Analysis
max time kernel: 149s
max time network: 120s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 14/05/2024, 21:17
Static task: static1
Behavioral task: behavioral1
  Sample: 29a7c6a853a84d82207188dea7ee42a0_NeikiAnalytics.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: 29a7c6a853a84d82207188dea7ee42a0_NeikiAnalytics.exe
  Resource: win10v2004-20240508-en
General
Target: 29a7c6a853a84d82207188dea7ee42a0_NeikiAnalytics.exe
Size: 72KB
MD5: 29a7c6a853a84d82207188dea7ee42a0
SHA1: 5e6db2d1eb483a6413ca16ce5f4a040fe4616714
SHA256: 65e11553ee26ee7f964212f5b7a7b7f40b49c677c31bd3d748833ac11cfe8fed
SHA512: 8c0c5641d11c5432c034c23738743216d63e99c66adf678f726911ee3e963f5adccf89914bbb80cc8fe83c9d81e33cbf8f85a47e970e527de1f435a97d4d298e
SSDEEP: 1536:xFA56h4XCr4FQ1qOFufvaxsYK281DHK2Fs6UDhDZFSLHXVGIyne/:Di6aQR0XLF1Dqb6UDhDZFSLHXVEe/
Malware Config
Signatures
(each row: description, IoC, process)

Windows security bypass (4 IoCs)
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600"  npitar-uhed.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600"  npitar-uhed.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600"  npitar-uhed.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "25600"  npitar-uhed.exe
Modifies Installed Components in the registry (2 TTPs, 4 IoCs)
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{53434647-4252-4254-5343-464742524254}\StubPath = "C:\\Windows\\system32\\ouckecax.exe"  npitar-uhed.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{53434647-4252-4254-5343-464742524254}  npitar-uhed.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{53434647-4252-4254-5343-464742524254}\01234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123 = "a"  npitar-uhed.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{53434647-4252-4254-5343-464742524254}\IsInstalled = "1"  npitar-uhed.exe
Sets file execution options in registry (2 TTPs, 3 IoCs)
  Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe  npitar-uhed.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\0123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890 = "a"  npitar-uhed.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger = "C:\\Windows\\system32\\easdutas.exe"  npitar-uhed.exe
Executes dropped EXE (2 IoCs)
  pid 2208  npitar-uhed.exe
  pid 2544  npitar-uhed.exe

Loads dropped DLL (3 IoCs)
  pid 2364  29a7c6a853a84d82207188dea7ee42a0_NeikiAnalytics.exe
  pid 2364  29a7c6a853a84d82207188dea7ee42a0_NeikiAnalytics.exe
  pid 2208  npitar-uhed.exe
Windows security modification (4 IoCs)
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600"  npitar-uhed.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "25600"  npitar-uhed.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600"  npitar-uhed.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600"  npitar-uhed.exe
Modifies WinLogon (2 TTPs, 5 IoCs)
  Key created      \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}  npitar-uhed.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify  npitar-uhed.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345 = "a"  npitar-uhed.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\DLLName = "C:\\Windows\\system32\\ifrigac-udoot.dll"  npitar-uhed.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\Startup = "Startup"  npitar-uhed.exe
Drops file in System32 directory (9 IoCs)
  File created                C:\Windows\SysWOW64\npitar-uhed.exe    29a7c6a853a84d82207188dea7ee42a0_NeikiAnalytics.exe
  File created                C:\Windows\SysWOW64\easdutas.exe       npitar-uhed.exe
  File opened for modification C:\Windows\SysWOW64\ifrigac-udoot.dll  npitar-uhed.exe
  File created                C:\Windows\SysWOW64\ifrigac-udoot.dll  npitar-uhed.exe
  File opened for modification C:\Windows\SysWOW64\npitar-uhed.exe    29a7c6a853a84d82207188dea7ee42a0_NeikiAnalytics.exe
  File opened for modification C:\Windows\SysWOW64\ouckecax.exe       npitar-uhed.exe
  File created                C:\Windows\SysWOW64\ouckecax.exe       npitar-uhed.exe
  File opened for modification C:\Windows\SysWOW64\npitar-uhed.exe    npitar-uhed.exe
  File opened for modification C:\Windows\SysWOW64\easdutas.exe       npitar-uhed.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid 2208  npitar-uhed.exe  (all but one of the 64 logged events)
  pid 2544  npitar-uhed.exe  (1 event)
Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege  pid 2208  npitar-uhed.exe
Suspicious use of WriteProcessMemory (64 IoCs)
(each row: source pid and process, target pid, procid_target, number of logged calls)
  2364 29a7c6a853a84d82207188dea7ee42a0_NeikiAnalytics.exe wrote to memory of 2208 (npitar-uhed.exe)  procid_target 28  4 calls
  2208 npitar-uhed.exe wrote to memory of 436 (winlogon.exe)  procid_target 5  1 call
  2208 npitar-uhed.exe wrote to memory of 1372 (Explorer.EXE)  procid_target 21  remaining 55 of the 64 logged calls
  2208 npitar-uhed.exe wrote to memory of 2544 (npitar-uhed.exe --k33p)  procid_target 29  4 calls
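Two details in the tables above are worth a second look before these IoCs are copied into a hunt. First, every autostart key except the IFEO one sits under Wow6432Node and every dropped file landed in C:\Windows\SysWOW64, so npitar-uhed.exe is a 32-bit image running under WoW64 on this x64 host; the string values it wrote nevertheless name C:\Windows\system32\..., the path the process asked for before file-system redirection sent the writes to SysWOW64. A 64-bit reader of those values (the real System32) will not find the files; only a 32-bit process under WoW64 sees the SysWOW64 copies. Second, the Image File Execution Options key is one of the registry paths WoW64 does not redirect, which is why that entry appears under the native HKLM\SOFTWARE\Microsoft path. The script below is an added example written for this page, not output of the sandbox: it parses rows in the report's own "Set value (type) \REGISTRY\... = "value"" layout, maps each row to the ATT&CK technique it implements (that mapping is the editor's, the report does not state one), and cross-checks each file path named in the registry against the "Drops file in System32 directory" list. The sample rows and the dropped-file list are copied from the tables above; everything else is an assumption of the example.

```python
"""Registry-IoC triage for a Triage-style sandbox report.

Added example (editor's code, not the sandbox's). Parses "Set value" rows,
maps each to the persistence or defence-evasion technique it implements,
and flags file paths that the registry names but the sample never wrote
there (the WoW64 file-system redirection caveat).
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed input: the registry rows attributed to npitar-uhed.exe in the report,
# copied as the report prints them (string values carry doubled backslashes).
REGISTRY_IOCS = r"""
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600"
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600"
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600"
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "25600"
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{53434647-4252-4254-5343-464742524254}\StubPath = "C:\\Windows\\system32\\ouckecax.exe"
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{53434647-4252-4254-5343-464742524254}\IsInstalled = "1"
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger = "C:\\Windows\\system32\\easdutas.exe"
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\DLLName = "C:\\Windows\\system32\\ifrigac-udoot.dll"
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\Startup = "Startup"
"""

# Constructed input: the "Drops file in System32 directory" list from the report.
DROPPED_FILES = [
    r"C:\Windows\SysWOW64\npitar-uhed.exe",
    r"C:\Windows\SysWOW64\easdutas.exe",
    r"C:\Windows\SysWOW64\ifrigac-udoot.dll",
    r"C:\Windows\SysWOW64\ouckecax.exe",
]

# Security Center values whose change hides AV/firewall/update warnings from the user.
SECURITY_CENTER_FLAGS = {"antivirusdisablenotify", "firewalldisablenotify",
                         "updatesdisablenotify", "antivirusoverride"}

# (key components that identify the mechanism, value name or None, technique, ATT&CK id).
# The ATT&CK mapping is the editor's assumption, not something the report states.
RULES = [
    (("image file execution options",), "debugger", "IFEO Debugger hijack", "T1546.012"),
    (("active setup", "installed components"), "stubpath", "Active Setup StubPath persistence", "T1547.014"),
    (("winlogon", "notify"), "dllname", "Winlogon Notify helper DLL", "T1547.004"),
    (("security center",), None, "Security Center notification suppression", "T1562.001"),
]

IOC_RE = re.compile(
    r'^(?P<op>Set value|Key created)(?: \((?P<type>\w+)\))? '
    r'(?P<path>\\REGISTRY\\.*?)(?: = "(?P<value>.*)")?$'
)

SYSNATIVE = "c:\\windows\\system32\\"
WOW64 = "c:\\windows\\syswow64\\"


@dataclass
class Finding:
    technique: str
    attack_id: str
    key: str            # registry key, i.e. the path without the value name
    name: str           # value name
    value: str          # value exactly as the report prints it
    notes: list = field(default_factory=list)


def unescape(report_value: str) -> str:
    """The report prints string values with doubled backslashes; undo that."""
    return report_value.replace("\\\\", "\\")


def wow64_check(report_value: str, dropped: list) -> Optional[str]:
    """Note when a file named in the registry was not dropped at that path.
    A 32-bit process on x64 that writes under C:\\Windows\\system32 is redirected
    to C:\\Windows\\SysWOW64, while the path it stores still says system32."""
    path = unescape(report_value).lower()
    dropped_l = {d.lower() for d in dropped}
    if path in dropped_l:
        return None
    if path.startswith(SYSNATIVE):
        redirected = WOW64 + path[len(SYSNATIVE):]
        if redirected in dropped_l:
            return (f"WoW64 redirection: registry names {path} but the sample only "
                    f"dropped {redirected}; a 64-bit reader of this value resolves "
                    f"the real System32 and will not find the file")
    return f"referenced file {path} is not among the dropped files"


def triage(ioc_text: str = REGISTRY_IOCS, dropped: list = DROPPED_FILES) -> list:
    """Classify every Set value row; 'Key created' rows carry no value and are skipped."""
    findings = []
    for line in ioc_text.strip().splitlines():
        m = IOC_RE.match(line.strip())
        if not m or m.group("op") != "Set value":
            continue
        key, _, name = m.group("path").rpartition("\\")
        parts = [p.lower() for p in key.split("\\")]
        value = m.group("value") or ""
        for required, vname, technique, attack_id in RULES:
            if not all(p in parts for p in required):
                continue
            if vname is not None and name.lower() != vname:
                continue
            if vname is None and name.lower() not in SECURITY_CENTER_FLAGS:
                continue
            finding = Finding(technique, attack_id, key, name, value)
            if value.lower().endswith((".exe", ".dll")):
                note = wow64_check(value, dropped)
                if note:
                    finding.notes.append(note)
            findings.append(finding)
            break
    return findings


def ifeo_targets(findings: list) -> list:
    """Images whose launch is hijacked through an IFEO Debugger value."""
    return [f.key.rpartition("\\")[2] for f in findings if f.attack_id == "T1546.012"]


if __name__ == "__main__":
    for f in triage():
        print(f"{f.attack_id} {f.technique}: {f.name} = {unescape(f.value)}")
        for n in f.notes:
            print("   !", n)
```

Run as-is it lists seven findings (four Security Center flags, the Active Setup StubPath, the IFEO Debugger for explorer.exe and the Winlogon Notify DLLName) and attaches the redirection note to each of the three file-backed ones. To reuse it on another report, paste that report's "Set value" rows into REGISTRY_IOCS and its dropped-file paths into DROPPED_FILES; the value-name matching is case-insensitive and the rules ignore the filler value names (the long "0123..." strings) the sample also writes.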
Processes
(depth in the process tree, image path, command line, PID, signatures)

depth 1  C:\Windows\system32\winlogon.exe
  command line: winlogon.exe
  PID: 436

depth 1  C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  PID: 1372

  depth 2  C:\Users\Admin\AppData\Local\Temp\29a7c6a853a84d82207188dea7ee42a0_NeikiAnalytics.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\29a7c6a853a84d82207188dea7ee42a0_NeikiAnalytics.exe"
    PID: 2364
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory

    depth 3  C:\Windows\SysWOW64\npitar-uhed.exe
      command line: "C:\Windows\SysWOW64\npitar-uhed.exe"
      PID: 2208
      - Windows security bypass
      - Modifies Installed Components in the registry
      - Sets file execution options in registry
      - Executes dropped EXE
      - Loads dropped DLL
      - Windows security modification
      - Modifies WinLogon
      - Drops file in System32 directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      depth 4  C:\Windows\SysWOW64\npitar-uhed.exe
        command line: C:\Windows\SysWOW64\npitar-uhed.exe --k33p
        PID: 2544
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 73KB
MD5: e9ea0cdee7d8a5c173dadab3b8f0f520
SHA1: 5572e4f6410086ac2fed6fcb006967938161b3fc
SHA256: 91c920d4ff08c86ed06e71def3ea15c73fea8bae079c51d1e5ae0dae26f4fe37
SHA512: d7af2c58a01dfa541e1b33d84a28b7f4b9b9126c4e4746767c39aff6a6c5d2192d9c64cbaa1ee3b15a2e0703ad8fb9ff1cd037f77411ac125a3e9f704a3ef7cc
-
Filesize: 5KB
MD5: f37b21c00fd81bd93c89ce741a88f183
SHA1: b2796500597c68e2f5638e1101b46eaf32676c1c
SHA256: 76cf016fd77cb5a06c6ed4674ddc2345e8390c010cf344491a6e742baf2c0fb0
SHA512: 252fe66dea9a4b9aebc5fd2f24434719cb25159ba51549d9de407f44b6a2f7bce6e071be02c4f2ad6aef588c77f12c00ed415eb54f96dec1b077326e101ce0f4
-
Filesize: 72KB
MD5: 93fae062cb68a2052544c6042318e723
SHA1: b1973dc185e05246788a28018f06cbf61a0a1d2d
SHA256: 05b5562870adc3c422533461eba4798efc162c1639cd709eb24b6cd0237e5c7d
SHA512: 1137141ed2165a17b2a82e3d6c16475ef43a5012f3c21b67ebc5a317c9d6ffa87e794bea7f734cc3cff1cbd32fd3adb41c7ddfcdc1d4406af4802b72b345ce7a
-
Filesize: 69KB
MD5: d8fce236ef1efdf0104732801533c5c7
SHA1: 9582e10469b677b3d17bfc56553de2e452aa8b39
SHA256: 6db19ed3899f4454d940ebca28b04a7998baf06cdf07e9fe0ea647dae276b4b8
SHA512: 16de34b31d74c29ec33530aea26a6fdf1b5607621c1fc7802c5ef398be513406e916df2f449ae17fa785d391493b9f1b56ed117ab8f5b720b1bd0e0e04e53389