cad518108ac38bddb179100e5c09d33edbd836a8601ec4fb9519dc3d60c697f3

Analysis

max time kernel
150s
max time network
125s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
10-05-2024 11:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d02b17c702bd5a504a23cdea7821f3b0_NeikiAnalytics.exe
Size

402KB
MD5

d02b17c702bd5a504a23cdea7821f3b0
SHA1

70d452cf532ed278c4e8eb4a9eb194facebaf3bd
SHA256

cad518108ac38bddb179100e5c09d33edbd836a8601ec4fb9519dc3d60c697f3
SHA512

31d7627c12ba87ebb1c40d1cfdc6ef9575d68c9c0411006928862f9c27c0a15b7bd4c94271e97e3eae6308a4f8614cf8c2c57ee0875184060f85c4ed337415c3
SSDEEP

6144:jEpmvTk1y8f9OP2QgaZm3VVKhx4hKi3Io46kbV7k5K6PQLlhJ36FQjGLvWX1vaa+:jEeT2yI52clVDB4B12636mrvaaaaa

Score

7^/10

persistence upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2852	bM28262BiOpN28262.exe

Executes dropped EXE 1 IoCs

pid	Process
2852	bM28262BiOpN28262.exe

Loads dropped DLL 2 IoCs

pid	Process
2884	d02b17c702bd5a504a23cdea7821f3b0_NeikiAnalytics.exe
2884	d02b17c702bd5a504a23cdea7821f3b0_NeikiAnalytics.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2884-3-0x0000000000400000-0x00000000004F1000-memory.dmp	upx
behavioral1/memory/2884-18-0x0000000000400000-0x00000000004F1000-memory.dmp	upx
behavioral1/memory/2852-25-0x0000000000400000-0x00000000004F1000-memory.dmp	upx
behavioral1/memory/2852-29-0x0000000000400000-0x00000000004F1000-memory.dmp	upx
behavioral1/memory/2852-38-0x0000000000400000-0x00000000004F1000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\bM28262BiOpN28262 = "C:\\ProgramData\\bM28262BiOpN28262\\bM28262BiOpN28262.exe"	bM28262BiOpN28262.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main	bM28262BiOpN28262.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2884	d02b17c702bd5a504a23cdea7821f3b0_NeikiAnalytics.exe
2852	bM28262BiOpN28262.exe
2852	bM28262BiOpN28262.exe
2852	bM28262BiOpN28262.exe
2852	bM28262BiOpN28262.exe
2852	bM28262BiOpN28262.exe
2852	bM28262BiOpN28262.exe
2852	bM28262BiOpN28262.exe
2852	bM28262BiOpN28262.exe
2852	bM28262BiOpN28262.exe
2852	bM28262BiOpN28262.exe
2852	bM28262BiOpN28262.exe
2852	bM28262BiOpN28262.exe
2852	bM28262BiOpN28262.exe
2852	bM28262BiOpN28262.exe
2852	bM28262BiOpN28262.exe
2852	bM28262BiOpN28262.exe
2852	bM28262BiOpN28262.exe
2852	bM28262BiOpN28262.exe
2852	bM28262BiOpN28262.exe
2852	bM28262BiOpN28262.exe
2852	bM28262BiOpN28262.exe
2852	bM28262BiOpN28262.exe
2852	bM28262BiOpN28262.exe
2852	bM28262BiOpN28262.exe
2852	bM28262BiOpN28262.exe
2852	bM28262BiOpN28262.exe
2852	bM28262BiOpN28262.exe
2852	bM28262BiOpN28262.exe
2852	bM28262BiOpN28262.exe
2852	bM28262BiOpN28262.exe
2852	bM28262BiOpN28262.exe
2852	bM28262BiOpN28262.exe
2852	bM28262BiOpN28262.exe
2852	bM28262BiOpN28262.exe
2852	bM28262BiOpN28262.exe
2852	bM28262BiOpN28262.exe
2852	bM28262BiOpN28262.exe
2852	bM28262BiOpN28262.exe
2852	bM28262BiOpN28262.exe
2852	bM28262BiOpN28262.exe
2852	bM28262BiOpN28262.exe
2852	bM28262BiOpN28262.exe
2852	bM28262BiOpN28262.exe
2852	bM28262BiOpN28262.exe
2852	bM28262BiOpN28262.exe
2852	bM28262BiOpN28262.exe
2852	bM28262BiOpN28262.exe
2852	bM28262BiOpN28262.exe
2852	bM28262BiOpN28262.exe
2852	bM28262BiOpN28262.exe
2852	bM28262BiOpN28262.exe
2852	bM28262BiOpN28262.exe
2852	bM28262BiOpN28262.exe
2852	bM28262BiOpN28262.exe
2852	bM28262BiOpN28262.exe
2852	bM28262BiOpN28262.exe
2852	bM28262BiOpN28262.exe
2852	bM28262BiOpN28262.exe
2852	bM28262BiOpN28262.exe
2852	bM28262BiOpN28262.exe
2852	bM28262BiOpN28262.exe
2852	bM28262BiOpN28262.exe
2852	bM28262BiOpN28262.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2884	d02b17c702bd5a504a23cdea7821f3b0_NeikiAnalytics.exe
Token: SeDebugPrivilege	2852	bM28262BiOpN28262.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2852	bM28262BiOpN28262.exe
2852	bM28262BiOpN28262.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2852	bM28262BiOpN28262.exe
2852	bM28262BiOpN28262.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2852	bM28262BiOpN28262.exe
2852	bM28262BiOpN28262.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2884 wrote to memory of 2852	2884	d02b17c702bd5a504a23cdea7821f3b0_NeikiAnalytics.exe	28
PID 2884 wrote to memory of 2852	2884	d02b17c702bd5a504a23cdea7821f3b0_NeikiAnalytics.exe	28
PID 2884 wrote to memory of 2852	2884	d02b17c702bd5a504a23cdea7821f3b0_NeikiAnalytics.exe	28
PID 2884 wrote to memory of 2852	2884	d02b17c702bd5a504a23cdea7821f3b0_NeikiAnalytics.exe	28

C:\Users\Admin\AppData\Local\Temp\d02b17c702bd5a504a23cdea7821f3b0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\d02b17c702bd5a504a23cdea7821f3b0_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2884
- C:\ProgramData\bM28262BiOpN28262\bM28262BiOpN28262.exe
  "C:\ProgramData\bM28262BiOpN28262\bM28262BiOpN28262.exe" "C:\Users\Admin\AppData\Local\Temp\d02b17c702bd5a504a23cdea7821f3b0_NeikiAnalytics.exe"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Adds Run key to start application
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:2852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\bM28262BiOpN28262\bM28262BiOpN28262

Filesize
192B

MD5
5320350f57994fe01f21832ec916c986

SHA1
0d724311c5d20059f4c9f3bc723893d20490f275

SHA256
39cf049102b8b6f4563c77b22c563d1997860a5b0642438036d0e510a040e130

SHA512
aa4d7ab9b579456e0967ab996a77fa25df23aeb22218eb4d340a54e53bc3f3d806d6ddaa01c2d32888535dbc2279950acf43d92e7bb90cc024d4abfbaed8a158

Download Submit
\ProgramData\bM28262BiOpN28262\bM28262BiOpN28262.exe

Filesize
402KB

MD5
3e145a30805bd562ebf989120b951b4a

SHA1
63b6981113954eb841d44dfd8f9cf6968a796689

SHA256
f9a308fbaa60da17d92693b51dd7ed0970fdfe43000aad12766549ddcb898601

SHA512
a61faa153396781b83e2a7df6bcda232e96df6e16d581ae748a136dcf21ed9a7672d81e4d48672c42e23ca4ce6c5b53c32e8c2130870a5316003d19a11c4bce7

Download Submit
memory/2852-19-0x0000000000400000-0x00000000004F1000-memory.dmp

Filesize
964KB

Download
memory/2852-25-0x0000000000400000-0x00000000004F1000-memory.dmp

Filesize
964KB

Download
memory/2852-29-0x0000000000400000-0x00000000004F1000-memory.dmp

Filesize
964KB

Download
memory/2852-38-0x0000000000400000-0x00000000004F1000-memory.dmp

Filesize
964KB

Download
memory/2884-0-0x00000000002B0000-0x00000000002B3000-memory.dmp

Filesize
12KB

Download
memory/2884-3-0x0000000000400000-0x00000000004F1000-memory.dmp

Filesize
964KB

Download
memory/2884-18-0x0000000000400000-0x00000000004F1000-memory.dmp

Filesize
964KB

Download