9705d27cb7d852597f89403e61f91623604c7cee7de05c99932b73ed7e1c5770

General

Target

6b82836e7f5c9435cc56e7b336ba8fb0_NeikiAnalytics.exe
Size

47KB
MD5

6b82836e7f5c9435cc56e7b336ba8fb0
SHA1

eb9f325591bc4189aa0ba7b72a25357257def57b
SHA256

9705d27cb7d852597f89403e61f91623604c7cee7de05c99932b73ed7e1c5770
SHA512

b9d503c09de969a9b77e05f04455d7e634cde069a8d51272448d9f5eb830527f073bd98d31f35def6ee16b7def0c04a8f25ced8befcad71ecf1d4dfd631f7313
SSDEEP

768:KLE/E18f6sHdtc577Bsn7P9dr56l6PNSY955O1s23:6EmItchBu7PvCYH5EP

Score

8^/10

Malware Config

Signatures

Manipulates Digital Signatures 1 TTPs 2 IoCs

Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\SystemCertificates\TrustedPublisher\Certificates\77B09B7CF0FB1CDE58F9FB218930240421E1B844\Blob = 03000000010000001400000077b09b7cf0fb1cde58f9fb218930240421e1b8442000000001000000500500003082054c30820434a0030201020211008d2bb72248d9487a29226fcec3f0be3f300d06092a864886f70d0101050500308195310b3009060355040613025553310b3009060355040813025554311730150603550407130e53616c74204c616b652043697479311e301c060355040a131554686520555345525452555354204e6574776f726b3121301f060355040b1318687474703a2f2f7777772e7573657274727573742e636f6d311d301b0603550403131455544e2d5553455246697273742d4f626a656374301e170d3131303330383030303030305a170d3134303330373233353935395a3081b8310b3009060355040613025553310e300c06035504110c053237363039310b300906035504080c024e433110300e06035504070c0752616c656967683112301006035504090c09537569746520333230311a301806035504090c11343730302053697820466f726b7320526431243022060355040a0c1b456c73696e6f726520546563686e6f6c6f676965732c20496e632e3124302206035504030c1b456c73696e6f726520546563686e6f6c6f676965732c20496e632e30820122300d06092a864886f70d01010105000382010f003082010a0282010100abf9ad4e15d008c4358cfcb32156ddf0b5376d341e8ba851a24b26d8df01f578030c7e5c72ee24a309ae8aa511fcd0c07a250d00f84c973e3e3483f1712676df773a2b76c5edb774e43445ffb2636c5ca7ea415a975d1b5a4b522c0081bc7b6918c3d1dfc382b132b7495bd3db0ec6947f3bd4ab736d026f861d836823058f682ddde875500310037b49ce64b3d58e8ee0c2081c3449ce5d8c7eb0ec2107b95d65c7074deb2229d60d9763aa2c24f1b8fe0f5cd9c108ca5a13834234ff17d2111d5fafdd8ef0d29264da87fa162e339fa2bca7f94d9c0015a825397017b84e27e5301f89eca002ccace180e1973721047c97bd0dbc3f35a8a0ae76dcb03a15450203010001a38201703082016c301f0603551d23041830168014daed6474149c143cabdd99a9bd5b284d8b3cc9d8301d0603551d0e0416041477515e5191e47b75259e7de6316fbd1be3296a09300e0603551d0f0101ff040403020780300c0603551d130101ff0402300030130603551d25040c300a06082b06010505070303301106096086480186f842010104040302041030460603551d20043f303d303b060c2b06010401b2310102010302302b302906082b06010505070201161d68747470733a2f2f7365637572652e636f6d6f646f2e6e65742f43505330420603551d1f043b30393037a035a0338631687474703a2f2f63726c2e7573657274727573742e636f6d2f55544e2d5553455246697273742d4f626a6563742e63726c303406082b0601050507010104283026302406082b060105050730018618687474703a2f2f6f6373702e636f6d6f646f63612e636f6d30220603551d11041b3019811773616c65734073637265656e636f6e6e6563742e636f6d300d06092a864886f70d0101050500038201010091d0dcffbe9ad859422e36d844bff0ba9c1861bd71eba770e2331dfccdc2c09e3d5785549be78c7384ba7cff34fc85f118b094a7a448c3c779b3c9b47275dc57d74df667ee74387d999c806f53da7b9bb40ded0899cd61eedda5528d74bdd57b38227d2e0132ae83f217debac63c37c1f5cbf0ec15c190992cc2b05e00c8903a412e255107b3813cd81dc06a129bf3d769a61ce725848853b2a61e5cec5d04a832acffbfbde0e75d8e242c4c574ac3c9bb15f57cd0d55e8585f619b6f8d6ac6af7e3705d8143aa8b09176b5792f7185195ad5c99894566841e735432349d1db1e3b654bea513e7515f4b036b1024a6db1f8d15c33ff18d6dfeb317b8eef1154c	6b82836e7f5c9435cc56e7b336ba8fb0_NeikiAnalytics.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\SystemCertificates\TrustedPublisher\Certificates\77B09B7CF0FB1CDE58F9FB218930240421E1B844	6b82836e7f5c9435cc56e7b336ba8fb0_NeikiAnalytics.exe

Modifies registry class 21 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Visibility	dfsvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\StateManager\StateStore_RandomString = "KO9LPN82D1AL13P2LRLBC92C"	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\StateManager\Applications	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\StateManager\Families	dfsvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\ComponentStore_RandomString = "68ZJDYJ0CATBZHEMARB839PE"	dfsvc.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0	dfsvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\ComponentStore_RandomString = "25EA722E6Q7ZRE0E89Z1E1NJ"	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Categories	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\PackageMetadata	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\VisibilityRoots	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Software\Microsoft	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Software\Microsoft\Windows	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Assemblies	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Installations	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\StateManager	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Software	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide	dfsvc.exe

Modifies system certificate store 2 TTPs 3 IoCs

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\SystemCertificates\TrustedPublisher\Certificates\77B09B7CF0FB1CDE58F9FB218930240421E1B844	6b82836e7f5c9435cc56e7b336ba8fb0_NeikiAnalytics.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\SystemCertificates\TrustedPublisher\Certificates\77B09B7CF0FB1CDE58F9FB218930240421E1B844\Blob = 03000000010000001400000077b09b7cf0fb1cde58f9fb218930240421e1b8442000000001000000500500003082054c30820434a0030201020211008d2bb72248d9487a29226fcec3f0be3f300d06092a864886f70d0101050500308195310b3009060355040613025553310b3009060355040813025554311730150603550407130e53616c74204c616b652043697479311e301c060355040a131554686520555345525452555354204e6574776f726b3121301f060355040b1318687474703a2f2f7777772e7573657274727573742e636f6d311d301b0603550403131455544e2d5553455246697273742d4f626a656374301e170d3131303330383030303030305a170d3134303330373233353935395a3081b8310b3009060355040613025553310e300c06035504110c053237363039310b300906035504080c024e433110300e06035504070c0752616c656967683112301006035504090c09537569746520333230311a301806035504090c11343730302053697820466f726b7320526431243022060355040a0c1b456c73696e6f726520546563686e6f6c6f676965732c20496e632e3124302206035504030c1b456c73696e6f726520546563686e6f6c6f676965732c20496e632e30820122300d06092a864886f70d01010105000382010f003082010a0282010100abf9ad4e15d008c4358cfcb32156ddf0b5376d341e8ba851a24b26d8df01f578030c7e5c72ee24a309ae8aa511fcd0c07a250d00f84c973e3e3483f1712676df773a2b76c5edb774e43445ffb2636c5ca7ea415a975d1b5a4b522c0081bc7b6918c3d1dfc382b132b7495bd3db0ec6947f3bd4ab736d026f861d836823058f682ddde875500310037b49ce64b3d58e8ee0c2081c3449ce5d8c7eb0ec2107b95d65c7074deb2229d60d9763aa2c24f1b8fe0f5cd9c108ca5a13834234ff17d2111d5fafdd8ef0d29264da87fa162e339fa2bca7f94d9c0015a825397017b84e27e5301f89eca002ccace180e1973721047c97bd0dbc3f35a8a0ae76dcb03a15450203010001a38201703082016c301f0603551d23041830168014daed6474149c143cabdd99a9bd5b284d8b3cc9d8301d0603551d0e0416041477515e5191e47b75259e7de6316fbd1be3296a09300e0603551d0f0101ff040403020780300c0603551d130101ff0402300030130603551d25040c300a06082b06010505070303301106096086480186f842010104040302041030460603551d20043f303d303b060c2b06010401b2310102010302302b302906082b06010505070201161d68747470733a2f2f7365637572652e636f6d6f646f2e6e65742f43505330420603551d1f043b30393037a035a0338631687474703a2f2f63726c2e7573657274727573742e636f6d2f55544e2d5553455246697273742d4f626a6563742e63726c303406082b0601050507010104283026302406082b060105050730018618687474703a2f2f6f6373702e636f6d6f646f63612e636f6d30220603551d11041b3019811773616c65734073637265656e636f6e6e6563742e636f6d300d06092a864886f70d0101050500038201010091d0dcffbe9ad859422e36d844bff0ba9c1861bd71eba770e2331dfccdc2c09e3d5785549be78c7384ba7cff34fc85f118b094a7a448c3c779b3c9b47275dc57d74df667ee74387d999c806f53da7b9bb40ded0899cd61eedda5528d74bdd57b38227d2e0132ae83f217debac63c37c1f5cbf0ec15c190992cc2b05e00c8903a412e255107b3813cd81dc06a129bf3d769a61ce725848853b2a61e5cec5d04a832acffbfbde0e75d8e242c4c574ac3c9bb15f57cd0d55e8585f619b6f8d6ac6af7e3705d8143aa8b09176b5792f7185195ad5c99894566841e735432349d1db1e3b654bea513e7515f4b036b1024a6db1f8d15c33ff18d6dfeb317b8eef1154c	6b82836e7f5c9435cc56e7b336ba8fb0_NeikiAnalytics.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\SystemCertificates\TrustedPublisher\Certificates\77B09B7CF0FB1CDE58F9FB218930240421E1B844	6b82836e7f5c9435cc56e7b336ba8fb0_NeikiAnalytics.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2420	dfsvc.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2244 wrote to memory of 2420	2244	6b82836e7f5c9435cc56e7b336ba8fb0_NeikiAnalytics.exe	28
PID 2244 wrote to memory of 2420	2244	6b82836e7f5c9435cc56e7b336ba8fb0_NeikiAnalytics.exe	28
PID 2244 wrote to memory of 2420	2244	6b82836e7f5c9435cc56e7b336ba8fb0_NeikiAnalytics.exe	28
PID 2244 wrote to memory of 2420	2244	6b82836e7f5c9435cc56e7b336ba8fb0_NeikiAnalytics.exe	28

C:\Users\Admin\AppData\Local\Temp\6b82836e7f5c9435cc56e7b336ba8fb0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\6b82836e7f5c9435cc56e7b336ba8fb0_NeikiAnalytics.exe"
1⤵
- Manipulates Digital Signatures
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:2244
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"
  2⤵
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  PID:2420

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

2

T1553

Install Root Certificate

1

T1553.004

SIP and Trust Provider Hijacking

1

T1553.003

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2420-0-0x000007FEF4E43000-0x000007FEF4E44000-memory.dmp

Filesize
4KB

Download
memory/2420-1-0x0000000000CF0000-0x0000000000CF8000-memory.dmp

Filesize
32KB

Download
memory/2420-2-0x000007FEF4E40000-0x000007FEF582C000-memory.dmp

Filesize
9.9MB

Download
memory/2420-3-0x000007FEF4E43000-0x000007FEF4E44000-memory.dmp

Filesize
4KB

Download
memory/2420-5-0x000007FEF4E40000-0x000007FEF582C000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing