c693c4a771d553aa423d864e4e45e63bbc66946c4f4a6270af4705abded77f9c

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
10/05/2024, 12:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d9d9cb1fbfb437799808ead1dff841a0_NeikiAnalytics.exe
Size

6.1MB
MD5

d9d9cb1fbfb437799808ead1dff841a0
SHA1

84dde02c10436da90e7422c0f2c90f5ecc2d58c4
SHA256

c693c4a771d553aa423d864e4e45e63bbc66946c4f4a6270af4705abded77f9c
SHA512

eb429d2fecc439da460fb715badfaab3373a5235914a183ff4aa5baffbb80b5723d2fe2ebe603937fa6afbd77c607dcbde9da1624bd074632e01905824d1c39e
SSDEEP

196608:A6q0HkQgN1DmfJLO03/Vnaiq2L8dET6WBse0aUCeVMRmLnP9b:A6jCKLO03ZFn846WBsnaiVMRYnN

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe sIRC4.exe"	d9d9cb1fbfb437799808ead1dff841a0_NeikiAnalytics.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\DC++ Share\ieinstal.exe	d9d9cb1fbfb437799808ead1dff841a0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\DC++ Share\javadoc.exe	d9d9cb1fbfb437799808ead1dff841a0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\xdccPrograms\Uninstall.exe	d9d9cb1fbfb437799808ead1dff841a0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\DC++ Share\createdump.exe	d9d9cb1fbfb437799808ead1dff841a0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\idlj.exe	d9d9cb1fbfb437799808ead1dff841a0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\DC++ Share\VSTOInstaller.exe	d9d9cb1fbfb437799808ead1dff841a0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\master_prefere.exe	d9d9cb1fbfb437799808ead1dff841a0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\extcheck.exe	d9d9cb1fbfb437799808ead1dff841a0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\DC++ Share\chrome_proxy.exe	d9d9cb1fbfb437799808ead1dff841a0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\ShapeCollector.exe	d9d9cb1fbfb437799808ead1dff841a0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\notification_helper.exe	d9d9cb1fbfb437799808ead1dff841a0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\ielowutil.exe	d9d9cb1fbfb437799808ead1dff841a0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\jar.exe	d9d9cb1fbfb437799808ead1dff841a0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\AppVShNotify.exe	d9d9cb1fbfb437799808ead1dff841a0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\xdccPrograms\7zFM.exe	d9d9cb1fbfb437799808ead1dff841a0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\DC++ Share\ShapeCollector.exe	d9d9cb1fbfb437799808ead1dff841a0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\elevation_service.exe	d9d9cb1fbfb437799808ead1dff841a0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\RCX37B6.tmp	d9d9cb1fbfb437799808ead1dff841a0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\iexplore.exe	d9d9cb1fbfb437799808ead1dff841a0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\sIRC4.exe	d9d9cb1fbfb437799808ead1dff841a0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\7zG.exe	d9d9cb1fbfb437799808ead1dff841a0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\xdccPrograms\appvcleaner.exe	d9d9cb1fbfb437799808ead1dff841a0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\DC++ Share\mip.exe	d9d9cb1fbfb437799808ead1dff841a0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\DC++ Share\msinfo32.exe	d9d9cb1fbfb437799808ead1dff841a0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\DC++ Share\chrome_pwa_launcher.exe	d9d9cb1fbfb437799808ead1dff841a0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\DC++ Share\ieinstal.exe	d9d9cb1fbfb437799808ead1dff841a0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\RCX3F3A.tmp	d9d9cb1fbfb437799808ead1dff841a0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\7zFM.exe	d9d9cb1fbfb437799808ead1dff841a0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\DC++ Share\jar.exe	d9d9cb1fbfb437799808ead1dff841a0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\DC++ Share\LICLUA.exe	d9d9cb1fbfb437799808ead1dff841a0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\DC++ Share\dotnet.exe	d9d9cb1fbfb437799808ead1dff841a0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\DC++ Share\ExtExport.exe	d9d9cb1fbfb437799808ead1dff841a0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\DC++ Share\ielowutil.exe	d9d9cb1fbfb437799808ead1dff841a0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\DC++ Share\iexplore.exe	d9d9cb1fbfb437799808ead1dff841a0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\jarsigner.exe	d9d9cb1fbfb437799808ead1dff841a0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\xdccPrograms\7z.exe	d9d9cb1fbfb437799808ead1dff841a0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\InputPersonalization.exe	d9d9cb1fbfb437799808ead1dff841a0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\DC++ Share\extcheck.exe	d9d9cb1fbfb437799808ead1dff841a0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\java.exe	d9d9cb1fbfb437799808ead1dff841a0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\DC++ Share\InputPersonalization.exe	d9d9cb1fbfb437799808ead1dff841a0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\DC++ Share\elevation_service.exe	d9d9cb1fbfb437799808ead1dff841a0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\DC++ Share\notification_helper.exe	d9d9cb1fbfb437799808ead1dff841a0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\RCX3459.tmp	d9d9cb1fbfb437799808ead1dff841a0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\chrome.exe	d9d9cb1fbfb437799808ead1dff841a0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\java-rmi.exe	d9d9cb1fbfb437799808ead1dff841a0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\xdccPrograms\MavInject32.exe	d9d9cb1fbfb437799808ead1dff841a0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\IntegratedOffice.exe	d9d9cb1fbfb437799808ead1dff841a0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\dotnet.exe	d9d9cb1fbfb437799808ead1dff841a0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\DC++ Share\chrmstp.exe	d9d9cb1fbfb437799808ead1dff841a0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\iediagcmd.exe	d9d9cb1fbfb437799808ead1dff841a0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\RCX4100.tmp	d9d9cb1fbfb437799808ead1dff841a0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\DC++ Share\idlj.exe	d9d9cb1fbfb437799808ead1dff841a0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\javac.exe	d9d9cb1fbfb437799808ead1dff841a0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\InspectorOfficeGadget.exe	d9d9cb1fbfb437799808ead1dff841a0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\xdccPrograms\IntegratedOffice.exe	d9d9cb1fbfb437799808ead1dff841a0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\setup.exe	d9d9cb1fbfb437799808ead1dff841a0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\DC++ Share\master_prefere.exe	d9d9cb1fbfb437799808ead1dff841a0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\ExtExport.exe	d9d9cb1fbfb437799808ead1dff841a0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\DC++ Share\jabswitch.exe	d9d9cb1fbfb437799808ead1dff841a0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\jabswitch.exe	d9d9cb1fbfb437799808ead1dff841a0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\Uninstall.exe	d9d9cb1fbfb437799808ead1dff841a0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\OfficeClickToRun.exe	d9d9cb1fbfb437799808ead1dff841a0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\DC++ Share\TabTip.exe	d9d9cb1fbfb437799808ead1dff841a0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\OSE.exe	d9d9cb1fbfb437799808ead1dff841a0_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2792	d9d9cb1fbfb437799808ead1dff841a0_NeikiAnalytics.exe
2792	d9d9cb1fbfb437799808ead1dff841a0_NeikiAnalytics.exe

C:\Users\Admin\AppData\Local\Temp\d9d9cb1fbfb437799808ead1dff841a0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\d9d9cb1fbfb437799808ead1dff841a0_NeikiAnalytics.exe"
1⤵
- Modifies WinLogon for persistence
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:2792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\xdccPrograms\7zG.exe

Filesize
6.1MB

MD5
54413a0793635097c9527adc0dd030e3

SHA1
ade4e069f3ed4df29c9199c5527cc80f5c23bec2

SHA256
18c3c8b5beae4856968a508345bf3e46b906496a61ccb6bee68c96a951d53cb9

SHA512
3a9c52963eaaec39c8ebb81e20e64ee569f5848cdc80ee421a575af2c381e628939f753d3f1209cac6642f54eea29d46ce3563222646c9d4337b2e5364ad52b4

Download Submit
memory/2792-5-0x0000000000F10000-0x0000000000F11000-memory.dmp

Filesize
4KB

Download
memory/2792-2-0x0000000000DA0000-0x0000000000DA1000-memory.dmp

Filesize
4KB

Download
memory/2792-7-0x0000000000F30000-0x0000000000F31000-memory.dmp

Filesize
4KB

Download
memory/2792-10-0x0000000000418000-0x0000000000767000-memory.dmp

Filesize
3.3MB

Download
memory/2792-15-0x0000000000400000-0x0000000000D43000-memory.dmp

Filesize
9.3MB

Download
memory/2792-1-0x0000000000D90000-0x0000000000D91000-memory.dmp

Filesize
4KB

Download
memory/2792-3-0x0000000000ED0000-0x0000000000ED1000-memory.dmp

Filesize
4KB

Download
memory/2792-6-0x0000000000F20000-0x0000000000F21000-memory.dmp

Filesize
4KB

Download
memory/2792-4-0x0000000000F00000-0x0000000000F01000-memory.dmp

Filesize
4KB

Download
memory/2792-0-0x0000000000400000-0x0000000000D43000-memory.dmp

Filesize
9.3MB

Download
memory/2792-8-0x0000000000400000-0x0000000000D43000-memory.dmp

Filesize
9.3MB

Download
memory/2792-23-0x0000000000400000-0x0000000000D43000-memory.dmp

Filesize
9.3MB

Download
memory/2792-31-0x0000000000400000-0x0000000000D43000-memory.dmp

Filesize
9.3MB

Download
memory/2792-32-0x0000000000418000-0x0000000000767000-memory.dmp

Filesize
3.3MB

Download
memory/2792-33-0x0000000000400000-0x0000000000D43000-memory.dmp

Filesize
9.3MB

Download
memory/2792-34-0x0000000000400000-0x0000000000D43000-memory.dmp

Filesize
9.3MB

Download