Analysis
- max time kernel: 146s
- max time network: 134s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 14-05-2024 14:59
Behavioral task: behavioral1
- Sample: cb59b7223e3c72ace8880b9af8504a10_NeikiAnalytics.exe
- Resource: win7-20240508-en
Behavioral task: behavioral2
- Sample: cb59b7223e3c72ace8880b9af8504a10_NeikiAnalytics.exe
- Resource: win10v2004-20240508-en
General
- Target: cb59b7223e3c72ace8880b9af8504a10_NeikiAnalytics.exe
- Size: 45KB
- MD5: cb59b7223e3c72ace8880b9af8504a10
- SHA1: 9323da246829cbc88768ceb6ab1f736561cc460f
- SHA256: f88af3709e605abd1db9513ddcf0c92ebb97497cbd5d3006679352fcd7651eb9
- SHA512: 8b29b68d835cc4e50ab39379ce2e17d19eacf789080892d0770e4fdc068f33c615f566d6175265971a05798277974fe71fbc1e569d6072ccff37aaced903b030
- SSDEEP: 768:5hP0kDE9N5dCA8J7VHXdrIniQaBTT+QQ+r1n4K8+C9TtIuCjaqUODvJVQ2f:jsWE9N5dFu53dsniQaB/xZ14n7zIF+qr
Malware Config
Signatures
- Processes:
  resource: behavioral2/memory/3680-0-0x0000000000400000-0x000000000041D000-memory.dmp
  yara_rule: upx
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes:
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2F787E48 = "C:\\Users\\Admin\\AppData\\Roaming\\2F787E48\\bin.exe"
  process: winver.exe
- Program crash (1 IoCs)
  Processes:
  pid: 2540, pid_target: 1384, process: WerFault.exe, target process: winver.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
  pid: 1384, process: winver.exe
  pid: 1384, process: winver.exe
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes:
  description: Token: SeShutdownPrivilege, pid: 3432, process: Explorer.EXE
  description: Token: SeCreatePagefilePrivilege, pid: 3432, process: Explorer.EXE
  description: Token: SeShutdownPrivilege, pid: 3432, process: Explorer.EXE
  description: Token: SeCreatePagefilePrivilege, pid: 3432, process: Explorer.EXE
- Suspicious use of FindShellTrayWindow (1 IoCs)
  Processes:
  pid: 1384, process: winver.exe
- Suspicious use of UnmapMainImage (1 IoCs)
  Processes:
  pid: 3432, process: Explorer.EXE
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
  description: PID 3680 wrote to memory of 1384, pid: 3680, process: cb59b7223e3c72ace8880b9af8504a10_NeikiAnalytics.exe, target process: winver.exe
  description: PID 3680 wrote to memory of 1384, pid: 3680, process: cb59b7223e3c72ace8880b9af8504a10_NeikiAnalytics.exe, target process: winver.exe
  description: PID 3680 wrote to memory of 1384, pid: 3680, process: cb59b7223e3c72ace8880b9af8504a10_NeikiAnalytics.exe, target process: winver.exe
  description: PID 3680 wrote to memory of 1384, pid: 3680, process: cb59b7223e3c72ace8880b9af8504a10_NeikiAnalytics.exe, target process: winver.exe
  description: PID 1384 wrote to memory of 3432, pid: 1384, process: winver.exe, target process: Explorer.EXE
  description: PID 1384 wrote to memory of 2828, pid: 1384, process: winver.exe, target process: sihost.exe
Processes
- C:\Windows\system32\sihost.exe
  command line: sihost.exe
- C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of UnmapMainImage
  - C:\Users\Admin\AppData\Local\Temp\cb59b7223e3c72ace8880b9af8504a10_NeikiAnalytics.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\cb59b7223e3c72ace8880b9af8504a10_NeikiAnalytics.exe"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\winver.exe
      command line: winver
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\WerFault.exe
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1384 -s 352
        - Program crash
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4084,i,5711962389779687290,1245653010537220991,262144 --variations-seed-version --mojo-platform-channel-handle=4008 /prefetch:8
- C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 204 -p 1384 -ip 1384
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- memory/1384-5-0x0000000000A90000-0x0000000000A96000-memory.dmp, Filesize: 24KB
- memory/1384-14-0x0000000000A90000-0x0000000000A96000-memory.dmp, Filesize: 24KB
- memory/1384-8-0x00007FFC24F70000-0x00007FFC25165000-memory.dmp, Filesize: 2.0MB
- memory/1384-6-0x0000000077D22000-0x0000000077D23000-memory.dmp, Filesize: 4KB
- memory/2828-13-0x00000000008A0000-0x00000000008A6000-memory.dmp, Filesize: 24KB
- memory/3432-2-0x0000000000B30000-0x0000000000B36000-memory.dmp, Filesize: 24KB
- memory/3432-7-0x00007FFC2500D000-0x00007FFC2500E000-memory.dmp, Filesize: 4KB
- memory/3432-3-0x0000000000B30000-0x0000000000B36000-memory.dmp, Filesize: 24KB
- memory/3432-16-0x00007FFC251A0000-0x00007FFC251A1000-memory.dmp, Filesize: 4KB
- memory/3680-4-0x0000000002210000-0x0000000002C10000-memory.dmp, Filesize: 10.0MB
- memory/3680-0-0x0000000000400000-0x000000000041D000-memory.dmp, Filesize: 116KB
- memory/3680-9-0x0000000000400000-0x000000000041D000-memory.dmp, Filesize: 116KB
- memory/3680-1-0x0000000000570000-0x0000000000571000-memory.dmp, Filesize: 4KB