Analysis

  • max time kernel
    147s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-06-2024 14:40

General

  • Target

    826c68194497a68adc8fb95b9df7b7b899b67e08e9d821f01042a5565489d3b8_NeikiAnalytics.exe

  • Size

    247KB

  • MD5

    9836c183d2eb80c94b1fb4bc6ff19cc0

  • SHA1

    9690819c84cc85c05d1471a22243b9acd87ad782

  • SHA256

    826c68194497a68adc8fb95b9df7b7b899b67e08e9d821f01042a5565489d3b8

  • SHA512

    19ce76396ce26e47491a3c0653e4eefa77f4a04eee9d21a211b528fe8370d48df7b1c1897d27d3405bd9464cf8fb216aef8b86c4170b572ad2c3689b02109c6a

  • SSDEEP

    3072:pP/C1+jwRw7CyzzyPcaMmliFHyznF9zS0+NdRB3p9aKfsul8wDo/PCq5fHlPdg:9/kS7C8yUqliNyjSrB59a6scjDyX5R

Malware Config

Extracted

Family

cobaltstrike

C2

http://8.137.114.224:8012/ESda

Attributes
  • user_agent

    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko

Signatures

  • Cobaltstrike

    Detected malicious payload which is part of Cobaltstrike.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\826c68194497a68adc8fb95b9df7b7b899b67e08e9d821f01042a5565489d3b8_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\826c68194497a68adc8fb95b9df7b7b899b67e08e9d821f01042a5565489d3b8_NeikiAnalytics.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4980
    • C:\Windows\system32\cmd.exe
      "cmd" /C start C:\Users\Admin\AppData\Local\Temp/gnome.png
      2⤵
        PID:1504

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/4980-0-0x0000014BBF0B0000-0x0000014BBF0B1000-memory.dmp

      Filesize

      4KB