92e4b860eddef38deefb66714841d66f488bfc8aa536b9afbe65428489e114ae

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
28/06/2024, 10:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

92e4b860eddef38deefb66714841d66f488bfc8aa536b9afbe65428489e114ae_NeikiAnalytics.exe
Size

68KB
MD5

c83e60fd26bba4078d2a8bd361d93d20
SHA1

d7dbdf9a2a354e8396eabba8ba66eee47efd54bc
SHA256

92e4b860eddef38deefb66714841d66f488bfc8aa536b9afbe65428489e114ae
SHA512

80b621d9e21f54d824723c656238d7dbaf11476b3f6251769ac9c8c5e72086a614bef91c55b4a208cb804cb6faa571e12d8dc913aaa35f96646fd665ee13020a
SSDEEP

1536:CdXkE87nccOtwqsIcGIjAPdrl88QpFk0cb:uUE87cxtplAKri8WKb

Score

10^/10

Malware Config

Extracted

Credentials

Protocol: ftp
Host:
ftp.tripod.com
Port:
21
Username:
onthelinux
Password:
741852abc

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1700	jusched.exe

Loads dropped DLL 2 IoCs

pid	Process
2456	92e4b860eddef38deefb66714841d66f488bfc8aa536b9afbe65428489e114ae_NeikiAnalytics.exe
2456	92e4b860eddef38deefb66714841d66f488bfc8aa536b9afbe65428489e114ae_NeikiAnalytics.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\c9ba06ba\jusched.exe	92e4b860eddef38deefb66714841d66f488bfc8aa536b9afbe65428489e114ae_NeikiAnalytics.exe
File created	C:\Program Files (x86)\c9ba06ba\c9ba06ba	92e4b860eddef38deefb66714841d66f488bfc8aa536b9afbe65428489e114ae_NeikiAnalytics.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\Update23.job	92e4b860eddef38deefb66714841d66f488bfc8aa536b9afbe65428489e114ae_NeikiAnalytics.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2456 wrote to memory of 1700	2456	92e4b860eddef38deefb66714841d66f488bfc8aa536b9afbe65428489e114ae_NeikiAnalytics.exe	28
PID 2456 wrote to memory of 1700	2456	92e4b860eddef38deefb66714841d66f488bfc8aa536b9afbe65428489e114ae_NeikiAnalytics.exe	28
PID 2456 wrote to memory of 1700	2456	92e4b860eddef38deefb66714841d66f488bfc8aa536b9afbe65428489e114ae_NeikiAnalytics.exe	28
PID 2456 wrote to memory of 1700	2456	92e4b860eddef38deefb66714841d66f488bfc8aa536b9afbe65428489e114ae_NeikiAnalytics.exe	28

C:\Users\Admin\AppData\Local\Temp\92e4b860eddef38deefb66714841d66f488bfc8aa536b9afbe65428489e114ae_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\92e4b860eddef38deefb66714841d66f488bfc8aa536b9afbe65428489e114ae_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2456
- C:\Program Files (x86)\c9ba06ba\jusched.exe
  "C:\Program Files (x86)\c9ba06ba\jusched.exe"
  2⤵
  - Executes dropped EXE
  PID:1700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\c9ba06ba\c9ba06ba

Filesize
17B

MD5
4d77d6b250ffb567743b8dbcdad695b8

SHA1
d5a8f98f9433f6d36c74df463cef3e2cf524462d

SHA256
7ec7a3a23890c3592f5b762aecf11adbf8831fad11b8048aedfa7315d599c5f2

SHA512
5655153049101fd67125d484c81f1ad30b44f36f00e3aabfe8d730a21661f4b394357b60da549289def4311b4cc7bd508d8fd6b8db254cd442b2152f8902bd71

Download Submit
\Program Files (x86)\c9ba06ba\jusched.exe

Filesize
68KB

MD5
6a36522d3521396b18edeca4a0b2283b

SHA1
c5f7c04ac37ad60b4dee2b3c51cb8409d7ba27c9

SHA256
d6fc0d7fda2cd5b173affe36aefe64989d852563bac2fc55a1b34af6378ee876

SHA512
b44bf62e69109c472b5f2cae04dd739749fc2f4464f978178ea33cde4140c8ab4558c42946dc089d819f71191b74ea9a519af70719d6d04ac62ab811c05c0e47

Download Submit
memory/1700-20-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1700-18-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1700-21-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1700-17-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1700-22-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2456-0-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2456-4-0x0000000000401000-0x0000000000427000-memory.dmp

Filesize
152KB

Download
memory/2456-3-0x0000000000320000-0x0000000000328000-memory.dmp

Filesize
32KB

Download
memory/2456-2-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2456-15-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download