8a78df15f0c83a823f8717809151e97b27c56928b7ee36d34d616ca80be76aea

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
14-05-2024 20:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1c38cd24ba7037872b4af4a6f9a56ee0_NeikiAnalytics.exe
Size

82KB
MD5

1c38cd24ba7037872b4af4a6f9a56ee0
SHA1

7ddaf91cdba9d05beaf63f0a67b619510b1e8c6a
SHA256

8a78df15f0c83a823f8717809151e97b27c56928b7ee36d34d616ca80be76aea
SHA512

46be882ac600cbbe52c325f4bb44ae2be078e1ebf15650550361fe8727d65c45ab293901f9f7841829083d0d9369c67799ecc84de273a8d1ea9b499735dde118
SSDEEP

1536:4aiqH1s+kCtrA2UMT0mTFibDKa1XkHnsvxLDZZf+J:51B31bdBob2QXacxvX+J

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe sIRC4.exe"	1c38cd24ba7037872b4af4a6f9a56ee0_NeikiAnalytics.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\sIRC4.exe	1c38cd24ba7037872b4af4a6f9a56ee0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\xdccPrograms\7zFM.exe	1c38cd24ba7037872b4af4a6f9a56ee0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\7zG.exe	1c38cd24ba7037872b4af4a6f9a56ee0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\xdccPrograms\Uninstall.exe	1c38cd24ba7037872b4af4a6f9a56ee0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\xdccPrograms\InspectorOfficeGadget.exe	1c38cd24ba7037872b4af4a6f9a56ee0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\DC++ Share\msinfo32.exe	1c38cd24ba7037872b4af4a6f9a56ee0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\DC++ Share\extcheck.exe	1c38cd24ba7037872b4af4a6f9a56ee0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\ShapeCollector.exe	1c38cd24ba7037872b4af4a6f9a56ee0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\DC++ Share\OSE.exe	1c38cd24ba7037872b4af4a6f9a56ee0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\appletviewer.exe	1c38cd24ba7037872b4af4a6f9a56ee0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\idlj.exe	1c38cd24ba7037872b4af4a6f9a56ee0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\DC++ Share\jabswitch.exe	1c38cd24ba7037872b4af4a6f9a56ee0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\javadoc.exe	1c38cd24ba7037872b4af4a6f9a56ee0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\DC++ Share\ShapeCollector.exe	1c38cd24ba7037872b4af4a6f9a56ee0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\TabTip.exe	1c38cd24ba7037872b4af4a6f9a56ee0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\DC++ Share\setup.exe	1c38cd24ba7037872b4af4a6f9a56ee0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\chrome_proxy.exe	1c38cd24ba7037872b4af4a6f9a56ee0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\DC++ Share\ExtExport.exe	1c38cd24ba7037872b4af4a6f9a56ee0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\ExtExport.exe	1c38cd24ba7037872b4af4a6f9a56ee0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\DC++ Share\jar.exe	1c38cd24ba7037872b4af4a6f9a56ee0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\setup.exe	1c38cd24ba7037872b4af4a6f9a56ee0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\DC++ Share\master_prefere.exe	1c38cd24ba7037872b4af4a6f9a56ee0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\ieinstal.exe	1c38cd24ba7037872b4af4a6f9a56ee0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\DC++ Share\jarsigner.exe	1c38cd24ba7037872b4af4a6f9a56ee0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\DC++ Share\javac.exe	1c38cd24ba7037872b4af4a6f9a56ee0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\DC++ Share\mip.exe	1c38cd24ba7037872b4af4a6f9a56ee0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\DC++ Share\chrome_pwa_launcher.exe	1c38cd24ba7037872b4af4a6f9a56ee0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\jabswitch.exe	1c38cd24ba7037872b4af4a6f9a56ee0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\java.exe	1c38cd24ba7037872b4af4a6f9a56ee0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\DC++ Share\elevation_service.exe	1c38cd24ba7037872b4af4a6f9a56ee0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\DC++ Share\ieinstal.exe	1c38cd24ba7037872b4af4a6f9a56ee0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\extcheck.exe	1c38cd24ba7037872b4af4a6f9a56ee0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\DC++ Share\idlj.exe	1c38cd24ba7037872b4af4a6f9a56ee0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\java-rmi.exe	1c38cd24ba7037872b4af4a6f9a56ee0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\7z.exe	1c38cd24ba7037872b4af4a6f9a56ee0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\DC++ Share\chrmstp.exe	