Analysis
- max time kernel: 149s
- max time network: 118s
- platform: windows7_x64
- resource: win7-20240419-en
- resource tags: arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
- submitted: 13/05/2024, 13:16
Static task
- static1
Behavioral task
- behavioral1: sample b9ad4481560f36da3fb203e1a0128940_NeikiAnalytics.exe, resource win7-20240419-en
Behavioral task
- behavioral2: sample b9ad4481560f36da3fb203e1a0128940_NeikiAnalytics.exe, resource win10v2004-20240426-en
General
- Target: b9ad4481560f36da3fb203e1a0128940_NeikiAnalytics.exe
- Size: 70KB
- MD5: b9ad4481560f36da3fb203e1a0128940
- SHA1: cfed8160c4e9f9fd94cfbd23f6044d79ba99d9a5
- SHA256: 2a370d3d80e1a11bb48fe5f7abe69387540931269ff9dd7bf151936f93f4370e
- SHA512: d51aef5b2d769f7cd9396574bcf72d4701b75dc7838edd887707f644eb2a4bc7a5273365f0c760a5a80b0ec6a4245cf64c798ccffb3b030a936151b530f9d65b
- SSDEEP: 1536:1teqKDlXvCDB04f5Gn/L8FlADNt3d1Hw8sl0:Olg35GTslA5t3/w8H
Malware Config
Signatures
Windows security bypass (signature name taken from the process tree below) 4 IoCs
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "25600" (process: ubhutat.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600" (process: ubhutat.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600" (process: ubhutat.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600" (process: ubhutat.exe)
Modifies Installed Components in the registry 2 TTPs 4 IoCs
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5549424E-514e-4d41-5549-424E514E4d41}\StubPath = "C:\\Windows\\system32\\oubmeafeas.exe" (process: ubhutat.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5549424E-514e-4d41-5549-424E514E4d41} (process: ubhutat.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5549424E-514e-4d41-5549-424E514E4d41}\01234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123 = "a" (process: ubhutat.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5549424E-514e-4d41-5549-424E514E4d41}\IsInstalled = "1" (process: ubhutat.exe)
Sets file execution options in registry 2 TTPs 3 IoCs
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger = "C:\\Windows\\system32\\opcooteax-evex.exe" (process: ubhutat.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe (process: ubhutat.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\0123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890 = "a" (process: ubhutat.exe)
Executes dropped EXE 2 IoCs
- pid 2440, ubhutat.exe
- pid 2644, ubhutat.exe
Loads dropped DLL 3 IoCs
- pid 2488, b9ad4481560f36da3fb203e1a0128940_NeikiAnalytics.exe
- pid 2488, b9ad4481560f36da3fb203e1a0128940_NeikiAnalytics.exe
- pid 2440, ubhutat.exe
Windows security modification (signature name taken from the process tree below) 4 IoCs
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "25600" (process: ubhutat.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600" (process: ubhutat.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600" (process: ubhutat.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600" (process: ubhutat.exe)
Modifies WinLogon 2 TTPs 5 IoCs
- Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B} (process: ubhutat.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify (process: ubhutat.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345 = "a" (process: ubhutat.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\DLLName = "C:\\Windows\\system32\\avbootoog.dll" (process: ubhutat.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\Startup = "Startup" (process: ubhutat.exe)
Drops file in System32 directory 9 IoCs
- File created C:\Windows\SysWOW64\ubhutat.exe (process: b9ad4481560f36da3fb203e1a0128940_NeikiAnalytics.exe)
- File created C:\Windows\SysWOW64\opcooteax-evex.exe (process: ubhutat.exe)
- File opened for modification C:\Windows\SysWOW64\oubmeafeas.exe (process: ubhutat.exe)
- File created C:\Windows\SysWOW64\oubmeafeas.exe (process: ubhutat.exe)
- File opened for modification C:\Windows\SysWOW64\avbootoog.dll (process: ubhutat.exe)
- File opened for modification C:\Windows\SysWOW64\ubhutat.exe (process: ubhutat.exe)
- File opened for modification C:\Windows\SysWOW64\ubhutat.exe (process: b9ad4481560f36da3fb203e1a0128940_NeikiAnalytics.exe)
- File created C:\Windows\SysWOW64\avbootoog.dll (process: ubhutat.exe)
- File opened for modification C:\Windows\SysWOW64\opcooteax-evex.exe (process: ubhutat.exe)
Suspicious behavior: EnumeratesProcesses 64 IoCs (identical rows collapsed)
- pid 2440, ubhutat.exe (all entries except one)
- pid 2644, ubhutat.exe (1 entry)
Suspicious use of AdjustPrivilegeToken 2 IoCs
- Token: SeDebugPrivilege, pid 2488, b9ad4481560f36da3fb203e1a0128940_NeikiAnalytics.exe
- Token: SeDebugPrivilege, pid 2440, ubhutat.exe
Suspicious use of WriteProcessMemory 64 IoCs (identical rows collapsed; columns are description, pid, Process, procid_target)
- PID 2488 wrote to memory of 2440; pid 2488, b9ad4481560f36da3fb203e1a0128940_NeikiAnalytics.exe, procid_target 28 (4 entries)
- PID 2440 wrote to memory of 432; pid 2440, ubhutat.exe, procid_target 5 (1 entry)
- PID 2440 wrote to memory of 2644; pid 2440, ubhutat.exe, procid_target 29 (4 entries)
- PID 2440 wrote to memory of 1212; pid 2440, ubhutat.exe, procid_target 21 (all remaining entries)
Processes
- C:\Windows\system32\winlogon.exe (command line: winlogon.exe), depth 1, PID 432
- C:\Windows\Explorer.EXE (command line: C:\Windows\Explorer.EXE), depth 1, PID 1212
  - C:\Users\Admin\AppData\Local\Temp\b9ad4481560f36da3fb203e1a0128940_NeikiAnalytics.exe (command line: "C:\Users\Admin\AppData\Local\Temp\b9ad4481560f36da3fb203e1a0128940_NeikiAnalytics.exe"), depth 2, PID 2488
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\ubhutat.exe (command line: "C:\Windows\system32\ubhutat.exe"), depth 3, PID 2440
      - Windows security bypass
      - Modifies Installed Components in the registry
      - Sets file execution options in registry
      - Executes dropped EXE
      - Loads dropped DLL
      - Windows security modification
      - Modifies WinLogon
      - Drops file in System32 directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\ubhutat.exe (command line: --k33p), depth 4, PID 2644
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads