1b2e1929601cdf45d0f2ee5875758c74bd5723ca8be1d3400bbe27db231f2785

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
14/05/2024, 15:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cbbf1380aa0b20b6dc71dde6ae9311e0_NeikiAnalytics.exe
Size

96KB
MD5

cbbf1380aa0b20b6dc71dde6ae9311e0
SHA1

8979f0d70fc98c05a7ea40d93f08e014924963f1
SHA256

1b2e1929601cdf45d0f2ee5875758c74bd5723ca8be1d3400bbe27db231f2785
SHA512

d7af1756b22918128e28ae0d3d319c7db67fd30c26af77872894e6054b5bacf9a006ffc183ce0d6df5f0d70fda0c75f58cfe452a66056389957025135d9b8015
SSDEEP

768:ef4JA5kWTdnURLQ/JD60XDeVtA5YwmHwWW2icNe78ljNZQcytSq:eZkSdIQ/JDHKa5EJWceYljNZQTSq

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	cbbf1380aa0b20b6dc71dde6ae9311e0_NeikiAnalytics.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	biruc.exe

Executes dropped EXE 1 IoCs

pid	Process
2000	biruc.exe

Loads dropped DLL 2 IoCs

pid	Process
3016	cbbf1380aa0b20b6dc71dde6ae9311e0_NeikiAnalytics.exe
3016	cbbf1380aa0b20b6dc71dde6ae9311e0_NeikiAnalytics.exe

Adds Run key to start application 2 TTPs 27 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\biruc = "C:\\Users\\Admin\\biruc.exe /t"	biruc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\biruc = "C:\\Users\\Admin\\biruc.exe /r"	biruc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\biruc = "C:\\Users\\Admin\\biruc.exe /c"	biruc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\biruc = "C:\\Users\\Admin\\biruc.exe /k"	biruc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\biruc = "C:\\Users\\Admin\\biruc.exe /n"	biruc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\biruc = "C:\\Users\\Admin\\biruc.exe /h"	biruc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\biruc = "C:\\Users\\Admin\\biruc.exe /y"	biruc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\biruc = "C:\\Users\\Admin\\biruc.exe /a"	biruc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\biruc = "C:\\Users\\Admin\\biruc.exe /f"	biruc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\biruc = "C:\\Users\\Admin\\biruc.exe /w"	biruc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\biruc = "C:\\Users\\Admin\\biruc.exe /g"	biruc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\biruc = "C:\\Users\\Admin\\biruc.exe /l"	biruc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\biruc = "C:\\Users\\Admin\\biruc.exe /u"	biruc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\biruc = "C:\\Users\\Admin\\biruc.exe /j"	biruc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\biruc = "C:\\Users\\Admin\\biruc.exe /z"	biruc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\biruc = "C:\\Users\\Admin\\biruc.exe /p"	biruc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\biruc = "C:\\Users\\Admin\\biruc.exe /b"	biruc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\biruc = "C:\\Users\\Admin\\biruc.exe /m"	biruc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\biruc = "C:\\Users\\Admin\\biruc.exe /r"	cbbf1380aa0b20b6dc71dde6ae9311e0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\biruc = "C:\\Users\\Admin\\biruc.exe /x"	biruc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\biruc = "C:\\Users\\Admin\\biruc.exe /i"	biruc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\biruc = "C:\\Users\\Admin\\biruc.exe /v"	biruc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\biruc = "C:\\Users\\Admin\\biruc.exe /e"	biruc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\biruc = "C:\\Users\\Admin\\biruc.exe /s"	biruc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\biruc = "C:\\Users\\Admin\\biruc.exe /q"	biruc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\biruc = "C:\\Users\\Admin\\biruc.exe /o"	biruc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\biruc = "C:\\Users\\Admin\\biruc.exe /d"	biruc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3016	cbbf1380aa0b20b6dc71dde6ae9311e0_NeikiAnalytics.exe
2000	biruc.exe
2000	biruc.exe
2000	biruc.exe
2000	biruc.exe
2000	biruc.exe
2000	biruc.exe
2000	biruc.exe
2000	biruc.exe
2000	biruc.exe
2000	biruc.exe
2000	biruc.exe
2000	biruc.exe
2000	biruc.exe
2000	biruc.exe
2000	biruc.exe
2000	biruc.exe
2000	biruc.exe
2000	biruc.exe
2000	biruc.exe
2000	biruc.exe
2000	biruc.exe
2000	biruc.exe
2000	biruc.exe
2000	biruc.exe
2000	biruc.exe
2000	biruc.exe
2000	biruc.exe
2000	biruc.exe
2000	biruc.exe
2000	biruc.exe
2000	biruc.exe
2000	biruc.exe
2000	biruc.exe
2000	biruc.exe
2000	biruc.exe
2000	biruc.exe
2000	biruc.exe
2000	biruc.exe
2000	biruc.exe
2000	biruc.exe
2000	biruc.exe
2000	biruc.exe
2000	biruc.exe
2000	biruc.exe
2000	biruc.exe
2000	biruc.exe
2000	biruc.exe
2000	biruc.exe
2000	biruc.exe
2000	biruc.exe
2000	biruc.exe
2000	biruc.exe
2000	biruc.exe
2000	biruc.exe
2000	biruc.exe
2000	biruc.exe
2000	biruc.exe
2000	biruc.exe
2000	biruc.exe
2000	biruc.exe
2000	biruc.exe
2000	biruc.exe
2000	biruc.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3016	cbbf1380aa0b20b6dc71dde6ae9311e0_NeikiAnalytics.exe
2000	biruc.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3016 wrote to memory of 2000	3016	cbbf1380aa0b20b6dc71dde6ae9311e0_NeikiAnalytics.exe	28
PID 3016 wrote to memory of 2000	3016	cbbf1380aa0b20b6dc71dde6ae9311e0_NeikiAnalytics.exe	28
PID 3016 wrote to memory of 2000	3016	cbbf1380aa0b20b6dc71dde6ae9311e0_NeikiAnalytics.exe	28
PID 3016 wrote to memory of 2000	3016	cbbf1380aa0b20b6dc71dde6ae9311e0_NeikiAnalytics.exe	28

C:\Users\Admin\AppData\Local\Temp\cbbf1380aa0b20b6dc71dde6ae9311e0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\cbbf1380aa0b20b6dc71dde6ae9311e0_NeikiAnalytics.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3016
- C:\Users\Admin\biruc.exe
  "C:\Users\Admin\biruc.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\biruc.exe

Filesize
96KB

MD5
b93111cd06ffad3dc8184f02bd2b0027

SHA1
9d051f04d6e0c013f3151d6d71fe8d17fd58e1d4

SHA256
c06172862f1b0718520279d209913d7c2391be122ab9af6a782cad6498cf44f8

SHA512
bdcdb750cbde92d25e01c60a844456a98653b82228934897ff3e03e686db1d040f27f4ef2736aecb400be099190711acce6d87d3a1cbf57ff07eee02897b855e

Download Submit
memory/2000-15-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2000-21-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3016-0-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3016-13-0x0000000002660000-0x0000000002678000-memory.dmp

Filesize
96KB

Download
memory/3016-19-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3016-20-0x0000000002660000-0x0000000002678000-memory.dmp

Filesize
96KB

Download