1c38cd24ba7037872b4af4a6f9a56ee0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\DC++ Share\java.exe	1c38cd24ba7037872b4af4a6f9a56ee0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\DC++ Share\notification_helper.exe	1c38cd24ba7037872b4af4a6f9a56ee0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\jarsigner.exe	1c38cd24ba7037872b4af4a6f9a56ee0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\DC++ Share\javadoc.exe	1c38cd24ba7037872b4af4a6f9a56ee0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\xdccPrograms\7z.exe	1c38cd24ba7037872b4af4a6f9a56ee0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\xdccPrograms\MavInject32.exe	1c38cd24ba7037872b4af4a6f9a56ee0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\DC++ Share\dotnet.exe	1c38cd24ba7037872b4af4a6f9a56ee0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\DC++ Share\createdump.exe	1c38cd24ba7037872b4af4a6f9a56ee0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\chrmstp.exe	1c38cd24ba7037872b4af4a6f9a56ee0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\DC++ Share\iediagcmd.exe	1c38cd24ba7037872b4af4a6f9a56ee0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\iediagcmd.exe	1c38cd24ba7037872b4af4a6f9a56ee0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\xdccPrograms\AppVShNotify.exe	1c38cd24ba7037872b4af4a6f9a56ee0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\chrome_pwa_launcher.exe	1c38cd24ba7037872b4af4a6f9a56ee0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\MavInject32.exe	1c38cd24ba7037872b4af4a6f9a56ee0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\DC++ Share\InputPersonalization.exe	1c38cd24ba7037872b4af4a6f9a56ee0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\DC++ Share\LICLUA.exe	1c38cd24ba7037872b4af4a6f9a56ee0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\DC++ Share\VSTOInstaller.exe	1c38cd24ba7037872b4af4a6f9a56ee0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\DC++ Share\chrome.exe	1c38cd24ba7037872b4af4a6f9a56ee0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\DC++ Share\OfficeClickToRun.exe	1c38cd24ba7037872b4af4a6f9a56ee0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\dotnet.exe	1c38cd24ba7037872b4af4a6f9a56ee0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\master_prefere.exe	1c38cd24ba7037872b4af4a6f9a56ee0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\RCXA9D3.tmp	1c38cd24ba7037872b4af4a6f9a56ee0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\iexplore.exe	1c38cd24ba7037872b4af4a6f9a56ee0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\Uninstall.exe	1c38cd24ba7037872b4af4a6f9a56ee0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\DC++ Share\TabTip.exe	1c38cd24ba7037872b4af4a6f9a56ee0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\LICLUA.exe	1c38cd24ba7037872b4af4a6f9a56ee0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\createdump.exe	1c38cd24ba7037872b4af4a6f9a56ee0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\DC++ Share\chrome_proxy.exe	1c38cd24ba7037872b4af4a6f9a56ee0_NeikiAnalytics.exe

C:\Users\Admin\AppData\Local\Temp\1c38cd24ba7037872b4af4a6f9a56ee0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\1c38cd24ba7037872b4af4a6f9a56ee0_NeikiAnalytics.exe"
1⤵
- Modifies WinLogon for persistence
- Drops file in System32 directory
PID:3440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\xdccPrograms\7zG.exe

Filesize
683KB

MD5
b13c76b1a606d7d0919533b26f545a1e

SHA1
ee3ce558655238ed4feb94f08847d2b51fa78f5d

SHA256
c8d7894722c7dfab8d9a159589c6b678c1f435bc0489029a7333129c7388495a

SHA512
03ee9eeb213a9fbb12abfc10211289510f761d0a15bfcf3178d96cbf9cf40ca36d4dd7a81545e69be10b21778ddc75362ad0eb0906a2dbee8a9295b5a17acb1b

Download Submit
memory/3440-16-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3440-17-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3440-18-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3440-19-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3440-20-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3440-21-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3440-22-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3440-23-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3440-24-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3440-25-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3440-27-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3440-28-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3440-45-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3440-51-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads