Analysis Overview
SHA256
8a9ffacfca77b279def049baa151fc79cec36d8203b3ba7d2f933756a1e5ef99
Threat Level: Known bad
The file 8a9ffacfca77b279def049baa151fc79cec36d8203b3ba7d2f933756a1e5ef99_NeikiAnalytics.exe was found to be: Known bad.
Malicious Activity Summary
Azov
Renames multiple (143) files with added filename extension
Renames multiple (7418) files with added filename extension
Modifies file permissions
Reads user/profile data of web browsers
Enumerates connected drives
Adds Run key to start application
Drops file in Program Files directory
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-06-28 06:49
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-28 06:49
Reported
2024-06-28 06:52
Platform
win7-20240611-en
Max time kernel
120s
Max time network
120s
Command Line
Signatures
Azov
Renames multiple (7418) files with added filename extension
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Bandera = "C:\\ProgramData\\rdpclient.exe" | C:\Users\Admin\AppData\Local\Temp\8a9ffacfca77b279def049baa151fc79cec36d8203b3ba7d2f933756a1e5ef99_NeikiAnalytics.exe | N/A |
Enumerates connected drives
Drops file in Program Files directory
Processes
C:\Users\Admin\AppData\Local\Temp\8a9ffacfca77b279def049baa151fc79cec36d8203b3ba7d2f933756a1e5ef99_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\8a9ffacfca77b279def049baa151fc79cec36d8203b3ba7d2f933756a1e5ef99_NeikiAnalytics.exe"
Network
Files
C:\Program Files\7-Zip\Lang\RESTORE_FILES.txt
C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21296_.GIF
C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21298_.GIF
C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21301_.GIF
C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21300_.GIF
C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21302_.GIF
C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21306_.GIF
C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21312_.GIF
C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21314_.GIF
C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21316_.GIF
C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21329_.GIF
C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21333_.GIF
C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21337_.GIF
C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21339_.GIF
C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21343_.GIF
C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21342_.GIF
C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21344_.GIF
C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21364_.GIF
C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21365_.GIF
C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21375_.GIF
C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21366_.GIF
C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21377_.GIF
C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21376_.GIF
C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21398_.GIF
C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21400_.GIF
C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21399_.GIF
C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21421_.GIF
C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21423_.GIF
C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21434_.GIF
C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21482_.GIF
C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21504_.GIF
C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21505_.GIF
C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21533_.GIF
C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21535_.GIF
C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\J0115834.GIF
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-28 06:49
Reported
2024-06-28 06:52
Platform
win10v2004-20240508-en
Max time kernel
93s
Max time network
95s
Command Line
Signatures
Azov
Renames multiple (143) files with added filename extension
Modifies file permissions
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Bandera = "C:\\ProgramData\\rdpclient.exe" | C:\Users\Admin\AppData\Local\Temp\8a9ffacfca77b279def049baa151fc79cec36d8203b3ba7d2f933756a1e5ef99_NeikiAnalytics.exe | N/A |
Enumerates connected drives
Drops file in Program Files directory
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2468 wrote to memory of 2360 | N/A | C:\Users\Admin\AppData\Local\Temp\8a9ffacfca77b279def049baa151fc79cec36d8203b3ba7d2f933756a1e5ef99_NeikiAnalytics.exe | C:\Windows\system32\icacls.exe |
| PID 2468 wrote to memory of 2360 | N/A | C:\Users\Admin\AppData\Local\Temp\8a9ffacfca77b279def049baa151fc79cec36d8203b3ba7d2f933756a1e5ef99_NeikiAnalytics.exe | C:\Windows\system32\icacls.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\8a9ffacfca77b279def049baa151fc79cec36d8203b3ba7d2f933756a1e5ef99_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\8a9ffacfca77b279def049baa151fc79cec36d8203b3ba7d2f933756a1e5ef99_NeikiAnalytics.exe"
C:\Windows\system32\icacls.exe
C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
Network
Files
C:\Program Files\7-Zip\Lang\RESTORE_FILES.txt
C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp