d01f04bbca0f2e0683fcab5da5a9face7f386ef901bce65e1b0ea2753da20562

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
15/05/2024, 22:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

45f4e9b11a8de9abfd50adb1abff1170_NeikiAnalytics.exe
Size

75KB
MD5

45f4e9b11a8de9abfd50adb1abff1170
SHA1

a5b5fe9c91323bdee8012a0590aabd8cdd8a8566
SHA256

d01f04bbca0f2e0683fcab5da5a9face7f386ef901bce65e1b0ea2753da20562
SHA512

f2869e1e5b967ffb7198153bd232aa182fcaeefc4e14da46001f19cc7473f2fc7af2919feb14aaf504b8a54e4fe28c9e62dc4beab7dea647b8cae6cd602d2434
SSDEEP

1536:IaiqH1s+kCtrA2UMT0mTFibDKa1XohEBRKWXNMfBOI:p1B31bdBob2QXoCgKN+Bf

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe sIRC4.exe"	45f4e9b11a8de9abfd50adb1abff1170_NeikiAnalytics.exe

Drops file in System32 directory 39 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\7zG.exe	45f4e9b11a8de9abfd50adb1abff1170_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\OfficeC2RClient.exe	45f4e9b11a8de9abfd50adb1abff1170_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\TabTip.exe	45f4e9b11a8de9abfd50adb1abff1170_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\DC++ Share\chrome_pwa_launcher.exe	45f4e9b11a8de9abfd50adb1abff1170_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\DC++ Share\InputPersonalization.exe	45f4e9b11a8de9abfd50adb1abff1170_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\DC++ Share\msinfo32.exe	45f4e9b11a8de9abfd50adb1abff1170_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\dotnet.exe	45f4e9b11a8de9abfd50adb1abff1170_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\InspectorOfficeGadget.exe	45f4e9b11a8de9abfd50adb1abff1170_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\MavInject32.exe	45f4e9b11a8de9abfd50adb1abff1170_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\DC++ Share\ShapeCollector.exe	45f4e9b11a8de9abfd50adb1abff1170_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\DC++ Share\OSE.exe	45f4e9b11a8de9abfd50adb1abff1170_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\DC++ Share\dotnet.exe	45f4e9b11a8de9abfd50adb1abff1170_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\chrome_pwa_launcher.exe	45f4e9b11a8de9abfd50adb1abff1170_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\xdccPrograms\7zFM.exe	45f4e9b11a8de9abfd50adb1abff1170_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\xdccPrograms\appvcleaner.exe	45f4e9b11a8de9abfd50adb1abff1170_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\xdccPrograms\MavInject32.exe	45f4e9b11a8de9abfd50adb1abff1170_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\DC++ Share\OfficeClickToRun.exe	45f4e9b11a8de9abfd50adb1abff1170_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\createdump.exe	45f4e9b11a8de9abfd50adb1abff1170_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\xdccPrograms\7zG.exe	45f4e9b11a8de9abfd50adb1abff1170_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\AppVShNotify.exe	45f4e9b11a8de9abfd50adb1abff1170_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\DC++ Share\LICLUA.exe	45f4e9b11a8de9abfd50adb1abff1170_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\OSE.exe	45f4e9b11a8de9abfd50adb1abff1170_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\sIRC4.exe	45f4e9b11a8de9abfd50adb1abff1170_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\sIRC4.exe	45f4e9b11a8de9abfd50adb1abff1170_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\xdccPrograms\Uninstall.exe	45f4e9b11a8de9abfd50adb1abff1170_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\xdccPrograms\AppVShNotify.exe	45f4e9b11a8de9abfd50adb1abff1170_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\InputPersonalization.exe	45f4e9b11a8de9abfd50adb1abff1170_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\DC++ Share\elevation_service.exe	45f4e9b11a8de9abfd50adb1abff1170_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\Uninstall.exe	45f4e9b11a8de9abfd50adb1abff1170_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\xdccPrograms\InspectorOfficeGadget.exe	45f4e9b11a8de9abfd50adb1abff1170_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\xdccPrograms\IntegratedOffice.exe	45f4e9b11a8de9abfd50adb1abff1170_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\DC++ Share\mip.exe	45f4e9b11a8de9abfd50adb1abff1170_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\DC++ Share\TabTip.exe	45f4e9b11a8de9abfd50adb1abff1170_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\DC++ Share\VSTOInstaller.exe	45f4e9b11a8de9abfd50adb1abff1170_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\DC++ Share\createdump.exe	45f4e9b11a8de9abfd50adb1abff1170_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\xdccPrograms\7z.exe	45f4e9b11a8de9abfd50adb1abff1170_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\7z.exe	45f4e9b11a8de9abfd50adb1abff1170_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\DC++ Share\OfficeC2RClient.exe	45f4e9b11a8de9abfd50adb1abff1170_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\VSTOInstaller.exe	45f4e9b11a8de9abfd50adb1abff1170_NeikiAnalytics.exe

C:\Users\Admin\AppData\Local\Temp\45f4e9b11a8de9abfd50adb1abff1170_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\45f4e9b11a8de9abfd50adb1abff1170_NeikiAnalytics.exe"
1⤵
- Modifies WinLogon for persistence
- Drops file in System32 directory
PID:3900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\xdccPrograms\7zG.exe

Filesize
683KB

MD5
33824cb4928edd03bf18674974b88753

SHA1
f01cbe09c82b219405d9c633e464a1bba2839cf9

SHA256
6197f74abba47726cc1cf7fac71643c4c932d0254f2bb5c7004c98b2c56e50a7

SHA512
9d3af710172a5854c92a6f5135d3f031f02718efad0a0ddda4e32bfa8814cf00c03437d17bd76557170e5a8d5218009be3fcfcbac2c491a7b818a0bff60e80e5

Download Submit
memory/3900-18-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3900-19-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3900-20-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3900-21-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3900-22-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3900-23-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3900-24-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3900-25-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3900-26-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3900-27-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3900-28-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3900-31-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3900-32-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3900-33-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads