c693c4a771d553aa423d864e4e45e63bbc66946c4f4a6270af4705abded77f9c

Analysis

max time kernel
148s
max time network
118s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
10-05-2024 12:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d9d9cb1fbfb437799808ead1dff841a0_NeikiAnalytics.exe
Size

6.1MB
MD5

d9d9cb1fbfb437799808ead1dff841a0
SHA1

84dde02c10436da90e7422c0f2c90f5ecc2d58c4
SHA256

c693c4a771d553aa423d864e4e45e63bbc66946c4f4a6270af4705abded77f9c
SHA512

eb429d2fecc439da460fb715badfaab3373a5235914a183ff4aa5baffbb80b5723d2fe2ebe603937fa6afbd77c607dcbde9da1624bd074632e01905824d1c39e
SSDEEP

196608:A6q0HkQgN1DmfJLO03/Vnaiq2L8dET6WBse0aUCeVMRmLnP9b:A6jCKLO03ZFn846WBsnaiVMRYnN

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe sIRC4.exe"	d9d9cb1fbfb437799808ead1dff841a0_NeikiAnalytics.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\xdccPrograms\7zG.exe	d9d9cb1fbfb437799808ead1dff841a0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\DC++ Share\java-rmi.exe	d9d9cb1fbfb437799808ead1dff841a0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\DC++ Share\javac.exe	d9d9cb1fbfb437799808ead1dff841a0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\javaw.exe	d9d9cb1fbfb437799808ead1dff841a0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\xdccPrograms\Uninstall.exe	d9d9cb1fbfb437799808ead1dff841a0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\FlickLearningWizard.exe	d9d9cb1fbfb437799808ead1dff841a0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\DC++ Share\MSOXMLED.exe	d9d9cb1fbfb437799808ead1dff841a0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\DC++ Share\DVDMaker.exe	d9d9cb1fbfb437799808ead1dff841a0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\javadoc.exe	d9d9cb1fbfb437799808ead1dff841a0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\DC++ Share\elevation_service.exe	d9d9cb1fbfb437799808ead1dff841a0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\DC++ Share\iediagcmd.exe	d9d9cb1fbfb437799808ead1dff841a0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\javac.exe	d9d9cb1fbfb437799808ead1dff841a0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\javap.exe	d9d9cb1fbfb437799808ead1dff841a0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\DC++ Share\javaw.exe	d9d9cb1fbfb437799808ead1dff841a0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\DC++ Share\OSPPSVC.exe	d9d9cb1fbfb437799808ead1dff841a0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\DC++ Share\java.exe	d9d9cb1fbfb437799808ead1dff841a0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\javah.exe	d9d9cb1fbfb437799808ead1dff841a0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\DC++ Share\chrome.exe	d9d9cb1fbfb437799808ead1dff841a0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\DC++ Share\ielowutil.exe	d9d9cb1fbfb437799808ead1dff841a0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\RCX1297.tmp	d9d9cb1fbfb437799808ead1dff841a0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\jarsigner.exe	d9d9cb1fbfb437799808ead1dff841a0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\DC++ Share\javadoc.exe	d9d9cb1fbfb437799808ead1dff841a0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\javafxpackager.exe	d9d9cb1fbfb437799808ead1dff841a0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\DC++ Share\extcheck.exe	d9d9cb1fbfb437799808ead1dff841a0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\DC++ Share\jar.exe	d9d9cb1fbfb437799808ead1dff841a0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\xdccPrograms\7z.exe	d9d9cb1fbfb437799808ead1dff841a0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\DC++ Share\mip.exe	d9d9cb1fbfb437799808ead1dff841a0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\DC++ Share\TabTip.exe	d9d9cb1fbfb437799808ead1dff841a0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\TabTip.exe	d9d9cb1fbfb437799808ead1dff841a0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\DVDMaker.exe	d9d9cb1fbfb437799808ead1dff841a0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\DC++ Share\iexplore.exe	d9d9cb1fbfb437799808ead1dff841a0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\java.exe	d9d9cb1fbfb437799808ead1dff841a0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\xdccPrograms\ConvertInkStore.exe	d9d9cb1fbfb437799808ead1dff841a0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\appletviewer.exe	d9d9cb1fbfb437799808ead1dff841a0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\apt.exe	d9d9cb1fbfb437799808ead1dff841a0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\jabswitch.exe	d9d9cb1fbfb437799808ead1dff841a0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\jar.exe	d9d9cb1fbfb437799808ead1dff841a0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\java-rmi.exe	d9d9cb1fbfb437799808ead1dff841a0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\Uninstall.exe	d9d9cb1fbfb437799808ead1dff841a0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\xdccPrograms\InkWatson.exe	d9d9cb1fbfb437799808ead1dff841a0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\elevation_service.exe	d9d9cb1fbfb437799808ead1dff841a0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\DC++ Share\setup.exe	d9d9cb1fbfb437799808ead1dff841a0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\DC++ Share\apt.exe	d9d9cb1fbfb437799808ead1dff841a0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\extcheck.exe	d9d9cb1fbfb437799808ead1dff841a0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\DC++ Share\notification_helper.exe	d9d9cb1fbfb437799808ead1dff841a0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\master_prefere.exe	d9d9cb1fbfb437799808ead1dff841a0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\DC++ Share\ieinstal.exe	d9d9cb1fbfb437799808ead1dff841a0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\DC++ Share\jabswitch.exe	d9d9cb1fbfb437799808ead1dff841a0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\ClearStart.exe	d9d9cb1fbfb437799808ead1dff841a0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\xdccPrograms\FlickLearningWizard.exe	d9d9cb1fbfb437799808ead1dff841a0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\DC++ Share\ShapeCollector.exe	d9d9cb1fbfb437799808ead1dff841a0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\DC++ Share\chrome_proxy.exe	d9d9cb1fbfb437799808ead1dff841a0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\DC++ Share\idlj.exe	d9d9cb1fbfb437799808ead1dff841a0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\DC++ Share\javap.exe	d9d9cb1fbfb437799808ead1dff841a0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\sIRC4.exe	d9d9cb1fbfb437799808ead1dff841a0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\sIRC4.exe	d9d9cb1fbfb437799808ead1dff841a0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\xdccPrograms\InputPersonalization.exe	d9d9cb1fbfb437799808ead1dff841a0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\DC++ Share\chrmstp.exe	d9d9cb1fbfb437799808ead1dff841a0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\setup.exe	d9d9cb1fbfb437799808ead1dff841a0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\iexplore.exe	d9d9cb1fbfb437799808ead1dff841a0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\DC++ Share\javafxpackager.exe	d9d9cb1fbfb437799808ead1dff841a0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\xdccPrograms\7zFM.exe	d9d9cb1fbfb437799808ead1dff841a0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\mip.exe	d9d9cb1fbfb437799808ead1dff841a0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\DC++ Share\VSTOInstaller.exe	d9d9cb1fbfb437799808ead1dff841a0_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2948	d9d9cb1fbfb437799808ead1dff841a0_NeikiAnalytics.exe

C:\Users\Admin\AppData\Local\Temp\d9d9cb1fbfb437799808ead1dff841a0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\d9d9cb1fbfb437799808ead1dff841a0_NeikiAnalytics.exe"
1⤵
- Modifies WinLogon for persistence
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:2948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\xdccPrograms\7zG.exe

Filesize
6.1MB

MD5
d9d9cb1fbfb437799808ead1dff841a0

SHA1
84dde02c10436da90e7422c0f2c90f5ecc2d58c4

SHA256
c693c4a771d553aa423d864e4e45e63bbc66946c4f4a6270af4705abded77f9c

SHA512
eb429d2fecc439da460fb715badfaab3373a5235914a183ff4aa5baffbb80b5723d2fe2ebe603937fa6afbd77c607dcbde9da1624bd074632e01905824d1c39e

Download Submit
memory/2948-18-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/2948-126-0x0000000000400000-0x0000000000D43000-memory.dmp

Filesize
9.3MB

Download
memory/2948-20-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/2948-3-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2948-43-0x0000000000400000-0x0000000000D43000-memory.dmp

Filesize
9.3MB

Download
memory/2948-46-0x0000000000400000-0x0000000000D43000-memory.dmp

Filesize
9.3MB

Download
memory/2948-35-0x0000000000D50000-0x0000000000D51000-memory.dmp

Filesize
4KB

Download
memory/2948-33-0x0000000000D50000-0x0000000000D51000-memory.dmp

Filesize
4KB

Download
memory/2948-30-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2948-28-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2948-25-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2948-23-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2948-1-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2948-5-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2948-6-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2948-13-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/2948-47-0x0000000000400000-0x0000000000D43000-memory.dmp

Filesize
9.3MB

Download
memory/2948-48-0x0000000000400000-0x0000000000D43000-memory.dmp

Filesize
9.3MB

Download
memory/2948-11-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/2948-10-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2948-8-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2948-15-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/2948-123-0x0000000000400000-0x0000000000D43000-memory.dmp

Filesize
9.3MB

Download
memory/2948-124-0x0000000000400000-0x0000000000D43000-memory.dmp

Filesize
9.3MB

Download
memory/2948-125-0x0000000000400000-0x0000000000D43000-memory.dmp

Filesize
9.3MB

Download
memory/2948-127-0x0000000000400000-0x0000000000D43000-memory.dmp

Filesize
9.3MB

Download
memory/2948-0-0x0000000000400000-0x0000000000D43000-memory.dmp

Filesize
9.3MB

Download