5f2f087aff6eaa0b98dfad731accaaa7ed9d303cd9e888af9e81f93557bf12a0

General

Target

36c6df3adcc499f5636450ee9f5ac8a0_NeikiAnalytics.exe
Size

376KB
MD5

36c6df3adcc499f5636450ee9f5ac8a0
SHA1

7518f981378c0aa4be6989e355a44726b3a04d23
SHA256

5f2f087aff6eaa0b98dfad731accaaa7ed9d303cd9e888af9e81f93557bf12a0
SHA512

a35c26ba50bae2341ffa93d10f623950671893c96a0530f74f0c16637043defa28f5e387267a4ac78e0db7987059d5c30f1bd726502870aa2e104af9f30283f7
SSDEEP

6144:HPhftdcNdPePhftdcNdP66dporo4rM6Ld9f71NYt5gfzDVlVXgOd:HPQdPePQdPdZILd9fQt5GpX

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
2984	tmp259394266.exe
2900	tmp259394250.exe
2536	tmp259394297.exe
2640	tmp259394375.exe

Loads dropped DLL 6 IoCs

pid	Process
2220	36c6df3adcc499f5636450ee9f5ac8a0_NeikiAnalytics.exe
2220	36c6df3adcc499f5636450ee9f5ac8a0_NeikiAnalytics.exe
2220	36c6df3adcc499f5636450ee9f5ac8a0_NeikiAnalytics.exe
2220	36c6df3adcc499f5636450ee9f5ac8a0_NeikiAnalytics.exe
2984	tmp259394266.exe
2984	tmp259394266.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2220-0-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/files/0x003900000001340c-9.dat	upx
behavioral1/memory/2984-20-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/2220-23-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/2984-50-0x0000000000400000-0x000000000041F000-memory.dmp	upx

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\notpad.exe-	tmp259394250.exe
File created	C:\Windows\SysWOW64\fsb.tmp	tmp259394250.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp259394250.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp259394250.exe

Modifies registry class 1 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp259394250.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2220 wrote to memory of 2900	2220	36c6df3adcc499f5636450ee9f5ac8a0_NeikiAnalytics.exe	28
PID 2220 wrote to memory of 2900	2220	36c6df3adcc499f5636450ee9f5ac8a0_NeikiAnalytics.exe	28
PID 2220 wrote to memory of 2900	2220	36c6df3adcc499f5636450ee9f5ac8a0_NeikiAnalytics.exe	28
PID 2220 wrote to memory of 2900	2220	36c6df3adcc499f5636450ee9f5ac8a0_NeikiAnalytics.exe	28
PID 2220 wrote to memory of 2984	2220	36c6df3adcc499f5636450ee9f5ac8a0_NeikiAnalytics.exe	29
PID 2220 wrote to memory of 2984	2220	36c6df3adcc499f5636450ee9f5ac8a0_NeikiAnalytics.exe	29
PID 2220 wrote to memory of 2984	2220	36c6df3adcc499f5636450ee9f5ac8a0_NeikiAnalytics.exe	29
PID 2220 wrote to memory of 2984	2220	36c6df3adcc499f5636450ee9f5ac8a0_NeikiAnalytics.exe	29
PID 2984 wrote to memory of 2536	2984	tmp259394266.exe	30
PID 2984 wrote to memory of 2536	2984	tmp259394266.exe	30
PID 2984 wrote to memory of 2536	2984	tmp259394266.exe	30
PID 2984 wrote to memory of 2536	2984	tmp259394266.exe	30

C:\Users\Admin\AppData\Local\Temp\36c6df3adcc499f5636450ee9f5ac8a0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\36c6df3adcc499f5636450ee9f5ac8a0_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2220
- C:\Users\Admin\AppData\Local\Temp\tmp259394250.exe
  C:\Users\Admin\AppData\Local\Temp\tmp259394250.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  PID:2900
- C:\Users\Admin\AppData\Local\Temp\tmp259394266.exe
  C:\Users\Admin\AppData\Local\Temp\tmp259394266.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2984
- - C:\Users\Admin\AppData\Local\Temp\tmp259394297.exe
    C:\Users\Admin\AppData\Local\Temp\tmp259394297.exe
    3⤵
    - Executes dropped EXE
    PID:2536
- - C:\Users\Admin\AppData\Local\Temp\tmp259394375.exe
    C:\Users\Admin\AppData\Local\Temp\tmp259394375.exe
    3⤵
    - Executes dropped EXE
    PID:2640

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp259394375.exe

Filesize
230KB

MD5
fa9f7bb1f8a598722aecd2a2d9df20ef

SHA1
ca7589c55e31869108c744e1002f8a402a2bbaa6

SHA256
a1e2dffdbd83c5086753a81437b03439d213661fc7818b9ceb5327110a794023

SHA512
a86a3b98b5b73a68440a134d617d6d313dcf7cd4fb59a7724deabc7222c1a72c7f974ee3d5b8127310fa5b35f9a0615b89e6f3d61d6bb79713d5c84cc9063ea7

Download Submit
\Users\Admin\AppData\Local\Temp\tmp259394250.exe

Filesize
61KB

MD5
87c5e5809bfee1ddf3b2b22ea7b15d00

SHA1
db1d86767699f211492499e4ea12abc83c154427

SHA256
5edbef56f2dde8e13b9d14edd76727c78ce036f6aed9c806193e30d4edd4fc7c

SHA512
41d1497eaf0bb6b4f0d2a5720438cdb82884ad1cc6bfd0d642206417d295c635199fd8ef71f186945db0b2251c1dfcf488026a327d1564df3fdcf2b6d5acc21d

Download Submit
\Users\Admin\AppData\Local\Temp\tmp259394266.exe

Filesize
303KB

MD5
164a5db193e13ca473da6ca4014de3c4

SHA1
2a6f9ee593e7db33e2ea7240a7a441db6895c615

SHA256
700111166a6c21d2abdc475bed65a84b4f8bf32e9eb5c20e002f8cb9d573850b

SHA512
3163d5fbf7a3d5e6546a828a7d2d883dd871329ff6b6ac9d49d24290f85d67db00d703b5d2e06c5c60cec6b6f567fef064b62748200fc4cd6216e83177ea1c02

Download Submit
memory/2220-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2220-23-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2220-19-0x00000000001B0000-0x00000000001CF000-memory.dmp

Filesize
124KB

Download
memory/2220-18-0x00000000001B0000-0x00000000001CF000-memory.dmp

Filesize
124KB

Download
memory/2536-48-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2900-51-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2984-20-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2984-50-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download

Analysis

Sharing