General
-
Target
6baa3e56e0dd8846f349e11b6026d466e5f89f9760c6d4785c85d92994ca5898_NeikiAnalytics.exe
-
Size
7.9MB
-
Sample
240621-n79cjayflc
-
MD5
22bfebf9e2c17c9224b6f9bbc6666550
-
SHA1
298d8882cac0f61cff3b3b5e77041088058eea8b
-
SHA256
6baa3e56e0dd8846f349e11b6026d466e5f89f9760c6d4785c85d92994ca5898
-
SHA512
1a22d45580a1715d798ff52c49f9b9f542a5da1ae4148fabcb85538063db719acf1b05e0e8dc43f08f22d7ea00b8369ff654c9115be1938b45705a8a69b1eabe
-
SSDEEP
196608:MxygkmknGzwHdOgEPHd9BRX/nivPlTXTYo:Y5jz0E51/iv1
Malware Config
Targets
-
-
Target
6baa3e56e0dd8846f349e11b6026d466e5f89f9760c6d4785c85d92994ca5898_NeikiAnalytics.exe
-
Size
7.9MB
-
MD5
22bfebf9e2c17c9224b6f9bbc6666550
-
SHA1
298d8882cac0f61cff3b3b5e77041088058eea8b
-
SHA256
6baa3e56e0dd8846f349e11b6026d466e5f89f9760c6d4785c85d92994ca5898
-
SHA512
1a22d45580a1715d798ff52c49f9b9f542a5da1ae4148fabcb85538063db719acf1b05e0e8dc43f08f22d7ea00b8369ff654c9115be1938b45705a8a69b1eabe
-
SSDEEP
196608:MxygkmknGzwHdOgEPHd9BRX/nivPlTXTYo:Y5jz0E51/iv1
Score10/10-
Disables service(s)
-
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
Contacts a large (27259) amount of remote hosts
This may indicate a network scan to discover remotely running services.
-
Creates a large amount of network flows
This may indicate a network scan to discover remotely running services.
-
XMRig Miner payload
-
mimikatz is an open source tool to dump credentials on Windows
-
Drops file in Drivers directory
-
Event Triggered Execution: Image File Execution Options Injection
-
Modifies Windows Firewall
-
Executes dropped EXE
-
Loads dropped DLL
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Creates a Windows Service
-
Drops file in System32 directory
-
MITRE ATT&CK Enterprise v15
Execution
Scheduled Task/Job
1Scheduled Task
1System Services
1Service Execution
1Persistence
Create or Modify System Process
2Windows Service
2Event Triggered Execution
2Image File Execution Options Injection
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Create or Modify System Process
2Windows Service
2Event Triggered Execution
2Image File Execution Options Injection
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Impair Defenses
1Disable or Modify System Firewall
1Modify Registry
1Subvert Trust Controls
1Install Root Certificate
1