Analysis
-
max time kernel
120s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system -
submitted
10/05/2024, 00:56
Behavioral task
behavioral1
Sample
34b84c8cef4a522881e39da0cd344520_NeikiAnalytics.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
34b84c8cef4a522881e39da0cd344520_NeikiAnalytics.exe
Resource
win10v2004-20240426-en
General
-
Target
34b84c8cef4a522881e39da0cd344520_NeikiAnalytics.exe
-
Size
66KB
-
MD5
34b84c8cef4a522881e39da0cd344520
-
SHA1
7af9e69f498d3dbbe7e3678249283b1fad8c44ec
-
SHA256
fc62f285bec7f55ddbc81c54a9c463ea48b05a88fdba12155093b22d84489b07
-
SHA512
ad9da021ae68495b47f41dcaef27660c49dc30e1fcd45010e381f5ae7b55f187de289c09669a7d410796e66aa17451abb860265eaead4aba1313bac8fa78bcea
-
SSDEEP
1536:cOYEou5tJkkXQyWaMGLzLsxNkdEMOb2F2:5YVuikgyWF0vsXkdEMcc2
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
PID   Process
1700  secpol.exe
-
Loads dropped DLL 2 IoCs
PID  Process
492  34b84c8cef4a522881e39da0cd344520_NeikiAnalytics.exe
492  34b84c8cef4a522881e39da0cd344520_NeikiAnalytics.exe
-
Resource                                                                   YARA rule
behavioral1/memory/492-0-0x0000000000400000-0x0000000000412000-memory.dmp   upx
behavioral1/files/0x000f000000012028-6.dat                                  upx
behavioral1/memory/2948-20-0x0000000000400000-0x0000000000412000-memory.dmp  upx
behavioral1/memory/2948-23-0x0000000000400000-0x0000000000412000-memory.dmp  upx
behavioral1/memory/1700-39-0x0000000000400000-0x0000000000412000-memory.dmp  upx
behavioral1/memory/2948-28-0x0000000000400000-0x0000000000412000-memory.dmp  upx
behavioral1/memory/2948-25-0x0000000000400000-0x0000000000412000-memory.dmp  upx
behavioral1/memory/492-41-0x0000000000400000-0x0000000000412000-memory.dmp   upx
The same 0x00400000-0x00412000 image region matches the upx rule in the dropper (PID 492), in the dropped secpol.exe (PID 1700) and in svchost.exe (PID 2948), which is consistent with secpol.exe writing its own packed image into the svchost.exe process it created.
-
Enumerates connected drives 3 TTPs 42 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Both processes open the same 21 drive roots, E: and G: through Z: (F: appears in neither list).
Description              IoC     Process
File opened (read-only)  \??\E:  34b84c8cef4a522881e39da0cd344520_NeikiAnalytics.exe
File opened (read-only)  \??\G:  34b84c8cef4a522881e39da0cd344520_NeikiAnalytics.exe
File opened (read-only)  \??\H:  34b84c8cef4a522881e39da0cd344520_NeikiAnalytics.exe
File opened (read-only)  \??\I:  34b84c8cef4a522881e39da0cd344520_NeikiAnalytics.exe
File opened (read-only)  \??\J:  34b84c8cef4a522881e39da0cd344520_NeikiAnalytics.exe
File opened (read-only)  \??\K:  34b84c8cef4a522881e39da0cd344520_NeikiAnalytics.exe
File opened (read-only)  \??\L:  34b84c8cef4a522881e39da0cd344520_NeikiAnalytics.exe
File opened (read-only)  \??\M:  34b84c8cef4a522881e39da0cd344520_NeikiAnalytics.exe
File opened (read-only)  \??\N:  34b84c8cef4a522881e39da0cd344520_NeikiAnalytics.exe
File opened (read-only)  \??\O:  34b84c8cef4a522881e39da0cd344520_NeikiAnalytics.exe
File opened (read-only)  \??\P:  34b84c8cef4a522881e39da0cd344520_NeikiAnalytics.exe
File opened (read-only)  \??\Q:  34b84c8cef4a522881e39da0cd344520_NeikiAnalytics.exe
File opened (read-only)  \??\R:  34b84c8cef4a522881e39da0cd344520_NeikiAnalytics.exe
File opened (read-only)  \??\S:  34b84c8cef4a522881e39da0cd344520_NeikiAnalytics.exe
File opened (read-only)  \??\T:  34b84c8cef4a522881e39da0cd344520_NeikiAnalytics.exe
File opened (read-only)  \??\U:  34b84c8cef4a522881e39da0cd344520_NeikiAnalytics.exe
File opened (read-only)  \??\V:  34b84c8cef4a522881e39da0cd344520_NeikiAnalytics.exe
File opened (read-only)  \??\W:  34b84c8cef4a522881e39da0cd344520_NeikiAnalytics.exe
File opened (read-only)  \??\X:  34b84c8cef4a522881e39da0cd344520_NeikiAnalytics.exe
File opened (read-only)  \??\Y:  34b84c8cef4a522881e39da0cd344520_NeikiAnalytics.exe
File opened (read-only)  \??\Z:  34b84c8cef4a522881e39da0cd344520_NeikiAnalytics.exe
File opened (read-only)  \??\E:  secpol.exe
File opened (read-only)  \??\G:  secpol.exe
File opened (read-only)  \??\H:  secpol.exe
File opened (read-only)  \??\I:  secpol.exe
File opened (read-only)  \??\J:  secpol.exe
File opened (read-only)  \??\K:  secpol.exe
File opened (read-only)  \??\L:  secpol.exe
File opened (read-only)  \??\M:  secpol.exe
File opened (read-only)  \??\N:  secpol.exe
File opened (read-only)  \??\O:  secpol.exe
File opened (read-only)  \??\P:  secpol.exe
File opened (read-only)  \??\Q:  secpol.exe
File opened (read-only)  \??\R:  secpol.exe
File opened (read-only)  \??\S:  secpol.exe
File opened (read-only)  \??\T:  secpol.exe
File opened (read-only)  \??\U:  secpol.exe
File opened (read-only)  \??\V:  secpol.exe
File opened (read-only)  \??\W:  secpol.exe
File opened (read-only)  \??\X:  secpol.exe
File opened (read-only)  \??\Y:  secpol.exe
File opened (read-only)  \??\Z:  secpol.exe
-
Drops file in System32 directory 5 IoCs
Description                   IoC                                  Process
File created                  C:\Windows\SysWOW64\secpol.exe       34b84c8cef4a522881e39da0cd344520_NeikiAnalytics.exe
File opened for modification  C:\Windows\SysWOW64\secpol.exe       34b84c8cef4a522881e39da0cd344520_NeikiAnalytics.exe
File opened for modification  \??\c:\windows\syswow64\secpol.exe   secpol.exe
File created                  C:\Windows\SysWOW64\Dell.bat         secpol.exe
File created                  C:\Windows\SysWOW64\Dell.bat         34b84c8cef4a522881e39da0cd344520_NeikiAnalytics.exe
-
Suspicious use of SetThreadContext 1 IoCs
Description                          PID   Process     procid_target
PID 1700 set thread context of 2948  1700  secpol.exe  30
-
Suspicious use of SetWindowsHookEx 2 IoCs
PID   Process
492   34b84c8cef4a522881e39da0cd344520_NeikiAnalytics.exe
1700  secpol.exe
-
Suspicious use of WriteProcessMemory 21 IoCs
Description                       PID   Process                                               procid_target  Occurrences
PID 492 wrote to memory of 1700   492   34b84c8cef4a522881e39da0cd344520_NeikiAnalytics.exe   29             4
PID 1700 wrote to memory of 2948  1700  secpol.exe                                            30             9
PID 1700 wrote to memory of 3048  1700  secpol.exe                                            31             4
PID 492 wrote to memory of 2876   492   34b84c8cef4a522881e39da0cd344520_NeikiAnalytics.exe   33             4
Processes
-
C:\Users\Admin\AppData\Local\Temp\34b84c8cef4a522881e39da0cd344520_NeikiAnalytics.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\34b84c8cef4a522881e39da0cd344520_NeikiAnalytics.exe"
  PID: 492
  - Loads dropped DLL
  - Enumerates connected drives
  - Drops file in System32 directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  |
  +-- C:\Windows\SysWOW64\secpol.exe
  |     command line: C:\Windows\system32\secpol.exe
  |     PID: 1700
  |     - Executes dropped EXE
  |     - Enumerates connected drives
  |     - Drops file in System32 directory
  |     - Suspicious use of SetThreadContext
  |     - Suspicious use of SetWindowsHookEx
  |     - Suspicious use of WriteProcessMemory
  |     |
  |     +-- \??\c:\windows\SysWOW64\svchost.exe
  |     |     command line: c:\windows\system32\svchost.exe
  |     |     PID: 2948
  |     |
  |     +-- C:\Windows\SysWOW64\cmd.exe
  |           command line: cmd /c C:\Windows\system32\Dell.bat
  |           PID: 3048
  |
  +-- C:\Windows\SysWOW64\cmd.exe
        command line: cmd /c C:\Windows\system32\Dell.bat
        PID: 2876
The command lines reference C:\Windows\system32 while the resolved image paths are under C:\Windows\SysWOW64: the sample is a 32-bit executable on a 64-bit Windows 7 image, so WOW64 file system redirection maps its system32 references to SysWOW64. Taken together with the signatures above, secpol.exe (PID 1700) creates svchost.exe (PID 2948), writes to its memory nine times and then calls SetThreadContext on it, the sequence characteristic of process hollowing; svchost.exe here is a child of secpol.exe rather than of services.exe.
-
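Detection logic for the two behaviours this report records, as an added example (not part of the sandbox report and not code from the sample's authors). It runs over a constructed event stream modelled on the report's IoCs: the process hollowing sequence, where secpol.exe (PID 1700) creates svchost.exe (PID 2948), writes to its memory and then calls SetThreadContext on it, and the drive enumeration, where one process opens the root of many drive letters other than C: in the NT-path form the sandbox logs (e.g. \??\K:). The event schema, the PIDs and image names, the allowlist of legitimate parents for svchost.exe, and the threshold of five drive letters are assumptions for this example, not sandbox output.

```python
"""Added example: detect process hollowing and drive-letter enumeration from a
process/file event stream.  Event schema, PIDs, images, the parent allowlist and
the threshold are assumptions made for this example, not sandbox output."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Event:
    kind: str                     # create_process | write_process_memory | set_thread_context | file_open
    pid: int                      # acting process
    proc: str                     # image name of the acting process
    target: Optional[int] = None  # target PID for cross-process events
    path: Optional[str] = None    # opened path, or image path of a created child


DROPPER = "34b84c8cef4a522881e39da0cd344520_NeikiAnalytics.exe"

# Constructed sample stream modelled on the report's process tree and IoC counts
# (not a sandbox export).
EVENTS: List[Event] = [
    Event("create_process", 492, DROPPER, target=1700, path=r"C:\Windows\SysWOW64\secpol.exe"),
    *[Event("write_process_memory", 492, DROPPER, target=1700) for _ in range(4)],
    Event("create_process", 1700, "secpol.exe", target=2948, path=r"c:\windows\SysWOW64\svchost.exe"),
    *[Event("write_process_memory", 1700, "secpol.exe", target=2948) for _ in range(9)],
    Event("set_thread_context", 1700, "secpol.exe", target=2948),
    Event("create_process", 1700, "secpol.exe", target=3048, path=r"C:\Windows\SysWOW64\cmd.exe"),
    *[Event("write_process_memory", 1700, "secpol.exe", target=3048) for _ in range(4)],
    *[Event("file_open", 492, DROPPER, path="\\??\\%s:" % d) for d in "EGHIJKLMNOPQRSTUVWXYZ"],
    Event("file_open", 492, DROPPER, path=r"\??\C:"),          # default drive: not counted
    Event("file_open", 1700, "secpol.exe", path=r"\??\D:"),    # one extra drive: below threshold
]

# Assumed allowlist: legitimate parent images for system binaries that are common hollowing targets.
EXPECTED_PARENT: Dict[str, Set[str]] = {"svchost.exe": {"services.exe"}}


def detect_hollowing(events: List[Event]) -> List[Tuple[int, int, str, str]]:
    """Return (parent_pid, child_pid, child_image, reason) for every child that its own
    parent created, wrote into, and then re-pointed with SetThreadContext."""
    created: Dict[int, Tuple[int, str]] = {}  # child pid -> (parent pid, child image name)
    wrote: Set[Tuple[int, int]] = set()        # (writer pid, target pid) seen in WriteProcessMemory
    hits: List[Tuple[int, int, str, str]] = []
    for ev in events:
        if ev.kind == "create_process" and ev.target is not None and ev.path:
            created[ev.target] = (ev.pid, ev.path.rsplit("\\", 1)[-1].lower())
        elif ev.kind == "write_process_memory" and ev.target is not None:
            wrote.add((ev.pid, ev.target))
        elif ev.kind == "set_thread_context" and ev.target is not None:
            parent, image = created.get(ev.target, (None, ""))
            if parent == ev.pid and (ev.pid, ev.target) in wrote:
                reason = "create+write+set_thread_context"
                if image in EXPECTED_PARENT and ev.proc.lower() not in EXPECTED_PARENT[image]:
                    reason += ", unexpected parent %s" % ev.proc
                hits.append((ev.pid, ev.target, image, reason))
    return hits


# NT path of a bare drive root as the sandbox logs it, e.g. \??\K:
DRIVE_ROOT = re.compile(r"^\\\?\?\\([A-Za-z]):$")


def detect_drive_enumeration(events: List[Event], threshold: int = 5) -> Dict[int, List[str]]:
    """Return {pid: sorted drive letters} for processes that opened the root of at least
    `threshold` distinct drives other than C:."""
    per_pid: Dict[int, Set[str]] = defaultdict(set)
    for ev in events:
        if ev.kind != "file_open" or not ev.path:
            continue
        m = DRIVE_ROOT.match(ev.path)
        if m and m.group(1).upper() != "C":
            per_pid[ev.pid].add(m.group(1).upper())
    return {pid: sorted(letters) for pid, letters in per_pid.items() if len(letters) >= threshold}


if __name__ == "__main__":
    for hit in detect_hollowing(EVENTS):
        print("hollowing:", hit)
    for pid, letters in detect_drive_enumeration(EVENTS).items():
        print("drive enumeration: pid %d opened %d drive roots: %s" % (pid, len(letters), "".join(letters)))
```

The hollowing rule deliberately requires all three steps from the same parent (create, write, SetThreadContext) rather than firing on WriteProcessMemory alone, since the dropper also writes into cmd.exe (PID 2876) and secpol.exe into cmd.exe (PID 3048) without ever changing their thread context; those writes are the usual parent-side setup of a child process and would be noise. The unexpected-parent check is the higher-confidence signal: a legitimate svchost.exe is started by services.exe, never by a freshly dropped binary in SysWOW64.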
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize  135B
MD5       dda2ec0a66127879085137addb426bbf
SHA1      c2b889a04ebc027a68652fec0af347afaa3a4ad9
SHA256    916750d6ac1c701efd046db2bda2a104c0f2f54974e3425c7eaaf472572c5c7c
SHA512    27afb8472498a5b6bea4ae1fe7bcb212cc92cb495a7f6fe29c3de9634eecaac410511924eb7a1dc3bebb506f4eac07fcdc693f79ab78042d02698177f5505e51
-
Filesize  66KB
MD5       34b84c8cef4a522881e39da0cd344520
SHA1      7af9e69f498d3dbbe7e3678249283b1fad8c44ec
SHA256    fc62f285bec7f55ddbc81c54a9c463ea48b05a88fdba12155093b22d84489b07
SHA512    ad9da021ae68495b47f41dcaef27660c49dc30e1fcd45010e381f5ae7b55f187de289c09669a7d410796e66aa17451abb860265eaead4aba1313bac8fa78bcea
The 66KB file has the same MD5, SHA1, SHA256 and SHA512 as the submitted sample, so the dropped secpol.exe is a byte-identical copy of the original executable rather than a distinct second-stage payload.