Analysis
- max time kernel: 117s
- max time network: 119s
- platform: windows7_x64
- resource: win7-20240215-en
- resource tags: arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
- submitted: 16-05-2024 07:40
Behavioral task behavioral1
- Sample: befae85cc0f064c1f2127cadc1cacf20_NeikiAnalytics.exe
- Resource: win7-20240215-en
Behavioral task behavioral2
- Sample: befae85cc0f064c1f2127cadc1cacf20_NeikiAnalytics.exe
- Resource: win10v2004-20240426-en
General
- Target: befae85cc0f064c1f2127cadc1cacf20_NeikiAnalytics.exe
- Size: 35KB
- MD5: befae85cc0f064c1f2127cadc1cacf20
- SHA1: 0dba1d6eb976cc6669133cee81aed0bb0269b6e6
- SHA256: 597abfd64e5cec3bf8650a632332bdd345027c4666f41a89290e62987d4df3b1
- SHA512: 5ee93408592d0cf766b02e0ebbd95a19ec96f5a13ab6a496f4aa823edcbcf4a20b573458c0d3de1b9bbe5309b2ccae85ed4b16ef6ebe24aca3a7a8681796e927
- SSDEEP: 768:Q8JqCbJQmkDx2Q8EyAC8DpqcjnxHJ+Vy3BYlZY:cC1kDpq+nH+g36Y
Malware Config
Signatures
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
- ModiLoader Second Stage 1 IoCs
  resource: behavioral1/memory/1888-10-0x0000000020000000-0x0000000020010000-memory.dmp
  yara_rule: modiloader_stage2
- Modifies Installed Components in the registry 2 TTPs 4 IoCs
  process (all rows): befae85cc0f064c1f2127cadc1cacf20_NeikiAnalytics.exe
  Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\
  Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\ACTIVE SETUP\INSTALLED COMPONENTS\swLÙ‡òuMƒ—?+ÔrGÕæO3@|zÒ[>F&?„vo‘ÀxÆæ‹kXFV$4<ÍÁÆP‚nÉ ú)žßeÞ/I2õ‘5´Z”>´’ù’á ËŠàÂê0˜_+=È… Ñ°
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\ACTIVE SETUP\INSTALLED COMPONENTS\swLÙ‡òuMƒ—?+ÔrGÕæO3@|zÒ[>F&?„vo‘ÀxÆæ‹kXFV$4<ÍÁÆP‚nÉ ú)žßeÞ/I2õ‘5´Z”>´’ù’á ËŠàÂê0˜_+=È… Ñ°\StubPath = "C:\\Windows\\\x17‘5\x03´Z”>\x16´’\x1bù’á\tËŠàÂê0˜_+=È… \x06\x03Ñ° 2"
  Key created: \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\SOFTWARE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\
- Adds Run key to start application 2 TTPs 4 IoCs
  process (all rows): befae85cc0f064c1f2127cadc1cacf20_NeikiAnalytics.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\ËŠàÂê0˜_+=È… Ñ° = "C:\\Windows\\\x17‘5\x03´Z”>\x16´’\x1bù’á\tËŠàÂê0˜_+=È… \x06\x03Ñ°"
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RUNONCE\*ËŠàÂê0˜_+=È… Ñ° = "C:\\Windows\\\x17‘5\x03´Z”>\x16´’\x1bù’á\tËŠàÂê0˜_+=È… \x06\x03Ñ°"
  Set value (str): \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\RUNONCE\*ËŠàÂê0˜_+=È… Ñ° = "C:\\Windows\\\x17‘5\x03´Z”>\x16´’\x1bù’á\tËŠàÂê0˜_+=È… \x06\x03Ñ°"
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RUN\ËŠàÂê0˜_+=È… Ñ° = "C:\\Windows\\\x17‘5\x03´Z”>\x16´’\x1bù’á\tËŠàÂê0˜_+=È… \x06\x03Ñ°"
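The two signatures above (Active Setup "Installed Components" plus Run/RunOnce entries, all pointing at a file dropped directly under C:\Windows with control characters in its name) are the kind of registry events a host-side triage script should score rather than just list. The following Python is an added example, not part of this report or of the sandbox's own logic. It assumes constructed events modelled on the IoCs above; GARBLED is a shortened stand-in for the loader's mangled key/value name that keeps the same control characters, and the OneDrive entry is a made-up benign control. The ATT&CK IDs are the standard ones for Active Setup (T1547.014) and Run keys (T1547.001); the asterisk rule reflects documented Windows behaviour, where a RunOnce value name prefixed with `*` is still executed in Safe Mode.

```python
import re
from dataclasses import dataclass, field

# Shortened stand-in for the loader's mangled key/value name (the full one is
# in the report above); it keeps the control characters the sandbox logged.
GARBLED = "\x17\u2018" + "5\x03\u00b4Z\u201d>\x16"
DROP = "C:\\Windows\\" + GARBLED          # payload dropped directly under C:\Windows
SID = r"S-1-5-21-2248906074-2862704502-246302768-1000"


@dataclass
class RegEvent:
    op: str          # "Key created" or "Set value (str)", as the sandbox logs it
    key: str         # native path, e.g. \REGISTRY\MACHINE\SOFTWARE\...
    name: str = ""   # value name (empty for key creation)
    data: str = ""   # value data


@dataclass
class Finding:
    technique: str
    key: str
    data: str
    flags: list = field(default_factory=list)
    score: int = 0


# Constructed events mirroring the report's registry IoCs, plus one ordinary
# (made-up) Run entry as a benign control.
ACTIVE_SETUP = r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components"
HKU = r"\REGISTRY\USER" + "\\" + SID
SAMPLE_EVENTS = [
    RegEvent("Key created", ACTIVE_SETUP),
    RegEvent("Key created", ACTIVE_SETUP + "\\" + GARBLED),
    RegEvent("Set value (str)", ACTIVE_SETUP + "\\" + GARBLED, "StubPath", DROP + " 2"),
    RegEvent("Set value (str)", HKU + r"\Software\Microsoft\Windows\CurrentVersion\Run", GARBLED, DROP),
    RegEvent("Set value (str)", r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce", "*" + GARBLED, DROP),
    RegEvent("Set value (str)", HKU + r"\Software\Microsoft\Windows\CurrentVersion\RunOnce", "*" + GARBLED, DROP),
    RegEvent("Set value (str)", r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run", GARBLED, DROP),
    RegEvent("Set value (str)", HKU + r"\Software\Microsoft\Windows\CurrentVersion\Run",
             "OneDrive", r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
]

CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")
WINDOWS_ROOT = re.compile(r'^"?c:\\windows\\[^\\]*$')   # file sits directly in C:\Windows


def normalize_key(key: str) -> str:
    """Map native \\REGISTRY\\... paths to hive names and drop the WOW64 view,
    so 32-bit and 64-bit writes match the same rules."""
    k = key.rstrip("\\")
    k = re.sub(r"^\\REGISTRY\\MACHINE", "HKLM", k, flags=re.I)
    k = re.sub(r"^\\REGISTRY\\USER\\S-1-5-[\d-]+", r"HKU\\<SID>", k, flags=re.I)
    k = re.sub(r"\\Wow6432Node(?=\\)", "", k, flags=re.I)
    return k


def audit_registry_events(events):
    findings = []
    for ev in events:
        if not ev.op.startswith("Set value"):
            continue                      # key creation alone says little
        key = normalize_key(ev.key)
        kl = key.lower()
        if "\\active setup\\installed components\\" in kl and ev.name.lower() == "stubpath":
            # StubPath runs once per user at logon, when HKCU lacks the matching entry.
            f = Finding("T1547.014 Active Setup StubPath", key, ev.data, score=2)
        elif re.search(r"\\currentversion\\run(once)?$", kl):
            f = Finding("T1547.001 Run/RunOnce key", key, ev.data)
            if kl.endswith("runonce") and ev.name.startswith("*"):
                f.flags.append("runs in Safe Mode ('*' prefix)")
                f.score += 1
        else:
            continue
        if CONTROL_CHARS.search(ev.name) or CONTROL_CHARS.search(ev.data):
            f.flags.append("control characters in value name/data")
            f.score += 2
        if WINDOWS_ROOT.match(ev.data.strip().lower()):
            f.flags.append("payload placed directly under C:\\Windows")
            f.score += 1
        findings.append(f)
    return findings


if __name__ == "__main__":
    for f in sorted(audit_registry_events(SAMPLE_EVENTS), key=lambda x: -x.score):
        print(f"[{f.score}] {f.technique}: {f.key}  {f.flags}")
```

Scoring rather than binary matching keeps an ordinary Run entry at zero while the loader's entries stack several independent signals (Active Setup, Safe-Mode asterisk, control characters, a binary sitting directly in C:\Windows).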
- Suspicious use of SetThreadContext 1 IoCs
  PID 1888 set thread context of 2988 (process: befae85cc0f064c1f2127cadc1cacf20_NeikiAnalytics.exe, target process: befae85cc0f064c1f2127cadc1cacf20_NeikiAnalytics.exe)
- Drops file in Windows directory 1 IoCs
  File created: C:\Windows\‘5´Z”>´’ù’á ËŠàÂê0˜_+=È… Ñ° (process: befae85cc0f064c1f2127cadc1cacf20_NeikiAnalytics.exe)
- Suspicious behavior: EnumeratesProcesses 1 IoCs
  PID 2988 befae85cc0f064c1f2127cadc1cacf20_NeikiAnalytics.exe
- Suspicious use of AdjustPrivilegeToken 1 IoCs
  Token: SeDebugPrivilege (PID 2988 befae85cc0f064c1f2127cadc1cacf20_NeikiAnalytics.exe)
- Suspicious use of WriteProcessMemory 8 IoCs
  PID 1888 wrote to memory of 2988 (process: befae85cc0f064c1f2127cadc1cacf20_NeikiAnalytics.exe, target process: befae85cc0f064c1f2127cadc1cacf20_NeikiAnalytics.exe), logged 6 times
  PID 2988 wrote to memory of 1184 (process: befae85cc0f064c1f2127cadc1cacf20_NeikiAnalytics.exe, target process: Explorer.EXE), logged 2 times
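Read together, the SetThreadContext, AdjustPrivilegeToken and WriteProcessMemory rows describe two distinct cross-process actions: the first instance (1888) writes into a second copy of itself (2988) and then rewrites that child's thread context, and the child, after enabling SeDebugPrivilege, writes into Explorer.EXE (1184). The Python below is an added example, not part of this report, that reduces such API rows to findings. The process list and call records are constructed from the report's process tree and signature tables; the "hollowing-style" label is the analyst's reading of WriteProcessMemory plus SetThreadContext on a same-image child (the sequence process hollowing uses), which the report itself does not name.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\befae85cc0f064c1f2127cadc1cacf20_NeikiAnalytics.exe"
EXPLORER = r"C:\Windows\Explorer.EXE"


@dataclass(frozen=True)
class Proc:
    pid: int
    image: str
    ppid: Optional[int]            # None for the root of the captured tree


@dataclass(frozen=True)
class ApiCall:
    api: str
    pid: int                       # calling process
    target: Optional[int] = None   # target pid for cross-process APIs
    detail: str = ""               # e.g. privilege name for AdjustPrivilegeToken


@dataclass
class InjectionFinding:
    kind: str
    src: int
    dst: int
    detail: str


# Constructed from the report: Explorer -> sample (1888) -> sample (2988),
# six writes + one SetThreadContext from 1888 into 2988, SeDebugPrivilege
# enabled by 2988, then two writes from 2988 into Explorer.
PROCS = [
    Proc(1184, EXPLORER, None),
    Proc(1888, SAMPLE, 1184),
    Proc(2988, SAMPLE, 1888),
]
CALLS = (
    [ApiCall("WriteProcessMemory", 1888, 2988)] * 6
    + [ApiCall("SetThreadContext", 1888, 2988),
       ApiCall("AdjustPrivilegeToken", 2988, detail="SeDebugPrivilege")]
    + [ApiCall("WriteProcessMemory", 2988, 1184)] * 2
)


def find_injection(procs, calls):
    by_pid = {p.pid: p for p in procs}
    pairs = defaultdict(lambda: defaultdict(int))   # (src, dst) -> api -> count
    privs = defaultdict(set)                        # pid -> privileges enabled
    for c in calls:
        if c.target is not None:
            pairs[(c.pid, c.target)][c.api] += 1
        elif c.api == "AdjustPrivilegeToken":
            privs[c.pid].add(c.detail)

    findings = []
    for (src, dst), apis in pairs.items():
        s = by_pid.get(src, Proc(src, "?", None))
        d = by_pid.get(dst, Proc(dst, "?", None))
        writes = apis.get("WriteProcessMemory", 0)
        if writes and apis.get("SetThreadContext"):
            # Memory written into a process whose thread context the writer then
            # replaces: the hollowing sequence. A child the writer spawned from
            # its own image is the self-injecting variant seen in this report.
            same_image_child = d.ppid == src and d.image.lower() == s.image.lower()
            kind = "hollowing-style self-injection" if same_image_child else "thread-context hijack"
            findings.append(InjectionFinding(kind, src, dst,
                                             f"{writes} write(s) + SetThreadContext into {d.image}"))
        elif writes:
            detail = f"{writes} write(s) into {d.image}"
            if "SeDebugPrivilege" in privs[src]:
                detail += " after enabling SeDebugPrivilege"
            kind = ("write into shell process" if d.image.lower().endswith("\\explorer.exe")
                    else "cross-process write")
            findings.append(InjectionFinding(kind, src, dst, detail))
    return findings


if __name__ == "__main__":
    for f in find_injection(PROCS, CALLS):
        print(f"{f.kind}: {f.src} -> {f.dst}: {f.detail}")
```

Grouping calls by (source, target) pair before classifying is what makes the six repeated WriteProcessMemory rows collapse into one finding with a count, and lets the SeDebugPrivilege event attach to the later Explorer write even though the sandbox lists them under separate signatures.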
Processes (PIDs from the signature tables)
C:\Windows\Explorer.EXE (depth 1, PID 1184)
  command line: C:\Windows\Explorer.EXE
  C:\Users\Admin\AppData\Local\Temp\befae85cc0f064c1f2127cadc1cacf20_NeikiAnalytics.exe (depth 2, PID 1888)
    command line: "C:\Users\Admin\AppData\Local\Temp\befae85cc0f064c1f2127cadc1cacf20_NeikiAnalytics.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\befae85cc0f064c1f2127cadc1cacf20_NeikiAnalytics.exe (depth 3, PID 2988)
      command line: C:\Users\Admin\AppData\Local\Temp\befae85cc0f064c1f2127cadc1cacf20_NeikiAnalytics.exe
      - Modifies Installed Components in the registry
      - Adds Run key to start application
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- memory/1888-0-0x0000000000220000-0x0000000000221000-memory.dmp (4KB)
- memory/1888-10-0x0000000020000000-0x0000000020010000-memory.dmp (64KB)
- memory/2988-15-0x0000000000400000-0x0000000000406000-memory.dmp (24KB)
- memory/2988-12-0x0000000000400000-0x0000000000406000-memory.dmp (24KB)
- memory/2988-9-0x0000000000400000-0x0000000000406000-memory.dmp (24KB)
- memory/2988-6-0x0000000000400000-0x0000000000406000-memory.dmp (24KB)
- memory/2988-7-0x000000007EFDE000-0x000000007EFDF000-memory.dmp (4KB)