fd397e099239c8637047d721f1eb843cf0a9742693a70120126dfee0795f7c68

General

Target

46dcc2fc391188af04b65634bdfa0b60_NeikiAnalytics.exe
Size

438KB
MD5

46dcc2fc391188af04b65634bdfa0b60
SHA1

d945fa119f41c2e33c3792319eb61d79c12bb7b6
SHA256

fd397e099239c8637047d721f1eb843cf0a9742693a70120126dfee0795f7c68
SHA512

8b29d95bd6b14e2bca269b89f8e7720938fe8d2b7629994ce8e7299f3b9f993925100c80d0890ba704284fbeebfffc82543aa562f06bdfa6715ced9fa5a67f14
SSDEEP

6144:LdspDeDrxkg/vrMuJIgwhEFHyOrJcX/Pgqwzm5IzkWjS4e4azExBKO1t4Kb70Nqx:J8kxNhOZElO5kkWjhD4AF

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2932	TBZ.EXE

Loads dropped DLL 2 IoCs

pid	Process
3008	46dcc2fc391188af04b65634bdfa0b60_NeikiAnalytics.exe
3008	46dcc2fc391188af04b65634bdfa0b60_NeikiAnalytics.exe

Modifies system executable filetype association 2 TTPs 3 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	46dcc2fc391188af04b65634bdfa0b60_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Program Files\\VYXF.EXE \"%1\" %*"	46dcc2fc391188af04b65634bdfa0b60_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	TBZ.EXE

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HCZFJMT.EXE = "C:\\Users\\HCZFJMT.EXE"	46dcc2fc391188af04b65634bdfa0b60_NeikiAnalytics.exe

Enumerates connected drives 3 TTPs 17 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\R:	46dcc2fc391188af04b65634bdfa0b60_NeikiAnalytics.exe
File opened (read-only)	\??\E:	46dcc2fc391188af04b65634bdfa0b60_NeikiAnalytics.exe
File opened (read-only)	\??\G:	46dcc2fc391188af04b65634bdfa0b60_NeikiAnalytics.exe
File opened (read-only)	\??\L:	46dcc2fc391188af04b65634bdfa0b60_NeikiAnalytics.exe
File opened (read-only)	\??\M:	46dcc2fc391188af04b65634bdfa0b60_NeikiAnalytics.exe
File opened (read-only)	\??\Q:	46dcc2fc391188af04b65634bdfa0b60_NeikiAnalytics.exe
File opened (read-only)	\??\T:	46dcc2fc391188af04b65634bdfa0b60_NeikiAnalytics.exe
File opened (read-only)	\??\P:	46dcc2fc391188af04b65634bdfa0b60_NeikiAnalytics.exe
File opened (read-only)	\??\S:	46dcc2fc391188af04b65634bdfa0b60_NeikiAnalytics.exe
File opened (read-only)	\??\I:	46dcc2fc391188af04b65634bdfa0b60_NeikiAnalytics.exe
File opened (read-only)	\??\N:	46dcc2fc391188af04b65634bdfa0b60_NeikiAnalytics.exe
File opened (read-only)	\??\O:	46dcc2fc391188af04b65634bdfa0b60_NeikiAnalytics.exe
File opened (read-only)	\??\U:	46dcc2fc391188af04b65634bdfa0b60_NeikiAnalytics.exe
File opened (read-only)	\??\V:	46dcc2fc391188af04b65634bdfa0b60_NeikiAnalytics.exe
File opened (read-only)	\??\H:	46dcc2fc391188af04b65634bdfa0b60_NeikiAnalytics.exe
File opened (read-only)	\??\J:	46dcc2fc391188af04b65634bdfa0b60_NeikiAnalytics.exe
File opened (read-only)	\??\K:	46dcc2fc391188af04b65634bdfa0b60_NeikiAnalytics.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\HARL.EXE	46dcc2fc391188af04b65634bdfa0b60_NeikiAnalytics.exe
File created	C:\Program Files\VYXF.EXE	46dcc2fc391188af04b65634bdfa0b60_NeikiAnalytics.exe
File opened for modification	C:\Program Files\VYXF.EXE	46dcc2fc391188af04b65634bdfa0b60_NeikiAnalytics.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\OMUVHIF.EXE	46dcc2fc391188af04b65634bdfa0b60_NeikiAnalytics.exe
File opened for modification	C:\Windows\OMUVHIF.EXE	46dcc2fc391188af04b65634bdfa0b60_NeikiAnalytics.exe

Modifies registry class 15 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inifile\shell\open\command\ = "C:\\Program Files\\VYXF.EXE %1"	46dcc2fc391188af04b65634bdfa0b60_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	46dcc2fc391188af04b65634bdfa0b60_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "C:\\Program Files\\HARL.EXE %1"	46dcc2fc391188af04b65634bdfa0b60_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\command	46dcc2fc391188af04b65634bdfa0b60_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\command\ = "C:\\Windows\\OMUVHIF.EXE \"%1\""	46dcc2fc391188af04b65634bdfa0b60_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inifile\shell\open\command	46dcc2fc391188af04b65634bdfa0b60_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\chm.file\shell\open	46dcc2fc391188af04b65634bdfa0b60_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command	46dcc2fc391188af04b65634bdfa0b60_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\chm.file	46dcc2fc391188af04b65634bdfa0b60_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Program Files\\VYXF.EXE \"%1\" %*"	46dcc2fc391188af04b65634bdfa0b60_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	TBZ.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\chm.file\shell\open\command	46dcc2fc391188af04b65634bdfa0b60_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\chm.file\shell	46dcc2fc391188af04b65634bdfa0b60_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\open\command	46dcc2fc391188af04b65634bdfa0b60_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\open\command\ = "C:\\Program Files\\VYXF.EXE \"%1\""	46dcc2fc391188af04b65634bdfa0b60_NeikiAnalytics.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2932	TBZ.EXE

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3008 wrote to memory of 2932	3008	46dcc2fc391188af04b65634bdfa0b60_NeikiAnalytics.exe	28
PID 3008 wrote to memory of 2932	3008	46dcc2fc391188af04b65634bdfa0b60_NeikiAnalytics.exe	28
PID 3008 wrote to memory of 2932	3008	46dcc2fc391188af04b65634bdfa0b60_NeikiAnalytics.exe	28
PID 3008 wrote to memory of 2932	3008	46dcc2fc391188af04b65634bdfa0b60_NeikiAnalytics.exe	28

C:\Users\Admin\AppData\Local\Temp\46dcc2fc391188af04b65634bdfa0b60_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\46dcc2fc391188af04b65634bdfa0b60_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3008
- C:\PerfLogs\TBZ.EXE
  C:\PerfLogs\TBZ.EXE
  2⤵
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  PID:2932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Event Triggered Execution

1

T1546

Change Default File Association

1

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Event Triggered Execution

1

T1546

Change Default File Association

1

T1546.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\OMUVHIF.EXE

Filesize
438KB

MD5
f945068c761eb1935ddf7bcd368ba331

SHA1
78589ec7764d7741b4ad437ac93818080ca6200e

SHA256
5f8cc82f1281760f06081b0f063b30abf05af826e48c97c41c7cef7e5e7cd448

SHA512
68497e39301394c556a0b4b05d7a1002f345b27558e6bd49ffc2ea793f00db5ef3bce83941e0c3628765b40b6a045d0ab9233da80b7eb8938f423ee607908a2f

Download Submit
\PerfLogs\TBZ.EXE

Filesize
438KB

MD5
073561d59d58fc4b4c66c9f328066b3c

SHA1
f61ab64d5d173346e150d9e1b8e51a84efd0326c

SHA256
eab1338b5e42b2a70bb1e32c4a73d9a0664e950631c614c654f217e432a92007

SHA512
89e0d1008720abb783b99ee795d7fef6af82780bf093553ddc294c6c47202c8ef740fac573f69f405f0d3d594189d63e2a6bc323260ab42dd345bb8acca86774

Download Submit
memory/2932-29-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2932-30-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/2932-32-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2932-33-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/3008-0-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/3008-1-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/3008-27-0x0000000002140000-0x00000000021AE000-memory.dmp

Filesize
440KB

Download
memory/3008-26-0x0000000002140000-0x00000000021AE000-memory.dmp

Filesize
440KB

Download
memory/3008-31-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads