fc62f285bec7f55ddbc81c54a9c463ea48b05a88fdba12155093b22d84489b07

Analysis

max time kernel
148s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
10-05-2024 00:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

34b84c8cef4a522881e39da0cd344520_NeikiAnalytics.exe
Size

66KB
MD5

34b84c8cef4a522881e39da0cd344520
SHA1

7af9e69f498d3dbbe7e3678249283b1fad8c44ec
SHA256

fc62f285bec7f55ddbc81c54a9c463ea48b05a88fdba12155093b22d84489b07
SHA512

ad9da021ae68495b47f41dcaef27660c49dc30e1fcd45010e381f5ae7b55f187de289c09669a7d410796e66aa17451abb860265eaead4aba1313bac8fa78bcea
SSDEEP

1536:cOYEou5tJkkXQyWaMGLzLsxNkdEMOb2F2:5YVuikgyWF0vsXkdEMcc2

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4480	secpol.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2740-0-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral2/files/0x0006000000023308-8.dat	upx
behavioral2/memory/1980-13-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral2/memory/1980-12-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral2/memory/4480-20-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral2/memory/2740-21-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral2/memory/1980-11-0x0000000000400000-0x0000000000412000-memory.dmp	upx

Enumerates connected drives 3 TTPs 42 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Z:	secpol.exe
File opened (read-only)	\??\O:	34b84c8cef4a522881e39da0cd344520_NeikiAnalytics.exe
File opened (read-only)	\??\Z:	34b84c8cef4a522881e39da0cd344520_NeikiAnalytics.exe
File opened (read-only)	\??\G:	secpol.exe
File opened (read-only)	\??\M:	secpol.exe
File opened (read-only)	\??\O:	secpol.exe
File opened (read-only)	\??\W:	secpol.exe
File opened (read-only)	\??\E:	34b84c8cef4a522881e39da0cd344520_NeikiAnalytics.exe
File opened (read-only)	\??\U:	34b84c8cef4a522881e39da0cd344520_NeikiAnalytics.exe
File opened (read-only)	\??\Y:	34b84c8cef4a522881e39da0cd344520_NeikiAnalytics.exe
File opened (read-only)	\??\R:	secpol.exe
File opened (read-only)	\??\S:	secpol.exe
File opened (read-only)	\??\T:	secpol.exe
File opened (read-only)	\??\V:	secpol.exe
File opened (read-only)	\??\K:	34b84c8cef4a522881e39da0cd344520_NeikiAnalytics.exe
File opened (read-only)	\??\V:	34b84c8cef4a522881e39da0cd344520_NeikiAnalytics.exe
File opened (read-only)	\??\U:	secpol.exe
File opened (read-only)	\??\X:	secpol.exe
File opened (read-only)	\??\L:	34b84c8cef4a522881e39da0cd344520_NeikiAnalytics.exe
File opened (read-only)	\??\Q:	34b84c8cef4a522881e39da0cd344520_NeikiAnalytics.exe
File opened (read-only)	\??\H:	secpol.exe
File opened (read-only)	\??\J:	secpol.exe
File opened (read-only)	\??\P:	secpol.exe
File opened (read-only)	\??\H:	34b84c8cef4a522881e39da0cd344520_NeikiAnalytics.exe
File opened (read-only)	\??\J:	34b84c8cef4a522881e39da0cd344520_NeikiAnalytics.exe
File opened (read-only)	\??\I:	secpol.exe
File opened (read-only)	\??\N:	secpol.exe
File opened (read-only)	\??\I:	34b84c8cef4a522881e39da0cd344520_NeikiAnalytics.exe
File opened (read-only)	\??\P:	34b84c8cef4a522881e39da0cd344520_NeikiAnalytics.exe
File opened (read-only)	\??\R:	34b84c8cef4a522881e39da0cd344520_NeikiAnalytics.exe
File opened (read-only)	\??\E:	secpol.exe
File opened (read-only)	\??\K:	secpol.exe
File opened (read-only)	\??\Y:	secpol.exe
File opened (read-only)	\??\G:	34b84c8cef4a522881e39da0cd344520_NeikiAnalytics.exe
File opened (read-only)	\??\N:	34b84c8cef4a522881e39da0cd344520_NeikiAnalytics.exe
File opened (read-only)	\??\W:	34b84c8cef4a522881e39da0cd344520_NeikiAnalytics.exe
File opened (read-only)	\??\L:	secpol.exe
File opened (read-only)	\??\Q:	secpol.exe
File opened (read-only)	\??\M:	34b84c8cef4a522881e39da0cd344520_NeikiAnalytics.exe
File opened (read-only)	\??\S:	34b84c8cef4a522881e39da0cd344520_NeikiAnalytics.exe
File opened (read-only)	\??\T:	34b84c8cef4a522881e39da0cd344520_NeikiAnalytics.exe
File opened (read-only)	\??\X:	34b84c8cef4a522881e39da0cd344520_NeikiAnalytics.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Dell.bat	secpol.exe
File opened for modification	C:\Windows\SysWOW64\Dell.bat	34b84c8cef4a522881e39da0cd344520_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\secpol.exe	34b84c8cef4a522881e39da0cd344520_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\secpol.exe	34b84c8cef4a522881e39da0cd344520_NeikiAnalytics.exe
File opened for modification	\??\c:\windows\SysWOW64\secpol.exe	secpol.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4480 set thread context of 1980	4480	secpol.exe	84

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2696	1980	WerFault.exe	84

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2740	34b84c8cef4a522881e39da0cd344520_NeikiAnalytics.exe
4480	secpol.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 2740 wrote to memory of 4480	2740	34b84c8cef4a522881e39da0cd344520_NeikiAnalytics.exe	83
PID 2740 wrote to memory of 4480	2740	34b84c8cef4a522881e39da0cd344520_NeikiAnalytics.exe	83
PID 2740 wrote to memory of 4480	2740	34b84c8cef4a522881e39da0cd344520_NeikiAnalytics.exe	83
PID 4480 wrote to memory of 1980	4480	secpol.exe	84
PID 4480 wrote to memory of 1980	4480	secpol.exe	84
PID 4480 wrote to memory of 1980	4480	secpol.exe	84
PID 4480 wrote to memory of 1980	4480	secpol.exe	84
PID 4480 wrote to memory of 1980	4480	secpol.exe	84
PID 4480 wrote to memory of 1980	4480	secpol.exe	84
PID 4480 wrote to memory of 1980	4480	secpol.exe	84
PID 4480 wrote to memory of 1980	4480	secpol.exe	84
PID 4480 wrote to memory of 4768	4480	secpol.exe	86
PID 4480 wrote to memory of 4768	4480	secpol.exe	86
PID 4480 wrote to memory of 4768	4480	secpol.exe	86
PID 2740 wrote to memory of 2232	2740	34b84c8cef4a522881e39da0cd344520_NeikiAnalytics.exe	88
PID 2740 wrote to memory of 2232	2740	34b84c8cef4a522881e39da0cd344520_NeikiAnalytics.exe	88
PID 2740 wrote to memory of 2232	2740	34b84c8cef4a522881e39da0cd344520_NeikiAnalytics.exe	88

C:\Users\Admin\AppData\Local\Temp\34b84c8cef4a522881e39da0cd344520_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\34b84c8cef4a522881e39da0cd344520_NeikiAnalytics.exe"
1⤵
- Enumerates connected drives
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2740
- C:\Windows\SysWOW64\secpol.exe
  C:\Windows\system32\secpol.exe
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4480
- - \??\c:\windows\SysWOW64\svchost.exe
    c:\windows\system32\svchost.exe
    3⤵
    PID:1980
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1980 -s 12
      4⤵
      Program crash
      PID:2696
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\system32\Dell.bat
    3⤵
    PID:4768
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\system32\Dell.bat
  2⤵
  PID:2232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1980 -ip 1980
1⤵
PID:2052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Dell.bat

Filesize
245B

MD5
fbe888640cb728bdf7d14a9b3b92bb72

SHA1
86c72d76caae8264c0bbc14e5d3726a0ec84b45a

SHA256
f528b3c9bca57a88872d96b036db083c875e7663ee282f20b4842227a390bbe8

SHA512
a3a336f9b8000163dd2dc59405a541ff54552ac1d5e37a199d7a4fc05a74e4fed694e5079b63ebc8fde662ffc0456198cd452397524fff20ada32a37f0112050

Download Submit
C:\Windows\SysWOW64\secpol.exe

Filesize
66KB

MD5
34b84c8cef4a522881e39da0cd344520

SHA1
7af9e69f498d3dbbe7e3678249283b1fad8c44ec

SHA256
fc62f285bec7f55ddbc81c54a9c463ea48b05a88fdba12155093b22d84489b07

SHA512
ad9da021ae68495b47f41dcaef27660c49dc30e1fcd45010e381f5ae7b55f187de289c09669a7d410796e66aa17451abb860265eaead4aba1313bac8fa78bcea

Download Submit
memory/1980-13-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1980-12-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1980-11-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2740-0-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2740-21-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4480-20-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download