Analysis
-
max time kernel
150s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
-
submitted
10-05-2024 21:56
General
-
Target
11d03a613a3df8fff9895c5a409e4f90_NeikiAnalytics.exe
-
Size
459KB
-
MD5
11d03a613a3df8fff9895c5a409e4f90
-
SHA1
6d9cc2824e484ff397d07e14216d4ac1c3a8c9ff
-
SHA256
6edfa5be11519c5d59adc911cb00eea34a17bd163bea0de58b4e5b9f7c66c327
-
SHA512
5acef25bcbe1a157c7292f6543a853924a803727f4a3b2999ba5bba9e7acd9823b8afba83172b738a1dd5e7ccb4c78f8b796dab10243ae4361a6f18cca34d791
-
SSDEEP
6144:GY+32WWluqvHpVmXWEjFJRWci+WUd20rUU5EYCTvaBju4zu:9nWwvHpVmXpjJIUd2cUusvalxzu
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
-
Disables use of System Restore points 1 TTPs
-
Sets file execution options in registry 2 TTPs 6 IoCs
-
ACProtect 1.3x - 1.4x DLL software 1 IoCs
Detects file using ACProtect software.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 5 IoCs
-
Loads dropped DLL 1 IoCs
-
Modifies system executable filetype association 2 TTPs 1 IoCs
-
UPX packed file 3 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in System32 directory 42 IoCs
-
Drops file in Windows directory 64 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of SetWindowsHookEx 6 IoCs
-
Suspicious use of WriteProcessMemory 15 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\11d03a613a3df8fff9895c5a409e4f90_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\11d03a613a3df8fff9895c5a409e4f90_NeikiAnalytics.exe"1⤵
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\LRX3Y6M.{645FF040-5081-101B-9F08-00AA002F954E}\service.exe"C:\Windows\LRX3Y6M.{645FF040-5081-101B-9F08-00AA002F954E}\service.exe"2⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\LRX3Y6M.{645FF040-5081-101B-9F08-00AA002F954E}\smss.exe"C:\Windows\LRX3Y6M.{645FF040-5081-101B-9F08-00AA002F954E}\smss.exe"2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\LRX3Y6M.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe"C:\Windows\LRX3Y6M.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe"2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Sets file execution options in registry
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\LRX3Y6M.{645FF040-5081-101B-9F08-00AA002F954E}\winlogon.exe"C:\Windows\LRX3Y6M.{645FF040-5081-101B-9F08-00AA002F954E}\winlogon.exe"2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\lsass.exe"C:\Windows\lsass.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Event Triggered Execution
1Change Default File Association
1Privilege Escalation
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Event Triggered Execution
1Change Default File Association
1Defense Evasion
Hide Artifacts
2Hidden Files and Directories
2Modify Registry
6Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
459KB
MD5413f9dba01e04b0acd2090ee74c26302
SHA1afc2b41e5c68c9c1d7f145132c3ecd1800312a97
SHA2568b6d9f8609728bf99c1361f5a23baece84be98a2bb1424ae44d0ad08a77be437
SHA512b30a55b90d9e78db8e5374c5d252673d3d11b8e8497ab29a714e496bd2c25a199967e7b15765bed8c3a9411ea9e474b6ee9d5f6db4173b968d76e719abe42f5e
-
Filesize
459KB
MD5f4722f5e3bfc114433671aac2adca931
SHA18b6b04aebf8658fbff836a16a24c7f9dc7182f75
SHA256538ba9bcaff65ab563548f6a701567ba5e56b22af4b7fcf5ce121faad46c873a
SHA5126d55665c78294f6deee3b158274398e9d019869883326fab83ead19256fec7d9b133b7d174e1b684172b625f020c1e1c7ebb7417be44cbada8582cb0250c2e18
-
Filesize
459KB
MD5c939e0b33d3b8f823912a405538be978
SHA138e472eb17bcebc46c257f409d225655a44fd393
SHA2561524e783ae7a22e18a8cf3bebe37b45ae26a7264fd8634811b4041c59e6a0fe2
SHA51213b27e7c1cefa8587d968e6aeef4fd00144a0f4898cdd73162a26a1a3d2a3e4f4b112a02a22df444c4d52094ca94e01452a5ca2b657ce241b007ec9c502e9084
-
Filesize
459KB
MD5454dcac02ba9822092fd81c770644b81
SHA197f5b122e99e6c17baa0a7869d6e535f492a5bcb
SHA256c031c0ae7fe9303c8157fe7164c716865b32e648256163a615e4298d3e476efa
SHA5126f87ced285b2449326c74ba93410e81e10271eaae649c25db6927f071ed7be41e135d175acfbe41ac3f07356405ba6a2ac13fe9176900d1f2d65d42678ced21a
-
Filesize
459KB
MD57d5236eba49a2f7cf41e87a2cca49e5b
SHA12b1cc8d070f2a92bccb44c64411666a490db2847
SHA256cbdac394fcc80deadca693827c57c01ed84b5873a6a3431006cb2a127c68365d
SHA512c2be65db15fdbf238affdd945afff47149347be085d26537b258bd2ae21f883f70b2c13129c4a49f1938d61a72532395a0aac6cc7e7018985e8e7cbb067661b2
-
Filesize
459KB
MD5fa707a1f86937b93b78437889d8d27cb
SHA19c47658c65ba69513e612f0017e2e263137263b3
SHA256f1b16255578c61f3662cfc91ca5f4913f46bf30d4d33b3eeb285f16fb837ea6a
SHA5120e15cff129148f9ca87677545294a152f3455b6fcccd021a738137e5be9f58b3d95508eed81b4adb7585f547839b05faa9d0bebb19f75cb51afdd60d4a1ac23a
-
Filesize
459KB
MD5370477a39a749ec9b034e7f0a1448fed
SHA1c4ac70e98c3715dc3110da1eb089f1953f86279e
SHA2563c83356a65381eafbd8e07a0dd5dbaa44273b6f7d8d697b61d73b7941990df55
SHA5122993690fd9f51718fc5dbed15be6999a8bbb8401eff64478f293c87e841274684f272884ec32ce1e4be76079e8158e7169643ad835d5fd56dfc925a856f344f2
-
Filesize
459KB
MD5f3db55c859084abafea3a163435a0526
SHA16aa94304bc3dada708d35976c06ad7450f25479a
SHA2560599a5be884e0e6d6f2ebba99bde9ee842bf888820914a7ba63c8896ef6e3da5
SHA51220b6d666663ea5849dc246e39b487a9b2d5d9cae8b58ca9f07a8402d58c751ceeb19a723f86647a64091be98c435f2d133b6f9f87cf47f2177b718b9b66eebc7
-
Filesize
459KB
MD501db8e1a80423dec8c117df2bed1d51d
SHA1c2f7fe4f86dc982727a342eb8618226dafff40ee
SHA25686746ce45a28f0f911b78e1c2afad04c9b42d656db135fd572cd06d0a9abbea1
SHA5123aef77d6f73fc05beb9bfab69a160db734b694e6c94d727954aefa4e5b7de9ab92e0c94f34946c123ffa17984d14964fda386aea06c64b794024b7245ef3208c
-
Filesize
459KB
MD5780bbca5ad7cf16c5739eaf0a40648ae
SHA1df7ddc45d5593e0cd57da1df326e6022e750d33c
SHA2564a9f456daa0715180744db2e869b6a0d3eb487478c624b42c70df3891a114ba0
SHA5129cde1566885c1909baedf8e82f020bb703e0828c3a017d9cafc4fc00b5c6ec93490d7a3730a82e72c14d320b40cf4bd77f60001cf07f0f898d355191f97271f8
