Analysis

max time kernel: 148s
max time network: 120s
platform: windows7_x64
resource: win7-20240220-en
resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
submitted: 21-06-2024 04:30
Behavioral task: behavioral1
Sample: 3c68ee71a6ed72c64b866c5dbea8d235c34cf2d03695ed88097916fb844d18c7_NeikiAnalytics.exe
Resource: win7-20240220-en
General

Target: 3c68ee71a6ed72c64b866c5dbea8d235c34cf2d03695ed88097916fb844d18c7_NeikiAnalytics.exe
Size: 431KB
MD5: 958d1b88d6e33021458a2f1b47d383b0
SHA1: bd9ff9b24f1955c73bb2dd3d3bbdf47a5eb13b1d
SHA256: 3c68ee71a6ed72c64b866c5dbea8d235c34cf2d03695ed88097916fb844d18c7
SHA512: 2beb4ee9f743c566e02c3074c5a8b8cd04da8b3a0c980893f84415dcb105e25db09080419d53a57e45dbca867310b19b5e8e554afe42ecc6ae96a1a8aae6ea78
SSDEEP: 6144:cT5J63Fm3b7yOE7Hvpu5CaGi4mUf95TtC4uP2scqAO:c4Fm3b7yOAHNar4mUf9lJ82scqAO
Malware Config
Signatures
- Detect Blackmoon payload (1 IoC)
  Processes:
  resource                                          yara_rule
  \Users\Admin\AppData\Local\Temp\Systemrehms.exe   family_blackmoon

- Deletes itself (1 IoC)
  Processes:
  pid    process
  2588   Systemrehms.exe

- Executes dropped EXE (1 IoC)
  Processes:
  pid    process
  2588   Systemrehms.exe

- Loads dropped DLL (2 IoCs)
  Processes:
  pid    process
  840    3c68ee71a6ed72c64b866c5dbea8d235c34cf2d03695ed88097916fb844d18c7_NeikiAnalytics.exe
  840    3c68ee71a6ed72c64b866c5dbea8d235c34cf2d03695ed88097916fb844d18c7_NeikiAnalytics.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes:
  pid    process                                                                                   entries
  840    3c68ee71a6ed72c64b866c5dbea8d235c34cf2d03695ed88097916fb844d18c7_NeikiAnalytics.exe      8
  2588   Systemrehms.exe                                                                           56
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes:
  description                         pid   process                                                                                   target process
  PID 840 wrote to memory of 2588     840   3c68ee71a6ed72c64b866c5dbea8d235c34cf2d03695ed88097916fb844d18c7_NeikiAnalytics.exe      Systemrehms.exe
  PID 840 wrote to memory of 2588     840   3c68ee71a6ed72c64b866c5dbea8d235c34cf2d03695ed88097916fb844d18c7_NeikiAnalytics.exe      Systemrehms.exe
  PID 840 wrote to memory of 2588     840   3c68ee71a6ed72c64b866c5dbea8d235c34cf2d03695ed88097916fb844d18c7_NeikiAnalytics.exe      Systemrehms.exe
  PID 840 wrote to memory of 2588     840   3c68ee71a6ed72c64b866c5dbea8d235c34cf2d03695ed88097916fb844d18c7_NeikiAnalytics.exe      Systemrehms.exe
Processes

- C:\Users\Admin\AppData\Local\Temp\3c68ee71a6ed72c64b866c5dbea8d235c34cf2d03695ed88097916fb844d18c7_NeikiAnalytics.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\3c68ee71a6ed72c64b866c5dbea8d235c34cf2d03695ed88097916fb844d18c7_NeikiAnalytics.exe"
  PID: 840
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  - C:\Users\Admin\AppData\Local\Temp\Systemrehms.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Systemrehms.exe"
    PID: 2588
    - Deletes itself
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
-
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 117B
  MD5: 39a6ad471d41bfb9cb334d5abfcb759b
  SHA1: f11f37039c94dc6b041c150d2fa0b9bb562a2954
  SHA256: 1ab620a9bc3645fc6c400712a8437c264a53956599089e1d30b155ecfa853f21
  SHA512: 5d28ec0c46c8b547c896ba443d9ed201bbb00456226671feba95b841cd56b272eb01ec8a4c3849235283e777d8d5c5d68dc407178446269bbf58f0f600a85af7

- Filesize: 431KB
  MD5: db69d1ca36fdd76247fe27eedb33e63e
  SHA1: d60482cea9338e8638fbd865d20b211d50dcb28e
  SHA256: 6dac6c28ad287ad4fd7e31ced3ae5e7216f6b9030fab2e6867fcf38831aba796
  SHA512: e56d65a8ebc9ac45f2963fd93e362043e2752c09c7c959f051b0faecdc00cb182293cdd8f5fe46a1348e0f4b5eccb4fdb544fda25b656062ff49e772c9d50473