Analysis
- max time kernel: 147s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 21-06-2024 02:04

Behavioral task: behavioral1
Sample: 2d3b3d3c08f5d5142de85d7088c4563cc0e2a01190fd43388465a1d58bed206d_NeikiAnalytics.exe
Resource: win7-20231129-en
General
- Target: 2d3b3d3c08f5d5142de85d7088c4563cc0e2a01190fd43388465a1d58bed206d_NeikiAnalytics.exe
- Size: 156KB
- MD5: be3fd09e273c6247739ac1cb38d37b50
- SHA1: fa59cce73e58761a21e23e559d8ac08535071258
- SHA256: 2d3b3d3c08f5d5142de85d7088c4563cc0e2a01190fd43388465a1d58bed206d
- SHA512: 527beac98b828f7d123e2f85116429d1752cc75e78244960e1213ca19f1bf593901a006a6a112d95142fb420773be571022f42d38ee0babc4b03dce8cb105a08
- SSDEEP: 1536:ej+zUtBIBU+2Da4lH4Iiue58o/ZDv4GMfcHZIlVKAn5ZAcXeOqbZ6NjkEVnouy8J:eqSe5OmiEoAcCbZ6FNoutbN
Malware Config

Signatures
- Detect Blackmoon payload (4 IoCs)
  Processes:
  resource | yara_rule
  behavioral2/memory/3784-0-0x0000000000400000-0x0000000000429000-memory.dmp | family_blackmoon
  C:\7rflffx.exe | family_blackmoon
  behavioral2/memory/3784-6-0x0000000000400000-0x0000000000429000-memory.dmp | family_blackmoon
  behavioral2/memory/3148-9-0x0000000000400000-0x0000000000429000-memory.dmp | family_blackmoon
- Executes dropped EXE (1 IoC)
  Processes:
  pid | process
  3148 | 7rflffx.exe
- Processes:
  resource | yara_rule
  behavioral2/memory/3784-0-0x0000000000400000-0x0000000000429000-memory.dmp | upx
  C:\7rflffx.exe | upx
  behavioral2/memory/3784-6-0x0000000000400000-0x0000000000429000-memory.dmp | upx
  behavioral2/memory/3148-9-0x0000000000400000-0x0000000000429000-memory.dmp | upx
- Drops file in Windows directory (1 IoC)
  Processes:
  description | ioc | process
  File created | \??\c:\windows\friendl.dll | 7rflffx.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
  description | pid | process | target process
  PID 3784 wrote to memory of 3148 | 3784 | 2d3b3d3c08f5d5142de85d7088c4563cc0e2a01190fd43388465a1d58bed206d_NeikiAnalytics.exe | 7rflffx.exe
  PID 3784 wrote to memory of 3148 | 3784 | 2d3b3d3c08f5d5142de85d7088c4563cc0e2a01190fd43388465a1d58bed206d_NeikiAnalytics.exe | 7rflffx.exe
  PID 3784 wrote to memory of 3148 | 3784 | 2d3b3d3c08f5d5142de85d7088c4563cc0e2a01190fd43388465a1d58bed206d_NeikiAnalytics.exe | 7rflffx.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\2d3b3d3c08f5d5142de85d7088c4563cc0e2a01190fd43388465a1d58bed206d_NeikiAnalytics.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2d3b3d3c08f5d5142de85d7088c4563cc0e2a01190fd43388465a1d58bed206d_NeikiAnalytics.exe" (level 1)
  - Suspicious use of WriteProcessMemory
  PID: 3784
  - \??\c:\7rflffx.exe
    Command line: c:\7rflffx.exe (level 2)
    - Executes dropped EXE
    - Drops file in Windows directory
    PID: 3148
Network
MITRE ATT&CK Matrix
Downloads
- File 1
  - Filesize: 156KB
  - MD5: f531c74b28b26466055dfd0959271d77
  - SHA1: fe5d7e91ed76a9fb2a1f4d8b1eaccb53d1b49dcd
  - SHA256: de64284fa41dd1b57746029c4b5db924b8fdd6811f59f100996648c929f29b69
  - SHA512: 7b771e0eb011bbcc6e5a6a69584c8f48b09dd0e7d0d0939261a818a24410d2d6e060333737fbd5c59d89b5785e4cadf91ba6684bc525d7496adbb8fb748e63c2
- File 2
  - Filesize: 117B
  - MD5: d1938c17479074c33223b90600e740c9
  - SHA1: f670690453fde8464ce1a982f3490860efae8058
  - SHA256: 3d83b2d0d506139087de7fa5894a090e66f53cc33f932c4c6e565e083c0a0edf
  - SHA512: f2b12ab2c995cafd24c20d833e56bedea5abab33b9aa003c29c9bcf092e51206688a2a185cf7bca598c05a4d31287b79d65bb0b289f1287419dca561f1ddb560