87d174905d45ddbf8eb1b94969c301c4960e50318c12e6afe3c3262a1de06201

Analysis

max time kernel
131s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
28/06/2024, 05:34

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

87d174905d45ddbf8eb1b94969c301c4960e50318c12e6afe3c3262a1de06201_NeikiAnalytics.exe
Size

526KB
MD5

2e169937d32406d72f4c980367e27f40
SHA1

d1e2c630b2b3285e82fcbf3437e3a354791c81d1
SHA256

87d174905d45ddbf8eb1b94969c301c4960e50318c12e6afe3c3262a1de06201
SHA512

a5fb7f767020ebfd26a000b4f792ed0f5e5556405cbc8cbceb450cdb315375cc2290711946df1c35d74d3d28d059e3f8ebde4dc416252c8e8c5808e3373793fd
SSDEEP

12288:NyAfDcgcTQhgpZBDtoRAG01LqTl2mZoiX510lOPMb:vDVBADt1ZKlX40Eb

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2368	EXE35C5.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2368	EXE35C5.tmp
2368	EXE35C5.tmp

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 940 wrote to memory of 2368	940	87d174905d45ddbf8eb1b94969c301c4960e50318c12e6afe3c3262a1de06201_NeikiAnalytics.exe	82
PID 940 wrote to memory of 2368	940	87d174905d45ddbf8eb1b94969c301c4960e50318c12e6afe3c3262a1de06201_NeikiAnalytics.exe	82
PID 940 wrote to memory of 2368	940	87d174905d45ddbf8eb1b94969c301c4960e50318c12e6afe3c3262a1de06201_NeikiAnalytics.exe	82
PID 2368 wrote to memory of 2972	2368	EXE35C5.tmp	83
PID 2368 wrote to memory of 2972	2368	EXE35C5.tmp	83

C:\Users\Admin\AppData\Local\Temp\87d174905d45ddbf8eb1b94969c301c4960e50318c12e6afe3c3262a1de06201_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\87d174905d45ddbf8eb1b94969c301c4960e50318c12e6afe3c3262a1de06201_NeikiAnalytics.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:940
- C:\Users\Admin\AppData\Local\Temp\EXE35C5.tmp
  "C:\Users\Admin\AppData\Local\Temp\EXE35C5.tmp" "C:\Users\Admin\AppData\Local\Temp\OFM35C6.tmp" "C:\Users\Admin\AppData\Local\Temp\87d174905d45ddbf8eb1b94969c301c4960e50318c12e6afe3c3262a1de06201_NeikiAnalytics.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2368
- - C:\Windows\splwow64.exe
    C:\Windows\splwow64.exe 12288
    3⤵
    PID:2972

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:4140

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\EXE35C5.tmp

Filesize
968KB

MD5
0f619e7352920d8d21926f2b715e0794

SHA1
cdd75d72647b1c75477c069b51b5f8ab5dc63e50

SHA256
e6090962c2504441c1cd5f6ee75dd5ffbddc38062f02807f0d44176d8f464381

SHA512
380592a1382f40d80839efea429619470b09fc0c0aad8666c6392d8dbd112f5e8719538fc93044454f4ce67375aaae8da59e09563b167ff8adf34240be684dae

Download Submit
C:\Users\Admin\AppData\Local\Temp\OFM35C6.tmp

Filesize
112KB

MD5
e1d05fb9be51c29362e1c587ffdb156e

SHA1
7a9def9077f758d8e7a2397be62570dc66650b73

SHA256
c12b75796630557e2318e66049e4b123421edf19a8b0bd7713a3cf1156bd38d9

SHA512
7768ff585e9073c5c4424bf0324aefcf8d03a28ac8a7b034c6eac18648798279ef9b4fd13991a938338ae60fd38518a18f321a8e4f5e0a8e5e7258c04cf5fcb3

Download Submit