756ded3fd4a32d60b823bdc37c0743d4970c11af39b527e000975e709b39d863

Analysis

max time kernel
149s
max time network
117s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
13/05/2024, 08:49

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

aba992f55ee03c2d0a37d6e5085a3b90_NeikiAnalytics.exe
Size

96KB
MD5

aba992f55ee03c2d0a37d6e5085a3b90
SHA1

a288f304f8ac1efce38b705784f660f9f9d8069f
SHA256

756ded3fd4a32d60b823bdc37c0743d4970c11af39b527e000975e709b39d863
SHA512

a2c350a240bcf31f0fd6ab0e9f300d2b8ebbaa71a490e89e56af04d9c04be37a56ed1402f5ee0ae64aad31dcdeb61f8b18d82ae073ed477327eab09ebd3e3665
SSDEEP

1536:rtxwjjK7lp27GjV3P1YIlToyzrmgJztJcECld+FNMmNxTDTTTTTTTTNhb2GIiuTp:Jqjm7lMyzr9zJcECl8F+sbI

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3056	vitrwm.exe

Loads dropped DLL 1 IoCs

pid	Process
3056	vitrwm.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\vitrwm.exe	aba992f55ee03c2d0a37d6e5085a3b90_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\vitrwm.exe	aba992f55ee03c2d0a37d6e5085a3b90_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\hra33.dll	vitrwm.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2984	aba992f55ee03c2d0a37d6e5085a3b90_NeikiAnalytics.exe
3056	vitrwm.exe

Suspicious behavior: MapViewOfSection 43 IoCs

pid	Process
2984	aba992f55ee03c2d0a37d6e5085a3b90_NeikiAnalytics.exe
2984	aba992f55ee03c2d0a37d6e5085a3b90_NeikiAnalytics.exe
2984	aba992f55ee03c2d0a37d6e5085a3b90_NeikiAnalytics.exe
2984	aba992f55ee03c2d0a37d6e5085a3b90_NeikiAnalytics.exe
2984	aba992f55ee03c2d0a37d6e5085a3b90_NeikiAnalytics.exe
2984	aba992f55ee03c2d0a37d6e5085a3b90_NeikiAnalytics.exe
2984	aba992f55ee03c2d0a37d6e5085a3b90_NeikiAnalytics.exe
2984	aba992f55ee03c2d0a37d6e5085a3b90_NeikiAnalytics.exe
2984	aba992f55ee03c2d0a37d6e5085a3b90_NeikiAnalytics.exe
2984	aba992f55ee03c2d0a37d6e5085a3b90_NeikiAnalytics.exe
2984	aba992f55ee03c2d0a37d6e5085a3b90_NeikiAnalytics.exe
2984	aba992f55ee03c2d0a37d6e5085a3b90_NeikiAnalytics.exe
2984	aba992f55ee03c2d0a37d6e5085a3b90_NeikiAnalytics.exe
2984	aba992f55ee03c2d0a37d6e5085a3b90_NeikiAnalytics.exe
2984	aba992f55ee03c2d0a37d6e5085a3b90_NeikiAnalytics.exe
2984	aba992f55ee03c2d0a37d6e5085a3b90_NeikiAnalytics.exe
2984	aba992f55ee03c2d0a37d6e5085a3b90_NeikiAnalytics.exe
2984	aba992f55ee03c2d0a37d6e5085a3b90_NeikiAnalytics.exe
2984	aba992f55ee03c2d0a37d6e5085a3b90_NeikiAnalytics.exe
2984	aba992f55ee03c2d0a37d6e5085a3b90_NeikiAnalytics.exe
2984	aba992f55ee03c2d0a37d6e5085a3b90_NeikiAnalytics.exe
3056	vitrwm.exe
3056	vitrwm.exe
3056	vitrwm.exe
3056	vitrwm.exe
3056	vitrwm.exe
3056	vitrwm.exe
3056	vitrwm.exe
3056	vitrwm.exe
3056	vitrwm.exe
3056	vitrwm.exe
3056	vitrwm.exe
3056	vitrwm.exe
3056	vitrwm.exe
3056	vitrwm.exe
3056	vitrwm.exe
3056	vitrwm.exe
3056	vitrwm.exe
3056	vitrwm.exe
3056	vitrwm.exe
3056	vitrwm.exe
3056	vitrwm.exe
3056	vitrwm.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2984	aba992f55ee03c2d0a37d6e5085a3b90_NeikiAnalytics.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2984	aba992f55ee03c2d0a37d6e5085a3b90_NeikiAnalytics.exe
Token: SeDebugPrivilege	3056	vitrwm.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2984	aba992f55ee03c2d0a37d6e5085a3b90_NeikiAnalytics.exe
2984	aba992f55ee03c2d0a37d6e5085a3b90_NeikiAnalytics.exe
3056	vitrwm.exe
3056	vitrwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2984 wrote to memory of 384	2984	aba992f55ee03c2d0a37d6e5085a3b90_NeikiAnalytics.exe	3
PID 2984 wrote to memory of 384	2984	aba992f55ee03c2d0a37d6e5085a3b90_NeikiAnalytics.exe	3
PID 2984 wrote to memory of 384	2984	aba992f55ee03c2d0a37d6e5085a3b90_NeikiAnalytics.exe	3
PID 2984 wrote to memory of 384	2984	aba992f55ee03c2d0a37d6e5085a3b90_NeikiAnalytics.exe	3
PID 2984 wrote to memory of 384	2984	aba992f55ee03c2d0a37d6e5085a3b90_NeikiAnalytics.exe	3
PID 2984 wrote to memory of 384	2984	aba992f55ee03c2d0a37d6e5085a3b90_NeikiAnalytics.exe	3
PID 2984 wrote to memory of 384	2984	aba992f55ee03c2d0a37d6e5085a3b90_NeikiAnalytics.exe	3
PID 2984 wrote to memory of 392	2984	aba992f55ee03c2d0a37d6e5085a3b90_NeikiAnalytics.exe	4
PID 2984 wrote to memory of 392	2984	aba992f55ee03c2d0a37d6e5085a3b90_NeikiAnalytics.exe	4
PID 2984 wrote to memory of 392	2984	aba992f55ee03c2d0a37d6e5085a3b90_NeikiAnalytics.exe	4
PID 2984 wrote to memory of 392	2984	aba992f55ee03c2d0a37d6e5085a3b90_NeikiAnalytics.exe	4
PID 2984 wrote to memory of 392	2984	aba992f55ee03c2d0a37d6e5085a3b90_NeikiAnalytics.exe	4
PID 2984 wrote to memory of 392	2984	aba992f55ee03c2d0a37d6e5085a3b90_NeikiAnalytics.exe	4
PID 2984 wrote to memory of 392	2984	aba992f55ee03c2d0a37d6e5085a3b90_NeikiAnalytics.exe	4
PID 2984 wrote to memory of 432	2984	aba992f55ee03c2d0a37d6e5085a3b90_NeikiAnalytics.exe	5
PID 2984 wrote to memory of 432	2984	aba992f55ee03c2d0a37d6e5085a3b90_NeikiAnalytics.exe	5
PID 2984 wrote to memory of 432	2984	aba992f55ee03c2d0a37d6e5085a3b90_NeikiAnalytics.exe	5
PID 2984 wrote to memory of 432	2984	aba992f55ee03c2d0a37d6e5085a3b90_NeikiAnalytics.exe	5
PID 2984 wrote to memory of 432	2984	aba992f55ee03c2d0a37d6e5085a3b90_NeikiAnalytics.exe	5
PID 2984 wrote to memory of 432	2984	aba992f55ee03c2d0a37d6e5085a3b90_NeikiAnalytics.exe	5
PID 2984 wrote to memory of 432	2984	aba992f55ee03c2d0a37d6e5085a3b90_NeikiAnalytics.exe	5
