Analysis
max time kernel: 150s
max time network: 123s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 10/05/2024, 11:13
Static task: static1
Behavioral task: behavioral1
  Sample: ceb0b2440ef3c7cc25d63bf7c74d8490_NeikiAnalytics.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: ceb0b2440ef3c7cc25d63bf7c74d8490_NeikiAnalytics.exe
  Resource: win10v2004-20240426-en
General
Target: ceb0b2440ef3c7cc25d63bf7c74d8490_NeikiAnalytics.exe
Size: 124KB
MD5: ceb0b2440ef3c7cc25d63bf7c74d8490
SHA1: c5f3db2f3a3cca8f497369530de474fb99f5a4c1
SHA256: 8533ad2f8448f682218fefd8798365fd3344d46b3c8c9b5654512323954f46b6
SHA512: 4e357c9dc3819ab249f220f9a86724f61da0a8c88e99e0a1f05f18b478924524283c96bf6e3f192ec3059a58843fec12ec45f9eb6aba4da15f93df6dead0c47c
SSDEEP: 3072:BaAfUEix0rQKGcNqnGrD6uvIepyJS6f1Frej:BhfiWrQKGciwQJr
Malware Config
Signatures
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
  Set value (int)  \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"  by xiyet.exe
  Set value (int)  \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"  by ceb0b2440ef3c7cc25d63bf7c74d8490_NeikiAnalytics.exe
  (ShowSuperHidden = 0 is the stock setting that hides protected operating-system files in Explorer; both parent and child re-assert it.)
Executes dropped EXE (1 IoC)
  PID 2532  xiyet.exe
Loads dropped DLL (2 IoCs)
  PID 1812  ceb0b2440ef3c7cc25d63bf7c74d8490_NeikiAnalytics.exe  (listed twice)
Adds Run key to start application (2 TTPs, 53 IoCs)
  Key: \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run
  Value name: xiyet (str)
  Data: "C:\\Users\\Admin\\xiyet.exe /<switch>" (path shown escaped, as in the report)
  The value is rewritten 53 times and each write differs only in the trailing switch, so the data left on disk is whichever write came last. Switches in the order listed (the parent's single write falls between /p and /o):
  by xiyet.exe (52 writes):
    /D /t /V /v /d /r /S /g /Q /m /R /e /f /N /A /P /C /i /s /L /W /w /Y /y /q /x /k /E /Z /X /n /a /K /M /U /b /O /l /I /h /u /c /F /B /H /G /p /o /z /T /J /j
  by ceb0b2440ef3c7cc25d63bf7c74d8490_NeikiAnalytics.exe (1 write):
    /F
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 1812  ceb0b2440ef3c7cc25d63bf7c74d8490_NeikiAnalytics.exe  (1 hit)
  PID 2532  xiyet.exe  (63 hits)
Suspicious use of SetWindowsHookEx (2 IoCs)
  PID 1812  ceb0b2440ef3c7cc25d63bf7c74d8490_NeikiAnalytics.exe
  PID 2532  xiyet.exe
Suspicious use of WriteProcessMemory (4 IoCs)
  PID 1812 (ceb0b2440ef3c7cc25d63bf7c74d8490_NeikiAnalytics.exe) wrote to memory of PID 2532 (procid_target 28), recorded 4 times
Processes
C:\Users\Admin\AppData\Local\Temp\ceb0b2440ef3c7cc25d63bf7c74d8490_NeikiAnalytics.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ceb0b2440ef3c7cc25d63bf7c74d8490_NeikiAnalytics.exe"  (depth 1, PID 1812)
  - Modifies visibility of hidden/system files in Explorer
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\xiyet.exe
    Command line: "C:\Users\Admin\xiyet.exe"  (depth 2, child of PID 1812, PID 2532)
    - Modifies visibility of hidden/system files in Explorer
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 124KB
MD5: ac7c8aa5f7c29c63f68e07ca3188383b
SHA1: 8e80395c5806e6ac16cfae91e9b67ed2a6e155e0
SHA256: 530ea69bd811f8ce43f5805fae0c83364778d8c4a213eab2cc80beef67bbe29d
SHA512: c6ab1c3396805b204d68ffce6ebe01de7ba2c55a21921784614104d4e076672ecbc5edfd811bd4a3191b55340a3fef9e948a7730a09739f04c9417a7462f0ec7
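The registry, file and process IoCs in this report can be turned into a host check. The PowerShell below is an added example for this page, not part of the sandbox output or of the sample: it looks for the Run value `xiyet` and for ShowSuperHidden = 0 in every loaded user hive, for `xiyet.exe` in each profile root, and for a running `xiyet` process, and compares any file it finds against the two SHA256 values above. Assumptions: it runs elevated on the host under investigation; the file listed under Downloads is taken to be the dropped copy of `xiyet.exe`, which the report itself does not state; `Get-FileHash` and `Get-ChildItem -Directory` need PowerShell 4.0 or later, so a stock Windows 7 box needs WMF 4 or 5 first.

```powershell
# Added triage script for the IoCs in this report (not sandbox output, not the sample's code).
# Assumptions: runs elevated; profiles live under C:\Users; PowerShell 4.0 or later.

$RunValueName   = 'xiyet'
$DroppedExeName = 'xiyet.exe'

# SHA256 values copied from the report. The second is the file under "Downloads";
# the report does not name it, so treating it as the dropped xiyet.exe is an assumption.
$KnownSha256 = @(
    '8533ad2f8448f682218fefd8798365fd3344d46b3c8c9b5654512323954f46b6', # submitted sample
    '530ea69bd811f8ce43f5805fae0c83364778d8c4a213eab2cc80beef67bbe29d'  # file listed under Downloads
)

# Reference-type list so script blocks below can append without scope tricks.
$findings = New-Object System.Collections.Generic.List[object]

# 1 + 2. Per-user registry. Only hives of logged-on users are loaded under HKU;
# for other profiles, `reg load` their NTUSER.DAT first.
Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -match '^S-1-5-21-\d+-\d+-\d+-\d+$' } |
    ForEach-Object {
        $sid    = $_.PSChildName
        $runKey = "Registry::HKEY_USERS\$sid\Software\Microsoft\Windows\CurrentVersion\Run"
        $advKey = "Registry::HKEY_USERS\$sid\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"

        # Persistence. The value name is stable; the trailing switch was rewritten 53 times,
        # so match on the name and image path, never on the switch.
        $run = Get-ItemProperty -Path $runKey -Name $RunValueName -ErrorAction SilentlyContinue
        if ($run) {
            $findings.Add([pscustomobject]@{ Check = 'Run key'; Detail = "$sid : $($run.$RunValueName)" })
        }

        # Defense evasion. ShowSuperHidden = 0 is also the default on a fresh profile,
        # so this corroborates a Run-key or file hit rather than proving infection alone.
        $adv = Get-ItemProperty -Path $advKey -Name 'ShowSuperHidden' -ErrorAction SilentlyContinue
        if ($adv -and $adv.ShowSuperHidden -eq 0) {
            $findings.Add([pscustomobject]@{ Check = 'ShowSuperHidden=0'; Detail = $sid })
        }
    }

# 3. Dropped file. The report shows the copy in the profile root: C:\Users\<user>\xiyet.exe.
Get-ChildItem -Path 'C:\Users' -Directory -ErrorAction SilentlyContinue | ForEach-Object {
    $candidate = Join-Path -Path $_.FullName -ChildPath $DroppedExeName
    if (Test-Path -LiteralPath $candidate -PathType Leaf) {
        $hash  = (Get-FileHash -LiteralPath $candidate -Algorithm SHA256).Hash.ToLower()
        $known = if ($KnownSha256 -contains $hash) { 'matches report' } else { 'hash not in report' }
        $findings.Add([pscustomobject]@{ Check = 'Dropped file'; Detail = "$candidate sha256=$hash ($known)" })
    }
}

# 4. Live process. The child in the process tree runs under the image name xiyet.exe.
Get-Process -Name 'xiyet' -ErrorAction SilentlyContinue | ForEach-Object {
    $findings.Add([pscustomobject]@{ Check = 'Process'; Detail = "PID $($_.Id) $($_.Path)" })
}

if ($findings.Count -eq 0) { Write-Output 'No xiyet IoCs found on this host.' }
else { $findings | Format-Table -AutoSize }
```

Run it from an elevated PowerShell on the suspect host. A hit on the Run value or on the file in a profile root is the strong signal; a file whose hash is not in the report is still worth pulling, since a recompiled or self-modified copy would carry a different hash but the same path and Run value. For users who are not logged on, load their hive first (`reg load HKU\tmp C:\Users\<name>\NTUSER.DAT`) or the registry checks will silently skip them.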