14511d79d4bae991892e98102865bdd595a6c757f2fd7a22abcd3a8d7fa1fe03

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
15/05/2024, 12:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d2542ab3c43da827e13400c85e5582b0_NeikiAnalytics.exe
Size

354KB
MD5

d2542ab3c43da827e13400c85e5582b0
SHA1

90cac0bda3a0a3113d6cdaf4e427767c71a4be80
SHA256

14511d79d4bae991892e98102865bdd595a6c757f2fd7a22abcd3a8d7fa1fe03
SHA512

0735a4acfd4d37146a6f063fe12079a1b2e59f71f4bb686f0de2dc2b4cec6d29b042475a524ba89041cd52e21bb307c69dd3ab6826d9b7959513f10a86c860e7
SSDEEP

6144:FgLCraBy/yW/B+RnkP+6bRWrqC1C/B+zheDy/B+G/B+G/B+Z8Quc64c:FgMaBy/yQZ+VqCmKRBBdH

Score

8^/10

persistence upx

Malware Config

Signatures

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\drivers\spool.exe	d2542ab3c43da827e13400c85e5582b0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\drivers\spool.exe	d2542ab3c43da827e13400c85e5582b0_NeikiAnalytics.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spool.exe"	d2542ab3c43da827e13400c85e5582b0_NeikiAnalytics.exe

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x000b000000023390-12.dat	acprotect
behavioral2/memory/4960-15-0x0000000010000000-0x000000001010B000-memory.dmp	acprotect

Loads dropped DLL 1 IoCs

pid	Process
4960	d2542ab3c43da827e13400c85e5582b0_NeikiAnalytics.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000b000000023390-12.dat	upx
behavioral2/memory/4960-15-0x0000000010000000-0x000000001010B000-memory.dmp	upx

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	d2542ab3c43da827e13400c85e5582b0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spool.exe"	d2542ab3c43da827e13400c85e5582b0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	d2542ab3c43da827e13400c85e5582b0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spool.exe"	d2542ab3c43da827e13400c85e5582b0_NeikiAnalytics.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\msftp.dll	d2542ab3c43da827e13400c85e5582b0_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4960	d2542ab3c43da827e13400c85e5582b0_NeikiAnalytics.exe
4960	d2542ab3c43da827e13400c85e5582b0_NeikiAnalytics.exe
4960	d2542ab3c43da827e13400c85e5582b0_NeikiAnalytics.exe
4960	d2542ab3c43da827e13400c85e5582b0_NeikiAnalytics.exe
4960	d2542ab3c43da827e13400c85e5582b0_NeikiAnalytics.exe
4960	d2542ab3c43da827e13400c85e5582b0_NeikiAnalytics.exe
4960	d2542ab3c43da827e13400c85e5582b0_NeikiAnalytics.exe
4960	d2542ab3c43da827e13400c85e5582b0_NeikiAnalytics.exe
4960	d2542ab3c43da827e13400c85e5582b0_NeikiAnalytics.exe
4960	d2542ab3c43da827e13400c85e5582b0_NeikiAnalytics.exe
4960	d2542ab3c43da827e13400c85e5582b0_NeikiAnalytics.exe
4960	d2542ab3c43da827e13400c85e5582b0_NeikiAnalytics.exe
4960	d2542ab3c43da827e13400c85e5582b0_NeikiAnalytics.exe
4960	d2542ab3c43da827e13400c85e5582b0_NeikiAnalytics.exe
4960	d2542ab3c43da827e13400c85e5582b0_NeikiAnalytics.exe
4960	d2542ab3c43da827e13400c85e5582b0_NeikiAnalytics.exe
4960	d2542ab3c43da827e13400c85e5582b0_NeikiAnalytics.exe
4960	d2542ab3c43da827e13400c85e5582b0_NeikiAnalytics.exe
4960	d2542ab3c43da827e13400c85e5582b0_NeikiAnalytics.exe
4960	d2542ab3c43da827e13400c85e5582b0_NeikiAnalytics.exe
4960	d2542ab3c43da827e13400c85e5582b0_NeikiAnalytics.exe
4960	d2542ab3c43da827e13400c85e5582b0_NeikiAnalytics.exe
4960	d2542ab3c43da827e13400c85e5582b0_NeikiAnalytics.exe
4960	d2542ab3c43da827e13400c85e5582b0_NeikiAnalytics.exe
4960	d2542ab3c43da827e13400c85e5582b0_NeikiAnalytics.exe
4960	d2542ab3c43da827e13400c85e5582b0_NeikiAnalytics.exe
4960	d2542ab3c43da827e13400c85e5582b0_NeikiAnalytics.exe
4960	d2542ab3c43da827e13400c85e5582b0_NeikiAnalytics.exe
4960	d2542ab3c43da827e13400c85e5582b0_NeikiAnalytics.exe
4960	d2542ab3c43da827e13400c85e5582b0_NeikiAnalytics.exe
4984	d2542ab3c43da827e13400c85e5582b0_NeikiAnalytics.exe
4984	d2542ab3c43da827e13400c85e5582b0_NeikiAnalytics.exe
4960	d2542ab3c43da827e13400c85e5582b0_NeikiAnalytics.exe
4960	d2542ab3c43da827e13400c85e5582b0_NeikiAnalytics.exe
4960	d2542ab3c43da827e13400c85e5582b0_NeikiAnalytics.exe
4960	d2542ab3c43da827e13400c85e5582b0_NeikiAnalytics.exe
4960	d2542ab3c43da827e13400c85e5582b0_NeikiAnalytics.exe
4960	d2542ab3c43da827e13400c85e5582b0_NeikiAnalytics.exe
4960	d2542ab3c43da827e13400c85e5582b0_NeikiAnalytics.exe
4960	d2542ab3c43da827e13400c85e5582b0_NeikiAnalytics.exe
4960	d2542ab3c43da827e13400c85e5582b0_NeikiAnalytics.exe
4960	d2542ab3c43da827e13400c85e5582b0_NeikiAnalytics.exe
4960	d2542ab3c43da827e13400c85e5582b0_NeikiAnalytics.exe
4960	d2542ab3c43da827e13400c85e5582b0_NeikiAnalytics.exe
4960	d2542ab3c43da827e13400c85e5582b0_NeikiAnalytics.exe
4960	d2542ab3c43da827e13400c85e5582b0_NeikiAnalytics.exe
4960	d2542ab3c43da827e13400c85e5582b0_NeikiAnalytics.exe
4960	d2542ab3c43da827e13400c85e5582b0_NeikiAnalytics.exe
4960	d2542ab3c43da827e13400c85e5582b0_NeikiAnalytics.exe
4960	d2542ab3c43da827e13400c85e5582b0_NeikiAnalytics.exe
4960	d2542ab3c43da827e13400c85e5582b0_NeikiAnalytics.exe
4960	d2542ab3c43da827e13400c85e5582b0_NeikiAnalytics.exe
4960	d2542ab3c43da827e13400c85e5582b0_NeikiAnalytics.exe
4960	d2542ab3c43da827e13400c85e5582b0_NeikiAnalytics.exe
4960	d2542ab3c43da827e13400c85e5582b0_NeikiAnalytics.exe
4960	d2542ab3c43da827e13400c85e5582b0_NeikiAnalytics.exe
4960	d2542ab3c43da827e13400c85e5582b0_NeikiAnalytics.exe
4960	d2542ab3c43da827e13400c85e5582b0_NeikiAnalytics.exe
4960	d2542ab3c43da827e13400c85e5582b0_NeikiAnalytics.exe
4960	d2542ab3c43da827e13400c85e5582b0_NeikiAnalytics.exe
4984	d2542ab3c43da827e13400c85e5582b0_NeikiAnalytics.exe
4984	d2542ab3c43da827e13400c85e5582b0_NeikiAnalytics.exe
4960	d2542ab3c43da827e13400c85e5582b0_NeikiAnalytics.exe
4960	d2542ab3c43da827e13400c85e5582b0_NeikiAnalytics.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4960	d2542ab3c43da827e13400c85e5582b0_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4960 wrote to memory of 4984	4960	d2542ab3c43da827e13400c85e5582b0_NeikiAnalytics.exe	89
PID 4960 wrote to memory of 4984	4960	d2542ab3c43da827e13400c85e5582b0_NeikiAnalytics.exe	89
PID 4960 wrote to memory of 4984	4960	d2542ab3c43da827e13400c85e5582b0_NeikiAnalytics.exe	89
PID 4984 wrote to memory of 2072	4984	d2542ab3c43da827e13400c85e5582b0_NeikiAnalytics.exe	95
PID 4984 wrote to memory of 2072	4984	d2542ab3c43da827e13400c85e5582b0_NeikiAnalytics.exe	95
PID 4984 wrote to memory of 2072	4984	d2542ab3c43da827e13400c85e5582b0_NeikiAnalytics.exe	95
PID 4960 wrote to memory of 3156	4960	d2542ab3c43da827e13400c85e5582b0_NeikiAnalytics.exe	97
PID 4960 wrote to memory of 3156	4960	d2542ab3c43da827e13400c85e5582b0_NeikiAnalytics.exe	97
PID 4960 wrote to memory of 3156	4960	d2542ab3c43da827e13400c85e5582b0_NeikiAnalytics.exe	97

C:\Users\Admin\AppData\Local\Temp\d2542ab3c43da827e13400c85e5582b0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\d2542ab3c43da827e13400c85e5582b0_NeikiAnalytics.exe"
1⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4960
- C:\Users\Admin\AppData\Local\Temp\d2542ab3c43da827e13400c85e5582b0_NeikiAnalytics.exe
  "C:\Users\Admin\AppData\Local\Temp\d2542ab3c43da827e13400c85e5582b0_NeikiAnalytics.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4984
- - C:\Users\Admin\AppData\Local\Temp\d2542ab3c43da827e13400c85e5582b0_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\d2542ab3c43da827e13400c85e5582b0_NeikiAnalytics.exe"
    3⤵
    PID:2072
- C:\Users\Admin\AppData\Local\Temp\d2542ab3c43da827e13400c85e5582b0_NeikiAnalytics.exe
  "C:\Users\Admin\AppData\Local\Temp\d2542ab3c43da827e13400c85e5582b0_NeikiAnalytics.exe"
  2⤵
  PID:3156

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\cftmon.exe

Filesize
363KB

MD5
c5cf055e2d751787b47fc188c58dd3eb

SHA1
51bef6a30b2d037f266457a07b197bc71ed82cad

SHA256
599610cb4daaa4a780a7dc7489d0fd70d4eba788485b5fbcf6d76c9787707c2a

SHA512
eed8c018344ee2df06515d7f6c933a7d53e37275584f5b6505baeb72bc3af0a95c8840da4fa73efd3a10bff3116b37a66e373962ae1aaea0e385734a251fe876

Download Submit
C:\Windows\SysWOW64\msftp.dll

Filesize
5KB

MD5
11bf9bea80add82f873e4c31b9d28d2e

SHA1
1c2e0732fbbc97dcee9150380bfb63d2bf014e88

SHA256
1ff1089cd45af1f67601e86c77ae8c24cd632f44c7ef97b65676bbc5ed7212f5

SHA512
32ff380653d4b27cfc5baafa754b7edc22a59d412ab37635866c36f80bcad29404c9f8a395dcb7da900ecc72446dbe2491a54699afa711033afcbf087981be2d

Download Submit
memory/2072-8-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2072-20-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3156-9-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3156-21-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4960-0-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4960-15-0x0000000010000000-0x000000001010B000-memory.dmp

Filesize
1.0MB

Download
memory/4960-17-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4984-1-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4984-19-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download