PID 2984 wrote to memory of 476	2984	aba992f55ee03c2d0a37d6e5085a3b90_NeikiAnalytics.exe	6
PID 2984 wrote to memory of 476	2984	aba992f55ee03c2d0a37d6e5085a3b90_NeikiAnalytics.exe	6
PID 2984 wrote to memory of 476	2984	aba992f55ee03c2d0a37d6e5085a3b90_NeikiAnalytics.exe	6
PID 2984 wrote to memory of 476	2984	aba992f55ee03c2d0a37d6e5085a3b90_NeikiAnalytics.exe	6
PID 2984 wrote to memory of 476	2984	aba992f55ee03c2d0a37d6e5085a3b90_NeikiAnalytics.exe	6
PID 2984 wrote to memory of 476	2984	aba992f55ee03c2d0a37d6e5085a3b90_NeikiAnalytics.exe	6
PID 2984 wrote to memory of 476	2984	aba992f55ee03c2d0a37d6e5085a3b90_NeikiAnalytics.exe	6
PID 2984 wrote to memory of 492	2984	aba992f55ee03c2d0a37d6e5085a3b90_NeikiAnalytics.exe	7
PID 2984 wrote to memory of 492	2984	aba992f55ee03c2d0a37d6e5085a3b90_NeikiAnalytics.exe	7
PID 2984 wrote to memory of 492	2984	aba992f55ee03c2d0a37d6e5085a3b90_NeikiAnalytics.exe	7
PID 2984 wrote to memory of 492	2984	aba992f55ee03c2d0a37d6e5085a3b90_NeikiAnalytics.exe	7
PID 2984 wrote to memory of 492	2984	aba992f55ee03c2d0a37d6e5085a3b90_NeikiAnalytics.exe	7
PID 2984 wrote to memory of 492	2984	aba992f55ee03c2d0a37d6e5085a3b90_NeikiAnalytics.exe	7
PID 2984 wrote to memory of 492	2984	aba992f55ee03c2d0a37d6e5085a3b90_NeikiAnalytics.exe	7
PID 2984 wrote to memory of 500	2984	aba992f55ee03c2d0a37d6e5085a3b90_NeikiAnalytics.exe	8
PID 2984 wrote to memory of 500	2984	aba992f55ee03c2d0a37d6e5085a3b90_NeikiAnalytics.exe	8
PID 2984 wrote to memory of 500	2984	aba992f55ee03c2d0a37d6e5085a3b90_NeikiAnalytics.exe	8
PID 2984 wrote to memory of 500	2984	aba992f55ee03c2d0a37d6e5085a3b90_NeikiAnalytics.exe	8
PID 2984 wrote to memory of 500	2984	aba992f55ee03c2d0a37d6e5085a3b90_NeikiAnalytics.exe	8
PID 2984 wrote to memory of 500	2984	aba992f55ee03c2d0a37d6e5085a3b90_NeikiAnalytics.exe	8
PID 2984 wrote to memory of 500	2984	aba992f55ee03c2d0a37d6e5085a3b90_NeikiAnalytics.exe	8
PID 2984 wrote to memory of 596	2984	aba992f55ee03c2d0a37d6e5085a3b90_NeikiAnalytics.exe	9
PID 2984 wrote to memory of 596	2984	aba992f55ee03c2d0a37d6e5085a3b90_NeikiAnalytics.exe	9
PID 2984 wrote to memory of 596	2984	aba992f55ee03c2d0a37d6e5085a3b90_NeikiAnalytics.exe	9
PID 2984 wrote to memory of 596	2984	aba992f55ee03c2d0a37d6e5085a3b90_NeikiAnalytics.exe	9
PID 2984 wrote to memory of 596	2984	aba992f55ee03c2d0a37d6e5085a3b90_NeikiAnalytics.exe	9
PID 2984 wrote to memory of 596	2984	aba992f55ee03c2d0a37d6e5085a3b90_NeikiAnalytics.exe	9
PID 2984 wrote to memory of 596	2984	aba992f55ee03c2d0a37d6e5085a3b90_NeikiAnalytics.exe	9
PID 2984 wrote to memory of 676	2984	aba992f55ee03c2d0a37d6e5085a3b90_NeikiAnalytics.exe	10
PID 2984 wrote to memory of 676	2984	aba992f55ee03c2d0a37d6e5085a3b90_NeikiAnalytics.exe	10
PID 2984 wrote to memory of 676	2984	aba992f55ee03c2d0a37d6e5085a3b90_NeikiAnalytics.exe	10
PID 2984 wrote to memory of 676	2984	aba992f55ee03c2d0a37d6e5085a3b90_NeikiAnalytics.exe	10
PID 2984 wrote to memory of 676	2984	aba992f55ee03c2d0a37d6e5085a3b90_NeikiAnalytics.exe	10
PID 2984 wrote to memory of 676	2984	aba992f55ee03c2d0a37d6e5085a3b90_NeikiAnalytics.exe	10
PID 2984 wrote to memory of 676	2984	aba992f55ee03c2d0a37d6e5085a3b90_NeikiAnalytics.exe	10
PID 2984 wrote to memory of 752	2984	aba992f55ee03c2d0a37d6e5085a3b90_NeikiAnalytics.exe	11
PID 2984 wrote to memory of 752	2984	aba992f55ee03c2d0a37d6e5085a3b90_NeikiAnalytics.exe	11
PID 2984 wrote to memory of 752	2984	aba992f55ee03c2d0a37d6e5085a3b90_NeikiAnalytics.exe	11
PID 2984 wrote to memory of 752	2984	aba992f55ee03c2d0a37d6e5085a3b90_NeikiAnalytics.exe	11
PID 2984 wrote to memory of 752	2984	aba992f55ee03c2d0a37d6e5085a3b90_NeikiAnalytics.exe	11
PID 2984 wrote to memory of 752	2984	aba992f55ee03c2d0a37d6e5085a3b90_NeikiAnalytics.exe	11
PID 2984 wrote to memory of 752	2984	aba992f55ee03c2d0a37d6e5085a3b90_NeikiAnalytics.exe	11
PID 2984 wrote to memory of 816	2984	aba992f55ee03c2d0a37d6e5085a3b90_NeikiAnalytics.exe	12

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:384

C:\Windows\system32\wininit.exe
wininit.exe
1⤵
PID:392
- C:\Windows\system32\services.exe
  C:\Windows\system32\services.exe
  2⤵
  PID:476
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    3⤵
    PID:596
  - - C:\Windows\system32\DllHost.exe
      C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
      4⤵
      PID:300
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k RPCSS
    3⤵
    PID:676
- - C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    3⤵
    PID:752
- - C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    3⤵
    PID:816
  - - C:\Windows\system32\Dwm.exe
      "C:\Windows\system32\Dwm.exe"
      4⤵
      PID:1164
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs
    3⤵
    PID:844
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalService
    3⤵
    PID:976
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    3⤵
    PID:112
- - C:\Windows\System32\spoolsv.exe
    C:\Windows\System32\spoolsv.exe
    3⤵
    PID:236
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    3⤵
    PID:1028
- - C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    3⤵
    PID:1112
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    3⤵
    PID:2032
- - C:\Windows\system32\sppsvc.exe
    C:\Windows\system32\sppsvc.exe
    3⤵
    PID:2336
- - C:\Windows\SysWOW64\vitrwm.exe
    C:\Windows\SysWOW64\vitrwm.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:3056
- C:\Windows\system32\lsass.exe
  C:\Windows\system32\lsass.exe
  2⤵
  PID:492
- C:\Windows\system32\lsm.exe
  C:\Windows\system32\lsm.exe
  2⤵
  PID:500

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:432

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1216
- C:\Users\Admin\AppData\Local\Temp\aba992f55ee03c2d0a37d6e5085a3b90_NeikiAnalytics.exe
  "C:\Users\Admin\AppData\Local\Temp\aba992f55ee03c2d0a37d6e5085a3b90_NeikiAnalytics.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious behavior: RenamesItself
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2984

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\vitrwm.exe

Filesize
96KB

MD5
aba992f55ee03c2d0a37d6e5085a3b90

SHA1
a288f304f8ac1efce38b705784f660f9f9d8069f

SHA256
756ded3fd4a32d60b823bdc37c0743d4970c11af39b527e000975e709b39d863

SHA512
a2c350a240bcf31f0fd6ab0e9f300d2b8ebbaa71a490e89e56af04d9c04be37a56ed1402f5ee0ae64aad31dcdeb61f8b18d82ae073ed477327eab09ebd3e3665

Download Submit
\Windows\SysWOW64\hra33.dll

Filesize
7KB

MD5
7147ff24579a477a1a34696926e573f1

SHA1
9127ea8d813ecd5788b3f97777931ec79b7760e9

SHA256
fd08dcb016611316c849d48312ba6dc7d4de75d1a81c1d475a13bb5a1ba07267

SHA512
077b68376679c30d2dbae460ed59f5131c177bdd7574af1c2660ed97ae242b1401816d012af321c278be065b49bc9eab395e008b1b9a2447aa27b694bbed1d5d

Download Submit
memory/2984-0-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2984-2-0x0000000077190000-0x0000000077191000-memory.dmp

Filesize
4KB

Download
memory/2984-1-0x000000007718F000-0x0000000077190000-memory.dmp

Filesize
4KB

Download
memory/2984-8-0x000000007EF90000-0x000000007EF9C000-memory.dmp

Filesize
48KB

Download
memory/2984-7-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3056-5-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3056-18-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download