03ad5c7c8fb5e90d46a6b7b762a37a826e147b052632b3541588f3e121a58ced

Analysis

max time kernel
121s
max time network
126s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
24-06-2024 21:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

03ad5c7c8fb5e90d46a6b7b762a37a826e147b052632b3541588f3e121a58ced_NeikiAnalytics.exe
Size

32KB
MD5

afdd7a49c5a1b88779ef43e7d6142490
SHA1

dc51449b88dad09c8bbcf40b4bb52376ddc26148
SHA256

03ad5c7c8fb5e90d46a6b7b762a37a826e147b052632b3541588f3e121a58ced
SHA512

cbd5466cab7b57276a5eb76834828ecf183399f84f14427528219a25b0ced1c2f265a4a14fe21e56914a8b9133bf66f9dcabdda498ebee6c3bdd0824dbfb39c5
SSDEEP

384:Q98xUHQ+i8EBepM5Oy4Ng8zLeiUerZaGULt0BTfCAx7ZXQUwG5kAyAe0g:TweTCM8/gop1aGUJcOG9wGzY0g

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\napagent = "C:\\Users\\Admin\\AppData\\Local\\napagent.exe"	regedit.exe

Runs .reg file with regedit 1 IoCs

pid	Process
1664	regedit.exe

Suspicious behavior: RenamesItself 2 IoCs

pid	Process
1696	03ad5c7c8fb5e90d46a6b7b762a37a826e147b052632b3541588f3e121a58ced_NeikiAnalytics.exe
1696	03ad5c7c8fb5e90d46a6b7b762a37a826e147b052632b3541588f3e121a58ced_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1696 wrote to memory of 1664	1696	03ad5c7c8fb5e90d46a6b7b762a37a826e147b052632b3541588f3e121a58ced_NeikiAnalytics.exe	28
PID 1696 wrote to memory of 1664	1696	03ad5c7c8fb5e90d46a6b7b762a37a826e147b052632b3541588f3e121a58ced_NeikiAnalytics.exe	28
PID 1696 wrote to memory of 1664	1696	03ad5c7c8fb5e90d46a6b7b762a37a826e147b052632b3541588f3e121a58ced_NeikiAnalytics.exe	28
PID 1696 wrote to memory of 1664	1696	03ad5c7c8fb5e90d46a6b7b762a37a826e147b052632b3541588f3e121a58ced_NeikiAnalytics.exe	28
PID 1696 wrote to memory of 1664	1696	03ad5c7c8fb5e90d46a6b7b762a37a826e147b052632b3541588f3e121a58ced_NeikiAnalytics.exe	28
PID 1696 wrote to memory of 1664	1696	03ad5c7c8fb5e90d46a6b7b762a37a826e147b052632b3541588f3e121a58ced_NeikiAnalytics.exe	28
PID 1696 wrote to memory of 1664	1696	03ad5c7c8fb5e90d46a6b7b762a37a826e147b052632b3541588f3e121a58ced_NeikiAnalytics.exe	28

C:\Users\Admin\AppData\Local\Temp\03ad5c7c8fb5e90d46a6b7b762a37a826e147b052632b3541588f3e121a58ced_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\03ad5c7c8fb5e90d46a6b7b762a37a826e147b052632b3541588f3e121a58ced_NeikiAnalytics.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:1696
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\Users\Admin\AppData\Local\Temp\~dfds3.reg
  2⤵
  - Adds Run key to start application
  - Runs .reg file with regedit
  PID:1664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\~dfds3.reg

Filesize
168B

MD5
d92f873af0453e98952fd432fc658d58

SHA1
55f91c96082419d27e5ac83e39dc340cfc8c5406

SHA256
0d7f3ea2ff7db85982b16e530bea12187c5ee7d8c1f4f7edbf9ecdc600b074c7

SHA512
2a621a79a252e2f48ff594da9824b27c8e894951e18d71546c91841ac7d17f1a344d1f4a9c70895f0857b443c50fd83ce4d9a51694942efdd052ba8f4a96f893

Download Submit
C:\Users\Admin\AppData\Local\napagent.exe

Filesize
32KB

MD5
6772d5febd1fea5e3997b303d988703e

SHA1
a7932f5f83875382f1300477f26f44078e50bacb

SHA256
87b6cf4c02ef568be03cc21deb13807c75754937f7f6c14733a02908e03fb762

SHA512
48b1cb94d143563cc077a079b945412a9d55de395a4d59a4f2dc2ecf77d753baaaf23c2d7c02be402041e691ca06e5e43dbfd36b97ba8dd7612547b5aea9fa57

Download Submit
memory/1696-0-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1696-1-0x0000000000020000-0x0000000000028000-memory.dmp

Filesize
32KB

Download
memory/1696-2-0x0000000000020000-0x0000000000028000-memory.dmp

Filesize
32KB

Download
memory/1696-12-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1696-13-0x0000000000020000-0x0000000000028000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads