Analysis
max time kernel: 150s
max time network: 120s
platform: windows7_x64
resource: win7-20240611-en
resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
submitted: 21-06-2024 06:25
Behavioral task: behavioral1
Sample: 48a4f5d4f41fd4defc691c5113b9e2d09c97f8dbc21aad00659043acde868552_NeikiAnalytics.exe
Resource: win7-20240611-en

Behavioral task: behavioral2
Sample: 48a4f5d4f41fd4defc691c5113b9e2d09c97f8dbc21aad00659043acde868552_NeikiAnalytics.exe
Resource: win10v2004-20240508-en
General
Target: 48a4f5d4f41fd4defc691c5113b9e2d09c97f8dbc21aad00659043acde868552_NeikiAnalytics.exe
Size: 1.8MB
MD5: c48d3c62e9034dd9a5403dad78bb06b0
SHA1: 3819c3caf9f78e9245c0c621f15260d9b014912d
SHA256: 48a4f5d4f41fd4defc691c5113b9e2d09c97f8dbc21aad00659043acde868552
SHA512: 28be800f6ac75e0cf2a9e8b62b77c8f43ae120cc122df800dcfe7047da03928b2d948f13247ecaefaece0dabfc5951600ad15cf387950e920e199c1157949b31
SSDEEP: 24576:Dr0TxazTID9UhQtRlA6Jz7kzSRciXSD3FbbBN/IyZJbOOEHqBh3SWgSklWNyH:DZzED7tRX8SWwWpNN/IyjEOBST1WNyH
Malware Config
Signatures

Detect Blackmoon payload 1 IoCs
Processes:
resource                                       yara_rule
C:\Users\Admin\AppData\Local\Temp\TWJGUI.LRV   family_blackmoon
ACProtect 1.3x - 1.4x DLL software 1 IoCs
Detects file using ACProtect software.
Processes:
resource                                         yara_rule
C:\Users\Admin\AppData\Local\Temp\SKinH_EL.dll   acprotect
Executes dropped EXE 1 IoCs
Processes:
pid    process
2496   TWJGUI.LRV
Loads dropped DLL 4 IoCs
Processes:
pid    process
2832   48a4f5d4f41fd4defc691c5113b9e2d09c97f8dbc21aad00659043acde868552_NeikiAnalytics.exe
2832   48a4f5d4f41fd4defc691c5113b9e2d09c97f8dbc21aad00659043acde868552_NeikiAnalytics.exe
2496   TWJGUI.LRV
2496   TWJGUI.LRV
Processes:
resource                                                                     yara_rule
behavioral1/memory/2832-34-0x0000000010000000-0x000000001003E000-memory.dmp   upx
behavioral1/memory/2832-47-0x0000000010000000-0x000000001003E000-memory.dmp   upx
behavioral1/memory/2832-46-0x0000000010000000-0x000000001003E000-memory.dmp   upx
behavioral1/memory/2832-44-0x0000000010000000-0x000000001003E000-memory.dmp   upx
behavioral1/memory/2832-42-0x0000000010000000-0x000000001003E000-memory.dmp   upx
behavioral1/memory/2832-40-0x0000000010000000-0x000000001003E000-memory.dmp   upx
behavioral1/memory/2832-38-0x0000000010000000-0x000000001003E000-memory.dmp   upx
behavioral1/memory/2832-36-0x0000000010000000-0x000000001003E000-memory.dmp   upx
behavioral1/memory/2832-32-0x0000000010000000-0x000000001003E000-memory.dmp   upx
behavioral1/memory/2832-30-0x0000000010000000-0x000000001003E000-memory.dmp   upx
behavioral1/memory/2832-29-0x0000000010000000-0x000000001003E000-memory.dmp   upx
behavioral1/memory/2832-26-0x0000000010000000-0x000000001003E000-memory.dmp   upx
behavioral1/memory/2832-25-0x0000000010000000-0x000000001003E000-memory.dmp   upx
behavioral1/memory/2832-22-0x0000000010000000-0x000000001003E000-memory.dmp   upx
behavioral1/memory/2832-21-0x0000000010000000-0x000000001003E000-memory.dmp   upx
behavioral1/memory/2832-18-0x0000000010000000-0x000000001003E000-memory.dmp   upx
behavioral1/memory/2832-16-0x0000000010000000-0x000000001003E000-memory.dmp   upx
behavioral1/memory/2832-14-0x0000000010000000-0x000000001003E000-memory.dmp   upx
behavioral1/memory/2832-12-0x0000000010000000-0x000000001003E000-memory.dmp   upx
behavioral1/memory/2832-10-0x0000000010000000-0x000000001003E000-memory.dmp   upx
behavioral1/memory/2832-8-0x0000000010000000-0x000000001003E000-memory.dmp    upx
behavioral1/memory/2832-6-0x0000000010000000-0x000000001003E000-memory.dmp    upx
behavioral1/memory/2832-4-0x0000000010000000-0x000000001003E000-memory.dmp    upx
behavioral1/memory/2832-3-0x0000000010000000-0x000000001003E000-memory.dmp    upx
behavioral1/memory/2832-2-0x0000000010000000-0x000000001003E000-memory.dmp    upx
C:\Users\Admin\AppData\Local\Temp\SKinH_EL.dll                               upx
behavioral1/memory/2496-100-0x0000000010000000-0x000000001003E000-memory.dmp  upx
behavioral1/memory/2496-77-0x0000000010000000-0x000000001003E000-memory.dmp   upx
behavioral1/memory/2496-75-0x0000000010000000-0x000000001003E000-memory.dmp   upx
behavioral1/memory/2496-73-0x0000000010000000-0x000000001003E000-memory.dmp   upx
behavioral1/memory/2496-71-0x0000000010000000-0x000000001003E000-memory.dmp   upx
behavioral1/memory/2496-69-0x0000000010000000-0x000000001003E000-memory.dmp   upx
behavioral1/memory/2496-67-0x0000000010000000-0x000000001003E000-memory.dmp   upx
behavioral1/memory/2496-65-0x0000000010000000-0x000000001003E000-memory.dmp   upx
behavioral1/memory/2496-63-0x0000000010000000-0x000000001003E000-memory.dmp   upx
behavioral1/memory/2496-61-0x0000000010000000-0x000000001003E000-memory.dmp   upx
behavioral1/memory/2496-59-0x0000000010000000-0x000000001003E000-memory.dmp   upx
behavioral1/memory/2496-58-0x0000000010000000-0x000000001003E000-memory.dmp   upx
Drops file in System32 directory 2 IoCs
Processes:
description                    ioc                                 process
File opened for modification   C:\Windows\SysWOW64\ESPI11.dll      TWJGUI.LRV
File created                   C:\Windows\SysWOW64\ESPI11.dll      TWJGUI.LRV
Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
Processes:
description            ioc                                                        process
Key queried            \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh     netsh.exe
Key value enumerated   \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh     netsh.exe
Key opened             \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh     netsh.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid    process
2496   TWJGUI.LRV
(all 64 rows are identical: pid 2496, process TWJGUI.LRV)
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
description                          pid    process
Token: SeDebugPrivilege              2496   TWJGUI.LRV
Token: 33                            2496   TWJGUI.LRV
Token: SeIncBasePriorityPrivilege    2496   TWJGUI.LRV
(the remaining rows alternate between Token: 33 and Token: SeIncBasePriorityPrivilege, all for pid 2496, process TWJGUI.LRV)
Suspicious use of SetWindowsHookEx 6 IoCs
Processes:
pid    process
2832   48a4f5d4f41fd4defc691c5113b9e2d09c97f8dbc21aad00659043acde868552_NeikiAnalytics.exe
2832   48a4f5d4f41fd4defc691c5113b9e2d09c97f8dbc21aad00659043acde868552_NeikiAnalytics.exe
2832   48a4f5d4f41fd4defc691c5113b9e2d09c97f8dbc21aad00659043acde868552_NeikiAnalytics.exe
2496   TWJGUI.LRV
2496   TWJGUI.LRV
2496   TWJGUI.LRV
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
description                          pid    process                                                                                 target process
PID 2832 wrote to memory of 2496     2832   48a4f5d4f41fd4defc691c5113b9e2d09c97f8dbc21aad00659043acde868552_NeikiAnalytics.exe   TWJGUI.LRV
PID 2832 wrote to memory of 2496     2832   48a4f5d4f41fd4defc691c5113b9e2d09c97f8dbc21aad00659043acde868552_NeikiAnalytics.exe   TWJGUI.LRV
PID 2832 wrote to memory of 2496     2832   48a4f5d4f41fd4defc691c5113b9e2d09c97f8dbc21aad00659043acde868552_NeikiAnalytics.exe   TWJGUI.LRV
PID 2832 wrote to memory of 2496     2832   48a4f5d4f41fd4defc691c5113b9e2d09c97f8dbc21aad00659043acde868552_NeikiAnalytics.exe   TWJGUI.LRV
PID 2496 wrote to memory of 2780     2496   TWJGUI.LRV                                                                              netsh.exe
PID 2496 wrote to memory of 2780     2496   TWJGUI.LRV                                                                              netsh.exe
PID 2496 wrote to memory of 2780     2496   TWJGUI.LRV                                                                              netsh.exe
PID 2496 wrote to memory of 2780     2496   TWJGUI.LRV                                                                              netsh.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\48a4f5d4f41fd4defc691c5113b9e2d09c97f8dbc21aad00659043acde868552_NeikiAnalytics.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\48a4f5d4f41fd4defc691c5113b9e2d09c97f8dbc21aad00659043acde868552_NeikiAnalytics.exe"
   - Loads dropped DLL
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   PID: 2832

   2. C:\Users\Admin\AppData\Local\Temp\TWJGUI.LRV (child of PID 2832)
      Command line: "C:\Users\Admin\AppData\Local\Temp\TWJGUI.LRV"
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in System32 directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      PID: 2496

      3. C:\Windows\SysWOW64\netsh.exe (child of PID 2496)
         Command line: netsh winsock reset
         - Event Triggered Execution: Netsh Helper DLL
         PID: 2780
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 120KB
MD5: c3adbb35a05b44bc877a895d273aa270
SHA1: 8afe20d8261d217fd23ccfe53bd45ad3bec82d2d
SHA256: b2b2ea9737587313d420bde96a42063c002a83e35d9f987f8ec0d5d4d96c262c
SHA512: 614dc24e3368047d68e2833ecdf9cda1f5ef290fc74287769a70df46bfa937386ce2e1332b3bada0f7e54b470ecdfe7c8bbd4ec3fa1c815f52993bb7edb93afc

Filesize: 86KB
MD5: 114054313070472cd1a6d7d28f7c5002
SHA1: 9a044986e6101df1a126035da7326a50c3fe9a23
SHA256: e15d9e1b772fed3db19e67b8d54533d1a2d46a37f8b12702a5892c6b886e9db1
SHA512: a2ff8481e89698dae4a1c83404105093472e384d7a3debbd7014e010543e08efc8ebb3f67c8a4ce09029e6b2a8fb7779bb402aae7c9987e61389cd8a72c73522

Filesize: 1.8MB
MD5: 7bce6bb8fadc809ac5dd266990d17713
SHA1: f285ffee778fbfa721e828b13e274f97fd068edc
SHA256: 1f3fa3e039bfb7cacfaf8c7476890f668102f747c16718966a47a65eb227772f
SHA512: 0972ae3f45d19f33c0f3ebb3bb52538eca5ad16e718dcad77bdd871de3799fd1fc2f0f3c2433b5c44c51ff6bc2679ebd8455dc9157ced4220ac2367ba1c76580