fd397e099239c8637047d721f1eb843cf0a9742693a70120126dfee0795f7c68

General

Target

46dcc2fc391188af04b65634bdfa0b60_NeikiAnalytics.exe
Size

438KB
MD5

46dcc2fc391188af04b65634bdfa0b60
SHA1

d945fa119f41c2e33c3792319eb61d79c12bb7b6
SHA256

fd397e099239c8637047d721f1eb843cf0a9742693a70120126dfee0795f7c68
SHA512

8b29d95bd6b14e2bca269b89f8e7720938fe8d2b7629994ce8e7299f3b9f993925100c80d0890ba704284fbeebfffc82543aa562f06bdfa6715ced9fa5a67f14
SSDEEP

6144:LdspDeDrxkg/vrMuJIgwhEFHyOrJcX/Pgqwzm5IzkWjS4e4azExBKO1t4Kb70Nqx:J8kxNhOZElO5kkWjhD4AF

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4260	FFGW.EXE

Modifies system executable filetype association 2 TTPs 3 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	46dcc2fc391188af04b65634bdfa0b60_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Program Files (x86)\\FFGW.EXE \"%1\" %*"	46dcc2fc391188af04b65634bdfa0b60_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	FFGW.EXE

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FFGW.EXE = "C:\\Program Files (x86)\\FFGW.EXE"	46dcc2fc391188af04b65634bdfa0b60_NeikiAnalytics.exe

Enumerates connected drives 3 TTPs 17 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\H:	46dcc2fc391188af04b65634bdfa0b60_NeikiAnalytics.exe
File opened (read-only)	\??\K:	46dcc2fc391188af04b65634bdfa0b60_NeikiAnalytics.exe
File opened (read-only)	\??\M:	46dcc2fc391188af04b65634bdfa0b60_NeikiAnalytics.exe
File opened (read-only)	\??\I:	46dcc2fc391188af04b65634bdfa0b60_NeikiAnalytics.exe
File opened (read-only)	\??\L:	46dcc2fc391188af04b65634bdfa0b60_NeikiAnalytics.exe
File opened (read-only)	\??\Q:	46dcc2fc391188af04b65634bdfa0b60_NeikiAnalytics.exe
File opened (read-only)	\??\S:	46dcc2fc391188af04b65634bdfa0b60_NeikiAnalytics.exe
File opened (read-only)	\??\V:	46dcc2fc391188af04b65634bdfa0b60_NeikiAnalytics.exe
File opened (read-only)	\??\J:	46dcc2fc391188af04b65634bdfa0b60_NeikiAnalytics.exe
File opened (read-only)	\??\N:	46dcc2fc391188af04b65634bdfa0b60_NeikiAnalytics.exe
File opened (read-only)	\??\O:	46dcc2fc391188af04b65634bdfa0b60_NeikiAnalytics.exe
File opened (read-only)	\??\P:	46dcc2fc391188af04b65634bdfa0b60_NeikiAnalytics.exe
File opened (read-only)	\??\R:	46dcc2fc391188af04b65634bdfa0b60_NeikiAnalytics.exe
File opened (read-only)	\??\E:	46dcc2fc391188af04b65634bdfa0b60_NeikiAnalytics.exe
File opened (read-only)	\??\G:	46dcc2fc391188af04b65634bdfa0b60_NeikiAnalytics.exe
File opened (read-only)	\??\T:	46dcc2fc391188af04b65634bdfa0b60_NeikiAnalytics.exe
File opened (read-only)	\??\U:	46dcc2fc391188af04b65634bdfa0b60_NeikiAnalytics.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\FFGW.EXE	46dcc2fc391188af04b65634bdfa0b60_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\FFGW.EXE	46dcc2fc391188af04b65634bdfa0b60_NeikiAnalytics.exe

Modifies registry class 15 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\command	46dcc2fc391188af04b65634bdfa0b60_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inifile\shell\open\command	46dcc2fc391188af04b65634bdfa0b60_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inifile\shell\open\command\ = "C:\\Program Files (x86)\\FFGW.EXE %1"	46dcc2fc391188af04b65634bdfa0b60_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	FFGW.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command	46dcc2fc391188af04b65634bdfa0b60_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	46dcc2fc391188af04b65634bdfa0b60_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\command\ = "C:\\Program Files (x86)\\FFGW.EXE \"%1\""	46dcc2fc391188af04b65634bdfa0b60_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Program Files (x86)\\FFGW.EXE \"%1\" %*"	46dcc2fc391188af04b65634bdfa0b60_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\open\command	46dcc2fc391188af04b65634bdfa0b60_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\open\command\ = "C:\\Program Files (x86)\\FFGW.EXE \"%1\""	46dcc2fc391188af04b65634bdfa0b60_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "C:\\Program Files (x86)\\FFGW.EXE %1"	46dcc2fc391188af04b65634bdfa0b60_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\chm.file\shell\open\command	46dcc2fc391188af04b65634bdfa0b60_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\chm.file	46dcc2fc391188af04b65634bdfa0b60_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\chm.file\shell	46dcc2fc391188af04b65634bdfa0b60_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\chm.file\shell\open	46dcc2fc391188af04b65634bdfa0b60_NeikiAnalytics.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4260	FFGW.EXE

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4748 wrote to memory of 4260	4748	46dcc2fc391188af04b65634bdfa0b60_NeikiAnalytics.exe	82
PID 4748 wrote to memory of 4260	4748	46dcc2fc391188af04b65634bdfa0b60_NeikiAnalytics.exe	82
PID 4748 wrote to memory of 4260	4748	46dcc2fc391188af04b65634bdfa0b60_NeikiAnalytics.exe	82

C:\Users\Admin\AppData\Local\Temp\46dcc2fc391188af04b65634bdfa0b60_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\46dcc2fc391188af04b65634bdfa0b60_NeikiAnalytics.exe"
1⤵
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4748
- C:\Program Files (x86)\FFGW.EXE
  "C:\Program Files (x86)\FFGW.EXE"
  2⤵
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  PID:4260

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Event Triggered Execution

1

T1546

Change Default File Association

1

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Event Triggered Execution

1

T1546

Change Default File Association

1

T1546.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\FFGW.EXE

Filesize
438KB

MD5
f09acb336b084aa848fe77868c610c9b

SHA1
fdc112360cd689e015942a83d4246baee79f936e

SHA256
21d7cb48b6139963cbbe0cb1b22dd167000913ecbbc3146844675d9fd5ef2f9f

SHA512
55bc13311ba2d9011fa55748afe321e08eb9b6114f55b306a57f6db5b2a869e608c0d761d00e92a08f9bdb70e116286b8f678a5a63a6f4b051ca02af4155fa89

Download Submit
C:\filedebug

Filesize
297B

MD5
eb4bd939f9909bef18125bbc0fe2c5cd

SHA1
04cf8c0e0d30f191655ad8056c0b087a0de1114b

SHA256
3553136f13af4a346b02fddf2d47d63110fc8266a35e7f2279ff8e0bb9f31e3b

SHA512
d52036370cbd0ebd4752bca873cb70a7f98a904f14413107d05deadd07ece9e53da52d5046352b6770a92422d3bf63c960c5a0f43d802ed29473ee96e82b43bc

Download Submit
memory/4260-23-0x00000000021E0000-0x00000000021E1000-memory.dmp

Filesize
4KB

Download
memory/4260-25-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/4260-26-0x00000000021E0000-0x00000000021E1000-memory.dmp

Filesize
4KB

Download
memory/4748-0-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/4748-1-0x00000000021C0000-0x00000000021C1000-memory.dmp

Filesize
4KB

Download
memory/4748-24-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads