59db1b6aed44263cb2ba288364cd8605cc1e60793eefe8308ee124937485758a

Analysis

max time kernel
134s
max time network
136s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
11-05-2024 04:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7f28c246b095a46b35f9b9a9855e8ca0_NeikiAnalytics.exe
Size

117KB
MD5

7f28c246b095a46b35f9b9a9855e8ca0
SHA1

144253f125607228052f8592caa5808a9535f89a
SHA256

59db1b6aed44263cb2ba288364cd8605cc1e60793eefe8308ee124937485758a
SHA512

e94b4ab1ef9096ccb69b434fea2fa4a1d67fc749ee67ee920b09c79254f5bbeec9eea23879cda1bb1752ed7fe3e774ee3435bfa4fb80bef1e6bcce6b09b27712
SSDEEP

3072:qJO248B0EMlI/xbHPwYV/wlmNie0ROfOlA:qTLSzI/xMYV/9i1M

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3456	winlgon.exe
4784	rgsvr32.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\winlgon.exe = "c:\\users\\admin\\appdata\\local\\temp\\winlgon.exe"	7f28c246b095a46b35f9b9a9855e8ca0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlgon.exe = "c:\\users\\admin\\appdata\\local\\temp\\winlgon.exe"	7f28c246b095a46b35f9b9a9855e8ca0_NeikiAnalytics.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
4224	7f28c246b095a46b35f9b9a9855e8ca0_NeikiAnalytics.exe
3456	winlgon.exe
3456	winlgon.exe
3456	winlgon.exe
3456	winlgon.exe
3456	winlgon.exe
3456	winlgon.exe
4784	rgsvr32.exe
4784	rgsvr32.exe
4784	rgsvr32.exe
4784	rgsvr32.exe
3456	winlgon.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4224 wrote to memory of 3456	4224	7f28c246b095a46b35f9b9a9855e8ca0_NeikiAnalytics.exe	83
PID 4224 wrote to memory of 3456	4224	7f28c246b095a46b35f9b9a9855e8ca0_NeikiAnalytics.exe	83
PID 4224 wrote to memory of 3456	4224	7f28c246b095a46b35f9b9a9855e8ca0_NeikiAnalytics.exe	83
PID 3456 wrote to memory of 4784	3456	winlgon.exe	84
PID 3456 wrote to memory of 4784	3456	winlgon.exe	84
PID 3456 wrote to memory of 4784	3456	winlgon.exe	84

C:\Users\Admin\AppData\Local\Temp\7f28c246b095a46b35f9b9a9855e8ca0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\7f28c246b095a46b35f9b9a9855e8ca0_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4224
- \??\c:\users\admin\appdata\local\temp\winlgon.exe
  c:\users\admin\appdata\local\temp\winlgon.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3456
- - C:\Users\Admin\AppData\Local\Temp\rgsvr32.exe
    C:\Users\Admin\AppData\Local\Temp\rgsvr32.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RCX449A.tmp

Filesize
116KB

MD5
9b2d2825cf4506c7ee8a71d6ee7ba837

SHA1
fde5ba9e11569dd14b1e2145bae5b9fe49385762

SHA256
a1c02f1f42508a8ff4b6a91b3d89437b858e41e40fc236c755de0c9ebbb3abc9

SHA512
e6e3fd9aa84610dd57ed118e2a313f5c22102b05c56f169a130c37d3d849dbd5883614aeba3eac74164082b331b5a5c09df3d89b997568c8e406a17409579b01

Download Submit
C:\Users\Admin\AppData\Local\Temp\rgsvr32.exe

Filesize
32KB

MD5
a22518e8a73ec19da806817d825d8a9c

SHA1
6f99e1591e1ce68ac44cd760729b2aeb2cba3559

SHA256
1ab5d2ea45fbff4444eabb45a3a31538730ce56f2b9c041bcab958e3c69db97b

SHA512
8f56ea79eab4b2e1d6b81981a9cd4f9652821b1cf17337ff3abf5796654fef08859fe4fa186015507b00ac606eefade1541235fcc6202ebf5257a1311638511e

Download Submit
C:\Users\Admin\AppData\Local\Temp\winlgon.exe

Filesize
117KB

MD5
c2ea2231864c6ab0e80558ba6b11740a

SHA1
66258ae4732a1ddebd6b8eb51f73a9dc61e84d0d

SHA256
b0fa219d3b9f187655a026e1b7b99f2743a62cd6035fb261bd6035cc575b39fc

SHA512
e2a2415044d3cfc1bc4b1870316425f7d01b527fae12f0d2672aad8b17859eee71d2551c1de13d27e3663c13b0c64f743eb6c36ef02c79b913e9f4885c89eea8

Download Submit
memory/3456-12-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3456-26-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4224-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4224-19-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads