Analysis
max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14-05-2024 14:06
Static task: static1
Behavioral task: behavioral1
  Sample: c9b75457a8e8ca57aef5ee32ded79680_NeikiAnalytics.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: c9b75457a8e8ca57aef5ee32ded79680_NeikiAnalytics.exe
  Resource: win10v2004-20240508-en
General
Target: c9b75457a8e8ca57aef5ee32ded79680_NeikiAnalytics.exe
Size: 236KB
MD5: c9b75457a8e8ca57aef5ee32ded79680
SHA1: c0d7aedb10929c739694c344af9047d0cad9a9f8
SHA256: 01f97e40030a8f36e20abcff9d58fe222297e4211a942918777452af4806c27a
SHA512: 6e3d699236118f52a877c6d315a7262b4b8abf965e8f7c79f6b1e83b220f58fcb755511464622d9066632d6a551d4c9801de1c5ac490b83f8735c9ba5196496c
SSDEEP: 3072:K6VlhsJ0VsvyMZeIT51B8u0gWCyiHCUPqga:wSVuyMwItf8u0gWCyiHC
Malware Config
Signatures
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | c9b75457a8e8ca57aef5ee32ded79680_NeikiAnalytics.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | bjfiub.exe
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | c9b75457a8e8ca57aef5ee32ded79680_NeikiAnalytics.exe
Executes dropped EXE (1 IoCs)
pid | Process
3400 | bjfiub.exe
Adds Run key to start application (2 TTPs, 27 IoCs)
All 27 entries are "Set value (str)" writes to the same key, \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bjfiub; the value written and the writing process for each entry:
value | Process
"C:\\Users\\Admin\\bjfiub.exe /t" | bjfiub.exe
"C:\\Users\\Admin\\bjfiub.exe /g" | bjfiub.exe
"C:\\Users\\Admin\\bjfiub.exe /m" | bjfiub.exe
"C:\\Users\\Admin\\bjfiub.exe /n" | bjfiub.exe
"C:\\Users\\Admin\\bjfiub.exe /b" | bjfiub.exe
"C:\\Users\\Admin\\bjfiub.exe /a" | bjfiub.exe
"C:\\Users\\Admin\\bjfiub.exe /u" | bjfiub.exe
"C:\\Users\\Admin\\bjfiub.exe /c" | bjfiub.exe
"C:\\Users\\Admin\\bjfiub.exe /r" | bjfiub.exe
"C:\\Users\\Admin\\bjfiub.exe /q" | bjfiub.exe
"C:\\Users\\Admin\\bjfiub.exe /o" | bjfiub.exe
"C:\\Users\\Admin\\bjfiub.exe /f" | bjfiub.exe
"C:\\Users\\Admin\\bjfiub.exe /v" | bjfiub.exe
"C:\\Users\\Admin\\bjfiub.exe /h" | bjfiub.exe
"C:\\Users\\Admin\\bjfiub.exe /z" | bjfiub.exe
"C:\\Users\\Admin\\bjfiub.exe /j" | bjfiub.exe
"C:\\Users\\Admin\\bjfiub.exe /l" | bjfiub.exe
"C:\\Users\\Admin\\bjfiub.exe /e" | bjfiub.exe
"C:\\Users\\Admin\\bjfiub.exe /d" | bjfiub.exe
"C:\\Users\\Admin\\bjfiub.exe /w" | bjfiub.exe
"C:\\Users\\Admin\\bjfiub.exe /x" | bjfiub.exe
"C:\\Users\\Admin\\bjfiub.exe /k" | bjfiub.exe
"C:\\Users\\Admin\\bjfiub.exe /s" | bjfiub.exe
"C:\\Users\\Admin\\bjfiub.exe /y" | bjfiub.exe
"C:\\Users\\Admin\\bjfiub.exe /p" | bjfiub.exe
"C:\\Users\\Admin\\bjfiub.exe /q" | c9b75457a8e8ca57aef5ee32ded79680_NeikiAnalytics.exe
"C:\\Users\\Admin\\bjfiub.exe /i" | bjfiub.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
5080 | c9b75457a8e8ca57aef5ee32ded79680_NeikiAnalytics.exe (2 entries)
3400 | bjfiub.exe (the remaining 62 entries, all identical)
Suspicious use of SetWindowsHookEx (2 IoCs)
pid | Process
5080 | c9b75457a8e8ca57aef5ee32ded79680_NeikiAnalytics.exe
3400 | bjfiub.exe
Suspicious use of WriteProcessMemory (3 IoCs)
description | pid | Process | procid_target
PID 5080 wrote to memory of 3400 | 5080 | c9b75457a8e8ca57aef5ee32ded79680_NeikiAnalytics.exe | 87
PID 5080 wrote to memory of 3400 | 5080 | c9b75457a8e8ca57aef5ee32ded79680_NeikiAnalytics.exe | 87
PID 5080 wrote to memory of 3400 | 5080 | c9b75457a8e8ca57aef5ee32ded79680_NeikiAnalytics.exe | 87
Processes
1. C:\Users\Admin\AppData\Local\Temp\c9b75457a8e8ca57aef5ee32ded79680_NeikiAnalytics.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\c9b75457a8e8ca57aef5ee32ded79680_NeikiAnalytics.exe"
   PID: 5080
   - Modifies visibility of hidden/system files in Explorer
   - Checks computer location settings
   - Adds Run key to start application
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\bjfiub.exe (child of PID 5080)
      Command line: "C:\Users\Admin\bjfiub.exe"
      PID: 3400
      - Modifies visibility of hidden/system files in Explorer
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 236KB
MD5: d754399e4451235cfd88e1d1ae974bd2
SHA1: b7c8c9d554271f106a994b10b117a6cb41b79a4d
SHA256: 879fe1d669e78a0df3c22d486484df90f0521970e60a4b83b40b1e6b12e6dcef
SHA512: 256f754945da76ec49703fa7834f59f1db407cb8ba90a140226a118d4d0c8ab1d8fd3d64108fdd2d5610edc8d8ba2a956b7bfce715b9ee4c6cc68e9a102e2f11