Analysis
max time kernel: 150s
max time network: 124s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 11-05-2024 03:15
Static task: static1
Behavioral task: behavioral1
  Sample: 693a82914b49b191643ad0f43eb9a900_NeikiAnalytics.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 693a82914b49b191643ad0f43eb9a900_NeikiAnalytics.exe
  Resource: win10v2004-20240426-en
General
Target: 693a82914b49b191643ad0f43eb9a900_NeikiAnalytics.exe
Size: 66KB
MD5: 693a82914b49b191643ad0f43eb9a900
SHA1: f6e7985eedd72da51862f9811f267c0d352e0e98
SHA256: 74e293b7083f9c80faed2e1e53d5ed53e9b2c61a838d20a9375012990a6010d7
SHA512: 62d0e9d4be417b95ac0eca9563e1e9725559127683522ea6103405e4c332ab2e7067330d4589c71efb5ebb615504aec2a7710afa7f8489dde3a5f0bd8e4febc1
SSDEEP: 1536:1teqKDlXvCDB04f5Gn/L8FlADNt3d1swM:ulg35GTslA5t3UwM
Malware Config
Signatures

Windows security bypass 4 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "25600" | utkoodim.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600" | utkoodim.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600" | utkoodim.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600" | utkoodim.exe

Modifies Installed Components in the registry 2 TTPs 4 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4B584950-5043-4b46-4B58-495050434b46}\01234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123 = "a" | utkoodim.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4B584950-5043-4b46-4B58-495050434b46}\IsInstalled = "1" | utkoodim.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4B584950-5043-4b46-4B58-495050434b46}\StubPath = "C:\\Windows\\system32\\olkinoon-atid.exe" | utkoodim.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4B584950-5043-4b46-4B58-495050434b46} | utkoodim.exe

Sets file execution options in registry 2 TTPs 3 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe | utkoodim.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\0123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890 = "a" | utkoodim.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger = "C:\\Windows\\system32\\oucxooxen-eagur.exe" | utkoodim.exe

Executes dropped EXE 2 IoCs
pid | Process
2248 | utkoodim.exe
1324 | utkoodim.exe

Loads dropped DLL 3 IoCs
pid | Process
2820 | 693a82914b49b191643ad0f43eb9a900_NeikiAnalytics.exe
2820 | 693a82914b49b191643ad0f43eb9a900_NeikiAnalytics.exe
2248 | utkoodim.exe

Windows security modification 4 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "25600" | utkoodim.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600" | utkoodim.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600" | utkoodim.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600" | utkoodim.exe

Modifies WinLogon 2 TTPs 5 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B} | utkoodim.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify | utkoodim.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345 = "a" | utkoodim.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\DLLName = "C:\\Windows\\system32\\expeasov-tom.dll" | utkoodim.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\Startup = "Startup" | utkoodim.exe

Drops file in System32 directory 9 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\utkoodim.exe | 693a82914b49b191643ad0f43eb9a900_NeikiAnalytics.exe
File created | C:\Windows\SysWOW64\olkinoon-atid.exe | utkoodim.exe
File created | C:\Windows\SysWOW64\expeasov-tom.dll | utkoodim.exe
File created | C:\Windows\SysWOW64\utkoodim.exe | 693a82914b49b191643ad0f43eb9a900_NeikiAnalytics.exe
File opened for modification | C:\Windows\SysWOW64\oucxooxen-eagur.exe | utkoodim.exe
File created | C:\Windows\SysWOW64\oucxooxen-eagur.exe | utkoodim.exe
File opened for modification | C:\Windows\SysWOW64\olkinoon-atid.exe | utkoodim.exe
File opened for modification | C:\Windows\SysWOW64\expeasov-tom.dll | utkoodim.exe
File opened for modification | C:\Windows\SysWOW64\utkoodim.exe | utkoodim.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
2248 | utkoodim.exe (63 of the 64 events)
1324 | utkoodim.exe (1 of the 64 events)

Suspicious use of AdjustPrivilegeToken 2 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2820 | 693a82914b49b191643ad0f43eb9a900_NeikiAnalytics.exe
Token: SeDebugPrivilege | 2248 | utkoodim.exe

Suspicious use of WriteProcessMemory 8 IoCs
description | pid | Process | procid_target
PID 2820 wrote to memory of 2248 (4 events) | 2820 | 693a82914b49b191643ad0f43eb9a900_NeikiAnalytics.exe | 28
PID 2248 wrote to memory of 1324 (4 events) | 2248 | utkoodim.exe | 29
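The signatures above describe four host-level artifacts worth hunting for on other machines: an IFEO Debugger value on explorer.exe (which makes Windows launch the named program in place of explorer), an Active Setup StubPath (run once per user at logon), a Winlogon Notify DLLName, and nonzero Security Center override/notification flags. Two WOW64 details matter when checking: the sample is 32-bit, so its HKLM writes landed under Wow6432Node and its "system32" file writes were redirected to SysWOW64 (which is why the "Drops file in System32 directory" rows show C:\Windows\SysWOW64 while the registry values say C:\Windows\system32); the IFEO key, by contrast, is shared between both registry views, which is why the report shows it under the native path. The script below is an added hunt example, not part of the sandbox report, and assumes an elevated 64-bit PowerShell 3 or later on the host under investigation (Get-FileHash needs 4 or later). It checks both registry views and both system directories, and compares any dropped file it finds against the SHA256 values in the report's Downloads list (the report does not map those hashes to file names, so the comparison is against the set).

```powershell
# Added hunt script for the artifacts listed in the report above (example, not the report's own tooling).
# Assumes an elevated 64-bit PowerShell 3+ on the host being checked.
$ErrorActionPreference = 'SilentlyContinue'
$findings = New-Object System.Collections.Generic.List[object]

function Add-Finding([string]$Category, [string]$Location, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Category = $Category; Location = $Location; Detail = $Detail })
}

# Best-effort extraction of the executable from a command line such as a StubPath value.
function Get-ExecutablePath([string]$CommandLine) {
    $cl = [Environment]::ExpandEnvironmentVariables($CommandLine)
    if ($cl -match '^\s*"([^"]+)"') { return $matches[1] }
    if ($cl -match '^\s*(\S+?\.(exe|dll|cmd|bat))') { return $matches[1] }
    return ($cl -split '\s+')[0]
}

# True only when the file exists and carries a valid Authenticode signature.
function Test-SignedFile([string]$Path) {
    if (-not (Test-Path -LiteralPath $Path)) { return $false }
    return ((Get-AuthenticodeSignature -FilePath $Path).Status -eq 'Valid')
}

# Native view first, then the 32-bit view the sample actually wrote to.
foreach ($view in 'HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\Wow6432Node') {
    # 1. IFEO: a Debugger value makes Windows start that program instead of the named image.
    $ifeo = "$view\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
    foreach ($k in Get-ChildItem -Path $ifeo) {
        $dbg = (Get-ItemProperty -Path $k.PSPath -Name Debugger).Debugger
        if ($dbg) { Add-Finding 'IFEO Debugger' $k.PSChildName $dbg }
    }

    # 2. Active Setup: StubPath runs once per user at logon; flag targets that are missing or unsigned.
    $activeSetup = "$view\Microsoft\Active Setup\Installed Components"
    foreach ($k in Get-ChildItem -Path $activeSetup) {
        $stub = (Get-ItemProperty -Path $k.PSPath -Name StubPath).StubPath
        if (-not $stub) { continue }
        if (-not (Test-SignedFile (Get-ExecutablePath $stub))) {
            Add-Finding 'Active Setup StubPath' $k.PSChildName $stub
        }
    }

    # 3. Winlogon Notify: Windows Vista and later no longer load these packages, so any
    #    DLLName here is a leftover persistence attempt and a strong indicator on its own.
    $notify = "$view\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"
    foreach ($k in Get-ChildItem -Path $notify) {
        $dll = (Get-ItemProperty -Path $k.PSPath -Name DLLName).DLLName
        if ($dll) { Add-Finding 'Winlogon Notify DLL' $k.PSChildName $dll }
    }

    # 4. Security Center: any nonzero value here suppresses AV/firewall/update warnings to the user.
    $sc = Get-ItemProperty -Path "$view\Microsoft\Security Center"
    foreach ($name in 'AntiVirusOverride', 'AntiVirusDisableNotify', 'FirewallDisableNotify', 'UpdatesDisableNotify') {
        if ($sc.$name) { Add-Finding 'Security Center override' "$view\Microsoft\Security Center\$name" $sc.$name }
    }
}

# 5. Dropped files: names from the report's file IoCs, hashes from its Downloads list.
$reportSha256 = @(
    '76cf016fd77cb5a06c6ed4674ddc2345e8390c010cf344491a6e742baf2c0fb0',
    'b5061e82fef9cf73cb6ca63c4333ee5b960b8d8e48a6240d0c464dbf68d1e931',
    '3e58788a259c20436336168a1fe99177b8f046a76fadbe4c3203ae01fb4014f2',
    '74e293b7083f9c80faed2e1e53d5ed53e9b2c61a838d20a9375012990a6010d7'
)
$droppedNames = 'utkoodim.exe', 'olkinoon-atid.exe', 'oucxooxen-eagur.exe', 'expeasov-tom.dll'
foreach ($dir in "$env:SystemRoot\SysWOW64", "$env:SystemRoot\System32") {
    foreach ($name in $droppedNames) {
        $p = Join-Path $dir $name
        if (Test-Path -LiteralPath $p) {
            $h = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash.ToLower()
            $tag = if ($reportSha256 -contains $h) { 'matches a report hash' } else { 'not in report hash list' }
            Add-Finding 'Dropped file' $p "$h ($tag)"
        }
    }
}

$findings | Format-Table -AutoSize
```

A clean host produces an empty table. The Active Setup check deliberately reports legitimate-looking but unsigned StubPath targets too, because the file the report points at (C:\Windows\system32\olkinoon-atid.exe) does not exist under the real System32 on x64; it was written to SysWOW64 by the 32-bit dropper, and a missing or unsigned target is exactly the condition you want surfaced.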
Processes

1. C:\Users\Admin\AppData\Local\Temp\693a82914b49b191643ad0f43eb9a900_NeikiAnalytics.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\693a82914b49b191643ad0f43eb9a900_NeikiAnalytics.exe"
   PID: 2820
   - Loads dropped DLL
   - Drops file in System32 directory
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\utkoodim.exe
      Command line: "C:\Windows\system32\utkoodim.exe"
      PID: 2248
      - Windows security bypass
      - Modifies Installed Components in the registry
      - Sets file execution options in registry
      - Executes dropped EXE
      - Loads dropped DLL
      - Windows security modification
      - Modifies WinLogon
      - Drops file in System32 directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\utkoodim.exe
         Command line (as reported): ùù¿çç¤
         PID: 1324
         - Executes dropped EXE
         - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 5KB
MD5: f37b21c00fd81bd93c89ce741a88f183
SHA1: b2796500597c68e2f5638e1101b46eaf32676c1c
SHA256: 76cf016fd77cb5a06c6ed4674ddc2345e8390c010cf344491a6e742baf2c0fb0
SHA512: 252fe66dea9a4b9aebc5fd2f24434719cb25159ba51549d9de407f44b6a2f7bce6e071be02c4f2ad6aef588c77f12c00ed415eb54f96dec1b077326e101ce0f4

Filesize: 69KB
MD5: a7f2c5baccbc55e5078a1df90da2adaf
SHA1: c966818caf87c73e2774cbe3ff6f0dfcd197e170
SHA256: b5061e82fef9cf73cb6ca63c4333ee5b960b8d8e48a6240d0c464dbf68d1e931
SHA512: c9806bff74d02a2ab493ee68d85d006d47c41e7890901ba6dc971b4d8f28a020012dffdfc35edc37e0bb634a7163a2c5d5b6f88d8a4dfcb85f9cd97f2f9019e6

Filesize: 70KB
MD5: f0c66cc05bca972a58f0d330fbc6475a
SHA1: 6510de93b3d633ac230220aead622e056bab2d00
SHA256: 3e58788a259c20436336168a1fe99177b8f046a76fadbe4c3203ae01fb4014f2
SHA512: 539d76342987b0a7befba7a6ddf8533c0a2f48b4793e959a2541b31362e5fb6152afeeefdf70dd89ed06523df53edccdf19f6c269a33d709fdacfa831edd96ec

Filesize: 66KB
MD5: 693a82914b49b191643ad0f43eb9a900
SHA1: f6e7985eedd72da51862f9811f267c0d352e0e98
SHA256: 74e293b7083f9c80faed2e1e53d5ed53e9b2c61a838d20a9375012990a6010d7
SHA512: 62d0e9d4be417b95ac0eca9563e1e9725559127683522ea6103405e4c332ab2e7067330d4589c71efb5ebb615504aec2a7710afa7f8489dde3a5f0bd8e4febc1
(Identical in size and every hash to the submitted sample in the General section; the report does not map these four entries to the dropped file names above.)