3580de435072309f9680bb8c8a7a5046f5a8f05aef5915c4df0a2afbdf652393

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
01/07/2024, 04:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3580de435072309f9680bb8c8a7a5046f5a8f05aef5915c4df0a2afbdf652393_NeikiAnalytics.exe
Size

37KB
MD5

0ea6321d998cdc7afc450353198415e0
SHA1

7373b39d225f6d18745220de7a179b8c9cf06f75
SHA256

3580de435072309f9680bb8c8a7a5046f5a8f05aef5915c4df0a2afbdf652393
SHA512

ee795ad60b926a6688f37c44bd38b9410e63649f978e47c51ebfb0e495098931817ac5a88908556d5e0be6343524be11fec9a90cb691554eb44064f4e7d590db
SSDEEP

768:DqPJtsA6C1VqahohtgVRNToV7TtRu8rM0wYVFl2g5coW58dO0xXHV2EfKYfdhNhY:DqMA6C1VqaqhtgVRNToV7TtRu8rM0wY4

Score

7^/10

persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2972	microsofthelp.exe

Executes dropped EXE 1 IoCs

pid	Process
2972	microsofthelp.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\microsofthelp = "C:\\Windows\\microsofthelp.exe"	3580de435072309f9680bb8c8a7a5046f5a8f05aef5915c4df0a2afbdf652393_NeikiAnalytics.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\microsofthelp.exe	3580de435072309f9680bb8c8a7a5046f5a8f05aef5915c4df0a2afbdf652393_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4772 wrote to memory of 2972	4772	3580de435072309f9680bb8c8a7a5046f5a8f05aef5915c4df0a2afbdf652393_NeikiAnalytics.exe	83
PID 4772 wrote to memory of 2972	4772	3580de435072309f9680bb8c8a7a5046f5a8f05aef5915c4df0a2afbdf652393_NeikiAnalytics.exe	83
PID 4772 wrote to memory of 2972	4772	3580de435072309f9680bb8c8a7a5046f5a8f05aef5915c4df0a2afbdf652393_NeikiAnalytics.exe	83

C:\Users\Admin\AppData\Local\Temp\3580de435072309f9680bb8c8a7a5046f5a8f05aef5915c4df0a2afbdf652393_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\3580de435072309f9680bb8c8a7a5046f5a8f05aef5915c4df0a2afbdf652393_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4772
- C:\Windows\microsofthelp.exe
  "C:\Windows\microsofthelp.exe"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:2972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\microsofthelp.exe

Filesize
37KB

MD5
12ac7759ebb8c1d56aa8cdb6b4505c86

SHA1
7a9102cd383d563b48a4ce88d019c2bc68a27ee9

SHA256
e6146c049cba437a080281f32ef117760af6f58be3b5e09b8b361306315600b3

SHA512
127baf447add971f9c399d5d2c68a02a8d462a3dc13274bfdd8c788df4cd0e241c6bdea795ae21bc513d3bd4dcc2ab18f702548328f8f404a27d08e785a90715

Download Submit
memory/2972-6-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/4772-0-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/4772-4-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads