02d1da142850d8a3498ab6a2703e386a8a1b8386ad2c9f487f17482015c8074e

Analysis

max time kernel
120s
max time network
120s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
24-06-2024 20:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

02d1da142850d8a3498ab6a2703e386a8a1b8386ad2c9f487f17482015c8074e_NeikiAnalytics.exe
Size

7.0MB
MD5

c6c1d15625dd359bda30d90f77229730
SHA1

e500b051e7562ed7daf598e975a3cc53eb3e048c
SHA256

02d1da142850d8a3498ab6a2703e386a8a1b8386ad2c9f487f17482015c8074e
SHA512

1ba3a2450f2b46f94fd0c0b926f698da6284ebc549167696f727ab9387acdf9f74776f8acc5a91abc0da57d58705bdb02c9557356002d6f542cdb2fe722099cc
SSDEEP

98304:BKP0BVz9DqrVDGYG9zWdYtgg5blzoa8kHorAa3riymKA4JrJrHv9QciYZ0MNCrGG:BKPmVz9eJPYmUb90kHC0NYJbvRCrXgaV

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1248	miressr.exe

Executes dropped EXE 2 IoCs

pid	Process
1248	miressr.exe
1812	176¸´¹ÅÐ¡¼«Æ·.exe

Loads dropped DLL 1 IoCs

pid	Process
1248	miressr.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1812	176¸´¹ÅÐ¡¼«Æ·.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1812	176¸´¹ÅÐ¡¼«Æ·.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2084 wrote to memory of 1248	2084	02d1da142850d8a3498ab6a2703e386a8a1b8386ad2c9f487f17482015c8074e_NeikiAnalytics.exe	28
PID 2084 wrote to memory of 1248	2084	02d1da142850d8a3498ab6a2703e386a8a1b8386ad2c9f487f17482015c8074e_NeikiAnalytics.exe	28
PID 2084 wrote to memory of 1248	2084	02d1da142850d8a3498ab6a2703e386a8a1b8386ad2c9f487f17482015c8074e_NeikiAnalytics.exe	28
PID 2084 wrote to memory of 1248	2084	02d1da142850d8a3498ab6a2703e386a8a1b8386ad2c9f487f17482015c8074e_NeikiAnalytics.exe	28
PID 1248 wrote to memory of 1812	1248	miressr.exe	29
PID 1248 wrote to memory of 1812	1248	miressr.exe	29
PID 1248 wrote to memory of 1812	1248	miressr.exe	29
PID 1248 wrote to memory of 1812	1248	miressr.exe	29

C:\Users\Admin\AppData\Local\Temp\02d1da142850d8a3498ab6a2703e386a8a1b8386ad2c9f487f17482015c8074e_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\02d1da142850d8a3498ab6a2703e386a8a1b8386ad2c9f487f17482015c8074e_NeikiAnalytics.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2084
- C:\miressr.exe
  C:\miressr.exe C:\Users\Admin\AppData\Local\Temp\02d1da142850d8a3498ab6a2703e386a8a1b8386ad2c9f487f17482015c8074e_NeikiAnalytics.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1248
- - C:\Users\Admin\Desktop\176¸´¹ÅÐ¡¼«Æ·.exe
    C:\Users\Admin\Desktop\176¸´¹ÅÐ¡¼«Æ·.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:1812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\176¸´¹ÅÐ¡¼«Æ·.exe

Filesize
6.9MB

MD5
809d5ab576d38f680c072a75f2451b1d

SHA1
cae8d330a2992fd48eda7f22c77d0f506d7b3476

SHA256
2006cc931b5e063bee89d8e100e25498f7531afdeeb4116379207559091b4c37

SHA512
15f5c8175468bfeeb39adbdb16199203ac8c7d33fdea821da85a47fc4fdc021ad8837a3df6e8d1aef4ec11880d54fa46f3960c8fd5bd1ebe3d32ed917cebbdd7

Download Submit
C:\miressr.exe

Filesize
7.0MB

MD5
c6c1d15625dd359bda30d90f77229730

SHA1
e500b051e7562ed7daf598e975a3cc53eb3e048c

SHA256
02d1da142850d8a3498ab6a2703e386a8a1b8386ad2c9f487f17482015c8074e

SHA512
1ba3a2450f2b46f94fd0c0b926f698da6284ebc549167696f727ab9387acdf9f74776f8acc5a91abc0da57d58705bdb02c9557356002d6f542cdb2fe722099cc

Download Submit
memory/1248-14-0x0000000010000000-0x0000000010B80000-memory.dmp

Filesize
11.5MB

Download
memory/1812-15-0x0000000010000000-0x0000000010B80000-memory.dmp

Filesize
11.5MB

Download
memory/1812-16-0x0000000010000000-0x0000000010B80000-memory.dmp

Filesize
11.5MB

Download
memory/1812-19-0x0000000010007000-0x0000000010008000-memory.dmp

Filesize
4KB

Download
memory/1812-20-0x0000000010000000-0x0000000010B80000-memory.dmp

Filesize
11.5MB

Download
memory/1812-18-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1812-21-0x0000000010000000-0x0000000010B80000-memory.dmp

Filesize
11.5MB

Download
memory/1812-22-0x0000000010000000-0x0000000010B80000-memory.dmp

Filesize
11.5MB

Download
memory/1812-23-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download