJ1wZycp3HiTJ/:R0q+BgotLvTtehd1wd92FJ1Nl
Malware Config
Extracted
urelas
112.175.88.208
112.175.88.207
Signatures
-
Deletes itself 1 IoCs
Processes:
pid process
2120 cmd.exe
-
Executes dropped EXE 1 IoCs
Processes:
pid process
1648 huter.exe
-
Loads dropped DLL 1 IoCs
Processes:
pid process
1784 32a8633e85d46b2ac179622c8a339a94670cffe9eebc1cc1f4e243b48aee735a_NeikiAnalytics.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
description pid process target process
PID 1784 wrote to memory of 1648 1784 32a8633e85d46b2ac179622c8a339a94670cffe9eebc1cc1f4e243b48aee735a_NeikiAnalytics.exe huter.exe
PID 1784 wrote to memory of 1648 1784 32a8633e85d46b2ac179622c8a339a94670cffe9eebc1cc1f4e243b48aee735a_NeikiAnalytics.exe huter.exe
PID 1784 wrote to memory of 1648 1784 32a8633e85d46b2ac179622c8a339a94670cffe9eebc1cc1f4e243b48aee735a_NeikiAnalytics.exe huter.exe
PID 1784 wrote to memory of 1648 1784 32a8633e85d46b2ac179622c8a339a94670cffe9eebc1cc1f4e243b48aee735a_NeikiAnalytics.exe huter.exe
PID 1784 wrote to memory of 2120 1784 32a8633e85d46b2ac179622c8a339a94670cffe9eebc1cc1f4e243b48aee735a_NeikiAnalytics.exe cmd.exe
PID 1784 wrote to memory of 2120 1784 32a8633e85d46b2ac179622c8a339a94670cffe9eebc1cc1f4e243b48aee735a_NeikiAnalytics.exe cmd.exe
PID 1784 wrote to memory of 2120 1784 32a8633e85d46b2ac179622c8a339a94670cffe9eebc1cc1f4e243b48aee735a_NeikiAnalytics.exe cmd.exe
PID 1784 wrote to memory of 2120 1784 32a8633e85d46b2ac179622c8a339a94670cffe9eebc1cc1f4e243b48aee735a_NeikiAnalytics.exe cmd.exe
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\32a8633e85d46b2ac179622c8a339a94670cffe9eebc1cc1f4e243b48aee735a_NeikiAnalytics.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\32a8633e85d46b2ac179622c8a339a94670cffe9eebc1cc1f4e243b48aee735a_NeikiAnalytics.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   PID: 1784
   2. C:\Users\Admin\AppData\Local\Temp\huter.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\huter.exe"
      - Executes dropped EXE
      PID: 1648
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "
      - Deletes itself
      PID: 2120
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
512B
MD5 a2de452e45db47c817b5ada178bd2e83
SHA1 44b16b5c0e400a2af95299d0c08a6a4fda14bc4c
SHA256 516ba3f510ebfd821b47f63ac2c47faa15d5f2ba8732c79c0265fa8aa3ad8fd4
SHA512 8799d95d502764a4266c37c1c5fbb24fb9ab94983310962deafd5e246c5900993dffb2c2b06ab6709cc4141aab3346a9cf65b2a62744dbf11c7d381af654be85
-
Filesize
368B
MD5 924cda1f4f9eaec4bf0b72dc710f6abd
SHA1 b4f988e8b66986730b152910b15e7b8e66da0f63
SHA256 e04be363d1cf4b7db48087efcaf672182c6444deafc9c55dee193129d3ed71eb
SHA512 a7cd549c1732e4e3d314b7117ead50d5898809faa7b91b205349288b34c529a40587dbfa760bec9a10350e872a70a50fbe6ef68e8d5ec7759e3e082b7a9bd423
-
Filesize
266KB
MD5 bca516555fd461a5a682a3037cc6c894
SHA1 247e613b3f9bbae21a785e7eb1e7e74734191e12
SHA256 48d628165ae881d747488d9d9e6b37e38e29b2c545d1f54432c798ca31d5a567
SHA512 9fd83e312d248e1185a73c0ce7f03723389c2308527dd21e387898f0d398b004d3e248013ff10bd50c62e9c25da42f9e8d77aeb02deb3d2c448e0692bf78f088