Analysis
- max time kernel: 150s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64 arch:x86 image:win7-20240508-en locale:en-us os:windows7-x64 system
- submitted: 13/05/2024, 10:32
Static task
- static1
Behavioral task
- behavioral1
  Sample: b2c1b7deb8895437ea28a79ae38fa2b0_NeikiAnalytics.exe
  Resource: win7-20240508-en
Behavioral task
- behavioral2
  Sample: b2c1b7deb8895437ea28a79ae38fa2b0_NeikiAnalytics.exe
  Resource: win10v2004-20240508-en
General
- Target: b2c1b7deb8895437ea28a79ae38fa2b0_NeikiAnalytics.exe
- Size: 319KB
- MD5: b2c1b7deb8895437ea28a79ae38fa2b0
- SHA1: 159905247750942dc080c86155b7bb28c07e0c15
- SHA256: 0c120bba8d75c0b1994f6273766316a5f537a7ab5a8c4649aa52c38f7fc8e346
- SHA512: ec81f0fce3b198ba33ed100609ce24fe0d734f39b5541559f087f7722644c0ddc60d706ea2483466c127db53041e5cfb54f3bcded5a779d66d9f2e22600edef1
- SSDEEP: 6144:oAecbuBQy7Sb0riExpMMF9yyjeEUxmLSOBMvNOzc3m/JSrSrrwZsPHItIPA:becyG+F9yynUazcW/JCM8Uoj
Malware Config
Signatures
- Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoC)
  description: Set value (int)
  ioc: \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
  Process: svhost.exe
- Executes dropped EXE (1 IoC)
  pid: 1688  Process: svhost.exe
- Enumerates connected drives (3 TTPs, 23 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  description: File opened (read-only)  Process: svhost.exe  ioc: each of the following 23 drive roots
  \??\x: \??\z: \??\b: \??\q: \??\s: \??\t: \??\v: \??\w: \??\e: \??\o: \??\p: \??\r: \??\h: \??\j: \??\k: \??\n: \??\m: \??\u: \??\y: \??\a: \??\g: \??\i: \??\l:
- AutoIT Executable (17 IoCs)
  AutoIT scripts compiled to PE executables.
  yara_rule: autoit_exe for each of the following memory dump resources
  behavioral1/memory/1688-6-0x0000000000400000-0x00000000004C0000-memory.dmp
  behavioral1/memory/1716-794-0x0000000000400000-0x00000000004C0000-memory.dmp
  behavioral1/memory/1688-1324-0x0000000000400000-0x00000000004C0000-memory.dmp
  behavioral1/memory/1688-2386-0x0000000000400000-0x00000000004C0000-memory.dmp
  behavioral1/memory/1688-2655-0x0000000000400000-0x00000000004C0000-memory.dmp
  behavioral1/memory/1688-3448-0x0000000000400000-0x00000000004C0000-memory.dmp
  behavioral1/memory/1688-4766-0x0000000000400000-0x00000000004C0000-memory.dmp
  behavioral1/memory/1688-5830-0x0000000000400000-0x00000000004C0000-memory.dmp
  behavioral1/memory/1688-6889-0x0000000000400000-0x00000000004C0000-memory.dmp
  behavioral1/memory/1688-7946-0x0000000000400000-0x00000000004C0000-memory.dmp
  behavioral1/memory/1688-9271-0x0000000000400000-0x00000000004C0000-memory.dmp
  behavioral1/memory/1688-10330-0x0000000000400000-0x00000000004C0000-memory.dmp
  behavioral1/memory/1688-11387-0x0000000000400000-0x00000000004C0000-memory.dmp
  behavioral1/memory/1688-12441-0x0000000000400000-0x00000000004C0000-memory.dmp
  behavioral1/memory/1688-13771-0x0000000000400000-0x00000000004C0000-memory.dmp
  behavioral1/memory/1688-14828-0x0000000000400000-0x00000000004C0000-memory.dmp
  behavioral1/memory/1688-15884-0x0000000000400000-0x00000000004C0000-memory.dmp
- Drops file in Windows directory (2 IoCs)
  File created: C:\Windows\svhost.exe  Process: b2c1b7deb8895437ea28a79ae38fa2b0_NeikiAnalytics.exe
  File opened for modification: C:\Windows\Driver.db  Process: svhost.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid: 1716  Process: b2c1b7deb8895437ea28a79ae38fa2b0_NeikiAnalytics.exe
  pid: 1688  Process: svhost.exe
  pid: 1688  Process: svhost.exe
  pid: 1688  Process: svhost.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid: 1688  Process: svhost.exe
- Suspicious use of FindShellTrayWindow (64 IoCs)
  64 pid/Process records, all from the two processes below (the first records alternate between the two, the remainder are all svhost.exe):
  pid: 1716  Process: b2c1b7deb8895437ea28a79ae38fa2b0_NeikiAnalytics.exe
  pid: 1688  Process: svhost.exe
- Suspicious use of SendNotifyMessage (64 IoCs)
  64 pid/Process records, all from the two processes below (the first records alternate between the two, the remainder are all svhost.exe):
  pid: 1716  Process: b2c1b7deb8895437ea28a79ae38fa2b0_NeikiAnalytics.exe
  pid: 1688  Process: svhost.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Four identical records:
  description: PID 1716 wrote to memory of 1688  pid: 1716  Process: b2c1b7deb8895437ea28a79ae38fa2b0_NeikiAnalytics.exe  procid_target: 28
Processes
- C:\Users\Admin\AppData\Local\Temp\b2c1b7deb8895437ea28a79ae38fa2b0_NeikiAnalytics.exe (PID 1716, tree depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\b2c1b7deb8895437ea28a79ae38fa2b0_NeikiAnalytics.exe"
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - C:\Windows\svhost.exe (PID 1688, tree depth 2, under PID 1716)
    Command line: C:\Windows\svhost.exe
    - Modifies visibility of file extensions in Explorer
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 319KB
  MD5: c9d8208a53429eec993d20032a67a432
  SHA1: 51cc2db997c87a7eb2cb8a682957968ce040d2b0
  SHA256: c9e565c38cd754a55f25e4dfad6e7e8336e7f2972ae3e01fdeabaaf74d545aec
  SHA512: d7d0dbbbf5a9e3c19741caa605d0d7682672132d58e2830167079fe6c4b52ae9b74b3f351cca256f787e226828ff54fc3fb3b43138b60c088cfa02f75dc998d8
- Filesize: 82B
  MD5: c2d2dc50dca8a2bfdc8e2d59dfa5796d
  SHA1: 7a6150fc53244e28d1bcea437c0c9d276c41ccad
  SHA256: b2d38b3f122cfcf3cecabf0dfe2ab9c4182416d6961ae43f1eebee489cf3c960
  SHA512: 6cfdd08729de9ee9d1f5d8fcd859144d32ddc0a9e7074202a7d03d3795bdf0027a074a6aa54f451d4166024c134b27c55c7142170e64d979d86c13801f937ce4
- Filesize: 319KB
  MD5: 5c6ae73a4bc604c3f0428e3bda220f9f
  SHA1: 42b191cabd8936454c616e7e1721a147368bffef
  SHA256: f396e3b3221258eaf16a0fe0dee88f16216329c77836723818db51938ae2e1f0
  SHA512: 268575fcf0dfafa8b492b1b6d4d98db82134170ea8060198f3cf302a77e126e79bc1e9b208e7e21fd01495ca5afb0533b902a86538370dd8896b8922372194c0