Analysis
- max time kernel: 142s
- max time network: 142s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 15-05-2024 23:13
Behavioral task: behavioral1
- Sample: 5078d5bbaefb4a14841bcafc523e6330_NeikiAnalytics.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: 5078d5bbaefb4a14841bcafc523e6330_NeikiAnalytics.exe
- Resource: win10v2004-20240426-en
General
- Target: 5078d5bbaefb4a14841bcafc523e6330_NeikiAnalytics.exe
- Size: 471KB
- MD5: 5078d5bbaefb4a14841bcafc523e6330
- SHA1: e4b4f9a2f765a3bf30cc31eb12128ed2b8876cf7
- SHA256: 9d766ccec38da285984a93cde16590b6b569a511b4202ffdf3632d4369520de0
- SHA512: e4e149bb8abba7a84f995c3540cc841b149fc53e2561b66e9bf23ce03697dbf9ac5293a155bf8ca6b6eddccd27560c1fa48de0e540352ad9932a3ab8a0215975
- SSDEEP: 6144:qb9iXkv6DOSCyJFDVhtc9HZlXqBLLXP1MxHib9iXkv6DOSCyJFDVhtc9HZlXqBLQ:qb9EkKFFXtIHCjeCb9EkKFFXtIHCje
Malware Config
Signatures
- YARA rule matches (resource / rule)
  behavioral2/files/0x0007000000023432-9.dat  aspack_v212_v242
  behavioral2/files/0x0007000000023434-20.dat  aspack_v212_v242
  behavioral2/files/0x000800000002342a-23.dat  aspack_v212_v242
- Executes dropped EXE (1 IoC)
  PID 3468  svchost.exe
- Loads dropped DLL (1 IoC)
  PID 2068  Regsvr32.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CUJUSKX.EXE = "C:\\Windows\\svchost.exe"  by 5078d5bbaefb4a14841bcafc523e6330_NeikiAnalytics.exe
- Enumerates connected drives (3 TTPs, 17 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  File opened (read-only) by 5078d5bbaefb4a14841bcafc523e6330_NeikiAnalytics.exe: \??\O:, \??\Q:, \??\V:, \??\M:, \??\N:, \??\S:, \??\T:, \??\H:, \??\I:, \??\J:, \??\L:, \??\R:, \??\E:, \??\G:, \??\K:, \??\P:, \??\U:
- Drops file in System32 directory (2 IoCs)
  File created  C:\Windows\SysWOW64\Ms7002.dll  by 5078d5bbaefb4a14841bcafc523e6330_NeikiAnalytics.exe
  File created  C:\Windows\SysWOW64\VIGK.EXE  by 5078d5bbaefb4a14841bcafc523e6330_NeikiAnalytics.exe
- Drops file in Program Files directory (2 IoCs)
  File created  C:\Program Files\VIGK.EXE  by 5078d5bbaefb4a14841bcafc523e6330_NeikiAnalytics.exe
  File opened for modification  C:\Program Files\VIGK.EXE  by 5078d5bbaefb4a14841bcafc523e6330_NeikiAnalytics.exe
- Drops file in Windows directory (4 IoCs)
  File created  C:\Windows\svchost.exe  by 5078d5bbaefb4a14841bcafc523e6330_NeikiAnalytics.exe
  File created  C:\Windows\NVDAAKD.EXE  by 5078d5bbaefb4a14841bcafc523e6330_NeikiAnalytics.exe
  File opened for modification  C:\Windows\NVDAAKD.EXE  by 5078d5bbaefb4a14841bcafc523e6330_NeikiAnalytics.exe
  File opened for modification  C:\Windows\svchost.exe  by 5078d5bbaefb4a14841bcafc523e6330_NeikiAnalytics.exe
- Modifies registry class (26 IoCs)
  by 5078d5bbaefb4a14841bcafc523e6330_NeikiAnalytics.exe:
  Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\chm.file
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\inifile\shell\open\command\ = "C:\\Program Files\\VIGK.EXE %1"
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "C:\\Windows\\NVDAAKD.EXE %1"
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\command\ = "C:\\Program Files\\VIGK.EXE \"%1\""
  Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\chm.file\shell\open\command
  Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\chm.file\shell
  Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\chm.file\shell\open
  Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\QPWorkFile
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\open\command\ = "C:\\Program Files\\VIGK.EXE \"%1\""
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\QPWorkFile\qp7002 = "C:\\Windows\\SysWow64\\VIGK.EXE"
  Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command
  Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\command
  Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\open\command
  Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\inifile\shell\open\command
  by Regsvr32.exe:
  Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\Ms7002.ShellExecuteHook\Clsid
  Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\Ms7002.ShellExecuteHook
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7CD4138D-4147-420B-9749-00A13B526785}\InprocServer32\ = "C:\\Windows\\SysWow64\\Ms7002.dll"
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Ms7002.ShellExecuteHook\Clsid\ = "{7CD4138D-4147-420B-9749-00A13B526785}"
  Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7CD4138D-4147-420B-9749-00A13B526785}\ProgID
  Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7CD4138D-4147-420B-9749-00A13B526785}
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7CD4138D-4147-420B-9749-00A13B526785}\InprocServer32\ThreadingModel = "Apartment"
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7CD4138D-4147-420B-9749-00A13B526785}\ = "MaiHook7002"
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Ms7002.ShellExecuteHook\ = "MaiHook7002"
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7CD4138D-4147-420B-9749-00A13B526785}\ProgID\ = "Ms7002.ShellExecuteHook"
  Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7CD4138D-4147-420B-9749-00A13B526785}\InprocServer32
  by svchost.exe:
  Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\QPWorkFile
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  PID 800  5078d5bbaefb4a14841bcafc523e6330_NeikiAnalytics.exe  (4 occurrences)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  PID 3468  svchost.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  PID 800 (5078d5bbaefb4a14841bcafc523e6330_NeikiAnalytics.exe) wrote to memory of PID 2068, target process 89  (3 occurrences)
  PID 800 (5078d5bbaefb4a14841bcafc523e6330_NeikiAnalytics.exe) wrote to memory of PID 3468, target process 90  (3 occurrences)
Processes
- C:\Users\Admin\AppData\Local\Temp\5078d5bbaefb4a14841bcafc523e6330_NeikiAnalytics.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\5078d5bbaefb4a14841bcafc523e6330_NeikiAnalytics.exe"
  PID: 800
  - Adds Run key to start application
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - child: C:\Windows\SysWOW64\Regsvr32.exe
    command line: Regsvr32.exe C:\Windows\system32\Ms7002.dll /s
    PID: 2068
    - Loads dropped DLL
    - Modifies registry class
  - child: C:\Windows\svchost.exe
    command line: C:\Windows\svchost.exe
    PID: 3468
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious behavior: GetForegroundWindowSpam
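Added example, not part of the sandbox report: the Python script below replays the file, registry and process events recorded above as constructed records and turns them into findings for the behaviours the report shows: the Run key pointing at a svchost.exe outside System32, the rewritten shell\open\command handlers for txtfile, inifile, regfile and scrfile, the dropped Ms7002.dll being registered as a COM in-process server, the 32-bit Regsvr32 loading it silently, and the look-alike svchost.exe being executed. The EVENTS list and its field names are this example's own schema, not the sandbox's export format; LEGIT_SVCHOST and EXPECTED_HANDLERS are baseline assumptions to confirm against a known-good image of the build you defend.

```python
"""Triage helper for the behaviours in this report: correlate file, registry and
process events and emit findings a responder can act on. Added example; the
EVENTS below are constructed from the report's IoCs, not a real telemetry feed."""
import ntpath
import re
from collections import Counter

SAMPLE = "5078d5bbaefb4a14841bcafc523e6330_NeikiAnalytics.exe"

# Where the real service host lives (assumption). The sample drops a look-alike in C:\Windows.
LEGIT_SVCHOST = {r"c:\windows\system32\svchost.exe", r"c:\windows\syswow64\svchost.exe"}

# ProgIDs the sample rewrote, and the handler executables a clean install uses for
# them (assumption: confirm against a known-good baseline). "" covers scrfile's '"%1" /S'.
WATCHED_PROGIDS = {"txtfile", "inifile", "regfile", "scrfile", "chm.file"}
EXPECTED_HANDLERS = {"notepad.exe", "regedit.exe", "hh.exe", ""}

# Constructed from the report; registry values are written unescaped here.
EVENTS = [
    {"type": "file_create", "path": r"C:\Windows\SysWOW64\Ms7002.dll", "proc": SAMPLE},
    {"type": "file_create", "path": r"C:\Windows\SysWOW64\VIGK.EXE", "proc": SAMPLE},
    {"type": "file_create", "path": r"C:\Program Files\VIGK.EXE", "proc": SAMPLE},
    {"type": "file_create", "path": r"C:\Windows\svchost.exe", "proc": SAMPLE},
    {"type": "file_create", "path": r"C:\Windows\NVDAAKD.EXE", "proc": SAMPLE},
    {"type": "reg_set", "key": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CUJUSKX.EXE",
     "value": r"C:\Windows\svchost.exe", "proc": SAMPLE},
    {"type": "reg_set", "key": r"HKLM\SOFTWARE\Classes\txtfile\shell\open\command",
     "value": r"C:\Windows\NVDAAKD.EXE %1", "proc": SAMPLE},
    {"type": "reg_set", "key": r"HKLM\SOFTWARE\Classes\inifile\shell\open\command",
     "value": r"C:\Program Files\VIGK.EXE %1", "proc": SAMPLE},
    {"type": "reg_set", "key": r"HKLM\SOFTWARE\Classes\scrfile\shell\open\command",
     "value": r'C:\Program Files\VIGK.EXE "%1"', "proc": SAMPLE},
    {"type": "reg_set", "key": r"HKLM\SOFTWARE\Classes\regfile\shell\open\command",
     "value": r'C:\Program Files\VIGK.EXE "%1"', "proc": SAMPLE},
    {"type": "reg_set", "key": r"HKLM\SOFTWARE\Classes\WOW6432Node\CLSID\{7CD4138D-4147-420B-9749-00A13B526785}\InprocServer32",
     "value": r"C:\Windows\SysWow64\Ms7002.dll", "proc": "Regsvr32.exe"},
    {"type": "process", "image": r"C:\Windows\SysWOW64\Regsvr32.exe",
     "cmdline": r"Regsvr32.exe C:\Windows\system32\Ms7002.dll /s", "parent": SAMPLE},
    {"type": "process", "image": r"C:\Windows\svchost.exe",
     "cmdline": r"C:\Windows\svchost.exe", "parent": SAMPLE},
]

_EXE_RE = re.compile(r'^\s*"?([a-z]:\\.*?\.(?:exe|dll))"?', re.IGNORECASE)


def first_executable(command):
    """Lower-cased executable path at the start of a command string
    ('C:\\x\\y.exe %1' or '"C:\\x\\y.exe" "%1"'), or '' when there is none ('"%1" /S')."""
    m = _EXE_RE.match(command)
    return m.group(1).lower() if m else ""


def detect(events):
    """Return (rule, subject, detail) tuples for every suspicious event."""
    dropped = {e["path"].lower() for e in events if e["type"] == "file_create"}
    dropped_names = {ntpath.basename(p) for p in dropped}
    findings = []
    for e in events:
        if e["type"] == "reg_set":
            key = e["key"].rstrip("\\").lower()
            exe = first_executable(e["value"])
            # T1547.001 + T1036.005: Run key whose target is named like a system
            # component but lives outside the real System32/SysWOW64.
            if "\\currentversion\\run\\" in key and ntpath.basename(exe) == "svchost.exe" \
                    and exe not in LEGIT_SVCHOST:
                findings.append(("run_key_masquerade", e["key"], exe))
            # T1546.001: shell\open\command of a watched ProgID no longer points at the stock handler.
            m = re.search(r"\\classes\\([^\\]+)\\shell\\open\\command$", key)
            if m and m.group(1) in WATCHED_PROGIDS and ntpath.basename(exe) not in EXPECTED_HANDLERS:
                findings.append(("file_handler_hijack", m.group(1), exe))
            # A DLL written by the sample is now a COM in-process server.
            if key.endswith("\\inprocserver32") and exe in dropped:
                findings.append(("dropped_dll_registered_as_com_server", e["key"], exe))
        elif e["type"] == "process":
            image = e["image"].lower()
            if ntpath.basename(image) == "regsvr32.exe":
                # T1218.010. A 32-bit regsvr32 sees \system32\ redirected to \SysWOW64\
                # under WOW64, so match the dropped DLL on file name, not full path.
                for dll in re.findall(r'[a-z]:\\[^\s"]+\.dll', e["cmdline"], re.IGNORECASE):
                    if ntpath.basename(dll.lower()) in dropped_names:
                        findings.append(("regsvr32_loads_dropped_dll", e["cmdline"], dll))
            elif ntpath.basename(image) == "svchost.exe" and image not in LEGIT_SVCHOST:
                findings.append(("svchost_masquerade_process", e["cmdline"], image))
    return findings


def summarize(events=EVENTS):
    """Count findings per rule; used for a quick verdict and for testing."""
    return Counter(rule for rule, _, _ in detect(events))


if __name__ == "__main__":
    for rule, subject, detail in detect(EVENTS):
        print(f"{rule:40} {subject}  ->  {detail}")
```

Two caveats the findings should carry into a ticket. The handler allowlist is a baseline, not something the report states, so a hit on it means "not the stock handler", not "malicious". And the report shows the CLSID and the Ms7002.ShellExecuteHook ProgID being registered, but not the CLSID being enrolled under Explorer's ShellExecuteHooks key, so the script flags the COM registration of a freshly dropped DLL rather than asserting that a shell-execute hook is active.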
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 472KB
  MD5: f530f86bd2d5e4e8fec8cd4e6de6acee
  SHA1: c557e79811d10ef78f36f36b2003795b4bc69dd0
  SHA256: c4500b46eda4ed5f2b8ce88a2a8d013a0cbe3c4b6af5c966cadbc121a6468b53
  SHA512: 9ebd91e76f2f0194d069d96a1131ab575c1924a342c78a2e0fd4ee152e0c71c9676a9f3ec2e91f2a414ec33acb9b9ddfece484a1569f87c6e5b77d332d77d957
- Filesize: 52KB
  MD5: 876a2a99b81968f5b26e3cbe12063d2b
  SHA1: 7afa8f33b691b2651b65eb07220cc2fda4b7537c
  SHA256: f0a7ec2edff7699e546221808f45ca8816a75eb519618283d7c4514dfb9134e0
  SHA512: ca0574dbb5ff4b146679ffc38aa794e64470949cd228518d04d3680d63a1ce2f076e38494fa5b6cd0722c2dc3e35c5b5c3b63483c1fa7dc62bca42c4cf8e0ce1
- Filesize: 472KB
  MD5: 05a999288ff024d264c7d083aa199c8d
  SHA1: d5df40510c01ca8b4adb97bb556b200b27da8a58
  SHA256: 5252342d8c3f4f1578215b00ff46bf1236fc6ddddb32052dacfc25002fb1785e
  SHA512: deabd66450fc5033b0135ca346d7535b0cc94205a6f484655689fa8f560fd6e9c5838d0a7e6942643f6539c2c2eb8e6293f1d764087f4dfe39ec21090241d556