342e4c5558f96ae0d5da658a3a8264967039285079611c26ace2cf950a8b0ea2

Analysis

max time kernel
119s
max time network
127s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
01-07-2024 04:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

342e4c5558f96ae0d5da658a3a8264967039285079611c26ace2cf950a8b0ea2_NeikiAnalytics.exe
Size

85KB
MD5

5a81bc1750bc9785b3aefa3de0c58340
SHA1

29fcf5b7272b36ea48d9b8252d610e7d17de1a21
SHA256

342e4c5558f96ae0d5da658a3a8264967039285079611c26ace2cf950a8b0ea2
SHA512

0fc4c21c8ec1b470a04eb6955a451dfcd0a1c8835ccb0ec290a4252d5240ac3d1b4debd9bd6ef154f7d3706393ace7b2de4367c4a16dac0f161e012d62ebff9b
SSDEEP

1536:ldd0YXOQFinmQH+iSfBgE78/thOYsuN7htqisKldR:tXnemQeiSZgC8/7OYsuN7bnV

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

342e4c5558f96ae0d5da658a3a8264967039285079611c26ace2cf950a8b0ea2_NeikiAnalytics.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Runonce = "C:\\Windows\\system32\\runouce.exe"	342e4c5558f96ae0d5da658a3a8264967039285079611c26ace2cf950a8b0ea2_NeikiAnalytics.exe

Drops file in System32 directory 2 IoCs

Processes:

342e4c5558f96ae0d5da658a3a8264967039285079611c26ace2cf950a8b0ea2_NeikiAnalytics.exe

description	ioc	process
File created	C:\Windows\SysWOW64\runouce.exe	342e4c5558f96ae0d5da658a3a8264967039285079611c26ace2cf950a8b0ea2_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\runouce.exe	342e4c5558f96ae0d5da658a3a8264967039285079611c26ace2cf950a8b0ea2_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

342e4c5558f96ae0d5da658a3a8264967039285079611c26ace2cf950a8b0ea2_NeikiAnalytics.exe

description	pid	process	target process
PID 2432 wrote to memory of 1864	2432	342e4c5558f96ae0d5da658a3a8264967039285079611c26ace2cf950a8b0ea2_NeikiAnalytics.exe	342e4c5558f96ae0d5da658a3a8264967039285079611c26ace2cf950a8b0ea2_NeikiAnalytics.exe
PID 2432 wrote to memory of 1864	2432	342e4c5558f96ae0d5da658a3a8264967039285079611c26ace2cf950a8b0ea2_NeikiAnalytics.exe	342e4c5558f96ae0d5da658a3a8264967039285079611c26ace2cf950a8b0ea2_NeikiAnalytics.exe
PID 2432 wrote to memory of 1864	2432	342e4c5558f96ae0d5da658a3a8264967039285079611c26ace2cf950a8b0ea2_NeikiAnalytics.exe	342e4c5558f96ae0d5da658a3a8264967039285079611c26ace2cf950a8b0ea2_NeikiAnalytics.exe
PID 2432 wrote to memory of 1864	2432	342e4c5558f96ae0d5da658a3a8264967039285079611c26ace2cf950a8b0ea2_NeikiAnalytics.exe	342e4c5558f96ae0d5da658a3a8264967039285079611c26ace2cf950a8b0ea2_NeikiAnalytics.exe
PID 2432 wrote to memory of 1864	2432	342e4c5558f96ae0d5da658a3a8264967039285079611c26ace2cf950a8b0ea2_NeikiAnalytics.exe	342e4c5558f96ae0d5da658a3a8264967039285079611c26ace2cf950a8b0ea2_NeikiAnalytics.exe
PID 2432 wrote to memory of 1864	2432	342e4c5558f96ae0d5da658a3a8264967039285079611c26ace2cf950a8b0ea2_NeikiAnalytics.exe	342e4c5558f96ae0d5da658a3a8264967039285079611c26ace2cf950a8b0ea2_NeikiAnalytics.exe
PID 2432 wrote to memory of 1864	2432	342e4c5558f96ae0d5da658a3a8264967039285079611c26ace2cf950a8b0ea2_NeikiAnalytics.exe	342e4c5558f96ae0d5da658a3a8264967039285079611c26ace2cf950a8b0ea2_NeikiAnalytics.exe
PID 2432 wrote to memory of 1192	2432	342e4c5558f96ae0d5da658a3a8264967039285079611c26ace2cf950a8b0ea2_NeikiAnalytics.exe	Explorer.EXE
PID 2432 wrote to memory of 1192	2432	342e4c5558f96ae0d5da658a3a8264967039285079611c26ace2cf950a8b0ea2_NeikiAnalytics.exe	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1192

C:\Users\Admin\AppData\Local\Temp\342e4c5558f96ae0d5da658a3a8264967039285079611c26ace2cf950a8b0ea2_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\342e4c5558f96ae0d5da658a3a8264967039285079611c26ace2cf950a8b0ea2_NeikiAnalytics.exe"
2⤵
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2432

C:\Users\Admin\AppData\Local\Temp\342e4c5558f96ae0d5da658a3a8264967039285079611c26ace2cf950a8b0ea2_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\342e4c5558f96ae0d5da658a3a8264967039285079611c26ace2cf950a8b0ea2_NeikiAnalytics.exe"
3⤵
PID:1864

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1192-6-0x0000000002D00000-0x0000000002D01000-memory.dmp

Filesize
4KB

Download
memory/1192-5-0x0000000002D00000-0x0000000002D01000-memory.dmp

Filesize
4KB

Download
memory/1864-2-0x0000000000FB0000-0x0000000000FC8000-memory.dmp

Filesize
96KB

Download
memory/1864-3-0x0000000000FB0000-0x0000000000FC8000-memory.dmp

Filesize
96KB

Download
memory/2432-0-0x0000000000FB0000-0x0000000000FC8000-memory.dmp

Filesize
96KB

Download
memory/2432-1-0x0000000000090000-0x00000000000A8000-memory.dmp

Filesize
96KB

Download
memory/2432-7-0x0000000000FB0000-0x0000000000FC8000-memory.dmp

Filesize
96KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads