Analysis
max time kernel: 121s
max time network: 123s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 15-05-2024 23:13
Behavioral task: behavioral1
Sample: 5078d5bbaefb4a14841bcafc523e6330_NeikiAnalytics.exe
Resource: win7-20240221-en

Behavioral task: behavioral2
Sample: 5078d5bbaefb4a14841bcafc523e6330_NeikiAnalytics.exe
Resource: win10v2004-20240426-en
General
Target: 5078d5bbaefb4a14841bcafc523e6330_NeikiAnalytics.exe
Size: 471KB
MD5: 5078d5bbaefb4a14841bcafc523e6330
SHA1: e4b4f9a2f765a3bf30cc31eb12128ed2b8876cf7
SHA256: 9d766ccec38da285984a93cde16590b6b569a511b4202ffdf3632d4369520de0
SHA512: e4e149bb8abba7a84f995c3540cc841b149fc53e2561b66e9bf23ce03697dbf9ac5293a155bf8ca6b6eddccd27560c1fa48de0e540352ad9932a3ab8a0215975
SSDEEP: 6144:qb9iXkv6DOSCyJFDVhtc9HZlXqBLLXP1MxHib9iXkv6DOSCyJFDVhtc9HZlXqBLQ:qb9EkKFFXtIHCjeCb9EkKFFXtIHCje
Malware Config
Signatures

YARA rule matches
resource yara_rule
behavioral1/files/0x0007000000015d42-9.dat aspack_v212_v242
behavioral1/files/0x0006000000016616-21.dat aspack_v212_v242
behavioral1/files/0x000c00000001565d-22.dat aspack_v212_v242
Executes dropped EXE 1 IoCs
pid Process
2520 wininit.exe
Loads dropped DLL 4 IoCs
pid Process
2964 Regsvr32.exe
1964 5078d5bbaefb4a14841bcafc523e6330_NeikiAnalytics.exe
1964 5078d5bbaefb4a14841bcafc523e6330_NeikiAnalytics.exe
2556 Regsvr32.exe
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LHCMD.EXE = "C:\\Program Files (x86)\\svchost.exe" 5078d5bbaefb4a14841bcafc523e6330_NeikiAnalytics.exe
Enumerates connected drives 3 TTPs 34 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process
File opened (read-only) \??\G: 5078d5bbaefb4a14841bcafc523e6330_NeikiAnalytics.exe
File opened (read-only) \??\H: 5078d5bbaefb4a14841bcafc523e6330_NeikiAnalytics.exe
File opened (read-only) \??\O: 5078d5bbaefb4a14841bcafc523e6330_NeikiAnalytics.exe
File opened (read-only) \??\S: wininit.exe
File opened (read-only) \??\T: wininit.exe
File opened (read-only) \??\E: wininit.exe
File opened (read-only) \??\I: wininit.exe
File opened (read-only) \??\N: 5078d5bbaefb4a14841bcafc523e6330_NeikiAnalytics.exe
File opened (read-only) \??\R: 5078d5bbaefb4a14841bcafc523e6330_NeikiAnalytics.exe
File opened (read-only) \??\V: 5078d5bbaefb4a14841bcafc523e6330_NeikiAnalytics.exe
File opened (read-only) \??\M: wininit.exe
File opened (read-only) \??\Q: wininit.exe
File opened (read-only) \??\R: wininit.exe
File opened (read-only) \??\K: 5078d5bbaefb4a14841bcafc523e6330_NeikiAnalytics.exe
File opened (read-only) \??\P: 5078d5bbaefb4a14841bcafc523e6330_NeikiAnalytics.exe
File opened (read-only) \??\S: 5078d5bbaefb4a14841bcafc523e6330_NeikiAnalytics.exe
File opened (read-only) \??\T: 5078d5bbaefb4a14841bcafc523e6330_NeikiAnalytics.exe
File opened (read-only) \??\H: wininit.exe
File opened (read-only) \??\N: wininit.exe
File opened (read-only) \??\J: 5078d5bbaefb4a14841bcafc523e6330_NeikiAnalytics.exe
File opened (read-only) \??\Q: 5078d5bbaefb4a14841bcafc523e6330_NeikiAnalytics.exe
File opened (read-only) \??\J: wininit.exe
File opened (read-only) \??\E: 5078d5bbaefb4a14841bcafc523e6330_NeikiAnalytics.exe
File opened (read-only) \??\L: 5078d5bbaefb4a14841bcafc523e6330_NeikiAnalytics.exe
File opened (read-only) \??\G: wininit.exe
File opened (read-only) \??\K: wininit.exe
File opened (read-only) \??\I: 5078d5bbaefb4a14841bcafc523e6330_NeikiAnalytics.exe
File opened (read-only) \??\U: 5078d5bbaefb4a14841bcafc523e6330_NeikiAnalytics.exe
File opened (read-only) \??\O: wininit.exe
File opened (read-only) \??\U: wininit.exe
File opened (read-only) \??\M: 5078d5bbaefb4a14841bcafc523e6330_NeikiAnalytics.exe
File opened (read-only) \??\L: wininit.exe
File opened (read-only) \??\P: wininit.exe
File opened (read-only) \??\V: wininit.exe
Drops file in System32 directory 3 IoCs
description ioc Process
File created C:\Windows\SysWOW64\LHCMD.EXE 5078d5bbaefb4a14841bcafc523e6330_NeikiAnalytics.exe
File created C:\Windows\SysWOW64\Ms7002.dll 5078d5bbaefb4a14841bcafc523e6330_NeikiAnalytics.exe
File created C:\Windows\SysWOW64\EXKA.EXE wininit.exe
Drops file in Program Files directory 4 IoCs
description ioc Process
File created C:\Program Files (x86)\XJWTL.EXE 5078d5bbaefb4a14841bcafc523e6330_NeikiAnalytics.exe
File opened for modification C:\Program Files (x86)\XJWTL.EXE 5078d5bbaefb4a14841bcafc523e6330_NeikiAnalytics.exe
File created C:\Program Files (x86)\LHCMD.EXE 5078d5bbaefb4a14841bcafc523e6330_NeikiAnalytics.exe
File created C:\Program Files (x86)\svchost.exe 5078d5bbaefb4a14841bcafc523e6330_NeikiAnalytics.exe
Drops file in Windows directory 1 IoCs
description ioc Process
File created C:\Windows\EVZDUOF.EXE 5078d5bbaefb4a14841bcafc523e6330_NeikiAnalytics.exe
Modifies registry class 46 IoCs
description ioc Process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\command\ = "C:\\Program Files (x86)\\XJWTL.EXE \"%1\"" 5078d5bbaefb4a14841bcafc523e6330_NeikiAnalytics.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\QPWorkFile 5078d5bbaefb4a14841bcafc523e6330_NeikiAnalytics.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "C:\\Program Files (x86)\\XJWTL.EXE %1" 5078d5bbaefb4a14841bcafc523e6330_NeikiAnalytics.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inifile\shell\open\command\ = "C:\\Program Files (x86)\\LHCMD.EXE %1" 5078d5bbaefb4a14841bcafc523e6330_NeikiAnalytics.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\QPWorkFile\qp7002 = "C:\\Windows\\SysWow64\\LHCMD.EXE" 5078d5bbaefb4a14841bcafc523e6330_NeikiAnalytics.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell wininit.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open wininit.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\QPWorkFile wininit.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\chm.file\shell 5078d5bbaefb4a14841bcafc523e6330_NeikiAnalytics.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\command wininit.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell wininit.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\open wininit.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inifile wininit.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7CD4138D-4147-420B-9749-00A13B526785}\InprocServer32 Regsvr32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7CD4138D-4147-420B-9749-00A13B526785}\InprocServer32\ = "C:\\Windows\\SysWow64\\Ms7002.dll" Regsvr32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\chm.file wininit.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\chm.file\shell\open 5078d5bbaefb4a14841bcafc523e6330_NeikiAnalytics.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\command 5078d5bbaefb4a14841bcafc523e6330_NeikiAnalytics.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\open\command 5078d5bbaefb4a14841bcafc523e6330_NeikiAnalytics.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\open\command\ = "C:\\Windows\\EVZDUOF.EXE \"%1\"" 5078d5bbaefb4a14841bcafc523e6330_NeikiAnalytics.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7CD4138D-4147-420B-9749-00A13B526785} Regsvr32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\chm.file\shell\open\command 5078d5bbaefb4a14841bcafc523e6330_NeikiAnalytics.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inifile\shell\open\command 5078d5bbaefb4a14841bcafc523e6330_NeikiAnalytics.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Ms7002.ShellExecuteHook\Clsid\ = "{7CD4138D-4147-420B-9749-00A13B526785}" Regsvr32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\chm.file\shell\open wininit.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile wininit.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command wininit.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\regfile wininit.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inifile\shell\open\command wininit.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7CD4138D-4147-420B-9749-00A13B526785}\InprocServer32\ThreadingModel = "Apartment" Regsvr32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Ms7002.ShellExecuteHook Regsvr32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Ms7002.ShellExecuteHook\ = "MaiHook7002" Regsvr32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Ms7002.ShellExecuteHook\Clsid Regsvr32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7CD4138D-4147-420B-9749-00A13B526785}\ProgID Regsvr32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command 5078d5bbaefb4a14841bcafc523e6330_NeikiAnalytics.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile wininit.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\open\command wininit.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inifile\shell wininit.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inifile\shell\open wininit.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\chm.file\shell wininit.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell wininit.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\chm.file 5078d5bbaefb4a14841bcafc523e6330_NeikiAnalytics.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7CD4138D-4147-420B-9749-00A13B526785}\ = "MaiHook7002" Regsvr32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7CD4138D-4147-420B-9749-00A13B526785}\ProgID\ = "Ms7002.ShellExecuteHook" Regsvr32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open wininit.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\chm.file\shell\open\command wininit.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process
1964 5078d5bbaefb4a14841bcafc523e6330_NeikiAnalytics.exe
1964 5078d5bbaefb4a14841bcafc523e6330_NeikiAnalytics.exe
2520 wininit.exe
2520 wininit.exe
Suspicious use of WriteProcessMemory 18 IoCs
description pid Process procid_target
PID 1964 wrote to memory of 2964 1964 5078d5bbaefb4a14841bcafc523e6330_NeikiAnalytics.exe 28
PID 1964 wrote to memory of 2964 1964 5078d5bbaefb4a14841bcafc523e6330_NeikiAnalytics.exe 28
PID 1964 wrote to memory of 2964 1964 5078d5bbaefb4a14841bcafc523e6330_NeikiAnalytics.exe 28
PID 1964 wrote to memory of 2964 1964 5078d5bbaefb4a14841bcafc523e6330_NeikiAnalytics.exe 28
PID 1964 wrote to memory of 2964 1964 5078d5bbaefb4a14841bcafc523e6330_NeikiAnalytics.exe 28
PID 1964 wrote to memory of 2964 1964 5078d5bbaefb4a14841bcafc523e6330_NeikiAnalytics.exe 28
PID 1964 wrote to memory of 2964 1964 5078d5bbaefb4a14841bcafc523e6330_NeikiAnalytics.exe 28
PID 1964 wrote to memory of 2520 1964 5078d5bbaefb4a14841bcafc523e6330_NeikiAnalytics.exe 29
PID 1964 wrote to memory of 2520 1964 5078d5bbaefb4a14841bcafc523e6330_NeikiAnalytics.exe 29
PID 1964 wrote to memory of 2520 1964 5078d5bbaefb4a14841bcafc523e6330_NeikiAnalytics.exe 29
PID 1964 wrote to memory of 2520 1964 5078d5bbaefb4a14841bcafc523e6330_NeikiAnalytics.exe 29
PID 2520 wrote to memory of 2556 2520 wininit.exe 30
PID 2520 wrote to memory of 2556 2520 wininit.exe 30
PID 2520 wrote to memory of 2556 2520 wininit.exe 30
PID 2520 wrote to memory of 2556 2520 wininit.exe 30
PID 2520 wrote to memory of 2556 2520 wininit.exe 30
PID 2520 wrote to memory of 2556 2520 wininit.exe 30
PID 2520 wrote to memory of 2556 2520 wininit.exe 30
Processes
C:\Users\Admin\AppData\Local\Temp\5078d5bbaefb4a14841bcafc523e6330_NeikiAnalytics.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\5078d5bbaefb4a14841bcafc523e6330_NeikiAnalytics.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 1964

  C:\Windows\SysWOW64\Regsvr32.exe
    Command line: Regsvr32.exe C:\Windows\system32\Ms7002.dll /s
    - Loads dropped DLL
    - Modifies registry class
    PID: 2964

  C:\$Recycle.Bin\wininit.exe
    Command line: C:\$Recycle.Bin\wininit.exe
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID: 2520

    C:\Windows\SysWOW64\Regsvr32.exe
      Command line: Regsvr32.exe C:\Windows\system32\Ms7002.dll /s
      - Loads dropped DLL
      PID: 2556
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 472KB
MD5: 6fc6e442c0113c73a30f4b5738a70b2d
SHA1: e5faf5167ba3ddb5982290415e89b5570f82566c
SHA256: 138aa8ec4dfbadb1bcc266bcc269071ec609cc0cc1702841d541d3d589e78d41
SHA512: 40eb541ca571fd9ec115894fd8e6d3c2889605cf1e70477f0ee131f6b7606d39106ab0d56b5df4f656e9a4251bb82c898066aae35cfefb0d4cc1022b280b7354

Filesize: 471KB
MD5: a1deba26dcb784eb56b32828a8b87370
SHA1: 32713bacf4fae07c16258fb64230902dbbe054e8
SHA256: a07c1653785a450dbbe6511bb3326d40594f4427756045f1cd995a467427be1c
SHA512: 4eecd43410ff46afe2a60aaf5eae8cee1e607de6158de6cc463ec6b9ae259c4f0204a8c02afb6722ce4352cb95de687ab91120ecc2cda251171252e45e3b1578

Filesize: 52KB
MD5: 876a2a99b81968f5b26e3cbe12063d2b
SHA1: 7afa8f33b691b2651b65eb07220cc2fda4b7537c
SHA256: f0a7ec2edff7699e546221808f45ca8816a75eb519618283d7c4514dfb9134e0
SHA512: ca0574dbb5ff4b146679ffc38aa794e64470949cd228518d04d3680d63a1ce2f076e38494fa5b6cd0722c2dc3e35c5b5c3b63483c1fa7dc62bca42c4cf8e0ce1