Analysis
max time kernel: 150s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13/05/2024, 10:32
Static task: static1
Behavioral task: behavioral1
  Sample: b2c1b7deb8895437ea28a79ae38fa2b0_NeikiAnalytics.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: b2c1b7deb8895437ea28a79ae38fa2b0_NeikiAnalytics.exe
  Resource: win10v2004-20240508-en
General
Target: b2c1b7deb8895437ea28a79ae38fa2b0_NeikiAnalytics.exe
Size: 319KB
MD5: b2c1b7deb8895437ea28a79ae38fa2b0
SHA1: 159905247750942dc080c86155b7bb28c07e0c15
SHA256: 0c120bba8d75c0b1994f6273766316a5f537a7ab5a8c4649aa52c38f7fc8e346
SHA512: ec81f0fce3b198ba33ed100609ce24fe0d734f39b5541559f087f7722644c0ddc60d706ea2483466c127db53041e5cfb54f3bcded5a779d66d9f2e22600edef1
SSDEEP: 6144:oAecbuBQy7Sb0riExpMMF9yyjeEUxmLSOBMvNOzc3m/JSrSrrwZsPHItIPA:becyG+F9yynUazcW/JCM8Uoj
Malware Config
Signatures
Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoCs)
  Set value (int): \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" (process: svhost.exe)
Executes dropped EXE (1 IoCs)
  PID 904: svhost.exe
Enumerates connected drives (3 TTPs, 23 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  File opened (read-only) by svhost.exe: \??\n:, \??\p:, \??\s:, \??\t:, \??\b:, \??\h:, \??\k:, \??\q:, \??\u:, \??\v:, \??\w:, \??\x:, \??\i:, \??\j:, \??\o:, \??\a:, \??\y:, \??\m:, \??\r:, \??\z:, \??\e:, \??\g:, \??\l:
AutoIT Executable (16 IoCs)
  AutoIT scripts compiled to PE executables.
  YARA rule autoit_exe matched in the following behavioral2 memory dumps (all covering 0x0000000000400000-0x00000000004C0000):
    behavioral2/memory/2840-776-0x0000000000400000-0x00000000004C0000-memory.dmp
    behavioral2/memory/904-1313-0x0000000000400000-0x00000000004C0000-memory.dmp
    behavioral2/memory/904-2372-0x0000000000400000-0x00000000004C0000-memory.dmp
    behavioral2/memory/904-2639-0x0000000000400000-0x00000000004C0000-memory.dmp
    behavioral2/memory/904-3431-0x0000000000400000-0x00000000004C0000-memory.dmp
    behavioral2/memory/904-4752-0x0000000000400000-0x00000000004C0000-memory.dmp
    behavioral2/memory/904-5809-0x0000000000400000-0x00000000004C0000-memory.dmp
    behavioral2/memory/904-6871-0x0000000000400000-0x00000000004C0000-memory.dmp
    behavioral2/memory/904-7927-0x0000000000400000-0x00000000004C0000-memory.dmp
    behavioral2/memory/904-9247-0x0000000000400000-0x00000000004C0000-memory.dmp
    behavioral2/memory/904-10304-0x0000000000400000-0x00000000004C0000-memory.dmp
    behavioral2/memory/904-11361-0x0000000000400000-0x00000000004C0000-memory.dmp
    behavioral2/memory/904-12418-0x0000000000400000-0x00000000004C0000-memory.dmp
    behavioral2/memory/904-13740-0x0000000000400000-0x00000000004C0000-memory.dmp
    behavioral2/memory/904-14799-0x0000000000400000-0x00000000004C0000-memory.dmp
    behavioral2/memory/904-15857-0x0000000000400000-0x00000000004C0000-memory.dmp
Drops file in Windows directory (2 IoCs)
  File created: C:\Windows\svhost.exe (process: b2c1b7deb8895437ea28a79ae38fa2b0_NeikiAnalytics.exe)
  File opened for modification: C:\Windows\Driver.db (process: svhost.exe)
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (8 IoCs)
  PID 2840: b2c1b7deb8895437ea28a79ae38fa2b0_NeikiAnalytics.exe (2 events)
  PID 904: svhost.exe (6 events)
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  PID 904: svhost.exe
Suspicious use of FindShellTrayWindow (64 IoCs)
  Repeated events from PID 2840 (b2c1b7deb8895437ea28a79ae38fa2b0_NeikiAnalytics.exe) and PID 904 (svhost.exe); the bulk of the 64 events belong to PID 904.
Suspicious use of SendNotifyMessage (64 IoCs)
  Repeated events from PID 2840 (b2c1b7deb8895437ea28a79ae38fa2b0_NeikiAnalytics.exe) and PID 904 (svhost.exe); the bulk of the 64 events belong to PID 904.
Suspicious use of WriteProcessMemory (3 IoCs)
  PID 2840 (b2c1b7deb8895437ea28a79ae38fa2b0_NeikiAnalytics.exe) wrote to memory of PID 904, procid_target 84 (3 events)
Processes
1. C:\Users\Admin\AppData\Local\Temp\b2c1b7deb8895437ea28a79ae38fa2b0_NeikiAnalytics.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\b2c1b7deb8895437ea28a79ae38fa2b0_NeikiAnalytics.exe"
   PID: 2840
   - Drops file in Windows directory
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of SendNotifyMessage
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\svhost.exe (child of PID 2840)
      Command line: C:\Windows\svhost.exe
      PID: 904
      - Modifies visibility of file extensions in Explorer
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 319KB
  MD5: e980d9fbcd6f7bf04f2094850a5895b2
  SHA1: 7e79d67864b6e75a84e82f30796daebc0a9d3711
  SHA256: 3272e160e8191ba50944b6ff118a98630984d36150261b48db85c437e9afbb3b
  SHA512: 2d71b5edc753be8a2944abbccb9cefd24dee7da2e8f2af1d9a11e901e5fe6500881ffbee439298fc2cfc5fa0f637be813e3af3006a2b514255a3f3ef78791962
Filesize: 82B
  MD5: c2d2dc50dca8a2bfdc8e2d59dfa5796d
  SHA1: 7a6150fc53244e28d1bcea437c0c9d276c41ccad
  SHA256: b2d38b3f122cfcf3cecabf0dfe2ab9c4182416d6961ae43f1eebee489cf3c960
  SHA512: 6cfdd08729de9ee9d1f5d8fcd859144d32ddc0a9e7074202a7d03d3795bdf0027a074a6aa54f451d4166024c134b27c55c7142170e64d979d86c13801f937ce4
Filesize: 319KB
  MD5: a5d3e0cb224c423c620ab45971816e81
  SHA1: 6edd788f20338632fdbf4fbab6f70e4a09e67c15
  SHA256: b9bc665344bc9d421cad844dd969dfb93e03a6ad17a177b4f0dc2014e426bc37
  SHA512: f3a861e1f05ddee21f28c28f51dac30800eb4e226066cb05edb9dfd881259da563151643d2ef5d697e7b0c09a447d3005bc2cfcc5846e6f8b6ac654f422fb893