Analysis
-
max time kernel
117s
-
max time network
118s
-
platform
windows7_x64
-
resource
win7-20231129-en
-
resource tags
arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
-
submitted
29-06-2024 01:08
Behavioral task
behavioral1
Sample
41775fe48e934c36796432a83b790dfc48511b816f2a67bdecb63762bc3e7538_NeikiAnalytics.exe
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
41775fe48e934c36796432a83b790dfc48511b816f2a67bdecb63762bc3e7538_NeikiAnalytics.exe
Resource
win10v2004-20240611-en
General
-
Target
41775fe48e934c36796432a83b790dfc48511b816f2a67bdecb63762bc3e7538_NeikiAnalytics.exe
-
Size
1.9MB
-
MD5
8d7f2ae1fd4cb68ad3977e671c3ad3a0
-
SHA1
78a9a25da81877035ddbfcf93131987739d78838
-
SHA256
41775fe48e934c36796432a83b790dfc48511b816f2a67bdecb63762bc3e7538
-
SHA512
3673aac441578124e1f89df089fcc53843e12619443112bbeda65f6a56b2487126949031532dc99cb54a906cefa2b7dced005f0b190fa2a52fa91ed8544beace
-
SSDEEP
24576:JMKuWz0vnWbF36tUehZEY+5cMsGNyNlyarXwe:h0vnWbF36jhZE55cMZiprXw
Malware Config
Signatures
-
Loads dropped DLL 1 IoCs
Processes:
41775fe48e934c36796432a83b790dfc48511b816f2a67bdecb63762bc3e7538_NeikiAnalytics.exe
pid | process
2248 | 41775fe48e934c36796432a83b790dfc48511b816f2a67bdecb63762bc3e7538_NeikiAnalytics.exe
-
Obfuscated with Agile.Net obfuscator 1 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
Processes:
resource | yara_rule
behavioral1/memory/2248-1-0x0000000000F20000-0x0000000001100000-memory.dmp | agile_net
-
Program crash 1 IoCs
Processes:
WerFault.exe
pid | pid_target | process | target process
2228 | 2248 | WerFault.exe | 41775fe48e934c36796432a83b790dfc48511b816f2a67bdecb63762bc3e7538_NeikiAnalytics.exe
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
41775fe48e934c36796432a83b790dfc48511b816f2a67bdecb63762bc3e7538_NeikiAnalytics.exe
description | pid | process | target process
PID 2248 wrote to memory of 2228 | 2248 | 41775fe48e934c36796432a83b790dfc48511b816f2a67bdecb63762bc3e7538_NeikiAnalytics.exe | WerFault.exe
PID 2248 wrote to memory of 2228 | 2248 | 41775fe48e934c36796432a83b790dfc48511b816f2a67bdecb63762bc3e7538_NeikiAnalytics.exe | WerFault.exe
PID 2248 wrote to memory of 2228 | 2248 | 41775fe48e934c36796432a83b790dfc48511b816f2a67bdecb63762bc3e7538_NeikiAnalytics.exe | WerFault.exe
PID 2248 wrote to memory of 2228 | 2248 | 41775fe48e934c36796432a83b790dfc48511b816f2a67bdecb63762bc3e7538_NeikiAnalytics.exe | WerFault.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\41775fe48e934c36796432a83b790dfc48511b816f2a67bdecb63762bc3e7538_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\41775fe48e934c36796432a83b790dfc48511b816f2a67bdecb63762bc3e7538_NeikiAnalytics.exe"
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2248 -s 616
- Program crash
Network
MITRE ATT&CK Matrix
Downloads
-
\Users\Admin\AppData\Local\Temp\464a933c-874e-490c-ae31-008a45949341\AgileDotNetRT.dll
Filesize
136KB
MD5
54ab56509d910c969b9c287fde10026d
SHA1
b0929cd61e4428d57191b0c41ad60765236bed4c
SHA256
998b95107a40360c441b4d1211f9f2e5ea9d004017baa383ffbe1a46cf08bfd0
SHA512
b16722ac2662362d6ee37620f1ab2dcee05e0a54b49dbc8bb2d93561f35f2f09e4dd8f0bc6139d57a5424a7b76c62dafef62a7f355ea1963e7fcdce180cdd2e8