52e3100698598caf17dd5e83ed020aca086f9d59681d9c462bbe41004b8e5989

Analysis

max time kernel
149s
max time network
141s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
01-07-2024 12:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

52e3100698598caf17dd5e83ed020aca086f9d59681d9c462bbe41004b8e5989_NeikiAnalytics.exe
Size

72KB
MD5

c16d227aec3ae258f29e9c46158ae110
SHA1

3450172bf4a7076ee27f54c8f5b65dac01131827
SHA256

52e3100698598caf17dd5e83ed020aca086f9d59681d9c462bbe41004b8e5989
SHA512

64c39066865e2e465eda4811690a3d01b1623a620396cdd3c3ac365b8c4c7b5c8c1ac2110c93ac6fac89827380fa4a1cbf8791580d8f4400b84a5551749bd375
SSDEEP

768:/O3Kqc8DdKGiDehcICROxr23vUUaxRuuErO8HlUl8UkPnptrhIW5zEBR+J/1zYt8:/OKqhdPi9zarnjs24JOYWoLBxUw

Score

1^/10

Malware Config

Signatures

Kills process with taskkill 1 IoCs

evasion

pid	Process
2568	taskkill.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2540	schtasks.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2568	taskkill.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2240	52e3100698598caf17dd5e83ed020aca086f9d59681d9c462bbe41004b8e5989_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2240 wrote to memory of 2568	2240	52e3100698598caf17dd5e83ed020aca086f9d59681d9c462bbe41004b8e5989_NeikiAnalytics.exe	29
PID 2240 wrote to memory of 2568	2240	52e3100698598caf17dd5e83ed020aca086f9d59681d9c462bbe41004b8e5989_NeikiAnalytics.exe	29
PID 2240 wrote to memory of 2568	2240	52e3100698598caf17dd5e83ed020aca086f9d59681d9c462bbe41004b8e5989_NeikiAnalytics.exe	29
PID 2240 wrote to memory of 2568	2240	52e3100698598caf17dd5e83ed020aca086f9d59681d9c462bbe41004b8e5989_NeikiAnalytics.exe	29
PID 2240 wrote to memory of 2596	2240	52e3100698598caf17dd5e83ed020aca086f9d59681d9c462bbe41004b8e5989_NeikiAnalytics.exe	31
PID 2240 wrote to memory of 2596	2240	52e3100698598caf17dd5e83ed020aca086f9d59681d9c462bbe41004b8e5989_NeikiAnalytics.exe	31
PID 2240 wrote to memory of 2596	2240	52e3100698598caf17dd5e83ed020aca086f9d59681d9c462bbe41004b8e5989_NeikiAnalytics.exe	31
PID 2240 wrote to memory of 2596	2240	52e3100698598caf17dd5e83ed020aca086f9d59681d9c462bbe41004b8e5989_NeikiAnalytics.exe	31
PID 2240 wrote to memory of 2564	2240	52e3100698598caf17dd5e83ed020aca086f9d59681d9c462bbe41004b8e5989_NeikiAnalytics.exe	32
PID 2240 wrote to memory of 2564	2240	52e3100698598caf17dd5e83ed020aca086f9d59681d9c462bbe41004b8e5989_NeikiAnalytics.exe	32
PID 2240 wrote to memory of 2564	2240	52e3100698598caf17dd5e83ed020aca086f9d59681d9c462bbe41004b8e5989_NeikiAnalytics.exe	32
PID 2240 wrote to memory of 2564	2240	52e3100698598caf17dd5e83ed020aca086f9d59681d9c462bbe41004b8e5989_NeikiAnalytics.exe	32
PID 2564 wrote to memory of 2540	2564	cmd.exe	35
PID 2564 wrote to memory of 2540	2564	cmd.exe	35
PID 2564 wrote to memory of 2540	2564	cmd.exe	35
PID 2564 wrote to memory of 2540	2564	cmd.exe	35

C:\Users\Admin\AppData\Local\Temp\52e3100698598caf17dd5e83ed020aca086f9d59681d9c462bbe41004b8e5989_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\52e3100698598caf17dd5e83ed020aca086f9d59681d9c462bbe41004b8e5989_NeikiAnalytics.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2240
- C:\Windows\SysWOW64\taskkill.exe
  taskkill.exe /F /IM 52e3100698598caf17dd5e83ed020aca086f9d59681d9c462bbe41004b8e5989_NeikiAnalytics_upgrade.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2568
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /C del /F /Q "C:\Users\Admin\AppData\Local\Temp\52e3100698598caf17dd5e83ed020aca086f9d59681d9c462bbe41004b8e5989_NeikiAnalytics_upgrade.exe"
  2⤵
  PID:2596
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /C schtasks /create /sc onstart /tn Dchk /tr "C:\Users\Admin\AppData\Local\Temp\52e3100698598caf17dd5e83ed020aca086f9d59681d9c462bbe41004b8e5989_NeikiAnalytics.exe" /ru System<Nul
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2564
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc onstart /tn Dchk /tr "C:\Users\Admin\AppData\Local\Temp\52e3100698598caf17dd5e83ed020aca086f9d59681d9c462bbe41004b8e5989_NeikiAnalytics.exe" /ru System
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads