a28a6eb2c8da3442017630757606739f938dd9751091e3f2a0932c371a193e56

Analysis

max time kernel
149s
max time network
51s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
28-06-2024 17:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a28a6eb2c8da3442017630757606739f938dd9751091e3f2a0932c371a193e56_NeikiAnalytics.exe
Size

37KB
MD5

fa00ce41b7df5ede18b803c9343b62b0
SHA1

95745f7340ecf5ba5ce78cf2cd45d62e0cad039b
SHA256

a28a6eb2c8da3442017630757606739f938dd9751091e3f2a0932c371a193e56
SHA512

065a53af2f56e97fe23bc307b804d0f033e0fec4605ac1a3f99ecc3fed516a40d29700c8753a99d83212f8fb7d08ec0fc86afb1894e294ff024f6327425d20d4
SSDEEP

768:DqPJtsA6C1VqahohtgVRNToV7TtRu8rM0wYVFl2g5coW58dO0xXHV2EfKYfdhNhF:DqMA6C1VqaqhtgVRNToV7TtRu8rM0wYl

Score

7^/10

persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2356	microsofthelp.exe

Executes dropped EXE 1 IoCs

pid	Process
2356	microsofthelp.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\microsofthelp = "C:\\Windows\\microsofthelp.exe"	a28a6eb2c8da3442017630757606739f938dd9751091e3f2a0932c371a193e56_NeikiAnalytics.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\microsofthelp.exe	a28a6eb2c8da3442017630757606739f938dd9751091e3f2a0932c371a193e56_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 792 wrote to memory of 2356	792	a28a6eb2c8da3442017630757606739f938dd9751091e3f2a0932c371a193e56_NeikiAnalytics.exe	81
PID 792 wrote to memory of 2356	792	a28a6eb2c8da3442017630757606739f938dd9751091e3f2a0932c371a193e56_NeikiAnalytics.exe	81
PID 792 wrote to memory of 2356	792	a28a6eb2c8da3442017630757606739f938dd9751091e3f2a0932c371a193e56_NeikiAnalytics.exe	81

C:\Users\Admin\AppData\Local\Temp\a28a6eb2c8da3442017630757606739f938dd9751091e3f2a0932c371a193e56_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\a28a6eb2c8da3442017630757606739f938dd9751091e3f2a0932c371a193e56_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:792
- C:\Windows\microsofthelp.exe
  "C:\Windows\microsofthelp.exe"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:2356

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\microsofthelp.exe

Filesize
37KB

MD5
6d0008161c512247709c57a83f8c6721

SHA1
aa703cde44a53a158b5b312d6c7ebcbd1fd6cf14

SHA256
50d80f6094cf7c906d7ea2fb9de997c5718c564e2262c94adabdd939b4157c48

SHA512
0e4b96ecae3105ea94bdac290556c8b0cae329e1b32c93dce2d9178827bad2180e04ef2c0f65612dfb06a387c7167f95bf7599de0f56112a06173aacabdb94b2

Download Submit
memory/792-4-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/2356-5-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads