398f67b66894f7094bf9e4b49fe9e7cb8f826f11069a6d020906a765974d76f9

Analysis

max time kernel
147s
max time network
149s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
24/06/2024, 03:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

398f67b66894f7094bf9e4b49fe9e7cb8f826f11069a6d020906a765974d76f9_NeikiAnalytics.exe
Size

25KB
MD5

1f60e8db59d71db737a4c6079ea0e700
SHA1

6a491cd8eb8b0883d98b4fe80ef17175e1736f4b
SHA256

398f67b66894f7094bf9e4b49fe9e7cb8f826f11069a6d020906a765974d76f9
SHA512

fd83497d7fd82fe6aeb80730aed0f0e9d59e1cc92159d858ca6172e1961ef0a174687bf2114563c6b4f2183641391af471e6b02a9b9245d4e46edda285066ea3
SSDEEP

384:T4yJGYp9M7R7U+is4WSE/Fs1iAyEudnDwiZ:EYG8ye+isOEdsWfdDFZ

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2104	quip.exe

Loads dropped DLL 2 IoCs

pid	Process
2600	398f67b66894f7094bf9e4b49fe9e7cb8f826f11069a6d020906a765974d76f9_NeikiAnalytics.exe
2600	398f67b66894f7094bf9e4b49fe9e7cb8f826f11069a6d020906a765974d76f9_NeikiAnalytics.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2600 wrote to memory of 2104	2600	398f67b66894f7094bf9e4b49fe9e7cb8f826f11069a6d020906a765974d76f9_NeikiAnalytics.exe	28
PID 2600 wrote to memory of 2104	2600	398f67b66894f7094bf9e4b49fe9e7cb8f826f11069a6d020906a765974d76f9_NeikiAnalytics.exe	28
PID 2600 wrote to memory of 2104	2600	398f67b66894f7094bf9e4b49fe9e7cb8f826f11069a6d020906a765974d76f9_NeikiAnalytics.exe	28
PID 2600 wrote to memory of 2104	2600	398f67b66894f7094bf9e4b49fe9e7cb8f826f11069a6d020906a765974d76f9_NeikiAnalytics.exe	28

C:\Users\Admin\AppData\Local\Temp\398f67b66894f7094bf9e4b49fe9e7cb8f826f11069a6d020906a765974d76f9_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\398f67b66894f7094bf9e4b49fe9e7cb8f826f11069a6d020906a765974d76f9_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2600
- C:\Users\Admin\AppData\Local\Temp\quip.exe
  "C:\Users\Admin\AppData\Local\Temp\quip.exe"
  2⤵
  - Executes dropped EXE
  PID:2104

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\quip.exe

Filesize
25KB

MD5
4691a30e5e8f2b07cce6b7c127b0e396

SHA1
9a286cfda3307054608853766d30e731b7af3a1f

SHA256
e7b72116b33dd16b5b8e17828c1156ea5a7a007ba2d8b811e25e4b36fddeb613

SHA512
db1e701d9f34ffcf7c084a298e82447206ade49840fd9111e8cd79b42cd0bc8671e0d92d9a8af31f3665b8d8abf0ace41c6b7a0f5fa08d99ddb5f8517ca84c01

Download Submit
memory/2600-1-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download