8bb26c77e06514a25ace6f8d8a5845165588c842cb745526efeefda2b6a97efb

Analysis

max time kernel
117s
max time network
123s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
28-06-2024 07:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8bb26c77e06514a25ace6f8d8a5845165588c842cb745526efeefda2b6a97efb_NeikiAnalytics.exe
Size

7KB
MD5

695d2e8f1782edb70bd93eb738b95620
SHA1

bad5f8239cf9a0bc1da14977c8b552ab65895932
SHA256

8bb26c77e06514a25ace6f8d8a5845165588c842cb745526efeefda2b6a97efb
SHA512

5182ee930593c35c192b1fc9b78978b572aaafa155db9601c7b7bb6ac63e23dfc56ead1bca926b204049c9c24f4cfc1ad8115124be7f3019409760999a6feedd
SSDEEP

96:v5P815C7AVlqjZTYkYlY6An4Nvr/wgW07swHfAgzNt:lD7wl+YkYGrCvrhLT

Score

3^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2648	powershell.exe
624	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2648	powershell.exe
624	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2648	powershell.exe
Token: SeDebugPrivilege	624	powershell.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2248 wrote to memory of 2720	2248	8bb26c77e06514a25ace6f8d8a5845165588c842cb745526efeefda2b6a97efb_NeikiAnalytics.exe	29
PID 2248 wrote to memory of 2720	2248	8bb26c77e06514a25ace6f8d8a5845165588c842cb745526efeefda2b6a97efb_NeikiAnalytics.exe	29
PID 2248 wrote to memory of 2720	2248	8bb26c77e06514a25ace6f8d8a5845165588c842cb745526efeefda2b6a97efb_NeikiAnalytics.exe	29
PID 2720 wrote to memory of 2648	2720	cmd.exe	31
PID 2720 wrote to memory of 2648	2720	cmd.exe	31
PID 2720 wrote to memory of 2648	2720	cmd.exe	31
PID 2720 wrote to memory of 624	2720	cmd.exe	32
PID 2720 wrote to memory of 624	2720	cmd.exe	32
PID 2720 wrote to memory of 624	2720	cmd.exe	32

C:\Users\Admin\AppData\Local\Temp\8bb26c77e06514a25ace6f8d8a5845165588c842cb745526efeefda2b6a97efb_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\8bb26c77e06514a25ace6f8d8a5845165588c842cb745526efeefda2b6a97efb_NeikiAnalytics.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2248
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\wCU1vX9b.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2720
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "(Get-Content '8bb26c77e06514a25ace6f8d8a5845165588c842cb745526efeefda2b6a97efb_NeikiAnalytics.exe') -replace '\.exe\b', '.exe' | Set-Content 'C:\Users\Admin\AppData\Local\Temp\8bb26c77e06514a25ace6f8d8a5845165588c842cb745526efeefda2b6a97efb_NeikiAnalytics.exe' -Encoding ASCII"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2648
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "(Get-Content 'ose00000.exe') -replace '\.exe\b', '.exe' | Set-Content 'C:\Users\Admin\AppData\Local\Temp\ose00000.exe' -Encoding ASCII"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\wCU1vX9b.bat

Filesize
1KB

MD5
a15605c9cad74ea44e112ae447ca1e9c

SHA1
02e6c6e09d8813971baf8df3c01c8295b720b312

SHA256
2bbc48a597bc7443515a194699fa67d8446f8cba0ce4fd0e15a6b6271ac0c6f5

SHA512
8d52de00e32fa0f14a81c941f34d755f0a1f1ef8a3ee7db3054e4d8c0c9f36346fb36a94197a7cb626e66e228959a3a49f60c0826f42739a9066ef3a2c176fd8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
e762edb5ac867f93f21fe955b39a3a28

SHA1
19f4f2ccd4b255fb3ed5c8dc55563c2c079bb658

SHA256
01ade8c84a501268fa920cf125bb967e57b3f2d04bf75f1b9f1ba30feb5c7495

SHA512
27adfc645904c900b77b64677c089d4c1d6776e24738a115384ee84733d56bdd36d9c2ea9a4a02932b96d273ed073e08864938bfc894b1348c4aeba83329c44b

Download Submit
memory/624-24-0x000000001B330000-0x000000001B612000-memory.dmp

Filesize
2.9MB

Download
memory/624-25-0x0000000001FC0000-0x0000000001FC8000-memory.dmp

Filesize
32KB

Download
memory/2248-0-0x000007FEF6133000-0x000007FEF6134000-memory.dmp

Filesize
4KB

Download
memory/2248-1-0x0000000000A10000-0x0000000000A18000-memory.dmp

Filesize
32KB

Download
memory/2248-26-0x000007FEF6133000-0x000007FEF6134000-memory.dmp

Filesize
4KB

Download
memory/2648-16-0x0000000002530000-0x00000000025B0000-memory.dmp

Filesize
512KB

Download
memory/2648-17-0x000000001B280000-0x000000001B562000-memory.dmp

Filesize
2.9MB

Download
memory/2648-18-0x0000000002420000-0x0000000002428000-memory.dmp

Filesize
32KB

Download