Analysis
max time kernel: 149s
max time network: 140s
platform: windows7_x64
resource: win7-20240215-en
resource tags: arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
submitted: 11/05/2024, 18:41
Static task: static1
Behavioral task: behavioral1
  Sample: 29cf7612c567c31341256b53c71a8830_NeikiAnalytics.exe
  Resource: win7-20240215-en
Behavioral task: behavioral2
  Sample: 29cf7612c567c31341256b53c71a8830_NeikiAnalytics.exe
  Resource: win10v2004-20240226-en
General
Target: 29cf7612c567c31341256b53c71a8830_NeikiAnalytics.exe
Size: 70KB
MD5: 29cf7612c567c31341256b53c71a8830
SHA1: fe0dd686f6d3dff9aacd289f409045f99ca1a58b
SHA256: 6b542e79f6a0223462c61a73d1e2c4ad7367967a64e329dde16d0630e1ad1863
SHA512: 23359053fb958e9a5f99e6a4909c21c7bc66853d7180030becb6368d7f571ba03bb86c516f1ffb551eedb40f7ad9b21e2a51b902c26b9b47b018f63d8e64893a
SSDEEP: 1536:1teqKDlXvCDB04f5Gn/L8FlADNt3d1Hw8Qy:Olg35GTslA5t3/w8Qy
Malware Config
Signatures
-
Windows security bypass 4 IoCs (signature name taken from the process tree below; the heading was missing here)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600" | ihseasoos.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600" | ihseasoos.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "25600" | ihseasoos.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600" | ihseasoos.exe
-
Modifies Installed Components in the registry 2 TTPs 4 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4748505A-5247-4643-4748-505A52474643}\01234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123 = "a" | ihseasoos.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4748505A-5247-4643-4748-505A52474643}\IsInstalled = "1" | ihseasoos.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4748505A-5247-4643-4748-505A52474643}\StubPath = "C:\\Windows\\system32\\arxetun-oudoab.exe" | ihseasoos.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4748505A-5247-4643-4748-505A52474643} | ihseasoos.exe
-
Sets file execution options in registry 2 TTPs 3 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\0123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890 = "a" | ihseasoos.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger = "C:\\Windows\\system32\\oufboonub-ehooc.exe" | ihseasoos.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe | ihseasoos.exe
-
Executes dropped EXE 2 IoCs
pid | Process
1800 | ihseasoos.exe
1164 | ihseasoos.exe
-
Loads dropped DLL 3 IoCs
pid | Process
1304 | 29cf7612c567c31341256b53c71a8830_NeikiAnalytics.exe
1304 | 29cf7612c567c31341256b53c71a8830_NeikiAnalytics.exe
1800 | ihseasoos.exe
-
Windows security modification 4 IoCs (signature name taken from the process tree below; the heading was missing here)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600" | ihseasoos.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "25600" | ihseasoos.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600" | ihseasoos.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600" | ihseasoos.exe
-
Modifies WinLogon 2 TTPs 5 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify | ihseasoos.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345 = "a" | ihseasoos.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\DLLName = "C:\\Windows\\system32\\isnomir-omoab.dll" | ihseasoos.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\Startup = "Startup" | ihseasoos.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B} | ihseasoos.exe
-
Drops file in System32 directory 9 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\isnomir-omoab.dll | ihseasoos.exe
File opened for modification | C:\Windows\SysWOW64\ihseasoos.exe | ihseasoos.exe
File created | C:\Windows\SysWOW64\ihseasoos.exe | 29cf7612c567c31341256b53c71a8830_NeikiAnalytics.exe
File opened for modification | C:\Windows\SysWOW64\oufboonub-ehooc.exe | ihseasoos.exe
File created | C:\Windows\SysWOW64\oufboonub-ehooc.exe | ihseasoos.exe
File created | C:\Windows\SysWOW64\arxetun-oudoab.exe | ihseasoos.exe
File opened for modification | C:\Windows\SysWOW64\ihseasoos.exe | 29cf7612c567c31341256b53c71a8830_NeikiAnalytics.exe
File opened for modification | C:\Windows\SysWOW64\arxetun-oudoab.exe | ihseasoos.exe
File created | C:\Windows\SysWOW64\isnomir-omoab.dll | ihseasoos.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process | entries
1800 | ihseasoos.exe | 63 (all entries except the one below; the single 1164 entry is the fifth in the original list)
1164 | ihseasoos.exe | 1
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
description | pid | Process
Token: SeDebugPrivilege | 1304 | 29cf7612c567c31341256b53c71a8830_NeikiAnalytics.exe
Token: SeDebugPrivilege | 1800 | ihseasoos.exe
-
Suspicious use of WriteProcessMemory 64 IoCs (identical consecutive rows collapsed; the entries column gives the repeat count, 64 rows in total, in original order)
description | pid | Process | procid_target | entries
PID 1304 wrote to memory of 1800 | 1304 | 29cf7612c567c31341256b53c71a8830_NeikiAnalytics.exe | 28 | 4
PID 1800 wrote to memory of 436 | 1800 | ihseasoos.exe | 5 | 1
PID 1800 wrote to memory of 1208 | 1800 | ihseasoos.exe | 21 | 2
PID 1800 wrote to memory of 1164 | 1800 | ihseasoos.exe | 29 | 4
PID 1800 wrote to memory of 1208 | 1800 | ihseasoos.exe | 21 | 53
Processes
-
C:\Windows\system32\winlogon.exe (command line: winlogon.exe), depth 1, PID:436
-
C:\Windows\Explorer.EXE (command line: C:\Windows\Explorer.EXE), depth 1, PID:1208
-
  C:\Users\Admin\AppData\Local\Temp\29cf7612c567c31341256b53c71a8830_NeikiAnalytics.exe (command line: "C:\Users\Admin\AppData\Local\Temp\29cf7612c567c31341256b53c71a8830_NeikiAnalytics.exe"), depth 2, PID:1304
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  -
    C:\Windows\SysWOW64\ihseasoos.exe (command line: "C:\Windows\system32\ihseasoos.exe"), depth 3, PID:1800
    - Windows security bypass
    - Modifies Installed Components in the registry
    - Sets file execution options in registry
    - Executes dropped EXE
    - Loads dropped DLL
    - Windows security modification
    - Modifies WinLogon
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    -
      C:\Windows\SysWOW64\ihseasoos.exe (command line: --k33p), depth 4, PID:1164
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 72KB
MD5: b5e76363c58dd43108d8aabfee13f37b
SHA1: bfc12e8d445905247d8259db5cacb1c1fa713a03
SHA256: 2402db1249aaa4e0c2745edb7ce6667d16f4fc7774c4f684561a5e1ae5bb64e4
SHA512: 106d3983cd61aeec6f01f5f27d5a2eaa7a857a6c9b497f5d7480fc5e1a32c3b17f2c54fff43171e626c2e667dc7b264d8426a9d90962f0db39b53b55e910daaf
-
Filesize: 5KB
MD5: f37b21c00fd81bd93c89ce741a88f183
SHA1: b2796500597c68e2f5638e1101b46eaf32676c1c
SHA256: 76cf016fd77cb5a06c6ed4674ddc2345e8390c010cf344491a6e742baf2c0fb0
SHA512: 252fe66dea9a4b9aebc5fd2f24434719cb25159ba51549d9de407f44b6a2f7bce6e071be02c4f2ad6aef588c77f12c00ed415eb54f96dec1b077326e101ce0f4
-
Filesize: 73KB
MD5: 20daad5f595915cc58df14ed78ffaeba
SHA1: 997d35ada0be749dfd5096d74f4f2c2c7bfd049c
SHA256: 60f98b544b08d97e868b9b3419c6509753ff26732a2b86caf12db62a3ff43e6c
SHA512: a1b85a53815232ed9ef8498132d3434f798f32d0ae553d4f421eec106274470ba93ae8f6251ef6b000f4ad8d3ea25f13492162e9765388d14c31841f4005d4d4
-
Filesize: 70KB
MD5: 29cf7612c567c31341256b53c71a8830
SHA1: fe0dd686f6d3dff9aacd289f409045f99ca1a58b
SHA256: 6b542e79f6a0223462c61a73d1e2c4ad7367967a64e329dde16d0630e1ad1863
SHA512: 23359053fb958e9a5f99e6a4909c21c7bc66853d7180030becb6368d7f571ba03bb86c516f1ffb551eedb40f7ad9b21e2a51b902c26b9b47b018f63d8e64893a