Analysis
max time kernel: 140s
max time network: 147s
platform: windows7_x64
resource: win7-20240220-en
resource tags: arch:x64 arch:x86 image:win7-20240220-en locale:en-us os:windows7-x64 system
submitted: 13-05-2024 12:04
Behavioral task: behavioral1
Sample: b6a0b3f7579ac82d6b37187153d400f0_NeikiAnalytics.exe
Resource: win7-20240220-en
Behavioral task: behavioral2
Sample: b6a0b3f7579ac82d6b37187153d400f0_NeikiAnalytics.exe
Resource: win10v2004-20240426-en
General
Target: b6a0b3f7579ac82d6b37187153d400f0_NeikiAnalytics.exe
Size: 443KB
MD5: b6a0b3f7579ac82d6b37187153d400f0
SHA1: 03cf5a8f14e8da1f989c9fcf47b226e4469cb523
SHA256: 083ef4b502ce5e9cdd132aab71a695b05f6ecff80ec6e71ea5f03d80ee611d76
SHA512: f6f1fdcc81f4ef60158563ac207884ea811ecd00b7a5c360b1b3855784666c43e800c123c364013bcbfbf46834b5df2d8822af5f1790d854d23aec33b147aa2c
SSDEEP: 12288:nsaY8rGHFalzNl0kz/faGwDrjmcF741hmohdTyeTq1:B/rGH8zbZ7DErjnFc9hFTc
Malware Config
Signatures
- Generic Chinese Botnet
  A botnet originating from China which is currently unnamed publicly.
- Chinese Botnet payload 2 IoCs
  Processes:
  resource | yara_rule
  behavioral1/memory/2532-25-0x0000000010000000-0x0000000010018000-memory.dmp | unk_chinese_botnet
  behavioral1/memory/2532-32-0x0000000000400000-0x0000000000469000-memory.dmp | unk_chinese_botnet
- Executes dropped EXE 3 IoCs
  Processes:
  pid | Process
  2576 | ÕÒ»ØÃÜÂë.exe
  2532 | IntelCpHDCPSvc.exe
  1888 | Wcdsekp.exe
- Loads dropped DLL 4 IoCs
  Processes:
  pid | Process
  1740 | b6a0b3f7579ac82d6b37187153d400f0_NeikiAnalytics.exe
  1740 | b6a0b3f7579ac82d6b37187153d400f0_NeikiAnalytics.exe
  1740 | b6a0b3f7579ac82d6b37187153d400f0_NeikiAnalytics.exe
  1740 | b6a0b3f7579ac82d6b37187153d400f0_NeikiAnalytics.exe
  Processes:
  resource | yara_rule
  behavioral1/memory/1740-0-0x0000000000400000-0x000000000041C000-memory.dmp | upx
  behavioral1/memory/1740-21-0x0000000000400000-0x000000000041C000-memory.dmp | upx
- Enumerates connected drives 3 TTPs 22 IoCs
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes:
  description | ioc | Process
  File opened (read-only) | \??\S: | IntelCpHDCPSvc.exe
  File opened (read-only) | \??\V: | IntelCpHDCPSvc.exe
  File opened (read-only) | \??\I: | IntelCpHDCPSvc.exe
  File opened (read-only) | \??\J: | IntelCpHDCPSvc.exe
  File opened (read-only) | \??\K: | IntelCpHDCPSvc.exe
  File opened (read-only) | \??\P: | IntelCpHDCPSvc.exe
  File opened (read-only) | \??\E: | IntelCpHDCPSvc.exe
  File opened (read-only) | \??\M: | IntelCpHDCPSvc.exe
  File opened (read-only) | \??\N: | IntelCpHDCPSvc.exe
  File opened (read-only) | \??\R: | IntelCpHDCPSvc.exe
  File opened (read-only) | \??\U: | IntelCpHDCPSvc.exe
  File opened (read-only) | \??\Z: | IntelCpHDCPSvc.exe
  File opened (read-only) | \??\B: | IntelCpHDCPSvc.exe
  File opened (read-only) | \??\G: | IntelCpHDCPSvc.exe
  File opened (read-only) | \??\L: | IntelCpHDCPSvc.exe
  File opened (read-only) | \??\Q: | IntelCpHDCPSvc.exe
  File opened (read-only) | \??\X: | IntelCpHDCPSvc.exe
  File opened (read-only) | \??\Y: | IntelCpHDCPSvc.exe
  File opened (read-only) | \??\H: | IntelCpHDCPSvc.exe
  File opened (read-only) | \??\O: | IntelCpHDCPSvc.exe
  File opened (read-only) | \??\T: | IntelCpHDCPSvc.exe
  File opened (read-only) | \??\W: | IntelCpHDCPSvc.exe
- Drops file in System32 directory 1 IoCs
  Processes:
  description | ioc | Process
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | Wcdsekp.exe
- Drops file in Program Files directory 2 IoCs
  Processes:
  description | ioc | Process
  File created | C:\Program Files (x86)\Microsoft Riqtco\Wcdsekp.exe | IntelCpHDCPSvc.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Riqtco\Wcdsekp.exe | IntelCpHDCPSvc.exe
- Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s).
- Checks processor information in registry 2 TTPs 2 IoCs
  Processor information is often read in order to detect sandboxing environments.
  Processes:
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | IntelCpHDCPSvc.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | IntelCpHDCPSvc.exe
- Modifies data under HKEY_USERS 24 IoCs
  Processes:
  description | ioc | Process
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | Wcdsekp.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | Wcdsekp.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | Wcdsekp.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | Wcdsekp.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{30D50AEC-DD7D-4392-ACA3-54FA2CB9F4B9}\WpadDecision = "0" | Wcdsekp.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\9a-d9-37-fd-29-2d | Wcdsekp.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\9a-d9-37-fd-29-2d\WpadDecisionTime = 204486fc2da5da01 | Wcdsekp.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | Wcdsekp.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | Wcdsekp.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | Wcdsekp.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | Wcdsekp.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad | Wcdsekp.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f012c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | Wcdsekp.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\9a-d9-37-fd-29-2d\WpadDecisionReason = "1" | Wcdsekp.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | Wcdsekp.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | Wcdsekp.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{30D50AEC-DD7D-4392-ACA3-54FA2CB9F4B9}\WpadDecisionReason = "1" | Wcdsekp.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{30D50AEC-DD7D-4392-ACA3-54FA2CB9F4B9}\WpadDecisionTime = 204486fc2da5da01 | Wcdsekp.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\9a-d9-37-fd-29-2d\WpadDecision = "0" | Wcdsekp.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" | Wcdsekp.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{30D50AEC-DD7D-4392-ACA3-54FA2CB9F4B9} | Wcdsekp.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{30D50AEC-DD7D-4392-ACA3-54FA2CB9F4B9}\WpadNetworkName = "Network 3" | Wcdsekp.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{30D50AEC-DD7D-4392-ACA3-54FA2CB9F4B9}\9a-d9-37-fd-29-2d | Wcdsekp.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | Wcdsekp.exe
- Suspicious behavior: EnumeratesProcesses 1 IoCs
  Processes:
  pid | Process
  2532 | IntelCpHDCPSvc.exe
- Suspicious use of SetWindowsHookEx 2 IoCs
  Processes:
  pid | Process
  2576 | ÕÒ»ØÃÜÂë.exe
  2576 | ÕÒ»ØÃÜÂë.exe
- Suspicious use of WriteProcessMemory 16 IoCs
  Processes:
  description | pid | Process | procid_target
  PID 1740 wrote to memory of 2576 | 1740 | b6a0b3f7579ac82d6b37187153d400f0_NeikiAnalytics.exe | 28
  PID 1740 wrote to memory of 2576 | 1740 | b6a0b3f7579ac82d6b37187153d400f0_NeikiAnalytics.exe | 28
  PID 1740 wrote to memory of 2576 | 1740 | b6a0b3f7579ac82d6b37187153d400f0_NeikiAnalytics.exe | 28
  PID 1740 wrote to memory of 2576 | 1740 | b6a0b3f7579ac82d6b37187153d400f0_NeikiAnalytics.exe | 28
  PID 1740 wrote to memory of 2532 | 1740 | b6a0b3f7579ac82d6b37187153d400f0_NeikiAnalytics.exe | 29
  PID 1740 wrote to memory of 2532 | 1740 | b6a0b3f7579ac82d6b37187153d400f0_NeikiAnalytics.exe | 29
  PID 1740 wrote to memory of 2532 | 1740 | b6a0b3f7579ac82d6b37187153d400f0_NeikiAnalytics.exe | 29
  PID 1740 wrote to memory of 2532 | 1740 | b6a0b3f7579ac82d6b37187153d400f0_NeikiAnalytics.exe | 29
  PID 2532 wrote to memory of 2616 | 2532 | IntelCpHDCPSvc.exe | 30
  PID 2532 wrote to memory of 2616 | 2532 | IntelCpHDCPSvc.exe | 30
  PID 2532 wrote to memory of 2616 | 2532 | IntelCpHDCPSvc.exe | 30
  PID 2532 wrote to memory of 2616 | 2532 | IntelCpHDCPSvc.exe | 30
  PID 1888 wrote to memory of 812 | 1888 | Wcdsekp.exe | 36
  PID 1888 wrote to memory of 812 | 1888 | Wcdsekp.exe | 36
  PID 1888 wrote to memory of 812 | 1888 | Wcdsekp.exe | 36
  PID 1888 wrote to memory of 812 | 1888 | Wcdsekp.exe | 36
Processes
C:\Users\Admin\AppData\Local\Temp\b6a0b3f7579ac82d6b37187153d400f0_NeikiAnalytics.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b6a0b3f7579ac82d6b37187153d400f0_NeikiAnalytics.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1740
    C:\Users\Admin\AppData\Local\Temp\Temp\ÕÒ»ØÃÜÂë.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\Temp\ÕÒ»ØÃÜÂë.exe"
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
      PID:2576
    C:\Users\Admin\AppData\Local\Temp\Temp\IntelCpHDCPSvc.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\Temp\IntelCpHDCPSvc.exe"
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in Program Files directory
      - Checks processor information in registry
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      PID:2532
        C:\Windows\SysWOW64\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /c md C:\windowss64
          PID:2616
C:\Program Files (x86)\Microsoft Riqtco\Wcdsekp.exe
  Command line: "C:\Program Files (x86)\Microsoft Riqtco\Wcdsekp.exe"
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of WriteProcessMemory
  PID:1888
    C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c md C:\windowss64
      PID:812
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 412KB
MD5: 669f0cd8a956fe16c90debc6950ff637
SHA1: aebfc5daf7081d47ef11027864f85febe662e664
SHA256: 0a197cd65dd3a1cbe8becfcb6c2feb6fb23c0259866620602f641d9d110e4c5c
SHA512: 714fec3975174fe0881d8363007afe7e817317f7781e61d4a845591ad99208ed6c05ffd0d5b0a121173afc18329f01639ef9f3db2b9a7a692bf42feb91311f26

Filesize: 832KB
MD5: 6e3862cefb127a27193ec69ccde5a872
SHA1: c71986aa98fcd77ba32e0504d435b64df031a842
SHA256: 6948e00ad36b02acb5cf8da906d65830f2484def2c1b53ee270fdae933fe67a9
SHA512: b8074d6b0762111a38be9d3e32d0017a2bc4701ed82993829d7817563f6eb1e9e3e20b16447ba697f9a95340c05fac8f85b7ca81c5ed5cac6d18d4810b007f9e