Analysis
- max time kernel: 149s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 15-05-2024 15:42
Static task
- static1

Behavioral task
- behavioral1
  Sample: d8fbc9d04599038ec366e5c80b187060_NeikiAnalytics.exe
  Resource: win7-20240419-en

Behavioral task
- behavioral2
  Sample: d8fbc9d04599038ec366e5c80b187060_NeikiAnalytics.exe
  Resource: win10v2004-20240426-en
General
- Target: d8fbc9d04599038ec366e5c80b187060_NeikiAnalytics.exe
- Size: 3.8MB
- MD5: d8fbc9d04599038ec366e5c80b187060
- SHA1: ddb65f6db48826a8f6a3c656049497124ff085fb
- SHA256: 4581dedab46a4dea9c85a4239750157f50d4cc6de0aaaedd8654b8bcb0902306
- SHA512: cb8e008a99a7d1825f7f0973eb136d25c1f850b2cf8203bcea1e290d83c042495a4f3811aad22794727f008565fb656697f7c630a66724e51c519dac88a87a6e
- SSDEEP: 98304:oJwakG4fYrq1HJvpliCQHawbzBbGSlaUEI96kdQDanpqHrO3ndI3/lL/v7zVwwX7:oJwakG4fYrq1HJvpliCQHawbzBbGSlaB
Malware Config
Signatures
-
- Checks BIOS information in registry (2 TTPs, 1 IoC)
  BIOS information is often read in order to detect sandboxing environments.
  Processes:
    description | ioc | process
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | mcsft.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Processes:
    description | ioc | process
    Key value queried | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation | d8fbc9d04599038ec366e5c80b187060_NeikiAnalytics.exe
- Executes dropped EXE (2 IoCs)
  Processes:
    pid | process
    4740 | mcsft.exe
    5060 | mcsft.exe
- Processes (YARA rule matches):
    resource | yara_rule
    behavioral2/memory/5060-31-0x0000000000400000-0x00000000004B5000-memory.dmp | upx
    behavioral2/memory/5060-34-0x0000000000400000-0x00000000004B5000-memory.dmp | upx
    behavioral2/memory/5060-35-0x0000000000400000-0x00000000004B5000-memory.dmp | upx
    behavioral2/memory/5060-36-0x0000000000400000-0x00000000004B5000-memory.dmp | upx
    behavioral2/memory/5060-37-0x0000000000400000-0x00000000004B5000-memory.dmp | upx
    behavioral2/memory/5060-40-0x0000000000400000-0x00000000004B5000-memory.dmp | upx
    behavioral2/memory/5060-41-0x0000000000400000-0x00000000004B5000-memory.dmp | upx
    behavioral2/memory/5060-38-0x0000000000400000-0x00000000004B5000-memory.dmp | upx
    behavioral2/memory/5060-42-0x0000000000400000-0x00000000004B5000-memory.dmp | upx
    behavioral2/memory/5060-44-0x0000000000400000-0x00000000004B5000-memory.dmp | upx
    behavioral2/memory/5060-46-0x0000000000400000-0x00000000004B5000-memory.dmp | upx
    behavioral2/memory/5060-48-0x0000000000400000-0x00000000004B5000-memory.dmp | upx
    behavioral2/memory/5060-50-0x0000000000400000-0x00000000004B5000-memory.dmp | upx
    behavioral2/memory/5060-52-0x0000000000400000-0x00000000004B5000-memory.dmp | upx
    behavioral2/memory/5060-54-0x0000000000400000-0x00000000004B5000-memory.dmp | upx
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
    description | ioc | process
    Set value (str) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Mcrosoft = "C:\\Users\\Admin\\AppData\\Roaming\\mcsft.exe" | reg.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
    description | pid | process | target process
    PID 4740 set thread context of 5060 | 4740 | mcsft.exe | mcsft.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Checks processor information in registry (2 TTPs, 4 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes:
    description | ioc | process
    Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | mcsft.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | mcsft.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | mcsft.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | mcsft.exe
- Enumerates system info in registry (2 TTPs, 1 IoC)
  Processes:
    description | ioc | process
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | mcsft.exe
- Suspicious use of AdjustPrivilegeToken (24 IoCs)
  Processes:
    description | pid | process
    Token: SeIncreaseQuotaPrivilege | 5060 | mcsft.exe
    Token: SeSecurityPrivilege | 5060 | mcsft.exe
    Token: SeTakeOwnershipPrivilege | 5060 | mcsft.exe
    Token: SeLoadDriverPrivilege | 5060 | mcsft.exe
    Token: SeSystemProfilePrivilege | 5060 | mcsft.exe
    Token: SeSystemtimePrivilege | 5060 | mcsft.exe
    Token: SeProfSingleProcessPrivilege | 5060 | mcsft.exe
    Token: SeIncBasePriorityPrivilege | 5060 | mcsft.exe
    Token: SeCreatePagefilePrivilege | 5060 | mcsft.exe
    Token: SeBackupPrivilege | 5060 | mcsft.exe
    Token: SeRestorePrivilege | 5060 | mcsft.exe
    Token: SeShutdownPrivilege | 5060 | mcsft.exe
    Token: SeDebugPrivilege | 5060 | mcsft.exe
    Token: SeSystemEnvironmentPrivilege | 5060 | mcsft.exe
    Token: SeChangeNotifyPrivilege | 5060 | mcsft.exe
    Token: SeRemoteShutdownPrivilege | 5060 | mcsft.exe
    Token: SeUndockPrivilege | 5060 | mcsft.exe
    Token: SeManageVolumePrivilege | 5060 | mcsft.exe
    Token: SeImpersonatePrivilege | 5060 | mcsft.exe
    Token: SeCreateGlobalPrivilege | 5060 | mcsft.exe
    Token: 33 | 5060 | mcsft.exe
    Token: 34 | 5060 | mcsft.exe
    Token: 35 | 5060 | mcsft.exe
    Token: 36 | 5060 | mcsft.exe
- Suspicious use of SetWindowsHookEx (3 IoCs)
  Processes:
    pid | process
    2740 | d8fbc9d04599038ec366e5c80b187060_NeikiAnalytics.exe
    4740 | mcsft.exe
    5060 | mcsft.exe
- Suspicious use of WriteProcessMemory (17 IoCs)
  Processes:
    description | pid | process | target process
    PID 2740 wrote to memory of 4340 | 2740 | d8fbc9d04599038ec366e5c80b187060_NeikiAnalytics.exe | cmd.exe
    PID 2740 wrote to memory of 4340 | 2740 | d8fbc9d04599038ec366e5c80b187060_NeikiAnalytics.exe | cmd.exe
    PID 2740 wrote to memory of 4340 | 2740 | d8fbc9d04599038ec366e5c80b187060_NeikiAnalytics.exe | cmd.exe
    PID 4340 wrote to memory of 3232 | 4340 | cmd.exe | reg.exe
    PID 4340 wrote to memory of 3232 | 4340 | cmd.exe | reg.exe
    PID 4340 wrote to memory of 3232 | 4340 | cmd.exe | reg.exe
    PID 2740 wrote to memory of 4740 | 2740 | d8fbc9d04599038ec366e5c80b187060_NeikiAnalytics.exe | mcsft.exe
    PID 2740 wrote to memory of 4740 | 2740 | d8fbc9d04599038ec366e5c80b187060_NeikiAnalytics.exe | mcsft.exe
    PID 2740 wrote to memory of 4740 | 2740 | d8fbc9d04599038ec366e5c80b187060_NeikiAnalytics.exe | mcsft.exe
    PID 4740 wrote to memory of 5060 | 4740 | mcsft.exe | mcsft.exe
    PID 4740 wrote to memory of 5060 | 4740 | mcsft.exe | mcsft.exe
    PID 4740 wrote to memory of 5060 | 4740 | mcsft.exe | mcsft.exe
    PID 4740 wrote to memory of 5060 | 4740 | mcsft.exe | mcsft.exe
    PID 4740 wrote to memory of 5060 | 4740 | mcsft.exe | mcsft.exe
    PID 4740 wrote to memory of 5060 | 4740 | mcsft.exe | mcsft.exe
    PID 4740 wrote to memory of 5060 | 4740 | mcsft.exe | mcsft.exe
    PID 4740 wrote to memory of 5060 | 4740 | mcsft.exe | mcsft.exe
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\d8fbc9d04599038ec366e5c80b187060_NeikiAnalytics.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\d8fbc9d04599038ec366e5c80b187060_NeikiAnalytics.exe"
  - Checks computer location settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xhgTS.bat" "
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\reg.exe
      Command line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Mcrosoft" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\mcsft.exe" /f
      - Adds Run key to start application
  - [2] C:\Users\Admin\AppData\Roaming\mcsft.exe
    Command line: "C:\Users\Admin\AppData\Roaming\mcsft.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - [3] C:\Users\Admin\AppData\Roaming\mcsft.exe
      Command line: C:\Users\Admin\AppData\Roaming\mcsft.exe
      - Checks BIOS information in registry
      - Executes dropped EXE
      - Checks processor information in registry
      - Enumerates system info in registry
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Local\Temp\xhgTS.txt
  Filesize: 135B
  MD5: a5feca573884d76f559b996d45e8ad9a
  SHA1: 0e81a993f3af4e31d60653dc2513186f0495f1c8
  SHA256: c98e20d46d6465febb5d29cfab51241521ea5d6cd621f5e18b9b7d6fbfac3f0f
  SHA512: a9239648b5f15eac4d4151b6e1bdc81065eeaeb101404c2a0126f03bc87f1e6a57206bfa07a44379e9d3bba889e4497a9991ff41fb109099b01512df3dc3cbda
- C:\Users\Admin\AppData\Roaming\mcsft.txt
  Filesize: 3.8MB
  MD5: 1a904c6988b6f9e5a80747b5a080b398
  SHA1: 3a4725e09045b87952995cb21e761fde3f60f872
  SHA256: c61d0f92f9dc6958990fd1493e90414cf990f9214d11072a52085c4ad6391110
  SHA512: 1d45a44f2830939cfb45b4c664fcac83dca00a26c909ab4ba082d97267070d70029c0db295885febd592a8e85481bb00e17d20407939f9daf12eff1e45e0267b
- memory/2740-0-0x0000000000400000-0x00000000007C4000-memory.dmp
  Filesize: 3.8MB
- memory/5060-40-0x0000000000400000-0x00000000004B5000-memory.dmp
  Filesize: 724KB
- memory/5060-38-0x0000000000400000-0x00000000004B5000-memory.dmp
  Filesize: 724KB
- memory/5060-35-0x0000000000400000-0x00000000004B5000-memory.dmp
  Filesize: 724KB
- memory/5060-36-0x0000000000400000-0x00000000004B5000-memory.dmp
  Filesize: 724KB
- memory/5060-37-0x0000000000400000-0x00000000004B5000-memory.dmp
  Filesize: 724KB
- memory/5060-31-0x0000000000400000-0x00000000004B5000-memory.dmp
  Filesize: 724KB
- memory/5060-41-0x0000000000400000-0x00000000004B5000-memory.dmp
  Filesize: 724KB
- memory/5060-34-0x0000000000400000-0x00000000004B5000-memory.dmp
  Filesize: 724KB
- memory/5060-42-0x0000000000400000-0x00000000004B5000-memory.dmp
  Filesize: 724KB
- memory/5060-44-0x0000000000400000-0x00000000004B5000-memory.dmp
  Filesize: 724KB
- memory/5060-46-0x0000000000400000-0x00000000004B5000-memory.dmp
  Filesize: 724KB
- memory/5060-48-0x0000000000400000-0x00000000004B5000-memory.dmp
  Filesize: 724KB
- memory/5060-50-0x0000000000400000-0x00000000004B5000-memory.dmp
  Filesize: 724KB
- memory/5060-52-0x0000000000400000-0x00000000004B5000-memory.dmp
  Filesize: 724KB
- memory/5060-54-0x0000000000400000-0x00000000004B5000-memory.dmp
  Filesize: 724KB