metasploit | 822459aadd3fe611170cb20f2baab9bbd7257f9e91b2c05991838a2476f7b5a8

General

Target

a5766a5e510380e8a7f57caa195c0370_NeikiAnalytics.exe
Size

84KB
MD5

a5766a5e510380e8a7f57caa195c0370
SHA1

66335aedccef6eac0b41e9665a2f4ec11731ceed
SHA256

822459aadd3fe611170cb20f2baab9bbd7257f9e91b2c05991838a2476f7b5a8
SHA512

cacb925a3b120cacbebbe76e332b851615e44bc03c22d2930f3a729a36e6e9a6a930be6b52556a5c8772830d3c30700ee0006f82432eaa85ef4dd27dfae6d2d3
SSDEEP

768:EOmFWj5C2xhBtAeLoAodBXs2QSBV848F4ALyTNiR4yNA5lViUdyJWAE:3mFWjk2HAMuB82QSAbF4A1elVi8AE

Score

10^/10

metasploit backdoor evasion trojan

Malware Config

Extracted

Family

metasploit

Version

encoder/call4_dword_xor

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Modifies firewall policy service 2 TTPs 4 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Processes:

regedit.exeregedit.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	regedit.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	regedit.exe

Modifies security service 2 TTPs 4 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Processes:

regedit.exeregedit.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	regedit.exe

Drops file in Drivers directory 1 IoCs

Processes:

servicers.exe

description ioc process

File opened for modification C:\Windows\SysWOW64\drivers\tcpip.sys servicers.exe
Deletes itself 1 IoCs

Processes:

servicers.exe

pid process

464 servicers.exe
Executes dropped EXE 1 IoCs

Processes:

servicers.exe

pid process

464 servicers.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\drivers\tcpip.sys	servicers.exe

pid	process
464	servicers.exe

pid	process
464	servicers.exe

Drops file in Windows directory 2 IoCs

Processes:

a5766a5e510380e8a7f57caa195c0370_NeikiAnalytics.exe

description	ioc	process
File created	C:\Windows\system\servicers.exe	a5766a5e510380e8a7f57caa195c0370_NeikiAnalytics.exe
File opened for modification	C:\Windows\system\servicers.exe	a5766a5e510380e8a7f57caa195c0370_NeikiAnalytics.exe

Runs .reg file with regedit 2 IoCs

Processes:

regedit.exeregedit.exe

pid process

2000 regedit.exe
1512 regedit.exe
Runs net.exe

pid	process
2000	regedit.exe
1512	regedit.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

a5766a5e510380e8a7f57caa195c0370_NeikiAnalytics.execmd.exenet.execmd.exeservicers.execmd.exenet.execmd.exenet.execmd.exenet.execmd.execmd.execmd.exenet.exenet.exe

description	pid	process	target process
PID 4920 wrote to memory of 3000	4920	a5766a5e510380e8a7f57caa195c0370_NeikiAnalytics.exe	cmd.exe
PID 4920 wrote to memory of 3000	4920	a5766a5e510380e8a7f57caa195c0370_NeikiAnalytics.exe	cmd.exe
PID 4920 wrote to memory of 3000	4920	a5766a5e510380e8a7f57caa195c0370_NeikiAnalytics.exe	cmd.exe
PID 3000 wrote to memory of 4596	3000	cmd.exe	net.exe
PID 3000 wrote to memory of 4596	3000	cmd.exe	net.exe
PID 3000 wrote to memory of 4596	3000	cmd.exe	net.exe
PID 4596 wrote to memory of 4476	4596	net.exe	net1.exe
PID 4596 wrote to memory of 4476	4596	net.exe	net1.exe
PID 4596 wrote to memory of 4476	4596	net.exe	net1.exe
PID 4920 wrote to memory of 228	4920	a5766a5e510380e8a7f57caa195c0370_NeikiAnalytics.exe	cmd.exe
PID 4920 wrote to memory of 228	4920	a5766a5e510380e8a7f57caa195c0370_NeikiAnalytics.exe	cmd.exe
PID 4920 wrote to memory of 228	4920	a5766a5e510380e8a7f57caa195c0370_NeikiAnalytics.exe	cmd.exe
PID 228 wrote to memory of 2000	228	cmd.exe	regedit.exe
PID 228 wrote to memory of 2000	228	cmd.exe	regedit.exe
PID 228 wrote to memory of 2000	228	cmd.exe	regedit.exe
PID 4920 wrote to memory of 3704	4920	a5766a5e510380e8a7f57caa195c0370_NeikiAnalytics.exe	cmd.exe
PID 4920 wrote to memory of 3704	4920	a5766a5e510380e8a7f57caa195c0370_NeikiAnalytics.exe	cmd.exe
PID 4920 wrote to memory of 3704	4920	a5766a5e510380e8a7f57caa195c0370_NeikiAnalytics.exe	cmd.exe
PID 4920 wrote to memory of 3240	4920	a5766a5e510380e8a7f57caa195c0370_NeikiAnalytics.exe	cmd.exe
PID 4920 wrote to memory of 3240	4920	a5766a5e510380e8a7f57caa195c0370_NeikiAnalytics.exe	cmd.exe
PID 4920 wrote to memory of 3240	4920	a5766a5e510380e8a7f57caa195c0370_NeikiAnalytics.exe	cmd.exe
PID 464 wrote to memory of 4628	464	servicers.exe	cmd.exe
PID 464 wrote to memory of 4628	464	servicers.exe	cmd.exe
PID 464 wrote to memory of 4628	464	servicers.exe	cmd.exe
PID 3704 wrote to memory of 3236	3704	cmd.exe	net.exe
PID 3704 wrote to memory of 3236	3704	cmd.exe	net.exe
PID 3704 wrote to memory of 3236	3704	cmd.exe	net.exe
PID 3236 wrote to memory of 5072	3236	net.exe	net1.exe
PID 3236 wrote to memory of 5072	3236	net.exe	net1.exe
PID 3236 wrote to memory of 5072	3236	net.exe	net1.exe
PID 3240 wrote to memory of 3308	3240	cmd.exe	net.exe
PID 3240 wrote to memory of 3308	3240	cmd.exe	net.exe
PID 3240 wrote to memory of 3308	3240	cmd.exe	net.exe
PID 3308 wrote to memory of 3952	3308	net.exe	net1.exe
PID 3308 wrote to memory of 3952	3308	net.exe	net1.exe
PID 3308 wrote to memory of 3952	3308	net.exe	net1.exe
PID 4628 wrote to memory of 2364	4628	cmd.exe	net.exe
PID 4628 wrote to memory of 2364	4628	cmd.exe	net.exe
PID 4628 wrote to memory of 2364	4628	cmd.exe	net.exe
PID 2364 wrote to memory of 4352	2364	net.exe	net1.exe
PID 2364 wrote to memory of 4352	2364	net.exe	net1.exe
PID 2364 wrote to memory of 4352	2364	net.exe	net1.exe
PID 464 wrote to memory of 1100	464	servicers.exe	cmd.exe
PID 464 wrote to memory of 1100	464	servicers.exe	cmd.exe
PID 464 wrote to memory of 1100	464	servicers.exe	cmd.exe
PID 1100 wrote to memory of 1512	1100	cmd.exe	regedit.exe
PID 1100 wrote to memory of 1512	1100	cmd.exe	regedit.exe
PID 1100 wrote to memory of 1512	1100	cmd.exe	regedit.exe
PID 464 wrote to memory of 4488	464	servicers.exe	cmd.exe
PID 464 wrote to memory of 4488	464	servicers.exe	cmd.exe
PID 464 wrote to memory of 4488	464	servicers.exe	cmd.exe
PID 464 wrote to memory of 2320	464	servicers.exe	cmd.exe
PID 464 wrote to memory of 2320	464	servicers.exe	cmd.exe
PID 464 wrote to memory of 2320	464	servicers.exe	cmd.exe
PID 4488 wrote to memory of 1648	4488	cmd.exe	net.exe
PID 4488 wrote to memory of 1648	4488	cmd.exe	net.exe
PID 4488 wrote to memory of 1648	4488	cmd.exe	net.exe
PID 2320 wrote to memory of 3576	2320	cmd.exe	net.exe
PID 2320 wrote to memory of 3576	2320	cmd.exe	net.exe
PID 2320 wrote to memory of 3576	2320	cmd.exe	net.exe
PID 1648 wrote to memory of 3172	1648	net.exe	net1.exe
PID 1648 wrote to memory of 3172	1648	net.exe	net1.exe
PID 1648 wrote to memory of 3172	1648	net.exe	net1.exe
PID 3576 wrote to memory of 2144	3576	net.exe	net1.exe

C:\Users\Admin\AppData\Local\Temp\a5766a5e510380e8a7f57caa195c0370_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\a5766a5e510380e8a7f57caa195c0370_NeikiAnalytics.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4920

C:\Windows\SysWOW64\cmd.exe
cmd /c net stop SharedAccess
2⤵
- Suspicious use of WriteProcessMemory
PID:3000

C:\Windows\SysWOW64\net.exe
net stop SharedAccess
3⤵
- Suspicious use of WriteProcessMemory
PID:4596

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SharedAccess
4⤵
PID:4476

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c c:\a.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:228

C:\Windows\SysWOW64\regedit.exe
REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
3⤵
- Modifies firewall policy service
- Modifies security service
- Runs .reg file with regedit
PID:2000

C:\Windows\SysWOW64\cmd.exe
cmd /c net stop "Security Center"
2⤵
- Suspicious use of WriteProcessMemory
PID:3704

C:\Windows\SysWOW64\net.exe
net stop "Security Center"
3⤵
- Suspicious use of WriteProcessMemory
PID:3236

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Security Center"
4⤵
PID:5072

C:\Windows\SysWOW64\cmd.exe
cmd /c net start SharedAccess
2⤵
- Suspicious use of WriteProcessMemory
PID:3240

C:\Windows\SysWOW64\net.exe
net start SharedAccess
3⤵
- Suspicious use of WriteProcessMemory
PID:3308

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start SharedAccess
4⤵
PID:3952

C:\Windows\system\servicers.exe
"C:\Windows\system\servicers.exe"
1⤵
- Drops file in Drivers directory
- Deletes itself
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:464

C:\Windows\SysWOW64\cmd.exe
cmd /c net stop SharedAccess
2⤵
- Suspicious use of WriteProcessMemory
PID:4628

C:\Windows\SysWOW64\net.exe
net stop SharedAccess
3⤵
- Suspicious use of WriteProcessMemory
PID:2364

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SharedAccess
4⤵
PID:4352

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c c:\a.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:1100

C:\Windows\SysWOW64\regedit.exe
REGEDIT /S C:\Windows\TEMP\1.reg
3⤵
- Modifies firewall policy service
- Modifies security service
- Runs .reg file with regedit
PID:1512

C:\Windows\SysWOW64\cmd.exe
cmd /c net stop "Security Center"
2⤵
- Suspicious use of WriteProcessMemory
PID:4488

C:\Windows\SysWOW64\net.exe
net stop "Security Center"
3⤵
- Suspicious use of WriteProcessMemory
PID:1648

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Security Center"
4⤵
PID:3172

C:\Windows\SysWOW64\cmd.exe
cmd /c net start SharedAccess
2⤵
- Suspicious use of WriteProcessMemory
PID:2320

C:\Windows\SysWOW64\net.exe
net start SharedAccess
3⤵
- Suspicious use of WriteProcessMemory
PID:3576

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start SharedAccess
4⤵
PID:2144

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Privilege Escalation

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1.reg
Filesize
345B

MD5
964c0ef43033d06f2adcd8e7291dad93

SHA1
474836d3b1e9b95cf94930f3ed64abb8f4a15ade

SHA256
158785c267b590f3ca2b7e88dcfdfedad26f7cfc334d1d8cfec36145e687cea0

SHA512
c5fb0106605b30289e25a2cbbceb944997f4e378438f7c39abaab94fb1c2f388c59520274af99d9bdd459057e206944b407ea91ce38a7699819343d5b79776e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg
Filesize
640B

MD5
70237e6c7f12f17048117b2e1098aef9

SHA1
b9735214963e8e3b791bf7113bebbbbf65c4d36d

SHA256
6d93c70335964c039571168a9f805954a524287b1c628450a269ba14c10a096c

SHA512
bdfef5f2890afda7e9d786514d47cf2a25957c82d795ed7e71d614244fb67835fef03758e76ca1056751d7182ebad3442b412587ecc3d7dc1737d4743077bcee

Download Submit
C:\Windows\system\servicers.exe
Filesize
84KB

MD5
a5766a5e510380e8a7f57caa195c0370

SHA1
66335aedccef6eac0b41e9665a2f4ec11731ceed

SHA256
822459aadd3fe611170cb20f2baab9bbd7257f9e91b2c05991838a2476f7b5a8

SHA512
cacb925a3b120cacbebbe76e332b851615e44bc03c22d2930f3a729a36e6e9a6a930be6b52556a5c8772830d3c30700ee0006f82432eaa85ef4dd27dfae6d2d3

Download Submit
\??\c:\a.bat
Filesize
1KB

MD5
d807ec0161c542b23e37898db356c95b

SHA1
0aac2ef8e1d77868d932a10007efcbd0b69ecdfc

SHA256
56cdc18d3a8b4f2059f1e17e7017b10dcfe2eef840190843dc04fa737f5b6a37

SHA512
538082e228d8e61e09d368f674b581550791153b107abe189623666b81731b7f3470a079043d7ac96339217361d73b5fe62ae2b5b103499ddf750fb89d492cdf

Download Submit
memory/464-31-0x00000000001C0000-0x00000000001C2000-memory.dmp

Filesize
8KB

Download
memory/464-30-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/464-58-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/464-61-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/464-64-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/464-66-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/464-69-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4920-1-0x00000000001C0000-0x00000000001C2000-memory.dmp

Filesize
8KB

Download
memory/4920-0-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4920-57-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads