Analysis
- max time kernel: 148s
- max time network: 147s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 15-05-2024 03:36
Static task
- static1
Behavioral task
- behavioral1
  Sample: 723f9d82071030d1cc7600a56204d5b0_NeikiAnalytics.exe
  Resource: win7-20240221-en
Behavioral task
- behavioral2
  Sample: 723f9d82071030d1cc7600a56204d5b0_NeikiAnalytics.exe
  Resource: win10v2004-20240426-en
General
- Target: 723f9d82071030d1cc7600a56204d5b0_NeikiAnalytics.exe
- Size: 225KB
- MD5: 723f9d82071030d1cc7600a56204d5b0
- SHA1: ed32be51f7e7b51cd7b8ca9f12d87978fbab797e
- SHA256: a22793648b9ed4c848165ed3ac478919ec6453a9fb8937b368b488b6f0140d95
- SHA512: 6589813807a11b44d0c1d1ce2b7550a8b9fe23160d4a5705a3aa6052cb11b0ee21820eae644e66e49c87df79024c9b0135a8ffd2592014a08b4cf9d784ced1e7
- SSDEEP: 6144:fA2P27yTAnKGw0hjFhSR/W11yAJ9v0pMtRCpYM:fATuTAnKGwUAW3ycQqgf
Malware Config
Signatures
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
    description      ioc                                                                                                                                                   process
    Set value (str)  \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\EB76DB4E = "C:\\Users\\Admin\\AppData\\Roaming\\EB76DB4E\\bin.exe"  winver.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (61 IoCs)
  Processes:
    pid   process
    2744  winver.exe   (the same entry is reported 61 times)
- Suspicious use of FindShellTrayWindow (1 IoC)
  Processes:
    pid   process
    2744  winver.exe
- Suspicious use of WriteProcessMemory (10 IoCs)
  Processes:
    description          pid   process                                              target process
    PID 2880 wrote to memory of 2744   2880  723f9d82071030d1cc7600a56204d5b0_NeikiAnalytics.exe  winver.exe
    PID 2880 wrote to memory of 2744   2880  723f9d82071030d1cc7600a56204d5b0_NeikiAnalytics.exe  winver.exe
    PID 2880 wrote to memory of 2744   2880  723f9d82071030d1cc7600a56204d5b0_NeikiAnalytics.exe  winver.exe
    PID 2880 wrote to memory of 2744   2880  723f9d82071030d1cc7600a56204d5b0_NeikiAnalytics.exe  winver.exe
    PID 2880 wrote to memory of 2744   2880  723f9d82071030d1cc7600a56204d5b0_NeikiAnalytics.exe  winver.exe
    PID 2744 wrote to memory of 1212   2744  winver.exe                                           Explorer.EXE
    PID 2744 wrote to memory of 1108   2744  winver.exe                                           taskhost.exe
    PID 2744 wrote to memory of 1164   2744  winver.exe                                           Dwm.exe
    PID 2744 wrote to memory of 1212   2744  winver.exe                                           Explorer.EXE
    PID 2744 wrote to memory of 2880   2744  winver.exe                                           723f9d82071030d1cc7600a56204d5b0_NeikiAnalytics.exe
Processes
- C:\Windows\system32\taskhost.exe  (command line: "taskhost.exe")  [depth 1]
- C:\Windows\system32\Dwm.exe  (command line: "C:\Windows\system32\Dwm.exe")  [depth 1]
- C:\Windows\Explorer.EXE  (command line: C:\Windows\Explorer.EXE)  [depth 1]
  - C:\Users\Admin\AppData\Local\Temp\723f9d82071030d1cc7600a56204d5b0_NeikiAnalytics.exe  (command line: "C:\Users\Admin\AppData\Local\Temp\723f9d82071030d1cc7600a56204d5b0_NeikiAnalytics.exe")  [depth 2]
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\winver.exe  (command line: winver)  [depth 3]
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads
  file                                                              filesize
  memory/1108-23-0x0000000001F90000-0x0000000001F96000-memory.dmp   24KB
  memory/1108-9-0x0000000001F90000-0x0000000001F96000-memory.dmp    24KB
  memory/1164-12-0x00000000001B0000-0x00000000001B6000-memory.dmp   24KB
  memory/1164-25-0x00000000001B0000-0x00000000001B6000-memory.dmp   24KB
  memory/1212-1-0x0000000002560000-0x0000000002566000-memory.dmp    24KB
  memory/1212-15-0x00000000025A0000-0x00000000025A6000-memory.dmp   24KB
  memory/1212-6-0x0000000002560000-0x0000000002566000-memory.dmp    24KB
  memory/1212-3-0x0000000002560000-0x0000000002566000-memory.dmp    24KB
  memory/1212-24-0x00000000025A0000-0x00000000025A6000-memory.dmp   24KB
  memory/2744-20-0x0000000000410000-0x0000000000416000-memory.dmp   24KB
  memory/2744-4-0x0000000000320000-0x0000000000326000-memory.dmp    24KB
  memory/2744-27-0x0000000000410000-0x0000000000416000-memory.dmp   24KB
  memory/2880-22-0x0000000000400000-0x000000000043C000-memory.dmp   240KB