3b341eea8340078ee9eb0c11e876c24142f448174126b7c1c7d060ad65dbe607

General

Target

aaa5ac8b8ab68ad695e72be9ca9571a0_NeikiAnalytics.exe
Size

6.1MB
MD5

aaa5ac8b8ab68ad695e72be9ca9571a0
SHA1

68dc4eba558e5a76880fcf4d0e997a1b7cc7a00e
SHA256

3b341eea8340078ee9eb0c11e876c24142f448174126b7c1c7d060ad65dbe607
SHA512

49214cc8ab2f74256f3cbc5e7cb0359007be2d4aad3019379f164bb878e23d88d05b869ca59c5a8d40f5c430843a0fc6982740e691a6d42bce67ff1f17de20a4
SSDEEP

196608:A6q0HkQgN1DmfJLO03/Vnaiq2L8dET6WBse0aUCeVMRmLnPKy:A6jCKLO03ZFn846WBsnaiVMRYnr

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe sIRC4.exe"	aaa5ac8b8ab68ad695e72be9ca9571a0_NeikiAnalytics.exe

Drops file in System32 directory 28 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\xdccPrograms\Uninstall.exe	aaa5ac8b8ab68ad695e72be9ca9571a0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\xdccPrograms\mip.exe	aaa5ac8b8ab68ad695e72be9ca9571a0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\MSOXMLED.exe	aaa5ac8b8ab68ad695e72be9ca9571a0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\sIRC4.exe	aaa5ac8b8ab68ad695e72be9ca9571a0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\sIRC4.exe	aaa5ac8b8ab68ad695e72be9ca9571a0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\InputPersonalization.exe	aaa5ac8b8ab68ad695e72be9ca9571a0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\DC++ Share\TabTip.exe	aaa5ac8b8ab68ad695e72be9ca9571a0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\DC++ Share\DVDMaker.exe	aaa5ac8b8ab68ad695e72be9ca9571a0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\Uninstall.exe	aaa5ac8b8ab68ad695e72be9ca9571a0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\xdccPrograms\FlickLearningWizard.exe	aaa5ac8b8ab68ad695e72be9ca9571a0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\DC++ Share\ShapeCollector.exe	aaa5ac8b8ab68ad695e72be9ca9571a0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\OSPPSVC.exe	aaa5ac8b8ab68ad695e72be9ca9571a0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\DC++ Share\VSTOInstaller.exe	aaa5ac8b8ab68ad695e72be9ca9571a0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\mip.exe	aaa5ac8b8ab68ad695e72be9ca9571a0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\7zFM.exe	aaa5ac8b8ab68ad695e72be9ca9571a0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\7zG.exe	aaa5ac8b8ab68ad695e72be9ca9571a0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\DC++ Share\msinfo32.exe	aaa5ac8b8ab68ad695e72be9ca9571a0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\xdccPrograms\7zFM.exe	aaa5ac8b8ab68ad695e72be9ca9571a0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\xdccPrograms\7zG.exe	aaa5ac8b8ab68ad695e72be9ca9571a0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\xdccPrograms\ConvertInkStore.exe	aaa5ac8b8ab68ad695e72be9ca9571a0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\TabTip.exe	aaa5ac8b8ab68ad695e72be9ca9571a0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\DC++ Share\OSPPSVC.exe	aaa5ac8b8ab68ad695e72be9ca9571a0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\RCXE62.tmp	aaa5ac8b8ab68ad695e72be9ca9571a0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\xdccPrograms\7z.exe	aaa5ac8b8ab68ad695e72be9ca9571a0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\xdccPrograms\InkWatson.exe	aaa5ac8b8ab68ad695e72be9ca9571a0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\xdccPrograms\InputPersonalization.exe	aaa5ac8b8ab68ad695e72be9ca9571a0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\DC++ Share\MSOXMLED.exe	aaa5ac8b8ab68ad695e72be9ca9571a0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\DC++ Share\chrome_pwa_launcher.exe	aaa5ac8b8ab68ad695e72be9ca9571a0_NeikiAnalytics.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2468	1720	WerFault.exe	27

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1720	aaa5ac8b8ab68ad695e72be9ca9571a0_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1720 wrote to memory of 2468	1720	aaa5ac8b8ab68ad695e72be9ca9571a0_NeikiAnalytics.exe	28
PID 1720 wrote to memory of 2468	1720	aaa5ac8b8ab68ad695e72be9ca9571a0_NeikiAnalytics.exe	28
PID 1720 wrote to memory of 2468	1720	aaa5ac8b8ab68ad695e72be9ca9571a0_NeikiAnalytics.exe	28
PID 1720 wrote to memory of 2468	1720	aaa5ac8b8ab68ad695e72be9ca9571a0_NeikiAnalytics.exe	28

C:\Users\Admin\AppData\Local\Temp\aaa5ac8b8ab68ad695e72be9ca9571a0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\aaa5ac8b8ab68ad695e72be9ca9571a0_NeikiAnalytics.exe"
1⤵
- Modifies WinLogon for persistence
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1720
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1720 -s 156
  2⤵
  - Program crash
  PID:2468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\xdccPrograms\7zG.exe

Filesize
6.1MB

MD5
bddd5f5b8a21fbcf534a09954305b87b

SHA1
5b6fb3a72e88af3d587681bd3fa29902767bf2a6

SHA256
763155b2488fcba5ba881c932920768b1211633bd997268d6db52280566b98ad

SHA512
11e6ad6ec23ef31740404d9cbfae4db3832be5da60aa67a25226d06c1dcb026b297d4f187da5b5debe75b6df1374b84cb26305ba2763a67a06544de8bdb49efd

Download Submit
memory/1720-36-0x0000000000400000-0x0000000000D43000-memory.dmp

Filesize
9.3MB

Download
memory/1720-35-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/1720-5-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1720-6-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1720-8-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1720-10-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1720-0-0x0000000000400000-0x0000000000D43000-memory.dmp

Filesize
9.3MB

Download
memory/1720-3-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1720-48-0x0000000000400000-0x0000000000D43000-memory.dmp

Filesize
9.3MB

Download
memory/1720-49-0x0000000000400000-0x0000000000D43000-memory.dmp

Filesize
9.3MB

Download
memory/1720-1-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1720-45-0x0000000000400000-0x0000000000D43000-memory.dmp

Filesize
9.3MB

Download
memory/1720-25-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/1720-33-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/1720-30-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/1720-28-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/1720-37-0x0000000000418000-0x0000000000767000-memory.dmp

Filesize
3.3MB

Download
memory/1720-23-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/1720-20-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1720-18-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1720-15-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1720-13-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1720-11-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1720-71-0x0000000000400000-0x0000000000D43000-memory.dmp

Filesize
9.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads