14511d79d4bae991892e98102865bdd595a6c757f2fd7a22abcd3a8d7fa1fe03

Analysis

max time kernel
150s
max time network
126s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
15/05/2024, 12:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d2542ab3c43da827e13400c85e5582b0_NeikiAnalytics.exe
Size

354KB
MD5

d2542ab3c43da827e13400c85e5582b0
SHA1

90cac0bda3a0a3113d6cdaf4e427767c71a4be80
SHA256

14511d79d4bae991892e98102865bdd595a6c757f2fd7a22abcd3a8d7fa1fe03
SHA512

0735a4acfd4d37146a6f063fe12079a1b2e59f71f4bb686f0de2dc2b4cec6d29b042475a524ba89041cd52e21bb307c69dd3ab6826d9b7959513f10a86c860e7
SSDEEP

6144:FgLCraBy/yW/B+RnkP+6bRWrqC1C/B+zheDy/B+G/B+G/B+Z8Quc64c:FgMaBy/yQZ+VqCmKRBBdH

Score

8^/10

persistence upx

Malware Config

Signatures

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\spool.exe	d2542ab3c43da827e13400c85e5582b0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spool.exe	d2542ab3c43da827e13400c85e5582b0_NeikiAnalytics.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spool.exe"	d2542ab3c43da827e13400c85e5582b0_NeikiAnalytics.exe

ACProtect 1.3x - 1.4x DLL software 3 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x0008000000015a2d-11.dat	acprotect
behavioral1/memory/1340-13-0x0000000010000000-0x000000001010B000-memory.dmp	acprotect
behavioral1/memory/1340-14-0x0000000010000000-0x000000001010B000-memory.dmp	acprotect

Loads dropped DLL 1 IoCs

pid	Process
1340	d2542ab3c43da827e13400c85e5582b0_NeikiAnalytics.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0008000000015a2d-11.dat	upx
behavioral1/memory/1340-13-0x0000000010000000-0x000000001010B000-memory.dmp	upx
behavioral1/memory/1340-14-0x0000000010000000-0x000000001010B000-memory.dmp	upx

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	d2542ab3c43da827e13400c85e5582b0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spool.exe"	d2542ab3c43da827e13400c85e5582b0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	d2542ab3c43da827e13400c85e5582b0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spool.exe"	d2542ab3c43da827e13400c85e5582b0_NeikiAnalytics.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\msftp.dll	d2542ab3c43da827e13400c85e5582b0_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1340	d2542ab3c43da827e13400c85e5582b0_NeikiAnalytics.exe
1340	d2542ab3c43da827e13400c85e5582b0_NeikiAnalytics.exe
1340	d2542ab3c43da827e13400c85e5582b0_NeikiAnalytics.exe
1340	d2542ab3c43da827e13400c85e5582b0_NeikiAnalytics.exe
1340	d2542ab3c43da827e13400c85e5582b0_NeikiAnalytics.exe
1340	d2542ab3c43da827e13400c85e5582b0_NeikiAnalytics.exe
1340	d2542ab3c43da827e13400c85e5582b0_NeikiAnalytics.exe
1340	d2542ab3c43da827e13400c85e5582b0_NeikiAnalytics.exe
1340	d2542ab3c43da827e13400c85e5582b0_NeikiAnalytics.exe
1340	d2542ab3c43da827e13400c85e5582b0_NeikiAnalytics.exe
1340	d2542ab3c43da827e13400c85e5582b0_NeikiAnalytics.exe
1340	d2542ab3c43da827e13400c85e5582b0_NeikiAnalytics.exe
1340	d2542ab3c43da827e13400c85e5582b0_NeikiAnalytics.exe
1340	d2542ab3c43da827e13400c85e5582b0_NeikiAnalytics.exe
1340	d2542ab3c43da827e13400c85e5582b0_NeikiAnalytics.exe
1340	d2542ab3c43da827e13400c85e5582b0_NeikiAnalytics.exe
1340	d2542ab3c43da827e13400c85e5582b0_NeikiAnalytics.exe
2032	d2542ab3c43da827e13400c85e5582b0_NeikiAnalytics.exe
1340	d2542ab3c43da827e13400c85e5582b0_NeikiAnalytics.exe
1340	d2542ab3c43da827e13400c85e5582b0_NeikiAnalytics.exe
1340	d2542ab3c43da827e13400c85e5582b0_NeikiAnalytics.exe
1340	d2542ab3c43da827e13400c85e5582b0_NeikiAnalytics.exe
1340	d2542ab3c43da827e13400c85e5582b0_NeikiAnalytics.exe
1340	d2542ab3c43da827e13400c85e5582b0_NeikiAnalytics.exe
1340	d2542ab3c43da827e13400c85e5582b0_NeikiAnalytics.exe
2032	d2542ab3c43da827e13400c85e5582b0_NeikiAnalytics.exe
2980	d2542ab3c43da827e13400c85e5582b0_NeikiAnalytics.exe
1340	d2542ab3c43da827e13400c85e5582b0_NeikiAnalytics.exe
1340	d2542ab3c43da827e13400c85e5582b0_NeikiAnalytics.exe
1340	d2542ab3c43da827e13400c85e5582b0_NeikiAnalytics.exe
1340	d2542ab3c43da827e13400c85e5582b0_NeikiAnalytics.exe
1340	d2542ab3c43da827e13400c85e5582b0_NeikiAnalytics.exe
1340	d2542ab3c43da827e13400c85e5582b0_NeikiAnalytics.exe
2032	d2542ab3c43da827e13400c85e5582b0_NeikiAnalytics.exe
2980	d2542ab3c43da827e13400c85e5582b0_NeikiAnalytics.exe
1340	d2542ab3c43da827e13400c85e5582b0_NeikiAnalytics.exe
1340	d2542ab3c43da827e13400c85e5582b0_NeikiAnalytics.exe
1340	d2542ab3c43da827e13400c85e5582b0_NeikiAnalytics.exe
1340	d2542ab3c43da827e13400c85e5582b0_NeikiAnalytics.exe
1340	d2542ab3c43da827e13400c85e5582b0_NeikiAnalytics.exe
1340	d2542ab3c43da827e13400c85e5582b0_NeikiAnalytics.exe
1340	d2542ab3c43da827e13400c85e5582b0_NeikiAnalytics.exe
2032	d2542ab3c43da827e13400c85e5582b0_NeikiAnalytics.exe
2980	d2542ab3c43da827e13400c85e5582b0_NeikiAnalytics.exe
1340	d2542ab3c43da827e13400c85e5582b0_NeikiAnalytics.exe
1340	d2542ab3c43da827e13400c85e5582b0_NeikiAnalytics.exe
1340	d2542ab3c43da827e13400c85e5582b0_NeikiAnalytics.exe
1340	d2542ab3c43da827e13400c85e5582b0_NeikiAnalytics.exe
1340	d2542ab3c43da827e13400c85e5582b0_NeikiAnalytics.exe
1340	d2542ab3c43da827e13400c85e5582b0_NeikiAnalytics.exe
2032	d2542ab3c43da827e13400c85e5582b0_NeikiAnalytics.exe
2980	d2542ab3c43da827e13400c85e5582b0_NeikiAnalytics.exe
1340	d2542ab3c43da827e13400c85e5582b0_NeikiAnalytics.exe
1340	d2542ab3c43da827e13400c85e5582b0_NeikiAnalytics.exe
1340	d2542ab3c43da827e13400c85e5582b0_NeikiAnalytics.exe
1340	d2542ab3c43da827e13400c85e5582b0_NeikiAnalytics.exe
1340	d2542ab3c43da827e13400c85e5582b0_NeikiAnalytics.exe
1340	d2542ab3c43da827e13400c85e5582b0_NeikiAnalytics.exe
1340	d2542ab3c43da827e13400c85e5582b0_NeikiAnalytics.exe
2980	d2542ab3c43da827e13400c85e5582b0_NeikiAnalytics.exe
2032	d2542ab3c43da827e13400c85e5582b0_NeikiAnalytics.exe
1340	d2542ab3c43da827e13400c85e5582b0_NeikiAnalytics.exe
1340	d2542ab3c43da827e13400c85e5582b0_NeikiAnalytics.exe
1340	d2542ab3c43da827e13400c85e5582b0_NeikiAnalytics.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1340	d2542ab3c43da827e13400c85e5582b0_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1340 wrote to memory of 2032	1340	d2542ab3c43da827e13400c85e5582b0_NeikiAnalytics.exe	28
PID 1340 wrote to memory of 2032	1340	d2542ab3c43da827e13400c85e5582b0_NeikiAnalytics.exe	28
PID 1340 wrote to memory of 2032	1340	d2542ab3c43da827e13400c85e5582b0_NeikiAnalytics.exe	28
PID 1340 wrote to memory of 2032	1340	d2542ab3c43da827e13400c85e5582b0_NeikiAnalytics.exe	28
PID 1340 wrote to memory of 2980	1340	d2542ab3c43da827e13400c85e5582b0_NeikiAnalytics.exe	29
PID 1340 wrote to memory of 2980	1340	d2542ab3c43da827e13400c85e5582b0_NeikiAnalytics.exe	29
PID 1340 wrote to memory of 2980	1340	d2542ab3c43da827e13400c85e5582b0_NeikiAnalytics.exe	29
PID 1340 wrote to memory of 2980	1340	d2542ab3c43da827e13400c85e5582b0_NeikiAnalytics.exe	29

C:\Users\Admin\AppData\Local\Temp\d2542ab3c43da827e13400c85e5582b0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\d2542ab3c43da827e13400c85e5582b0_NeikiAnalytics.exe"
1⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1340
- C:\Users\Admin\AppData\Local\Temp\d2542ab3c43da827e13400c85e5582b0_NeikiAnalytics.exe
  "C:\Users\Admin\AppData\Local\Temp\d2542ab3c43da827e13400c85e5582b0_NeikiAnalytics.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2032
- C:\Users\Admin\AppData\Local\Temp\d2542ab3c43da827e13400c85e5582b0_NeikiAnalytics.exe
  "C:\Users\Admin\AppData\Local\Temp\d2542ab3c43da827e13400c85e5582b0_NeikiAnalytics.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\cftmon.exe

Filesize
374KB

MD5
330066dcf80cc34a267e4f9f5406ed95

SHA1
7b394bf55d8c7c17c4484e038b4fdac972432459

SHA256
6d34d48dbeb3d22b402cfb85804a027afa8cacf6af0786f87e3ddae0e9aab155

SHA512
6774c33cbca5c9a8b250def7c71f434daac12a9afc4d9c0ab92e660bc2903db15f28443e4b42f8a90774802f988527b66c303b38f6358079ae91d9166f8ec0ba

Download Submit
\Windows\SysWOW64\msftp.dll

Filesize
5KB

MD5
11bf9bea80add82f873e4c31b9d28d2e

SHA1
1c2e0732fbbc97dcee9150380bfb63d2bf014e88

SHA256
1ff1089cd45af1f67601e86c77ae8c24cd632f44c7ef97b65676bbc5ed7212f5

SHA512
32ff380653d4b27cfc5baafa754b7edc22a59d412ab37635866c36f80bcad29404c9f8a395dcb7da900ecc72446dbe2491a54699afa711033afcbf087981be2d

Download Submit
memory/1340-0-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1340-2-0x0000000002330000-0x0000000002374000-memory.dmp

Filesize
272KB

Download
memory/1340-13-0x0000000010000000-0x000000001010B000-memory.dmp

Filesize
1.0MB

Download
memory/1340-14-0x0000000010000000-0x000000001010B000-memory.dmp

Filesize
1.0MB

Download
memory/1340-15-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1340-16-0x0000000002060000-0x00000000020A4000-memory.dmp

Filesize
272KB

Download
memory/1340-19-0x0000000002330000-0x0000000002374000-memory.dmp

Filesize
272KB

Download
memory/2032-1-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2032-17-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2980-20-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download