metasploit | 822459aadd3fe611170cb20f2baab9bbd7257f9e91b2c05991838a2476f7b5a8

General

Target

a5766a5e510380e8a7f57caa195c0370_NeikiAnalytics.exe
Size

84KB
MD5

a5766a5e510380e8a7f57caa195c0370
SHA1

66335aedccef6eac0b41e9665a2f4ec11731ceed
SHA256

822459aadd3fe611170cb20f2baab9bbd7257f9e91b2c05991838a2476f7b5a8
SHA512

cacb925a3b120cacbebbe76e332b851615e44bc03c22d2930f3a729a36e6e9a6a930be6b52556a5c8772830d3c30700ee0006f82432eaa85ef4dd27dfae6d2d3
SSDEEP

768:EOmFWj5C2xhBtAeLoAodBXs2QSBV848F4ALyTNiR4yNA5lViUdyJWAE:3mFWjk2HAMuB82QSAbF4A1elVi8AE

Score

10^/10

metasploit backdoor evasion trojan

Malware Config

Extracted

Family

metasploit

Version

encoder/call4_dword_xor

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Modifies firewall policy service 2 TTPs 4 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Processes:

regedit.exeregedit.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	regedit.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	regedit.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	regedit.exe

Modifies security service 2 TTPs 4 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Processes:

regedit.exeregedit.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	regedit.exe

Drops file in Drivers directory 1 IoCs

Processes:

servicers.exe

description ioc process

File opened for modification C:\Windows\SysWOW64\drivers\tcpip.sys servicers.exe
Deletes itself 1 IoCs

Processes:

servicers.exe

pid process

2520 servicers.exe
Executes dropped EXE 1 IoCs

Processes:

servicers.exe

pid process

2520 servicers.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\drivers\tcpip.sys	servicers.exe

pid	process
2520	servicers.exe

pid	process
2520	servicers.exe

Drops file in System32 directory 1 IoCs

Processes:

servicers.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	servicers.exe

Drops file in Windows directory 2 IoCs

Processes:

a5766a5e510380e8a7f57caa195c0370_NeikiAnalytics.exe

description	ioc	process
File created	C:\Windows\system\servicers.exe	a5766a5e510380e8a7f57caa195c0370_NeikiAnalytics.exe
File opened for modification	C:\Windows\system\servicers.exe	a5766a5e510380e8a7f57caa195c0370_NeikiAnalytics.exe

Modifies data under HKEY_USERS 6 IoCs

Processes:

servicers.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	servicers.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	servicers.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	servicers.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	servicers.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	servicers.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	servicers.exe

Runs .reg file with regedit 2 IoCs

Processes:

regedit.exeregedit.exe

pid process

2060 regedit.exe
2532 regedit.exe
Runs net.exe

pid	process
2060	regedit.exe
2532	regedit.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

a5766a5e510380e8a7f57caa195c0370_NeikiAnalytics.execmd.exenet.execmd.execmd.exenet.execmd.exenet.exeservicers.execmd.exenet.execmd.exe

description	pid	process	target process
PID 1740 wrote to memory of 288	1740	a5766a5e510380e8a7f57caa195c0370_NeikiAnalytics.exe	cmd.exe
PID 1740 wrote to memory of 288	1740	a5766a5e510380e8a7f57caa195c0370_NeikiAnalytics.exe	cmd.exe
PID 1740 wrote to memory of 288	1740	a5766a5e510380e8a7f57caa195c0370_NeikiAnalytics.exe	cmd.exe
PID 1740 wrote to memory of 288	1740	a5766a5e510380e8a7f57caa195c0370_NeikiAnalytics.exe	cmd.exe
PID 288 wrote to memory of 1732	288	cmd.exe	net.exe
PID 288 wrote to memory of 1732	288	cmd.exe	net.exe
PID 288 wrote to memory of 1732	288	cmd.exe	net.exe
PID 288 wrote to memory of 1732	288	cmd.exe	net.exe
PID 1732 wrote to memory of 2872	1732	net.exe	net1.exe
PID 1732 wrote to memory of 2872	1732	net.exe	net1.exe
PID 1732 wrote to memory of 2872	1732	net.exe	net1.exe
PID 1732 wrote to memory of 2872	1732	net.exe	net1.exe
PID 1740 wrote to memory of 2796	1740	a5766a5e510380e8a7f57caa195c0370_NeikiAnalytics.exe	cmd.exe
PID 1740 wrote to memory of 2796	1740	a5766a5e510380e8a7f57caa195c0370_NeikiAnalytics.exe	cmd.exe
PID 1740 wrote to memory of 2796	1740	a5766a5e510380e8a7f57caa195c0370_NeikiAnalytics.exe	cmd.exe
PID 1740 wrote to memory of 2796	1740	a5766a5e510380e8a7f57caa195c0370_NeikiAnalytics.exe	cmd.exe
PID 2796 wrote to memory of 2532	2796	cmd.exe	regedit.exe
PID 2796 wrote to memory of 2532	2796	cmd.exe	regedit.exe
PID 2796 wrote to memory of 2532	2796	cmd.exe	regedit.exe
PID 2796 wrote to memory of 2532	2796	cmd.exe	regedit.exe
PID 1740 wrote to memory of 2560	1740	a5766a5e510380e8a7f57caa195c0370_NeikiAnalytics.exe	cmd.exe
PID 1740 wrote to memory of 2560	1740	a5766a5e510380e8a7f57caa195c0370_NeikiAnalytics.exe	cmd.exe
PID 1740 wrote to memory of 2560	1740	a5766a5e510380e8a7f57caa195c0370_NeikiAnalytics.exe	cmd.exe
PID 1740 wrote to memory of 2560	1740	a5766a5e510380e8a7f57caa195c0370_NeikiAnalytics.exe	cmd.exe
PID 1740 wrote to memory of 2552	1740	a5766a5e510380e8a7f57caa195c0370_NeikiAnalytics.exe	cmd.exe
PID 1740 wrote to memory of 2552	1740	a5766a5e510380e8a7f57caa195c0370_NeikiAnalytics.exe	cmd.exe
PID 1740 wrote to memory of 2552	1740	a5766a5e510380e8a7f57caa195c0370_NeikiAnalytics.exe	cmd.exe
PID 1740 wrote to memory of 2552	1740	a5766a5e510380e8a7f57caa195c0370_NeikiAnalytics.exe	cmd.exe
PID 2560 wrote to memory of 2696	2560	cmd.exe	net.exe
PID 2560 wrote to memory of 2696	2560	cmd.exe	net.exe
PID 2560 wrote to memory of 2696	2560	cmd.exe	net.exe
PID 2560 wrote to memory of 2696	2560	cmd.exe	net.exe
PID 2696 wrote to memory of 2580	2696	net.exe	net1.exe
PID 2696 wrote to memory of 2580	2696	net.exe	net1.exe
PID 2696 wrote to memory of 2580	2696	net.exe	net1.exe
PID 2696 wrote to memory of 2580	2696	net.exe	net1.exe
PID 2552 wrote to memory of 2524	2552	cmd.exe	net.exe
PID 2552 wrote to memory of 2524	2552	cmd.exe	net.exe
PID 2552 wrote to memory of 2524	2552	cmd.exe	net.exe
PID 2552 wrote to memory of 2524	2552	cmd.exe	net.exe
PID 2524 wrote to memory of 2540	2524	net.exe	net1.exe
PID 2524 wrote to memory of 2540	2524	net.exe	net1.exe
PID 2524 wrote to memory of 2540	2524	net.exe	net1.exe
PID 2524 wrote to memory of 2540	2524	net.exe	net1.exe
PID 2520 wrote to memory of 2648	2520	servicers.exe	cmd.exe
PID 2520 wrote to memory of 2648	2520	servicers.exe	cmd.exe
PID 2520 wrote to memory of 2648	2520	servicers.exe	cmd.exe
PID 2520 wrote to memory of 2648	2520	servicers.exe	cmd.exe
PID 2648 wrote to memory of 2588	2648	cmd.exe	net.exe
PID 2648 wrote to memory of 2588	2648	cmd.exe	net.exe
PID 2648 wrote to memory of 2588	2648	cmd.exe	net.exe
PID 2648 wrote to memory of 2588	2648	cmd.exe	net.exe
PID 2588 wrote to memory of 2992	2588	net.exe	net1.exe
PID 2588 wrote to memory of 2992	2588	net.exe	net1.exe
PID 2588 wrote to memory of 2992	2588	net.exe	net1.exe
PID 2588 wrote to memory of 2992	2588	net.exe	net1.exe
PID 2520 wrote to memory of 552	2520	servicers.exe	cmd.exe
PID 2520 wrote to memory of 552	2520	servicers.exe	cmd.exe
PID 2520 wrote to memory of 552	2520	servicers.exe	cmd.exe
PID 2520 wrote to memory of 552	2520	servicers.exe	cmd.exe
PID 552 wrote to memory of 2060	552	cmd.exe	regedit.exe
PID 552 wrote to memory of 2060	552	cmd.exe	regedit.exe
PID 552 wrote to memory of 2060	552	cmd.exe	regedit.exe
PID 552 wrote to memory of 2060	552	cmd.exe	regedit.exe

C:\Users\Admin\AppData\Local\Temp\a5766a5e510380e8a7f57caa195c0370_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\a5766a5e510380e8a7f57caa195c0370_NeikiAnalytics.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1740

C:\Windows\SysWOW64\cmd.exe
cmd /c net stop SharedAccess
2⤵
- Suspicious use of WriteProcessMemory
PID:288

C:\Windows\SysWOW64\net.exe
net stop SharedAccess
3⤵
- Suspicious use of WriteProcessMemory
PID:1732

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SharedAccess
4⤵
PID:2872

C:\Windows\SysWOW64\cmd.exe
cmd /c c:\a.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:2796

C:\Windows\SysWOW64\regedit.exe
REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
3⤵
- Modifies firewall policy service
- Modifies security service
- Runs .reg file with regedit
PID:2532

C:\Windows\SysWOW64\cmd.exe
cmd /c net stop "Security Center"
2⤵
- Suspicious use of WriteProcessMemory
PID:2560

C:\Windows\SysWOW64\net.exe
net stop "Security Center"
3⤵
- Suspicious use of WriteProcessMemory
PID:2696

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Security Center"
4⤵
PID:2580

C:\Windows\SysWOW64\cmd.exe
cmd /c net start SharedAccess
2⤵
- Suspicious use of WriteProcessMemory
PID:2552

C:\Windows\SysWOW64\net.exe
net start SharedAccess
3⤵
- Suspicious use of WriteProcessMemory
PID:2524

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start SharedAccess
4⤵
PID:2540

C:\Windows\system\servicers.exe
"C:\Windows\system\servicers.exe"
1⤵
- Drops file in Drivers directory
- Deletes itself
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:2520

C:\Windows\SysWOW64\cmd.exe
cmd /c net stop SharedAccess
2⤵
- Suspicious use of WriteProcessMemory
PID:2648

C:\Windows\SysWOW64\net.exe
net stop SharedAccess
3⤵
- Suspicious use of WriteProcessMemory
PID:2588

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SharedAccess
4⤵
PID:2992

C:\Windows\SysWOW64\cmd.exe
cmd /c c:\a.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:552

C:\Windows\SysWOW64\regedit.exe
REGEDIT /S C:\Windows\TEMP\1.reg
3⤵
- Modifies firewall policy service
- Modifies security service
- Runs .reg file with regedit
PID:2060

C:\Windows\SysWOW64\cmd.exe
cmd /c net stop "Security Center"
2⤵
PID:1236

C:\Windows\SysWOW64\net.exe
net stop "Security Center"
3⤵
PID:1408

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Security Center"
4⤵
PID:348

C:\Windows\SysWOW64\cmd.exe
cmd /c net start SharedAccess
2⤵
PID:1148

C:\Windows\SysWOW64\net.exe
net start SharedAccess
3⤵
PID:2156

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start SharedAccess
4⤵
PID:556

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Privilege Escalation

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1.reg
Filesize
640B

MD5
70237e6c7f12f17048117b2e1098aef9

SHA1
b9735214963e8e3b791bf7113bebbbbf65c4d36d

SHA256
6d93c70335964c039571168a9f805954a524287b1c628450a269ba14c10a096c

SHA512
bdfef5f2890afda7e9d786514d47cf2a25957c82d795ed7e71d614244fb67835fef03758e76ca1056751d7182ebad3442b412587ecc3d7dc1737d4743077bcee

Download Submit
C:\Windows\system\servicers.exe
Filesize
84KB

MD5
a5766a5e510380e8a7f57caa195c0370

SHA1
66335aedccef6eac0b41e9665a2f4ec11731ceed

SHA256
822459aadd3fe611170cb20f2baab9bbd7257f9e91b2c05991838a2476f7b5a8

SHA512
cacb925a3b120cacbebbe76e332b851615e44bc03c22d2930f3a729a36e6e9a6a930be6b52556a5c8772830d3c30700ee0006f82432eaa85ef4dd27dfae6d2d3

Download Submit
C:\a.bat
Filesize
1KB

MD5
d807ec0161c542b23e37898db356c95b

SHA1
0aac2ef8e1d77868d932a10007efcbd0b69ecdfc

SHA256
56cdc18d3a8b4f2059f1e17e7017b10dcfe2eef840190843dc04fa737f5b6a37

SHA512
538082e228d8e61e09d368f674b581550791153b107abe189623666b81731b7f3470a079043d7ac96339217361d73b5fe62ae2b5b103499ddf750fb89d492cdf

Download Submit
memory/1740-0-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1740-1-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/1740-65-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2520-34-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2520-66-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2520-69-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2520-71-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2520-74-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2520-77-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads