7aab73569774be15157a1f0fc69ef80c3ff8e1c92c7a3436940150161abf89c2

Analysis

max time kernel
149s
max time network
120s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
24-06-2024 13:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7aab73569774be15157a1f0fc69ef80c3ff8e1c92c7a3436940150161abf89c2_NeikiAnalytics.exe
Size

42KB
MD5

ffe2a53d7730b2a3861da7335d2bc250
SHA1

44fe8b0c756c3001797c500a3fb182d4c97ad502
SHA256

7aab73569774be15157a1f0fc69ef80c3ff8e1c92c7a3436940150161abf89c2
SHA512

332ade7a124d962d838c6bb5958bbd6bcf1256f9015ea46e826eeb36a141799d29727d425fa6ecb97d041df8841ac07c24f728a3cded9d36d0d04efc37ed662d
SSDEEP

768:mUz4HXnmTggggggLvggggggggSvNltsdUk7Nz1XzTx6QXTDcVivMHG:BMH3lNMKkPzT8Qsk

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2176	zzyap.exe

Loads dropped DLL 1 IoCs

pid	Process
1540	7aab73569774be15157a1f0fc69ef80c3ff8e1c92c7a3436940150161abf89c2_NeikiAnalytics.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1540 wrote to memory of 2176	1540	7aab73569774be15157a1f0fc69ef80c3ff8e1c92c7a3436940150161abf89c2_NeikiAnalytics.exe	28
PID 1540 wrote to memory of 2176	1540	7aab73569774be15157a1f0fc69ef80c3ff8e1c92c7a3436940150161abf89c2_NeikiAnalytics.exe	28
PID 1540 wrote to memory of 2176	1540	7aab73569774be15157a1f0fc69ef80c3ff8e1c92c7a3436940150161abf89c2_NeikiAnalytics.exe	28
PID 1540 wrote to memory of 2176	1540	7aab73569774be15157a1f0fc69ef80c3ff8e1c92c7a3436940150161abf89c2_NeikiAnalytics.exe	28

C:\Users\Admin\AppData\Local\Temp\7aab73569774be15157a1f0fc69ef80c3ff8e1c92c7a3436940150161abf89c2_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\7aab73569774be15157a1f0fc69ef80c3ff8e1c92c7a3436940150161abf89c2_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1540
- C:\Users\Admin\AppData\Local\Temp\zzyap.exe
  "C:\Users\Admin\AppData\Local\Temp\zzyap.exe"
  2⤵
  - Executes dropped EXE
  PID:2176

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\zzyap.exe

Filesize
42KB

MD5
aac6d98f5239a07fa59edf397b24eb2d

SHA1
1fdaada81bedc02e7cb7ab0a2c4dbfbce06d20d3

SHA256
f9adb254312f7eb8455bf3a8c4438d90e89ee824b7a691c691597803ad6f5703

SHA512
a16a73ba5e25859b61bdd8f9972a00645f8dfc7df64b0235ace1d9645fa396dbd5eb828502aea8cfaee4e1ec53410e42e109386243d83d46705a15f4cd6f17a4

Download Submit
memory/1540-1-0x0000000000401000-0x0000000000402000-memory.dmp

Filesize
4KB

Download
memory/2176-8-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download