2a744f7c1c54127ac7746eae3616aeeb39b17410eb4057823fe6fa26bb6fe97e

Analysis

max time kernel
149s
max time network
120s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
09/05/2024, 15:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7b871b5d253fb86bdd5a0b1b34844390_NeikiAnalytics.exe
Size

203KB
MD5

7b871b5d253fb86bdd5a0b1b34844390
SHA1

f563dceacc1a3ef970a1cbf37e793d271e63f4b9
SHA256

2a744f7c1c54127ac7746eae3616aeeb39b17410eb4057823fe6fa26bb6fe97e
SHA512

78cdf1ac70ca72fc3287ff8aee98d8a06c5fcae187f7ffeb76ed1ac0df16607ac8ed4e643db9182792f75de95cc320e9ffd2f54122eed271a334341aa7820d62
SSDEEP

3072:IyrN/sVywaEj1UsPyrN/sVywaEj1Us10nfWGQJehM75M/0Wt/Sz0CchNoZUrET0W:Nh9wv1U7h9wv1UveG27u/Ht/U0ChZAW

Score

7^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2644	lcss.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1668-0-0x0000000000400000-0x0000000000420000-memory.dmp	upx
behavioral1/files/0x0038000000014c0b-5.dat	upx
behavioral1/files/0x000700000001552d-25.dat	upx
behavioral1/memory/2644-27-0x0000000000400000-0x0000000000420000-memory.dmp	upx
behavioral1/files/0x000b000000012274-30.dat	upx
behavioral1/files/0x000700000001562a-28.dat	upx
behavioral1/memory/1668-31-0x0000000000400000-0x0000000000420000-memory.dmp	upx
behavioral1/memory/2644-32-0x0000000000400000-0x0000000000420000-memory.dmp	upx

Modifies WinLogon 2 TTPs 15 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlogon\Asynchronous = "1"	7b871b5d253fb86bdd5a0b1b34844390_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlogon\Startup = "EvWinLogon"	lcss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlogon\StartShell = "EvWinLogon"	lcss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlogon\DLLName = "wlogon.dll"	lcss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlogon\Logon = "EvWinLogon"	7b871b5d253fb86bdd5a0b1b34844390_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlogon\DLLName = "wlogon.dll"	7b871b5d253fb86bdd5a0b1b34844390_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlogon\Asynchronous = "1"	lcss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlogon\Logon = "EvWinLogon"	lcss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlogon	7b871b5d253fb86bdd5a0b1b34844390_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlogon\Impersonate = "1"	7b871b5d253fb86bdd5a0b1b34844390_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlogon\StartShell = "EvWinLogon"	7b871b5d253fb86bdd5a0b1b34844390_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlogon	lcss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify	7b871b5d253fb86bdd5a0b1b34844390_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlogon\Startup = "EvWinLogon"	7b871b5d253fb86bdd5a0b1b34844390_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlogon\Impersonate = "1"	lcss.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\wlogon.dll	7b871b5d253fb86bdd5a0b1b34844390_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\net.cpl	7b871b5d253fb86bdd5a0b1b34844390_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\lcss.exe	7b871b5d253fb86bdd5a0b1b34844390_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\crypto.dll	7b871b5d253fb86bdd5a0b1b34844390_NeikiAnalytics.exe

Modifies registry class 38 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{310DE29C-0AD3-4A43-A2DB-221F1160CACB}\ProgID\ = "WinCryptography.Encrypt.1"	lcss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{310DE29C-0AD3-4A43-A2DB-221F1160CACB}\InprocServer32	7b871b5d253fb86bdd5a0b1b34844390_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinCryptography.Encrypt.1\ = "Windows Cryptography"	7b871b5d253fb86bdd5a0b1b34844390_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{310DE29C-0AD3-4A43-A2DB-221F1160CACB}\InprocServer32\ThreadingModel = "Both"	lcss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{310DE29C-0AD3-4A43-A2DB-221F1160CACB}\ProgID	7b871b5d253fb86bdd5a0b1b34844390_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinCryptography.Encrypt\CLSID\ = "{310DE29C-0AD3-4A43-A2DB-221F1160CACB}"	7b871b5d253fb86bdd5a0b1b34844390_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{310DE29C-0AD3-4A43-A2DB-221F1160CACB}\ProgID\ = "WinCryptography.Encrypt.1"	7b871b5d253fb86bdd5a0b1b34844390_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinCryptography.Encrypt	lcss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinCryptography.Encrypt\CLSID	lcss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinCryptography.Encrypt.1\CLSID	lcss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinCryptography.Encrypt\ = "Windows Cryptography"	lcss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinCryptography.Encrypt\CLSID	7b871b5d253fb86bdd5a0b1b34844390_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinCryptography.Encrypt\CurVer	7b871b5d253fb86bdd5a0b1b34844390_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{310DE29C-0AD3-4A43-A2DB-221F1160CACB}	7b871b5d253fb86bdd5a0b1b34844390_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinCryptography.Encrypt.1\CLSID\ = "{310DE29C-0AD3-4A43-A2DB-221F1160CACB}"	lcss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{310DE29C-0AD3-4A43-A2DB-221F1160CACB}\ = "Windows Cryptography"	7b871b5d253fb86bdd5a0b1b34844390_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{310DE29C-0AD3-4A43-A2DB-221F1160CACB}\InprocServer32\ = "crypto.dll"	7b871b5d253fb86bdd5a0b1b34844390_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{310DE29C-0AD3-4A43-A2DB-221F1160CACB}\VersionIndependentProgID\ = "WinCryptography.Encrypt"	7b871b5d253fb86bdd5a0b1b34844390_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinCryptography.Encrypt\ = "Windows Cryptography"	7b871b5d253fb86bdd5a0b1b34844390_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{310DE29C-0AD3-4A43-A2DB-221F1160CACB}\VersionIndependentProgID	lcss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinCryptography.Encrypt.1	lcss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{310DE29C-0AD3-4A43-A2DB-221F1160CACB}\VersionIndependentProgID	7b871b5d253fb86bdd5a0b1b34844390_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinCryptography.Encrypt.1	7b871b5d253fb86bdd5a0b1b34844390_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinCryptography.Encrypt.1\ = "Windows Cryptography"	lcss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{310DE29C-0AD3-4A43-A2DB-221F1160CACB}\ProgID	lcss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinCryptography.Encrypt\CurVer	lcss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{310DE29C-0AD3-4A43-A2DB-221F1160CACB}\ = "Windows Cryptography"	lcss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinCryptography.Encrypt\CLSID\ = "{310DE29C-0AD3-4A43-A2DB-221F1160CACB}"	lcss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinCryptography.Encrypt\CurVer\ = "WinCryptography.Encrypt.1"	lcss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{310DE29C-0AD3-4A43-A2DB-221F1160CACB}\InprocServer32\ThreadingModel = "Both"	7b871b5d253fb86bdd5a0b1b34844390_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinCryptography.Encrypt\CurVer\ = "WinCryptography.Encrypt.1"	7b871b5d253fb86bdd5a0b1b34844390_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinCryptography.Encrypt.1\CLSID\ = "{310DE29C-0AD3-4A43-A2DB-221F1160CACB}"	7b871b5d253fb86bdd5a0b1b34844390_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{310DE29C-0AD3-4A43-A2DB-221F1160CACB}	lcss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{310DE29C-0AD3-4A43-A2DB-221F1160CACB}\InprocServer32	lcss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{310DE29C-0AD3-4A43-A2DB-221F1160CACB}\InprocServer32\ = "crypto.dll"	lcss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinCryptography.Encrypt	7b871b5d253fb86bdd5a0b1b34844390_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinCryptography.Encrypt.1\CLSID	7b871b5d253fb86bdd5a0b1b34844390_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{310DE29C-0AD3-4A43-A2DB-221F1160CACB}\VersionIndependentProgID\ = "WinCryptography.Encrypt"	lcss.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1668	7b871b5d253fb86bdd5a0b1b34844390_NeikiAnalytics.exe
Token: SeDebugPrivilege	1668	7b871b5d253fb86bdd5a0b1b34844390_NeikiAnalytics.exe
Token: SeTakeOwnershipPrivilege	2644	lcss.exe
Token: SeDebugPrivilege	2644	lcss.exe

C:\Users\Admin\AppData\Local\Temp\7b871b5d253fb86bdd5a0b1b34844390_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\7b871b5d253fb86bdd5a0b1b34844390_NeikiAnalytics.exe"
1⤵
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:1668

C:\Windows\SysWOW64\lcss.exe
C:\Windows\SysWOW64\lcss.exe
1⤵
- Executes dropped EXE
- Modifies WinLogon
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:2644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\crypto.dll

Filesize
224KB

MD5
108ed71adbc6637baa9558b2e026c782

SHA1
5efa067ce9cbd5b1ce464dc6c89154034b9d6c3e

SHA256
4730f464dd65f6279919cfa48b828714c504628342343300b4d2a9a97ed678ad

SHA512
ebd50dfd0dda454e8c7f1625f5dfeb46b539bab357b3c938e5ef1bc3829ab962569412fad41f5cadb8df375f2df824b3e055608307cbce1f523acfee4a75d9c3

Download Submit
C:\Windows\SysWOW64\lcss.exe

Filesize
160KB

MD5
218faf138e27f696f19e21ebda5e7be3

SHA1
db977f03fec2154510974e9a3ed3015bb5433206

SHA256
bd4671edc274fe08560ab49401ae4206052768ef2938c36a10e9baef9d5b4810

SHA512
3b2ec44b7906aaf41a794fb33beb84ec3c03605ef8ae191e1591462bfec01188adf51f3c6ac5cf1c70714ddbf1e9429327107e45394b05ea4e2d7e9c5a270b8d

Download Submit
C:\Windows\SysWOW64\net.cpl

Filesize
150KB

MD5
4be9faeec4b353c2d7431dd95e9649df

SHA1
3db3907e77996ffeb733c1bde3787f71ef05854c

SHA256
d9e2e2edce0065773df4dfd9111ae0666f6cc805453e6830d319f4c7ccf71e74

SHA512
1fcf7a7dcd903ff63f816ecfb32958a94ac2cf03adcbdda58ecfd9cfa6946cb073b172064dcd1c83c0e88d6a626809c9d128bd30434f8713eb3423e54a765657

Download Submit
C:\Windows\SysWOW64\wlogon.dll

Filesize
171KB

MD5
fdb22a15f381804d3b1ffe037a56b7a4

SHA1
f48143e588ed4c2bda35d800d8b34600437a8905

SHA256
67f180f1372dc582ec6acf954c51a550ec3202f4ac906a7cc1c734837f4ef7ee

SHA512
57d856175e892ea15f665f38fb1225931cbb003d2bf18366c9a0a0a2254a75509befbf43a978c89233c0bf31f202092d1b93602b8dd4ad349973a282ac06b920

Download Submit
memory/1668-0-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1668-31-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2644-27-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2644-32-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads