25b6c8b51b839bc310e54200948099b5d16eb6a3f5ef6165c7a9f21c08b99d59

Analysis

max time kernel
121s
max time network
124s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
01-07-2024 00:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

25b6c8b51b839bc310e54200948099b5d16eb6a3f5ef6165c7a9f21c08b99d59_NeikiAnalytics.exe
Size

100KB
MD5

d1d73678477e150ceebbfc9daec53070
SHA1

5f8597ad91251c6f13d13596864a5dfd542872b4
SHA256

25b6c8b51b839bc310e54200948099b5d16eb6a3f5ef6165c7a9f21c08b99d59
SHA512

bf70ce0429791261c030dff001077fdc950d5183b1afac03e0cfe5ef75115243e24f878c1eaead7d9bdcc1b6353c550e2c7fd78d33ead300b12c4cd2b54c837d
SSDEEP

1536:YyYCkvjnFk/6jW8JX/3jtzUYx5QRpeTi+ORyBeRQ2R:YyY1bFCcW8JX/zeYxVT8RMeye

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

sqRLkphNDkWHwD.exe

pid process

2036 sqRLkphNDkWHwD.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

25b6c8b51b839bc310e54200948099b5d16eb6a3f5ef6165c7a9f21c08b99d59_NeikiAnalytics.exe

description pid process

Token: SeDebugPrivilege 1216 25b6c8b51b839bc310e54200948099b5d16eb6a3f5ef6165c7a9f21c08b99d59_NeikiAnalytics.exe

pid	process
2036	sqRLkphNDkWHwD.exe

description	pid	process
Token: SeDebugPrivilege	1216	25b6c8b51b839bc310e54200948099b5d16eb6a3f5ef6165c7a9f21c08b99d59_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

25b6c8b51b839bc310e54200948099b5d16eb6a3f5ef6165c7a9f21c08b99d59_NeikiAnalytics.exe

description	pid	process	target process
PID 1216 wrote to memory of 2036	1216	25b6c8b51b839bc310e54200948099b5d16eb6a3f5ef6165c7a9f21c08b99d59_NeikiAnalytics.exe	sqRLkphNDkWHwD.exe
PID 1216 wrote to memory of 2036	1216	25b6c8b51b839bc310e54200948099b5d16eb6a3f5ef6165c7a9f21c08b99d59_NeikiAnalytics.exe	sqRLkphNDkWHwD.exe
PID 1216 wrote to memory of 2036	1216	25b6c8b51b839bc310e54200948099b5d16eb6a3f5ef6165c7a9f21c08b99d59_NeikiAnalytics.exe	sqRLkphNDkWHwD.exe

C:\Users\Admin\AppData\Local\Temp\25b6c8b51b839bc310e54200948099b5d16eb6a3f5ef6165c7a9f21c08b99d59_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\25b6c8b51b839bc310e54200948099b5d16eb6a3f5ef6165c7a9f21c08b99d59_NeikiAnalytics.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1216

C:\Users\Admin\AppData\Local\Temp\sqRLkphNDkWHwD.exe
"C:\Users\Admin\AppData\Local\Temp\sqRLkphNDkWHwD.exe"
2⤵
- Executes dropped EXE
PID:2036

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\sqRLkphNDkWHwD.exe
Filesize
100KB

MD5
d1d73678477e150ceebbfc9daec53070

SHA1
5f8597ad91251c6f13d13596864a5dfd542872b4

SHA256
25b6c8b51b839bc310e54200948099b5d16eb6a3f5ef6165c7a9f21c08b99d59

SHA512
bf70ce0429791261c030dff001077fdc950d5183b1afac03e0cfe5ef75115243e24f878c1eaead7d9bdcc1b6353c550e2c7fd78d33ead300b12c4cd2b54c837d

Download Submit
memory/1216-0-0x000007FEF627E000-0x000007FEF627F000-memory.dmp

Filesize
4KB

Download
memory/1216-9-0x000007FEF5FC0000-0x000007FEF695D000-memory.dmp

Filesize
9.6MB

Download