5c496f0bd43404bcd3c00e563c89abba1bfd2c5c5331bb7ac2f5c147d4270e97

General

Target

08bcc9f80d735add17eb5b32c60a3c10_NeikiAnalytics.exe
Size

72KB
MD5

08bcc9f80d735add17eb5b32c60a3c10
SHA1

c9ee77c99135caa3c27008574d7ee1164225805d
SHA256

5c496f0bd43404bcd3c00e563c89abba1bfd2c5c5331bb7ac2f5c147d4270e97
SHA512

3569a65d3b6f851d61000e18f91447aeea18736c1760201b60d01f7683f569ccb30319baae270ffb92e2272bff25b2f49c76b4bbbfb291806e17106a49058440
SSDEEP

1536:DOa2kZ+qcAGVRIcUjmTeyovQe1RLP0sLJtoz9ZDu7GOXTm:DOYZTBORVUjtvR1L96BSXK

Score

7^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

Flaseher.exe

pid process

49052 Flaseher.exe

pid	process
49052	Flaseher.exe

Loads dropped DLL 5 IoCs

Processes:

08bcc9f80d735add17eb5b32c60a3c10_NeikiAnalytics.exe

pid	process
162088	08bcc9f80d735add17eb5b32c60a3c10_NeikiAnalytics.exe
162088	08bcc9f80d735add17eb5b32c60a3c10_NeikiAnalytics.exe
162088	08bcc9f80d735add17eb5b32c60a3c10_NeikiAnalytics.exe
162088	08bcc9f80d735add17eb5b32c60a3c10_NeikiAnalytics.exe
162088	08bcc9f80d735add17eb5b32c60a3c10_NeikiAnalytics.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1980-0-0x0000000000400000-0x0000000000422000-memory.dmp	upx
behavioral1/memory/1980-315-0x0000000000400000-0x0000000000422000-memory.dmp	upx
behavioral1/memory/1980-445519-0x0000000002750000-0x0000000002772000-memory.dmp	upx
behavioral1/memory/162088-445528-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/1980-445531-0x0000000000400000-0x0000000000422000-memory.dmp	upx
\Users\Admin\AppData\Roaming\..Flash\Flaseher.exe	upx
behavioral1/memory/162088-445562-0x0000000002670000-0x0000000002692000-memory.dmp	upx
behavioral1/memory/162088-463708-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/49052-513396-0x0000000000400000-0x0000000000422000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\.Flasfh = "C:\\Users\\Admin\\AppData\\Roaming\\..Flash\\Flaseher.exe"	reg.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

08bcc9f80d735add17eb5b32c60a3c10_NeikiAnalytics.exe

description	pid	process	target process
PID 1980 set thread context of 162088	1980	08bcc9f80d735add17eb5b32c60a3c10_NeikiAnalytics.exe	08bcc9f80d735add17eb5b32c60a3c10_NeikiAnalytics.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

08bcc9f80d735add17eb5b32c60a3c10_NeikiAnalytics.exe08bcc9f80d735add17eb5b32c60a3c10_NeikiAnalytics.exeFlaseher.exe

pid process

1980 08bcc9f80d735add17eb5b32c60a3c10_NeikiAnalytics.exe
162088 08bcc9f80d735add17eb5b32c60a3c10_NeikiAnalytics.exe
49052 Flaseher.exe

pid	process
1980	08bcc9f80d735add17eb5b32c60a3c10_NeikiAnalytics.exe
162088	08bcc9f80d735add17eb5b32c60a3c10_NeikiAnalytics.exe
49052	Flaseher.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

08bcc9f80d735add17eb5b32c60a3c10_NeikiAnalytics.exe08bcc9f80d735add17eb5b32c60a3c10_NeikiAnalytics.execmd.exe

description	pid	process	target process
PID 1980 wrote to memory of 162088	1980	08bcc9f80d735add17eb5b32c60a3c10_NeikiAnalytics.exe	08bcc9f80d735add17eb5b32c60a3c10_NeikiAnalytics.exe
PID 1980 wrote to memory of 162088	1980	08bcc9f80d735add17eb5b32c60a3c10_NeikiAnalytics.exe	08bcc9f80d735add17eb5b32c60a3c10_NeikiAnalytics.exe
PID 1980 wrote to memory of 162088	1980	08bcc9f80d735add17eb5b32c60a3c10_NeikiAnalytics.exe	08bcc9f80d735add17eb5b32c60a3c10_NeikiAnalytics.exe
PID 1980 wrote to memory of 162088	1980	08bcc9f80d735add17eb5b32c60a3c10_NeikiAnalytics.exe	08bcc9f80d735add17eb5b32c60a3c10_NeikiAnalytics.exe
PID 1980 wrote to memory of 162088	1980	08bcc9f80d735add17eb5b32c60a3c10_NeikiAnalytics.exe	08bcc9f80d735add17eb5b32c60a3c10_NeikiAnalytics.exe
PID 1980 wrote to memory of 162088	1980	08bcc9f80d735add17eb5b32c60a3c10_NeikiAnalytics.exe	08bcc9f80d735add17eb5b32c60a3c10_NeikiAnalytics.exe
PID 1980 wrote to memory of 162088	1980	08bcc9f80d735add17eb5b32c60a3c10_NeikiAnalytics.exe	08bcc9f80d735add17eb5b32c60a3c10_NeikiAnalytics.exe
PID 1980 wrote to memory of 162088	1980	08bcc9f80d735add17eb5b32c60a3c10_NeikiAnalytics.exe	08bcc9f80d735add17eb5b32c60a3c10_NeikiAnalytics.exe
PID 162088 wrote to memory of 162704	162088	08bcc9f80d735add17eb5b32c60a3c10_NeikiAnalytics.exe	cmd.exe
PID 162088 wrote to memory of 162704	162088	08bcc9f80d735add17eb5b32c60a3c10_NeikiAnalytics.exe	cmd.exe
PID 162088 wrote to memory of 162704	162088	08bcc9f80d735add17eb5b32c60a3c10_NeikiAnalytics.exe	cmd.exe
PID 162088 wrote to memory of 162704	162088	08bcc9f80d735add17eb5b32c60a3c10_NeikiAnalytics.exe	cmd.exe
PID 162704 wrote to memory of 48972	162704	cmd.exe	reg.exe
PID 162704 wrote to memory of 48972	162704	cmd.exe	reg.exe
PID 162704 wrote to memory of 48972	162704	cmd.exe	reg.exe
PID 162704 wrote to memory of 48972	162704	cmd.exe	reg.exe
PID 162088 wrote to memory of 49052	162088	08bcc9f80d735add17eb5b32c60a3c10_NeikiAnalytics.exe	Flaseher.exe
PID 162088 wrote to memory of 49052	162088	08bcc9f80d735add17eb5b32c60a3c10_NeikiAnalytics.exe	Flaseher.exe
PID 162088 wrote to memory of 49052	162088	08bcc9f80d735add17eb5b32c60a3c10_NeikiAnalytics.exe	Flaseher.exe
PID 162088 wrote to memory of 49052	162088	08bcc9f80d735add17eb5b32c60a3c10_NeikiAnalytics.exe	Flaseher.exe

C:\Users\Admin\AppData\Local\Temp\08bcc9f80d735add17eb5b32c60a3c10_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\08bcc9f80d735add17eb5b32c60a3c10_NeikiAnalytics.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1980

C:\Users\Admin\AppData\Local\Temp\08bcc9f80d735add17eb5b32c60a3c10_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\08bcc9f80d735add17eb5b32c60a3c10_NeikiAnalytics.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:162088

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\LTLAU.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:162704

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v ".Flasfh" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\..Flash\Flaseher.exe" /f
4⤵
- Adds Run key to start application
PID:48972

C:\Users\Admin\AppData\Roaming\..Flash\Flaseher.exe
"C:\Users\Admin\AppData\Roaming\..Flash\Flaseher.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:49052

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\LTLAU.bat
Filesize
145B

MD5
da0cbe87b720a79b294147ed6a4b98be

SHA1
ebf0dc9efd7a12cb192e355cda87546acb4ab360

SHA256
7ccfeff356fdccc9145bd1e263aa1c56360ca7b6552ed5a5665c596d02a627ed

SHA512
f55c4a3d24d2f11db5eda3c816d1cd3b8804a171a7bf715b13d60788247fbb352eafaa5bd4e0a8086c1013396be0a48c7bdb904ab0f974fa0c75e81e3d365acc

Download Submit
\Users\Admin\AppData\Roaming\..Flash\Flaseher.exe
Filesize
72KB

MD5
f5d8744a8efbf5fa8cabc5932a20b4a9

SHA1
5e31d0a934bc08ca6cdcc9aeb79f93d1568197ec

SHA256
4013dd075c31e09f8d9ebaeee14aede5c9f0c3bcd9a2f579c0da46d49f1e600a

SHA512
8a60a5ce500ae11466b77fdafc51f0ab3a7dea3d390b12c4e1907057853f53611468e1523a56a43ea29c10e7c70b0f4c3db55ef03e45a1effdcce9afee8d5ff2

Download Submit
memory/1980-445531-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1980-3-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/1980-13-0x0000000000416000-0x0000000000417000-memory.dmp

Filesize
4KB

Download
memory/1980-22-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/1980-52-0x0000000001C80000-0x0000000001C81000-memory.dmp

Filesize
4KB

Download
memory/1980-42-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/1980-315-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1980-117425-0x0000000000416000-0x0000000000417000-memory.dmp

Filesize
4KB

Download
memory/1980-9-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/1980-0-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1980-445519-0x0000000002750000-0x0000000002772000-memory.dmp

Filesize
136KB

Download
memory/1980-11-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/49052-513396-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/162088-445559-0x0000000002670000-0x0000000002692000-memory.dmp

Filesize
136KB

Download
memory/162088-445562-0x0000000002670000-0x0000000002692000-memory.dmp

Filesize
136KB

Download
memory/162088-445575-0x0000000002670000-0x0000000002692000-memory.dmp

Filesize
136KB

Download
memory/162088-445573-0x0000000002670000-0x0000000002692000-memory.dmp

Filesize
136KB

Download
memory/162088-463708-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/162088-488609-0x0000000002670000-0x0000000002692000-memory.dmp

Filesize
136KB

Download
memory/162088-496944-0x0000000002670000-0x0000000002692000-memory.dmp

Filesize
136KB

Download
memory/162088-496929-0x0000000002670000-0x0000000002692000-memory.dmp

Filesize
136KB

Download
memory/162088-445528-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads