b2f0ef084784923eaf4b5fe0f0ff60bf4086cfec428d08a7e562874cc2984d22

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
29-06-2024 16:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b2f0ef084784923eaf4b5fe0f0ff60bf4086cfec428d08a7e562874cc2984d22_NeikiAnalytics.exe
Size

28KB
MD5

71c76dce7056dcb697e31bffaa9a90d0
SHA1

372686eaf2abd9ad21c89d9947792dced0ad1011
SHA256

b2f0ef084784923eaf4b5fe0f0ff60bf4086cfec428d08a7e562874cc2984d22
SHA512

5ba0c8f9a152bf08aef8ed6c09b215d0d99c599a5a6fc16ccd5990bdde4711b83d0c8826d712e67275ca186eac283a4cd865ceb0d61f09c4ad1419cbb8085a1a
SSDEEP

384:Xng4j8Gs/sRHSv9W705ZqSA7hyTM/0uOhXmaVsLl:XnDj8GsmIlAFyTqUhWaS

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1872	winupd.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3596	1468	WerFault.exe	83

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
1468	ipconfig.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2304	b2f0ef084784923eaf4b5fe0f0ff60bf4086cfec428d08a7e562874cc2984d22_NeikiAnalytics.exe
1872	winupd.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2304 wrote to memory of 1872	2304	b2f0ef084784923eaf4b5fe0f0ff60bf4086cfec428d08a7e562874cc2984d22_NeikiAnalytics.exe	82
PID 2304 wrote to memory of 1872	2304	b2f0ef084784923eaf4b5fe0f0ff60bf4086cfec428d08a7e562874cc2984d22_NeikiAnalytics.exe	82
PID 2304 wrote to memory of 1872	2304	b2f0ef084784923eaf4b5fe0f0ff60bf4086cfec428d08a7e562874cc2984d22_NeikiAnalytics.exe	82
PID 1872 wrote to memory of 1468	1872	winupd.exe	83
PID 1872 wrote to memory of 1468	1872	winupd.exe	83
PID 1872 wrote to memory of 1468	1872	winupd.exe	83
PID 1872 wrote to memory of 1468	1872	winupd.exe	83
PID 1872 wrote to memory of 1468	1872	winupd.exe	83

C:\Users\Admin\AppData\Local\Temp\b2f0ef084784923eaf4b5fe0f0ff60bf4086cfec428d08a7e562874cc2984d22_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\b2f0ef084784923eaf4b5fe0f0ff60bf4086cfec428d08a7e562874cc2984d22_NeikiAnalytics.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2304
- C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe -notray
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1872
- - C:\Windows\SysWOW64\ipconfig.exe
    "C:\Windows\system32\ipconfig.exe"
    3⤵
    - Gathers network information
    PID:1468
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1468 -s 272
      4⤵
      Program crash
      PID:3596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1468 -ip 1468
1⤵
PID:2968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe

Filesize
28KB

MD5
9c40428ed573361d520e61be84778eb0

SHA1
cf727de3c53440c9e8f923ad78ea5affd6eed376

SHA256
2bc8a59cfc473cfd44bd959b6046e30bc15ccf8afdc04b9baf03d27dfc22b136

SHA512
d24f3f12a196f858b36b8632322a469087c04baac31f722d03d7251aaf8487f3be01b98edba82aa993535621c42849cf88538ea80a09ad96a32e45b9dc285777

Download Submit