207fb4aeffd47811049fe5c6366f09f70b859c6987883dcd9244a915af91a342

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
30-06-2024 22:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

207fb4aeffd47811049fe5c6366f09f70b859c6987883dcd9244a915af91a342_NeikiAnalytics.exe
Size

4.4MB
MD5

4a8099ca44ad78fa5414bab4f54ba030
SHA1

ad1e9ee328d7eb870ebdaf9cf592a183f838f459
SHA256

207fb4aeffd47811049fe5c6366f09f70b859c6987883dcd9244a915af91a342
SHA512

b1f905210d372c8352c07ea6c27bd71f12f7ee3a1e40375925bc6cb295b08d07d5bd9407e4da6e7d303a0951fb19e060a652951bfdf67f1151f19720e8698d03
SSDEEP

49152:0fhvX07qcsIUv5z95W+diSQJAoCWFf4z6X5MS/tl3odglPCpgVS84OH:+hc7qcvWzE4OX53C+V5r

Score

7^/10

Malware Config

Signatures

.NET Reactor proctector 1 IoCs
Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

Processes:

resource yara_rule

behavioral1/memory/2180-1-0x00000000012B0000-0x0000000001716000-memory.dmp net_reactor

resource	yara_rule
behavioral1/memory/2180-1-0x00000000012B0000-0x0000000001716000-memory.dmp	net_reactor

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

207fb4aeffd47811049fe5c6366f09f70b859c6987883dcd9244a915af91a342_NeikiAnalytics.exe

pid	process
2180	207fb4aeffd47811049fe5c6366f09f70b859c6987883dcd9244a915af91a342_NeikiAnalytics.exe
2180	207fb4aeffd47811049fe5c6366f09f70b859c6987883dcd9244a915af91a342_NeikiAnalytics.exe
2180	207fb4aeffd47811049fe5c6366f09f70b859c6987883dcd9244a915af91a342_NeikiAnalytics.exe
2180	207fb4aeffd47811049fe5c6366f09f70b859c6987883dcd9244a915af91a342_NeikiAnalytics.exe
2180	207fb4aeffd47811049fe5c6366f09f70b859c6987883dcd9244a915af91a342_NeikiAnalytics.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

207fb4aeffd47811049fe5c6366f09f70b859c6987883dcd9244a915af91a342_NeikiAnalytics.exe

description pid process

Token: SeDebugPrivilege 2180 207fb4aeffd47811049fe5c6366f09f70b859c6987883dcd9244a915af91a342_NeikiAnalytics.exe

description	pid	process
Token: SeDebugPrivilege	2180	207fb4aeffd47811049fe5c6366f09f70b859c6987883dcd9244a915af91a342_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

207fb4aeffd47811049fe5c6366f09f70b859c6987883dcd9244a915af91a342_NeikiAnalytics.exe

description	pid	process	target process
PID 2180 wrote to memory of 316	2180	207fb4aeffd47811049fe5c6366f09f70b859c6987883dcd9244a915af91a342_NeikiAnalytics.exe	MSBuild.exe
PID 2180 wrote to memory of 316	2180	207fb4aeffd47811049fe5c6366f09f70b859c6987883dcd9244a915af91a342_NeikiAnalytics.exe	MSBuild.exe
PID 2180 wrote to memory of 316	2180	207fb4aeffd47811049fe5c6366f09f70b859c6987883dcd9244a915af91a342_NeikiAnalytics.exe	MSBuild.exe
PID 2180 wrote to memory of 316	2180	207fb4aeffd47811049fe5c6366f09f70b859c6987883dcd9244a915af91a342_NeikiAnalytics.exe	MSBuild.exe
PID 2180 wrote to memory of 2788	2180	207fb4aeffd47811049fe5c6366f09f70b859c6987883dcd9244a915af91a342_NeikiAnalytics.exe	MSBuild.exe
PID 2180 wrote to memory of 2788	2180	207fb4aeffd47811049fe5c6366f09f70b859c6987883dcd9244a915af91a342_NeikiAnalytics.exe	MSBuild.exe
PID 2180 wrote to memory of 2788	2180	207fb4aeffd47811049fe5c6366f09f70b859c6987883dcd9244a915af91a342_NeikiAnalytics.exe	MSBuild.exe
PID 2180 wrote to memory of 2788	2180	207fb4aeffd47811049fe5c6366f09f70b859c6987883dcd9244a915af91a342_NeikiAnalytics.exe	MSBuild.exe
PID 2180 wrote to memory of 2536	2180	207fb4aeffd47811049fe5c6366f09f70b859c6987883dcd9244a915af91a342_NeikiAnalytics.exe	MSBuild.exe
PID 2180 wrote to memory of 2536	2180	207fb4aeffd47811049fe5c6366f09f70b859c6987883dcd9244a915af91a342_NeikiAnalytics.exe	MSBuild.exe
PID 2180 wrote to memory of 2536	2180	207fb4aeffd47811049fe5c6366f09f70b859c6987883dcd9244a915af91a342_NeikiAnalytics.exe	MSBuild.exe
PID 2180 wrote to memory of 2536	2180	207fb4aeffd47811049fe5c6366f09f70b859c6987883dcd9244a915af91a342_NeikiAnalytics.exe	MSBuild.exe
PID 2180 wrote to memory of 2532	2180	207fb4aeffd47811049fe5c6366f09f70b859c6987883dcd9244a915af91a342_NeikiAnalytics.exe	MSBuild.exe
PID 2180 wrote to memory of 2532	2180	207fb4aeffd47811049fe5c6366f09f70b859c6987883dcd9244a915af91a342_NeikiAnalytics.exe	MSBuild.exe
PID 2180 wrote to memory of 2532	2180	207fb4aeffd47811049fe5c6366f09f70b859c6987883dcd9244a915af91a342_NeikiAnalytics.exe	MSBuild.exe
PID 2180 wrote to memory of 2532	2180	207fb4aeffd47811049fe5c6366f09f70b859c6987883dcd9244a915af91a342_NeikiAnalytics.exe	MSBuild.exe
PID 2180 wrote to memory of 2552	2180	207fb4aeffd47811049fe5c6366f09f70b859c6987883dcd9244a915af91a342_NeikiAnalytics.exe	MSBuild.exe
PID 2180 wrote to memory of 2552	2180	207fb4aeffd47811049fe5c6366f09f70b859c6987883dcd9244a915af91a342_NeikiAnalytics.exe	MSBuild.exe
PID 2180 wrote to memory of 2552	2180	207fb4aeffd47811049fe5c6366f09f70b859c6987883dcd9244a915af91a342_NeikiAnalytics.exe	MSBuild.exe
PID 2180 wrote to memory of 2552	2180	207fb4aeffd47811049fe5c6366f09f70b859c6987883dcd9244a915af91a342_NeikiAnalytics.exe	MSBuild.exe

C:\Users\Admin\AppData\Local\Temp\207fb4aeffd47811049fe5c6366f09f70b859c6987883dcd9244a915af91a342_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\207fb4aeffd47811049fe5c6366f09f70b859c6987883dcd9244a915af91a342_NeikiAnalytics.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2180

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
2⤵
PID:316

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
2⤵
PID:2788

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
2⤵
PID:2536

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
2⤵
PID:2532

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
2⤵
PID:2552

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2180-0-0x0000000074A2E000-0x0000000074A2F000-memory.dmp

Filesize
4KB

Download
memory/2180-1-0x00000000012B0000-0x0000000001716000-memory.dmp

Filesize
4.4MB

Download
memory/2180-3-0x0000000074A20000-0x000000007510E000-memory.dmp

Filesize
6.9MB

Download
memory/2180-2-0x00000000005B0000-0x00000000005BA000-memory.dmp

Filesize
40KB

Download
memory/2180-4-0x0000000000E90000-0x0000000000F5E000-memory.dmp

Filesize
824KB

Download
memory/2180-5-0x00000000009C0000-0x00000000009C8000-memory.dmp

Filesize
32KB

Download
memory/2180-6-0x0000000000AD0000-0x0000000000AEC000-memory.dmp

Filesize
112KB

Download
memory/2180-7-0x0000000000AD0000-0x0000000000AE5000-memory.dmp

Filesize
84KB

Download
memory/2180-8-0x0000000000AD0000-0x0000000000AE5000-memory.dmp

Filesize
84KB

Download
memory/2180-10-0x0000000000AD0000-0x0000000000AE5000-memory.dmp

Filesize
84KB

Download
memory/2180-12-0x0000000000AD0000-0x0000000000AE5000-memory.dmp

Filesize
84KB

Download
memory/2180-14-0x0000000000AD0000-0x0000000000AE5000-memory.dmp

Filesize
84KB

Download
memory/2180-16-0x0000000000AD0000-0x0000000000AE5000-memory.dmp

Filesize
84KB

Download
memory/2180-18-0x0000000000AD0000-0x0000000000AE5000-memory.dmp

Filesize
84KB

Download
memory/2180-20-0x0000000000AD0000-0x0000000000AE5000-memory.dmp

Filesize
84KB

Download
memory/2180-24-0x0000000000AD0000-0x0000000000AE5000-memory.dmp

Filesize
84KB

Download
memory/2180-58-0x0000000000AD0000-0x0000000000AE5000-memory.dmp

Filesize
84KB

Download
memory/2180-66-0x0000000000AD0000-0x0000000000AE5000-memory.dmp

Filesize
84KB

Download
memory/2180-64-0x0000000000AD0000-0x0000000000AE5000-memory.dmp

Filesize
84KB

Download
memory/2180-62-0x0000000000AD0000-0x0000000000AE5000-memory.dmp

Filesize
84KB

Download
memory/2180-60-0x0000000000AD0000-0x0000000000AE5000-memory.dmp

Filesize
84KB

Download
memory/2180-56-0x0000000000AD0000-0x0000000000AE5000-memory.dmp

Filesize
84KB

Download
memory/2180-54-0x0000000000AD0000-0x0000000000AE5000-memory.dmp

Filesize
84KB

Download
memory/2180-52-0x0000000000AD0000-0x0000000000AE5000-memory.dmp

Filesize
84KB

Download
memory/2180-50-0x0000000000AD0000-0x0000000000AE5000-memory.dmp

Filesize
84KB

Download
memory/2180-49-0x0000000000AD0000-0x0000000000AE5000-memory.dmp

Filesize
84KB

Download
memory/2180-46-0x0000000000AD0000-0x0000000000AE5000-memory.dmp

Filesize
84KB

Download
memory/2180-44-0x0000000000AD0000-0x0000000000AE5000-memory.dmp

Filesize
84KB

Download
memory/2180-42-0x0000000000AD0000-0x0000000000AE5000-memory.dmp

Filesize
84KB

Download
memory/2180-40-0x0000000000AD0000-0x0000000000AE5000-memory.dmp

Filesize
84KB

Download
memory/2180-38-0x0000000000AD0000-0x0000000000AE5000-memory.dmp

Filesize
84KB

Download
memory/2180-36-0x0000000000AD0000-0x0000000000AE5000-memory.dmp

Filesize
84KB

Download
memory/2180-34-0x0000000000AD0000-0x0000000000AE5000-memory.dmp

Filesize
84KB

Download
memory/2180-32-0x0000000000AD0000-0x0000000000AE5000-memory.dmp

Filesize
84KB

Download
memory/2180-30-0x0000000000AD0000-0x0000000000AE5000-memory.dmp

Filesize
84KB

Download
memory/2180-28-0x0000000000AD0000-0x0000000000AE5000-memory.dmp

Filesize
84KB

Download
memory/2180-26-0x0000000000AD0000-0x0000000000AE5000-memory.dmp

Filesize
84KB

Download
memory/2180-22-0x0000000000AD0000-0x0000000000AE5000-memory.dmp

Filesize
84KB

Download
memory/2180-67-0x0000000074A20000-0x000000007510E000-memory.dmp

Filesize
6.9MB

Download
memory/2180-68-0x0000000074A20000-0x000000007510E000-memory.dmp

Filesize
6.9MB

Download