52e3100698598caf17dd5e83ed020aca086f9d59681d9c462bbe41004b8e5989

Analysis

max time kernel
148s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
01/07/2024, 12:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

52e3100698598caf17dd5e83ed020aca086f9d59681d9c462bbe41004b8e5989_NeikiAnalytics.exe
Size

72KB
MD5

c16d227aec3ae258f29e9c46158ae110
SHA1

3450172bf4a7076ee27f54c8f5b65dac01131827
SHA256

52e3100698598caf17dd5e83ed020aca086f9d59681d9c462bbe41004b8e5989
SHA512

64c39066865e2e465eda4811690a3d01b1623a620396cdd3c3ac365b8c4c7b5c8c1ac2110c93ac6fac89827380fa4a1cbf8791580d8f4400b84a5551749bd375
SSDEEP

768:/O3Kqc8DdKGiDehcICROxr23vUUaxRuuErO8HlUl8UkPnptrhIW5zEBR+J/1zYt8:/OKqhdPi9zarnjs24JOYWoLBxUw

Score

1^/10

Malware Config

Signatures

Kills process with taskkill 1 IoCs

evasion

pid	Process
2152	taskkill.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2528	schtasks.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2152	taskkill.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3324	52e3100698598caf17dd5e83ed020aca086f9d59681d9c462bbe41004b8e5989_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3324 wrote to memory of 2152	3324	52e3100698598caf17dd5e83ed020aca086f9d59681d9c462bbe41004b8e5989_NeikiAnalytics.exe	90
PID 3324 wrote to memory of 2152	3324	52e3100698598caf17dd5e83ed020aca086f9d59681d9c462bbe41004b8e5989_NeikiAnalytics.exe	90
PID 3324 wrote to memory of 2152	3324	52e3100698598caf17dd5e83ed020aca086f9d59681d9c462bbe41004b8e5989_NeikiAnalytics.exe	90
PID 3324 wrote to memory of 1612	3324	52e3100698598caf17dd5e83ed020aca086f9d59681d9c462bbe41004b8e5989_NeikiAnalytics.exe	91
PID 3324 wrote to memory of 1612	3324	52e3100698598caf17dd5e83ed020aca086f9d59681d9c462bbe41004b8e5989_NeikiAnalytics.exe	91
PID 3324 wrote to memory of 1612	3324	52e3100698598caf17dd5e83ed020aca086f9d59681d9c462bbe41004b8e5989_NeikiAnalytics.exe	91
PID 3324 wrote to memory of 5084	3324	52e3100698598caf17dd5e83ed020aca086f9d59681d9c462bbe41004b8e5989_NeikiAnalytics.exe	93
PID 3324 wrote to memory of 5084	3324	52e3100698598caf17dd5e83ed020aca086f9d59681d9c462bbe41004b8e5989_NeikiAnalytics.exe	93
PID 3324 wrote to memory of 5084	3324	52e3100698598caf17dd5e83ed020aca086f9d59681d9c462bbe41004b8e5989_NeikiAnalytics.exe	93
PID 5084 wrote to memory of 2528	5084	cmd.exe	96
PID 5084 wrote to memory of 2528	5084	cmd.exe	96
PID 5084 wrote to memory of 2528	5084	cmd.exe	96

C:\Users\Admin\AppData\Local\Temp\52e3100698598caf17dd5e83ed020aca086f9d59681d9c462bbe41004b8e5989_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\52e3100698598caf17dd5e83ed020aca086f9d59681d9c462bbe41004b8e5989_NeikiAnalytics.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3324
- C:\Windows\SysWOW64\taskkill.exe
  taskkill.exe /F /IM 52e3100698598caf17dd5e83ed020aca086f9d59681d9c462bbe41004b8e5989_NeikiAnalytics_upgrade.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2152
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /C del /F /Q "C:\Users\Admin\AppData\Local\Temp\52e3100698598caf17dd5e83ed020aca086f9d59681d9c462bbe41004b8e5989_NeikiAnalytics_upgrade.exe"
  2⤵
  PID:1612
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /C schtasks /create /sc onstart /tn Dchk /tr "C:\Users\Admin\AppData\Local\Temp\52e3100698598caf17dd5e83ed020aca086f9d59681d9c462bbe41004b8e5989_NeikiAnalytics.exe" /ru System<Nul
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5084
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc onstart /tn Dchk /tr "C:\Users\Admin\AppData\Local\Temp\52e3100698598caf17dd5e83ed020aca086f9d59681d9c462bbe41004b8e5989_NeikiAnalytics.exe" /ru System
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2528

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4296,i,13879737908471496610,15335851594401413307,262144 --variations-seed-version --mojo-platform-channel-handle=3756 /prefetch:8
1⤵
PID:4904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Windows 7 deprecation

Loading Replay Monitor...

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads