afca54256d528d462830a9d90c2f3532625f0b7f7a9e9e0f95c0e439c6081d1b

Analysis

max time kernel
141s
max time network
126s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
14/05/2024, 14:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cac19898a5729ab707ba743724b3f8d0_NeikiAnalytics.exe
Size

510KB
MD5

cac19898a5729ab707ba743724b3f8d0
SHA1

481c18f83669307242f049decfe22e0bf00ef5ce
SHA256

afca54256d528d462830a9d90c2f3532625f0b7f7a9e9e0f95c0e439c6081d1b
SHA512

026f8de68599288cda0fd810714f41517aea15727ca9c8e2dd7c2ddcf499f58ec49b399a655311043d9989389d879c0276153c96bcfaaeb4dfcd1c6f54ac04ec
SSDEEP

12288:KkheH6hZYOYrInJ0JvQNy0+wcXP46sBmbvsTlgGrLfhtjQci:KkheahZnnJsvQNy0+wcXPkB9TbfhtS

Score

7^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2636	jrun32.exe
2316	jrun32.exe
2504	jrun32.exe

Loads dropped DLL 2 IoCs

pid	Process
2860	cac19898a5729ab707ba743724b3f8d0_NeikiAnalytics.exe
2860	cac19898a5729ab707ba743724b3f8d0_NeikiAnalytics.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2140-1-0x0000000000400000-0x0000000000496000-memory.dmp	upx
behavioral1/memory/2140-3-0x0000000000400000-0x0000000000496000-memory.dmp	upx
behavioral1/memory/2140-4-0x0000000000400000-0x0000000000496000-memory.dmp	upx
behavioral1/memory/2140-25-0x0000000000400000-0x0000000000496000-memory.dmp	upx
behavioral1/files/0x0009000000015018-28.dat	upx
behavioral1/memory/2636-35-0x0000000000400000-0x0000000000496000-memory.dmp	upx
behavioral1/memory/2636-40-0x0000000000400000-0x0000000000496000-memory.dmp	upx
behavioral1/memory/2636-42-0x0000000000400000-0x0000000000496000-memory.dmp	upx
behavioral1/memory/2636-91-0x0000000000400000-0x0000000000496000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\jrun32 = "C:\\Users\\Admin\\AppData\\Roaming\\AppData\\jrun32.exe -notray"	reg.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2140 set thread context of 2860	2140	cac19898a5729ab707ba743724b3f8d0_NeikiAnalytics.exe	28
PID 2636 set thread context of 2316	2636	jrun32.exe	30
PID 2636 set thread context of 2504	2636	jrun32.exe	31

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
2184	ipconfig.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
1200	reg.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2140	cac19898a5729ab707ba743724b3f8d0_NeikiAnalytics.exe
2860	cac19898a5729ab707ba743724b3f8d0_NeikiAnalytics.exe
2636	jrun32.exe
2316	jrun32.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 2140 wrote to memory of 2860	2140	cac19898a5729ab707ba743724b3f8d0_NeikiAnalytics.exe	28
PID 2140 wrote to memory of 2860	2140	cac19898a5729ab707ba743724b3f8d0_NeikiAnalytics.exe	28
PID 2140 wrote to memory of 2860	2140	cac19898a5729ab707ba743724b3f8d0_NeikiAnalytics.exe	28
PID 2140 wrote to memory of 2860	2140	cac19898a5729ab707ba743724b3f8d0_NeikiAnalytics.exe	28
PID 2140 wrote to memory of 2860	2140	cac19898a5729ab707ba743724b3f8d0_NeikiAnalytics.exe	28
PID 2140 wrote to memory of 2860	2140	cac19898a5729ab707ba743724b3f8d0_NeikiAnalytics.exe	28
PID 2140 wrote to memory of 2860	2140	cac19898a5729ab707ba743724b3f8d0_NeikiAnalytics.exe	28
PID 2140 wrote to memory of 2860	2140	cac19898a5729ab707ba743724b3f8d0_NeikiAnalytics.exe	28
PID 2140 wrote to memory of 2860	2140	cac19898a5729ab707ba743724b3f8d0_NeikiAnalytics.exe	28
PID 2860 wrote to memory of 2636	2860	cac19898a5729ab707ba743724b3f8d0_NeikiAnalytics.exe	29
PID 2860 wrote to memory of 2636	2860	cac19898a5729ab707ba743724b3f8d0_NeikiAnalytics.exe	29
PID 2860 wrote to memory of 2636	2860	cac19898a5729ab707ba743724b3f8d0_NeikiAnalytics.exe	29
PID 2860 wrote to memory of 2636	2860	cac19898a5729ab707ba743724b3f8d0_NeikiAnalytics.exe	29
PID 2636 wrote to memory of 2316	2636	jrun32.exe	30
PID 2636 wrote to memory of 2316	2636	jrun32.exe	30
PID 2636 wrote to memory of 2316	2636	jrun32.exe	30
PID 2636 wrote to memory of 2316	2636	jrun32.exe	30
PID 2636 wrote to memory of 2316	2636	jrun32.exe	30
PID 2636 wrote to memory of 2316	2636	jrun32.exe	30
PID 2636 wrote to memory of 2316	2636	jrun32.exe	30
PID 2636 wrote to memory of 2316	2636	jrun32.exe	30
PID 2636 wrote to memory of 2316	2636	jrun32.exe	30
PID 2636 wrote to memory of 2504	2636	jrun32.exe	31
PID 2636 wrote to memory of 2504	2636	jrun32.exe	31
PID 2636 wrote to memory of 2504	2636	jrun32.exe	31
PID 2636 wrote to memory of 2504	2636	jrun32.exe	31
PID 2636 wrote to memory of 2504	2636	jrun32.exe	31
PID 2636 wrote to memory of 2504	2636	jrun32.exe	31
PID 2636 wrote to memory of 2504	2636	jrun32.exe	31
PID 2636 wrote to memory of 2504	2636	jrun32.exe	31
PID 2636 wrote to memory of 2504	2636	jrun32.exe	31
PID 2636 wrote to memory of 2504	2636	jrun32.exe	31
PID 2636 wrote to memory of 2504	2636	jrun32.exe	31
PID 2636 wrote to memory of 2504	2636	jrun32.exe	31
PID 2316 wrote to memory of 2184	2316	jrun32.exe	32
PID 2316 wrote to memory of 2184	2316	jrun32.exe	32
PID 2316 wrote to memory of 2184	2316	jrun32.exe	32
PID 2316 wrote to memory of 2184	2316	jrun32.exe	32
PID 2316 wrote to memory of 2184	2316	jrun32.exe	32
PID 2316 wrote to memory of 2184	2316	jrun32.exe	32
PID 2184 wrote to memory of 2208	2184	ipconfig.exe	34
PID 2184 wrote to memory of 2208	2184	ipconfig.exe	34
PID 2184 wrote to memory of 2208	2184	ipconfig.exe	34
PID 2184 wrote to memory of 2208	2184	ipconfig.exe	34
PID 2208 wrote to memory of 1200	2208	cmd.exe	36
PID 2208 wrote to memory of 1200	2208	cmd.exe	36
PID 2208 wrote to memory of 1200	2208	cmd.exe	36
PID 2208 wrote to memory of 1200	2208	cmd.exe	36

C:\Users\Admin\AppData\Local\Temp\cac19898a5729ab707ba743724b3f8d0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\cac19898a5729ab707ba743724b3f8d0_NeikiAnalytics.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2140
- C:\Users\Admin\AppData\Local\Temp\cac19898a5729ab707ba743724b3f8d0_NeikiAnalytics.exe
  "C:\Users\Admin\AppData\Local\Temp\cac19898a5729ab707ba743724b3f8d0_NeikiAnalytics.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2860
- - C:\Users\Admin\AppData\Roaming\AppData\jrun32.exe
    C:\Users\Admin\AppData\Roaming\AppData\jrun32.exe -notray
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2636
  - - C:\Users\Admin\AppData\Roaming\AppData\jrun32.exe
      "C:\Users\Admin\AppData\Roaming\AppData\jrun32.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2316
    - - C:\Windows\SysWOW64\ipconfig.exe
        
        "C:\Windows\system32\ipconfig.exe"
        5⤵
        Gathers network information
        Suspicious use of WriteProcessMemory
        
        PID:2184
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\EOXFCQUG.bat" "
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2208
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v jrun32 /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\AppData\jrun32.exe -notray" /f
        7⤵
        Adds Run key to start application
        Modifies registry key
        
        PID:1200
  - - C:\Users\Admin\AppData\Roaming\AppData\jrun32.exe
      "C:\Users\Admin\AppData\Roaming\AppData\jrun32.exe"
      4⤵
      Executes dropped EXE
      PID:2504

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\EOXFCQUG.bat

Filesize
146B

MD5
f43ed9d2c73208eded7959a9b78c7814

SHA1
d8f0db46acffd54bd87051ad8e46f73b8dd47961

SHA256
707c5b61af860c851e76c8173f36a852089f68985a25356b1e47711265cea7f6

SHA512
b06f43d4029e372a53b36df2fc3091b7b546c65074770da3adb88be3c96c4288cc0247fb7408804f96ddbb6df305f230f288aa30355bf7b22865216130671d0d

Download Submit
\Users\Admin\AppData\Roaming\AppData\jrun32.exe

Filesize
510KB

MD5
232b13feb0ce0508291921a35e615404

SHA1
cb314d5d2d0d21978affafaebf848b131169b064

SHA256
5faafb46e2b35fb7857b7965054a6bdf0b0b5d2ccfc1369f8ef7054d0cae6ffb

SHA512
117600df10f6c9601d6f3e84837491b08202e91ad7cba67edb830a2c6970c6c1cc7e7aea359eff749f8471b05c5e5be6f69ad28a24129a617389e85cdf88a1a7

Download Submit
memory/2140-17-0x0000000000540000-0x0000000000541000-memory.dmp

Filesize
4KB

Download
memory/2140-3-0x0000000000400000-0x0000000000496000-memory.dmp

Filesize
600KB

Download
memory/2140-6-0x00000000004E0000-0x00000000004E1000-memory.dmp

Filesize
4KB

Download
memory/2140-4-0x0000000000400000-0x0000000000496000-memory.dmp

Filesize
600KB

Download
memory/2140-5-0x00000000004B0000-0x00000000004B1000-memory.dmp

Filesize
4KB

Download
memory/2140-1-0x0000000000400000-0x0000000000496000-memory.dmp

Filesize
600KB

Download
memory/2140-25-0x0000000000400000-0x0000000000496000-memory.dmp

Filesize
600KB

Download
memory/2140-18-0x0000000000550000-0x0000000000551000-memory.dmp

Filesize
4KB

Download
memory/2184-92-0x00000000000C0000-0x00000000000C1000-memory.dmp

Filesize
4KB

Download
memory/2316-98-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/2504-85-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2504-82-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2504-103-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2504-58-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2504-60-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2504-66-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2504-76-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2504-64-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2504-68-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2504-62-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2504-77-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2504-90-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2504-70-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2504-86-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2504-74-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2504-80-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2504-78-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2504-81-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2504-79-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2504-83-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2636-91-0x0000000000400000-0x0000000000496000-memory.dmp

Filesize
600KB

Download
memory/2636-42-0x0000000000400000-0x0000000000496000-memory.dmp

Filesize
600KB

Download
memory/2636-40-0x0000000000400000-0x0000000000496000-memory.dmp

Filesize
600KB

Download
memory/2636-35-0x0000000000400000-0x0000000000496000-memory.dmp

Filesize
600KB

Download
memory/2860-9-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/2860-7-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/2860-19-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/2860-15-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2860-11-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/2860-39-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads