Analysis
max time kernel: 149s
max time network: 120s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 14/05/2024, 14:06
Static task: static1
Behavioral task: behavioral1
Sample: c9b75457a8e8ca57aef5ee32ded79680_NeikiAnalytics.exe
Resource: win7-20231129-en
Behavioral task: behavioral2
Sample: c9b75457a8e8ca57aef5ee32ded79680_NeikiAnalytics.exe
Resource: win10v2004-20240508-en
General
Target: c9b75457a8e8ca57aef5ee32ded79680_NeikiAnalytics.exe
Size: 236KB
MD5: c9b75457a8e8ca57aef5ee32ded79680
SHA1: c0d7aedb10929c739694c344af9047d0cad9a9f8
SHA256: 01f97e40030a8f36e20abcff9d58fe222297e4211a942918777452af4806c27a
SHA512: 6e3d699236118f52a877c6d315a7262b4b8abf965e8f7c79f6b1e83b220f58fcb755511464622d9066632d6a551d4c9801de1c5ac490b83f8735c9ba5196496c
SSDEEP: 3072:K6VlhsJ0VsvyMZeIT51B8u0gWCyiHCUPqga:wSVuyMwItf8u0gWCyiHC
Malware Config
Signatures
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | c9b75457a8e8ca57aef5ee32ded79680_NeikiAnalytics.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | gueejoq.exe
Executes dropped EXE (1 IoC)
pid | Process
2376 | gueejoq.exe
Loads dropped DLL (2 IoCs)
pid | Process
2232 | c9b75457a8e8ca57aef5ee32ded79680_NeikiAnalytics.exe
2232 | c9b75457a8e8ca57aef5ee32ded79680_NeikiAnalytics.exe
Adds Run key to start application (2 TTPs, 27 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\gueejoq = "C:\\Users\\Admin\\gueejoq.exe /g" | gueejoq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\gueejoq = "C:\\Users\\Admin\\gueejoq.exe /z" | gueejoq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\gueejoq = "C:\\Users\\Admin\\gueejoq.exe /v" | gueejoq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\gueejoq = "C:\\Users\\Admin\\gueejoq.exe /w" | gueejoq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\gueejoq = "C:\\Users\\Admin\\gueejoq.exe /s" | gueejoq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\gueejoq = "C:\\Users\\Admin\\gueejoq.exe /t" | gueejoq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\gueejoq = "C:\\Users\\Admin\\gueejoq.exe /q" | gueejoq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\gueejoq = "C:\\Users\\Admin\\gueejoq.exe /j" | gueejoq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\gueejoq = "C:\\Users\\Admin\\gueejoq.exe /l" | gueejoq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\gueejoq = "C:\\Users\\Admin\\gueejoq.exe /d" | gueejoq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\gueejoq = "C:\\Users\\Admin\\gueejoq.exe /c" | gueejoq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\gueejoq = "C:\\Users\\Admin\\gueejoq.exe /f" | gueejoq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\gueejoq = "C:\\Users\\Admin\\gueejoq.exe /r" | c9b75457a8e8ca57aef5ee32ded79680_NeikiAnalytics.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\gueejoq = "C:\\Users\\Admin\\gueejoq.exe /o" | gueejoq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\gueejoq = "C:\\Users\\Admin\\gueejoq.exe /n" | gueejoq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\gueejoq = "C:\\Users\\Admin\\gueejoq.exe /m" | gueejoq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\gueejoq = "C:\\Users\\Admin\\gueejoq.exe /e" | gueejoq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\gueejoq = "C:\\Users\\Admin\\gueejoq.exe /x" | gueejoq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\gueejoq = "C:\\Users\\Admin\\gueejoq.exe /a" | gueejoq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\gueejoq = "C:\\Users\\Admin\\gueejoq.exe /k" | gueejoq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\gueejoq = "C:\\Users\\Admin\\gueejoq.exe /b" | gueejoq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\gueejoq = "C:\\Users\\Admin\\gueejoq.exe /i" | gueejoq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\gueejoq = "C:\\Users\\Admin\\gueejoq.exe /u" | gueejoq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\gueejoq = "C:\\Users\\Admin\\gueejoq.exe /y" | gueejoq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\gueejoq = "C:\\Users\\Admin\\gueejoq.exe /p" | gueejoq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\gueejoq = "C:\\Users\\Admin\\gueejoq.exe /r" | gueejoq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\gueejoq = "C:\\Users\\Admin\\gueejoq.exe /h" | gueejoq.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
2232 | c9b75457a8e8ca57aef5ee32ded79680_NeikiAnalytics.exe
2376 | gueejoq.exe
Suspicious use of SetWindowsHookEx (2 IoCs)
pid | Process
2232 | c9b75457a8e8ca57aef5ee32ded79680_NeikiAnalytics.exe
2376 | gueejoq.exe
Suspicious use of WriteProcessMemory (4 IoCs)
description | pid | Process | procid_target
PID 2232 wrote to memory of 2376 | 2232 | c9b75457a8e8ca57aef5ee32ded79680_NeikiAnalytics.exe | 28
PID 2232 wrote to memory of 2376 | 2232 | c9b75457a8e8ca57aef5ee32ded79680_NeikiAnalytics.exe | 28
PID 2232 wrote to memory of 2376 | 2232 | c9b75457a8e8ca57aef5ee32ded79680_NeikiAnalytics.exe | 28
PID 2232 wrote to memory of 2376 | 2232 | c9b75457a8e8ca57aef5ee32ded79680_NeikiAnalytics.exe | 28
Processes
1. C:\Users\Admin\AppData\Local\Temp\c9b75457a8e8ca57aef5ee32ded79680_NeikiAnalytics.exe (PID 2232)
   Command line: "C:\Users\Admin\AppData\Local\Temp\c9b75457a8e8ca57aef5ee32ded79680_NeikiAnalytics.exe"
   - Modifies visibility of hidden/system files in Explorer
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\gueejoq.exe (PID 2376), child of PID 2232
      Command line: "C:\Users\Admin\gueejoq.exe"
      - Modifies visibility of hidden/system files in Explorer
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 236KB
MD5: c645c808f5aaf6403db0363d89249992
SHA1: d607d8cc1c60a49eadfdec56ee9bcfacc13c59bc
SHA256: a9c3fb5f8f701b84086f064d2eee520ef88f7c6f3a22558c90209ffb4910fa41
SHA512: 86afe15899d7cfbccbab1786ff8c25372eeb490b0e67996c274c031957adf23f4edeb3991400e014fce06d2a237c54ba8c75338e72cb108042745d855f66108f