Analysis
- max time kernel: 149s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20240419-en
- resource tags: arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
- submitted: 15/05/2024, 01:04
Static task
- static1
Behavioral task
- behavioral1
  Sample: 555e5b661e94fd437cd7846113dad9a0_NeikiAnalytics.exe
  Resource: win7-20240419-en
Behavioral task
- behavioral2
  Sample: 555e5b661e94fd437cd7846113dad9a0_NeikiAnalytics.exe
  Resource: win10v2004-20240508-en
General
- Target: 555e5b661e94fd437cd7846113dad9a0_NeikiAnalytics.exe
- Size: 72KB
- MD5: 555e5b661e94fd437cd7846113dad9a0
- SHA1: 02e1c284633dbc1f655b0acf2b8ad252f845dc25
- SHA256: e2a3943ca78a49be5048f8368276c5276602c1d77197e97a6ab66ded509789ef
- SHA512: 9ff0e47e9a570cd00a0e164f42f66da4b0efe26ab4455b93efe08a5bfd18b17572b5d9430e052cdf8e16b3bdf790c65dd55d8da73c63f88e7d41e746780380b9
- SSDEEP: 768:x/neHUjXYmP4hoZJPYzWmOeBFiO2zs03x48cttDZvxMWxRU0TsMkNVMbmo+tove:xWHoXfP4+jCvOeCpWtON0TeQe
Malware Config
Signatures
Windows security bypass 4 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600" | orloseap.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "25600" | orloseap.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600" | orloseap.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600" | orloseap.exe
Modifies Installed Components in the registry 2 TTPs 4 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5549424E-514e-4d41-5549-424E514E4d41} | orloseap.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5549424E-514e-4d41-5549-424E514E4d41}\01234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123 = "a" | orloseap.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5549424E-514e-4d41-5549-424E514E4d41}\IsInstalled = "1" | orloseap.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5549424E-514e-4d41-5549-424E514E4d41}\StubPath = "C:\\Windows\\system32\\oulbehoas.exe" | orloseap.exe
Sets file execution options in registry 2 TTPs 3 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe | orloseap.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\0123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890 = "a" | orloseap.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger = "C:\\Windows\\system32\\uhmufeb.exe" | orloseap.exe
Executes dropped EXE 2 IoCs
pid | Process
2036 | orloseap.exe
1720 | orloseap.exe
Loads dropped DLL 3 IoCs
pid | Process
2176 | 555e5b661e94fd437cd7846113dad9a0_NeikiAnalytics.exe
2176 | 555e5b661e94fd437cd7846113dad9a0_NeikiAnalytics.exe
2036 | orloseap.exe
Windows security modification 4 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "25600" | orloseap.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600" | orloseap.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600" | orloseap.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600" | orloseap.exe
Modifies WinLogon 2 TTPs 5 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\DLLName = "C:\\Windows\\system32\\ilmemup-oudid.dll" | orloseap.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\Startup = "Startup" | orloseap.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B} | orloseap.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify | orloseap.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345 = "a" | orloseap.exe
Drops file in System32 directory 9 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\orloseap.exe | 555e5b661e94fd437cd7846113dad9a0_NeikiAnalytics.exe
File created | C:\Windows\SysWOW64\uhmufeb.exe | orloseap.exe
File opened for modification | C:\Windows\SysWOW64\oulbehoas.exe | orloseap.exe
File created | C:\Windows\SysWOW64\oulbehoas.exe | orloseap.exe
File created | C:\Windows\SysWOW64\ilmemup-oudid.dll | orloseap.exe
File opened for modification | C:\Windows\SysWOW64\orloseap.exe | 555e5b661e94fd437cd7846113dad9a0_NeikiAnalytics.exe
File opened for modification | C:\Windows\SysWOW64\ilmemup-oudid.dll | orloseap.exe
File opened for modification | C:\Windows\SysWOW64\orloseap.exe | orloseap.exe
File opened for modification | C:\Windows\SysWOW64\uhmufeb.exe | orloseap.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process | entries
2036 | orloseap.exe | 63 (repeated identical entries collapsed)
1720 | orloseap.exe | 1
Suspicious use of AdjustPrivilegeToken 1 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2036 | orloseap.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target | entries
PID 2176 wrote to memory of 2036 | 2176 | 555e5b661e94fd437cd7846113dad9a0_NeikiAnalytics.exe | 28 | 4
PID 2036 wrote to memory of 432 | 2036 | orloseap.exe | 5 | 1
PID 2036 wrote to memory of 1720 | 2036 | orloseap.exe | 29 | 4
PID 2036 wrote to memory of 1192 | 2036 | orloseap.exe | 21 | 55 (repeated identical entries collapsed)
Processes
- C:\Windows\system32\winlogon.exe
  command line: winlogon.exe
  PID:432
- C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  PID:1192
  - C:\Users\Admin\AppData\Local\Temp\555e5b661e94fd437cd7846113dad9a0_NeikiAnalytics.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\555e5b661e94fd437cd7846113dad9a0_NeikiAnalytics.exe"
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:2176
    - C:\Windows\SysWOW64\orloseap.exe
      command line: "C:\Windows\SysWOW64\orloseap.exe"
      - Windows security bypass
      - Modifies Installed Components in the registry
      - Sets file execution options in registry
      - Executes dropped EXE
      - Loads dropped DLL
      - Windows security modification
      - Modifies WinLogon
      - Drops file in System32 directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID:2036
      - C:\Windows\SysWOW64\orloseap.exe
        command line: --k33p
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        PID:1720
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 5KB
  MD5: f37b21c00fd81bd93c89ce741a88f183
  SHA1: b2796500597c68e2f5638e1101b46eaf32676c1c
  SHA256: 76cf016fd77cb5a06c6ed4674ddc2345e8390c010cf344491a6e742baf2c0fb0
  SHA512: 252fe66dea9a4b9aebc5fd2f24434719cb25159ba51549d9de407f44b6a2f7bce6e071be02c4f2ad6aef588c77f12c00ed415eb54f96dec1b077326e101ce0f4
- Filesize: 72KB
  MD5: d0cda8060745827e4f1aa638424adfbf
  SHA1: 5a5475cb1be21b121829feb3bd4f3860830b552e
  SHA256: 11ac2bdb2871520a5dbd69af584dc529ea0de95f472547ef4b88cfeafe876a3a
  SHA512: 7b156870ebb640e54831a38d30b14a7b025845083bb4462788f9c4b27a5bdc28a33f4b749103a31e58778bda38503bb8ec9f2d83d196e2fc6b77c7071fe5ed93
- Filesize: 74KB
  MD5: 0dc3771aa4cb55c35fbdd31d3edbae5a
  SHA1: 84123789aed83f0b0e226852bcb6cca09d80182f
  SHA256: 0ea68d0cb3657cba763f1bcb5b6a56d26ef4bdbaa7fc239be457d168538c20f1
  SHA512: 7f5f01960fdd26c123469429ee2b28c78fae9cefa52ba88b38a9fca87b3906a575e8aff03fb4f1cb9b47af46d0ae6788599cca9807a5477c22670e90baf27d16
- Filesize: 70KB
  MD5: 37090d5d1e3ee99e7ca989adae10296e
  SHA1: 145a3a5c4ff9bbecbb6cf631a18ddb6d276b66d8
  SHA256: d6d8ec331ac83a26769012164a50113bd0231085c638bf51d452a9e2f8d88e06
  SHA512: 0b837a609b206f451fc2fc5c8ae3d2b20357018d85b7c8871cbb02f37ca39172119c45684f9b2ed167785ac4c5b55abda4e67f808f59d515c2c08ec20bca065f