1013dce4599a22213701ced317819b275b73341369bbaeb72172751326581bd1

Analysis

max time kernel
51s
max time network
51s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24/06/2024, 23:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1013dce4599a22213701ced317819b275b73341369bbaeb72172751326581bd1_NeikiAnalytics.exe
Size

79KB
MD5

6073fb93f34c45ba47d81a52dfc95930
SHA1

ede4366152d7c2f29a7776807f8819a5a9ac50df
SHA256

1013dce4599a22213701ced317819b275b73341369bbaeb72172751326581bd1
SHA512

3350fae1d5517ff9e3c7e73b1ae6b391ecfb44178ba3c05cb3cbbf3074f292a3162c6915c173632c9f33160c1b1fe08b4f0307a2d07c8877435c51f866a9a825
SSDEEP

768:QtqMwjf/ugo+z1767yotAfjFuYwJCu12JglzXxDIIIIIIIIIIRIIIIIIIIIIIII2:NDxJ0Nmfg7JBx8to+zTRiD3

Score

7^/10

discovery

Malware Config

Signatures

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
4688	icacls.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1564 wrote to memory of 2740	1564	1013dce4599a22213701ced317819b275b73341369bbaeb72172751326581bd1_NeikiAnalytics.exe	81
PID 1564 wrote to memory of 2740	1564	1013dce4599a22213701ced317819b275b73341369bbaeb72172751326581bd1_NeikiAnalytics.exe	81
PID 2740 wrote to memory of 4688	2740	java.exe	82
PID 2740 wrote to memory of 4688	2740	java.exe	82

C:\Users\Admin\AppData\Local\Temp\1013dce4599a22213701ced317819b275b73341369bbaeb72172751326581bd1_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\1013dce4599a22213701ced317819b275b73341369bbaeb72172751326581bd1_NeikiAnalytics.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1564
- C:\Program Files\Java\jre-1.8\bin\java.exe
  "C:\Program Files\Java\jre-1.8\bin\java.exe" -Djavax.net.ssl.trustStoreType=WINDOWS-ROOT -classpath "r2launcher.exe;C:\Users\Admin\AppData\Local\Temp\r2launcher.exe" de.robotron.tools.r2launcher.SignR2LaunchStub
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2740
- - C:\Windows\system32\icacls.exe
    C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
    3⤵
    - Modifies file permissions
    PID:4688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

Filesize
46B

MD5
a2c20195ce63f9dd6291df96b7c1684a

SHA1
ddb002a98876aac9113f9150833ba32f7f7ff044

SHA256
3f70146bcad04c265ef66ca76fd4171191811350ebd8a20a9513f23892945f78

SHA512
612620156d0b8ce435922faa030f932a51a5828f4303f28220919e83c7db82a847d1c5e52fac6dc15d064d9252f3e665612546a2ac5828322e0b347c6af3b749

Download Submit
memory/1564-14-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2740-2-0x000002886C9E0000-0x000002886CC50000-memory.dmp

Filesize
2.4MB

Download
memory/2740-12-0x000002886C9C0000-0x000002886C9C1000-memory.dmp

Filesize
4KB

Download
memory/2740-13-0x000002886C9E0000-0x000002886CC50000-memory.dmp

Filesize
2.4MB

Download