Analysis
max time kernel: 147s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240508-en locale:en-us os:windows10-2004-x64 system
submitted: 24-06-2024 14:40
Static task: static1
Behavioral task: behavioral1
Sample: 826c68194497a68adc8fb95b9df7b7b899b67e08e9d821f01042a5565489d3b8_NeikiAnalytics.exe
Resource: win7-20240508-en
Behavioral task: behavioral2
Sample: 826c68194497a68adc8fb95b9df7b7b899b67e08e9d821f01042a5565489d3b8_NeikiAnalytics.exe
Resource: win10v2004-20240508-en
General
Target: 826c68194497a68adc8fb95b9df7b7b899b67e08e9d821f01042a5565489d3b8_NeikiAnalytics.exe
Size: 247KB
MD5: 9836c183d2eb80c94b1fb4bc6ff19cc0
SHA1: 9690819c84cc85c05d1471a22243b9acd87ad782
SHA256: 826c68194497a68adc8fb95b9df7b7b899b67e08e9d821f01042a5565489d3b8
SHA512: 19ce76396ce26e47491a3c0653e4eefa77f4a04eee9d21a211b528fe8370d48df7b1c1897d27d3405bd9464cf8fb216aef8b86c4170b572ad2c3689b02109c6a
SSDEEP: 3072:pP/C1+jwRw7CyzzyPcaMmliFHyznF9zS0+NdRB3p9aKfsul8wDo/PCq5fHlPdg:9/kS7C8yUqliNyjSrB59a6scjDyX5R
Malware Config
Extracted
family: cobaltstrike
C2: http://8.137.114.224:8012/ESda
user_agent: User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Signatures
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Suspicious use of WriteProcessMemory (2 IoCs)
Processes:
description | pid | process | target process
PID 4980 wrote to memory of 1504 | 4980 | 826c68194497a68adc8fb95b9df7b7b899b67e08e9d821f01042a5565489d3b8_NeikiAnalytics.exe | cmd.exe
PID 4980 wrote to memory of 1504 | 4980 | 826c68194497a68adc8fb95b9df7b7b899b67e08e9d821f01042a5565489d3b8_NeikiAnalytics.exe | cmd.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\826c68194497a68adc8fb95b9df7b7b899b67e08e9d821f01042a5565489d3b8_NeikiAnalytics.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\826c68194497a68adc8fb95b9df7b7b899b67e08e9d821f01042a5565489d3b8_NeikiAnalytics.exe"
   PID: 4980
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\system32\cmd.exe
      command line: "cmd" /C start C:\Users\Admin\AppData\Local\Temp/gnome.png
      PID: 1504