-
Filesize
459KB
MD52ced9bbbcbe0d829bed187ee226a44af
SHA177b5b2e2a3c0b8f83bbf6c2a792258bce580eade
SHA256fda93900d74a1078f3963f9c2e02f7dbbc6e748bf3b410d7ee7abcd0d5d70e62
SHA512e1bc6af1e7ebb800121fc8142ad7256433f85ddd36619dc117727e7a26ca3c5532c9ef89f5a4f4d18824576e6d6e990c8ad7b00390449fa36bb6531d81aca480
-
Filesize
459KB
MD57ddc92237f7669e70ac16f210929e30d
SHA13bbbf68c525ae7ee1df9328f2fe36a28f9c9306a
SHA25644e3314b04d7d0cab94b0d776ca088538dff375ccf8176305fa905cc0c104b87
SHA512ce9c2959a0062b6e0b30189b590e4bc1ee09085e6eb0eebe44ea94c30992b802c38f48584284dcf970ad43db0a6c846827ffc3d27b0396e3487934f58c7f1628
-
Filesize
459KB
MD54a935d64310659fbca2aa672444b6d5c
SHA144fc6438cd83710e89394b248c620fce660c2450
SHA256062e81a2a278f2748fac027ce8b2f08afd59b537ea8695c03d744726c62234f6
SHA512d4312cda2b7b9f55a5fb4b0fc7556c3af3ed9145109818a6af7bf4c135bd0d6b0824321ac4e6ad690dd560c81c489845702b4fda83d26ce8785db74eb0ccbc40
-
Filesize
459KB
MD5d2450e552660e876b7bc89aac340bf27
SHA15051511baed0fb3157dde155ffd48352effa1ce5
SHA25641bc0a9d73a1356133f3ea7469379b360cd65e5e92692b95407f744a1e72dd66
SHA5128a9d061cc74cbc6e2d23d809b2373283b3a963ee49005ddd407abf949af7d3120592ad12584efe71fae645065e9dbba2dfe85f83d84829867dc3291a0f5406a6
-
Filesize
127B
MD51f39127df3268727f609b7b282112650
SHA1b3e28ba0d1d8e850291b0afb819815eaae6088f9
SHA256602703508a0753e13d89faf2f34824c2203f409bb254f7af749d1fd71f37d89e
SHA51267bb2b2dac29808e4e23c2dd09e81b74a3871296b7e05d89107c42989f664524b8951a44098397531b5c3658503a66cc3a64d42193e1a3c13706b9398c2e6d6e
-
Filesize
141B
MD5d38188a770b34065701326e2a840a4aa
SHA1e325989b8129821730a65e96c175250feb3b452e
SHA2568f3ddc895066288ccd19336a71087b21ac4863e2190091be9050676dbad9ff47
SHA51268a337eed766f51554d64ca055bfc8f07934cb0d88d469116cb8bc19bb98069446977cb31d8e7293909ef2b39b121ec6c47340586002df2f602523cbbdf7814f
-
Filesize
459KB
MD51fbb9e30edd1b300a9606f9694e87d2e
SHA19801fd2aace8e4199561d4e6ee592a1485087634
SHA2560eb131979f83647fc9cc631d7991b7b2363742573e419fdee2c2f87a4b35eb49
SHA512af60921356d74996e83ad1f2713383bd8fec3c2844e8dde6bc99202d63d77a7eedf26d795b29026a39398464a1a22e692d416006bca37b34a6297aaff00fbcbd
-
Filesize
459KB
MD55adcbbf22b6e553517b119d2b0c42951
SHA19fc540176bb2e872df2d46ed500e7509dffda572
SHA256352363e3bde1d276ba9261c6379f6c40b4dfaa587d8600c45bb4a03e413fd8e6
SHA512c30d380e8b6b585f2705b28a1c1d4e241d9471fd47f4638f5891121c808d9a86463467dba149cdda92268ad0564b5572c6f6511da7b77fcc62100ed122baf2ec
-
Filesize
459KB
MD593d44668c5114fe8d1a8f0cca9e87afe
SHA17289c34de7fe4a24d2c5f6c35aa8f2b724cda761
SHA2561d2e216e4bd6ce57491369b4937d823206660afd7755badb2a47d7dc54e296bc
SHA512abbaf2d501dbbab44cf642a625ce34dfed64eef7ea17c2e0ce0c1ec6fef3a42d29234cea2cad0c24fcf15d729059806003a0eb4cc5da0b8d78b2a2124b276708
-
Filesize
361KB
MD51e1e0ba48fa72dc5e7b482afd9d3a7e0
SHA12a930121ef6839a0905d253ddeae565b45a95782
SHA25694ca13a7007fb2c1db881f79c436a1b392e7a41ff8e126f5d3b4f32cfe2183c9
SHA51270e0886004a164817cad5829d588fda560527579842d4fed654a2bfbe2999e473aebd8f67ac733362c107c5c40245cbf58906e7934e6138e43ce630c850fcc7d
-
Filesize
361KB
MD5d1ee55dda1048bdb13953a00759a05f0
SHA19e1f5772c8eb0a1c0d748c5ae20fb23b2929b95e
SHA256a113b6c17a773b3eb04a0e7724c60de9479e52f7111de1e97b2f924b22b45432
SHA512b803d5aa05deb31f6e91cc2184e3e256a1df9a4a7cd90cea85d507b3b5366e949775d7c10763199ebb56c54fc917093c7e47e1703d43a1dbe5ff06cf763d0be7
-
Filesize
361KB
MD5743f8e737976b7b58abd2acf2f1082c6
SHA15b023c812e28f2b0cf442edc7cb558376c3a67c2
SHA256192d6a279fbc68fb01b483ea03197ec79e8b8289da57cd0f9aead7a6dbb4e7aa
SHA512342fcb283694c0fdfb348ccba711c5dc714cd93d875f1e997bc0e853017b80a0d836e2958eff8ece0717246c0781ba93508f4399530965cfa7e010a364129c34
-
Filesize
459KB
MD56599e676b7310756d9dd89393796724a
SHA128baae3822c8e196621a6a74cee9aba0bfc43b0a
SHA256b8d555e42780c27c578a8b36172ad6df212c5c10d7066c5c51c82f39032f093b
SHA512013f647bb52d57b2bc3070aa7f40da0c54ef3e329fed7c5a540d87b4b67c84c3bf232c5667b8bf5730e3ffca2a5e85c73acab8ed3cc7991c306f91ef809aec16
-
Filesize
65KB
MD5c55534452c57efa04f4109310f71ccca
SHA1b97a3d9e2c1ad9314562b7d0d77b2a4b34e77d61
SHA2564cbbe69bcd0a2debae6a584e1fa49f8d4a27f90d9cd364255bbbd930ca0a38bc
SHA512ad324f1f1bfde9c9b6057d5526ae62155b3b897d27225ed74fdb867a2c6d5f21cebfb63e3dc68bd807993b0f4c72fb3ce880696b9c3358b3b982204d60c7161a
-
Filesize
8KB
MD50e528d000aad58b255c1cf8fd0bb1089
SHA12445d2cc0921aea9ae53b8920d048d6537940ec6
SHA256c8aa5c023bf32f1c1e27b8136cf4d622101e58a80417d97271d3c0ba44528cae
SHA51289ff6a1f1bf364925704a83ab4d222e2335e6486e0b90641f0133236b5f6b0fede1e9f17b577d6d069537e737b761f745d1fde4a9d0b43cb59143edf2d9c2116
-
Filesize
1.4MB
MD59a9f3b124d45dc37a7f7ea0d56a2ce77
SHA10040ee250be20db1c54f20538422950f967a999c
SHA25618109fcda7b887d3462aea4c31baf1772ae0926ff1b13835f9ad7c24c3225b32
SHA512b20973d37eb109537c5889f8deb5b0da3ff3d89d11e2ce8bad0ed7b8627a539e22f9579c8913e51f24891892be9aff62b4ba99b9f51de717136c565aa21e4eaa
-
Filesize
1.4MB
MD552359c64a462359a82709353ce2122ae
SHA19891eff861a8a66e09540ee17b434bd25d124418
SHA256f2c4b15062621af63349c8e699046cf0e41f58d74645cffc3dc4b38b6c1c2f00
SHA512ba9c19f744f45421ff96516c11396cb4043b158adca2a5cee5d0f5acd3b640900f1aeb8f71a9172b507c1479fdc4523d51d30dbecc26fb0ea76bec2270723bf0
-
Filesize
1.4MB
MD5c79ec3a7a2675b90e0c9af40f8d1cab8
SHA1ec1d7cd4b3b2ecee295e178d4b0bc6afe16b4deb
SHA256104fcb338da8345db51670d5f8f60c4041ea2ab55ea48c18d408866afddfd5d9
SHA512dded4fa9b47f4e1e31639c3c5f20474cc94b634ed757ccc2da449619a2fa63dc8a5c59160279ec1458ac6160123f061f798f5a97798cbecb5df78873aa8be736
-
Filesize
460KB
-
Filesize
460KB
-
Filesize
460KB
-
Filesize
460KB
-
Filesize
460KB
-
Filesize
460KB
-
Filesize
460KB
-
Filesize
468KB
-
Filesize
460KB
-
Filesize
468KB
-
Filesize
460KB
-
Filesize
460KB
-
Filesize
460KB
-
Filesize
460KB