Analysis
  max time kernel:   117s
  max time network:  119s
  platform:          windows7_x64
  resource:          win7-20231129-en
  resource tags:     arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
  submitted:         21-06-2024 02:04
Behavioral task: behavioral1
  Sample:    2d3b3d3c08f5d5142de85d7088c4563cc0e2a01190fd43388465a1d58bed206d_NeikiAnalytics.exe
  Resource:  win7-20231129-en
General
  Target:  2d3b3d3c08f5d5142de85d7088c4563cc0e2a01190fd43388465a1d58bed206d_NeikiAnalytics.exe
  Size:    156KB
  MD5:     be3fd09e273c6247739ac1cb38d37b50
  SHA1:    fa59cce73e58761a21e23e559d8ac08535071258
  SHA256:  2d3b3d3c08f5d5142de85d7088c4563cc0e2a01190fd43388465a1d58bed206d
  SHA512:  527beac98b828f7d123e2f85116429d1752cc75e78244960e1213ca19f1bf593901a006a6a112d95142fb420773be571022f42d38ee0babc4b03dce8cb105a08
  SSDEEP:  1536:ej+zUtBIBU+2Da4lH4Iiue58o/ZDv4GMfcHZIlVKAn5ZAcXeOqbZ6NjkEVnouy8J:eqSe5OmiEoAcCbZ6FNoutbN
Malware Config
Signatures

  Detect Blackmoon payload (4 IoCs)
    resource                                                                      yara_rule
    behavioral1/memory/1936-2-0x0000000000400000-0x0000000000429000-memory.dmp    family_blackmoon
    C:\xrlxflr.exe                                                                family_blackmoon
    behavioral1/memory/2184-8-0x0000000000400000-0x0000000000429000-memory.dmp    family_blackmoon
    behavioral1/memory/2184-11-0x0000000000400000-0x0000000000429000-memory.dmp   family_blackmoon

  Deletes itself (1 IoC)
    pid     process
    2184    xrlxflr.exe

  Executes dropped EXE (1 IoC)
    pid     process
    2184    xrlxflr.exe

  UPX packed file (yara rule upx, 4 IoCs)
    resource                                                                      yara_rule
    behavioral1/memory/1936-2-0x0000000000400000-0x0000000000429000-memory.dmp    upx
    C:\xrlxflr.exe                                                                upx
    behavioral1/memory/2184-8-0x0000000000400000-0x0000000000429000-memory.dmp    upx
    behavioral1/memory/2184-11-0x0000000000400000-0x0000000000429000-memory.dmp   upx

  Drops file in Windows directory (1 IoC)
    description     ioc                           process
    File created    \??\c:\windows\friendl.dll    xrlxflr.exe

  Suspicious use of WriteProcessMemory (4 IoCs)
    description                          pid     process                                                                                  target pid   target process
    PID 1936 wrote to memory of 2184     1936    2d3b3d3c08f5d5142de85d7088c4563cc0e2a01190fd43388465a1d58bed206d_NeikiAnalytics.exe   2184         xrlxflr.exe
    PID 1936 wrote to memory of 2184     1936    2d3b3d3c08f5d5142de85d7088c4563cc0e2a01190fd43388465a1d58bed206d_NeikiAnalytics.exe   2184         xrlxflr.exe
    PID 1936 wrote to memory of 2184     1936    2d3b3d3c08f5d5142de85d7088c4563cc0e2a01190fd43388465a1d58bed206d_NeikiAnalytics.exe   2184         xrlxflr.exe
    PID 1936 wrote to memory of 2184     1936    2d3b3d3c08f5d5142de85d7088c4563cc0e2a01190fd43388465a1d58bed206d_NeikiAnalytics.exe   2184         xrlxflr.exe

  Note: the family_blackmoon and upx rules both hit the same 0x0000000000400000-0x0000000000429000 region in the submitted process (PID 1936) and in the dropped xrlxflr.exe (PID 2184), as well as the dropped file on disk. The parent-to-child WriteProcessMemory entries are only suspicious in combination with the drop-and-execute and self-delete behaviour; a parent legitimately writes into a child it has just created.
Processes
  1. C:\Users\Admin\AppData\Local\Temp\2d3b3d3c08f5d5142de85d7088c4563cc0e2a01190fd43388465a1d58bed206d_NeikiAnalytics.exe
     command line: "C:\Users\Admin\AppData\Local\Temp\2d3b3d3c08f5d5142de85d7088c4563cc0e2a01190fd43388465a1d58bed206d_NeikiAnalytics.exe"
     PID: 1936
       - Suspicious use of WriteProcessMemory
     2. \??\c:\xrlxflr.exe
        command line: c:\xrlxflr.exe
        PID: 2184
          - Deletes itself
          - Executes dropped EXE
          - Drops file in Windows directory
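The behaviour in the Signatures and Processes sections, expressed as detection logic over process and file telemetry. This is an added example, not the sandbox's own rules: the event records are constructed to mirror the report's process tree (PID 1936 dropping and writing into PID 2184, the drop at c:\xrlxflr.exe, the write to c:\windows\friendl.dll, the self-deletion), and the record field names are assumptions rather than a real Sysmon schema.

```python
"""Behavioural detection over process and file telemetry.

Added example (not the sandbox's detection logic). EVENTS is constructed
to mirror this report's process tree and IoCs; the field names are an
assumed, simplified schema, not a real telemetry format.
"""
from collections import defaultdict

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\2d3b3d3c08f5d5142de85d7088c4563cc0e2a01190fd43388465a1d58bed206d_NeikiAnalytics.exe"

EVENTS = [  # constructed, in the order the sandbox would observe them
    {"type": "file_create", "pid": 1936, "image": SAMPLE, "path": r"C:\xrlxflr.exe"},
    {"type": "process_create", "pid": 2184, "ppid": 1936, "image": r"\??\c:\xrlxflr.exe"},
] + [
    {"type": "process_access", "pid": 1936, "target_pid": 2184, "access": "write"}
    for _ in range(4)  # the report records four WriteProcessMemory IoCs
] + [
    {"type": "file_create", "pid": 2184, "image": r"\??\c:\xrlxflr.exe", "path": r"\??\c:\windows\friendl.dll"},
    {"type": "file_delete", "pid": 2184, "image": r"\??\c:\xrlxflr.exe", "path": r"C:\xrlxflr.exe"},
]


def norm(path: str) -> str:
    """Normalise NT-style paths as the sandbox prints them (\\??\\c:\\x -> c:\\x)."""
    p = path.lower()
    return p[4:] if p.startswith("\\??\\") else p


def find_dropped_exe_execution(events) -> list:
    """'Executes dropped EXE': a process image that an earlier event created on disk."""
    created_by = {}  # normalised path -> pid that created it
    hits = []
    for ev in events:
        if ev["type"] == "file_create" and norm(ev["path"]).endswith(".exe"):
            created_by[norm(ev["path"])] = ev["pid"]
        elif ev["type"] == "process_create" and norm(ev["image"]) in created_by:
            hits.append({"sig": "executes_dropped_exe", "pid": ev["pid"],
                         "dropper": created_by[norm(ev["image"])], "image": norm(ev["image"])})
    return hits


def find_windows_dir_drops(events) -> list:
    """'Drops file in Windows directory': any file created under c:\\windows\\."""
    return [{"sig": "drops_file_in_windows_dir", "pid": ev["pid"], "path": norm(ev["path"])}
            for ev in events
            if ev["type"] == "file_create" and norm(ev["path"]).startswith("c:\\windows\\")]


def find_self_delete(events) -> list:
    """'Deletes itself': a process deleting the file it was launched from."""
    return [{"sig": "deletes_itself", "pid": ev["pid"]}
            for ev in events
            if ev["type"] == "file_delete" and norm(ev["path"]) == norm(ev["image"])]


def find_cross_process_writes(events, threshold: int = 1) -> list:
    """'Suspicious use of WriteProcessMemory': writes into another process, counted per pair."""
    counts = defaultdict(int)
    for ev in events:
        if ev["type"] == "process_access" and "write" in ev["access"]:
            counts[(ev["pid"], ev["target_pid"])] += 1
    return [{"sig": "writeprocessmemory", "pid": src, "target_pid": dst, "count": n}
            for (src, dst), n in counts.items() if n >= threshold]


def analyze(events) -> list:
    """Run every detector and return the combined findings."""
    findings = []
    for detector in (find_dropped_exe_execution, find_windows_dir_drops,
                     find_self_delete, find_cross_process_writes):
        findings.extend(detector(events))
    return findings


if __name__ == "__main__":
    for finding in analyze(EVENTS):
        print(finding)
```

The path normalisation matters: the sandbox reports the dropped binary as C:\xrlxflr.exe when it is written but as \??\c:\xrlxflr.exe when it runs, and a detector that compares the raw strings misses the drop-and-execute chain. The cross-process write detector is deliberately the weakest of the four; score it with the others rather than alerting on it alone.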
Network
MITRE ATT&CK Matrix
Downloads
  1. Filesize:  156KB
     MD5:       aa0e1972ce4015a0337ca497556f53c4
     SHA1:      3e8475adf24a98a87310ff2646df11b1b02e4e88
     SHA256:    a9e0d5b1b97fb108dd601fd275a97f52c8e9a0fdb97d2abf552d219e24041c86
     SHA512:    b6b3f697dbf7a5990fcf2e790d567de9082babe95bade21b258d3295b17be8b615ccb69d49ee92f3205dbf5c6a70f6683ce429044b4c68b26d76f973cef97a68

  2. Filesize:  117B
     MD5:       d1938c17479074c33223b90600e740c9
     SHA1:      f670690453fde8464ce1a982f3490860efae8058
     SHA256:    3d83b2d0d506139087de7fa5894a090e66f53cc33f932c4c6e565e083c0a0edf
     SHA512:    f2b12ab2c995cafd24c20d833e56bedea5abab33b9aa003c29c9bcf092e51206688a2a185cf7bca598c05a4d31287b79d65bb0b289f1287419dca561f1ddb560

  Note: the 156KB download has the same size as the submitted sample but different hashes; the report does not state which dropped artifact each download corresponds to.