Analysis
-
max time kernel: 149s
max time network: 120s
platform: windows7_x64
resource: win7-20240220-en
resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
submitted: 16-05-2024 09:03
Static task: static1

Behavioral task: behavioral1
  Sample: cfc18f737e79e5585c76e1fd8e527060_NeikiAnalytics.exe
  Resource: win7-20240220-en

Behavioral task: behavioral2
  Sample: cfc18f737e79e5585c76e1fd8e527060_NeikiAnalytics.exe
  Resource: win10v2004-20240508-en
General
-
Target: cfc18f737e79e5585c76e1fd8e527060_NeikiAnalytics.exe
Size: 72KB
MD5: cfc18f737e79e5585c76e1fd8e527060
SHA1: 6187a128e3cde9c4d8e1d939ec8fb429f0b9fe74
SHA256: 95b3d51e4dab6499c46b16831e6fa6eccb24962065cd4f713aaf28d3ce3c3d0f
SHA512: 9d9dabfce37a7c53afcb4aaa283adac6a50462b601c3b5f485f1dc7e21020a7ac791bdf61690fda684c4e99bd8ba3756b30bd81e46e3c07ab31c011d1372f3fc
SSDEEP: 1536:xGrOhMC7Nb20g6HKF02z5HKgeBGmW9arzj:wrOhRvN2sGmtnj
Malware Config
Signatures
-
Windows security bypass 4 IoCs
description       ioc                                                                                                 Process
Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "25600"       elceasir.exe
Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600"  elceasir.exe
Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600"   elceasir.exe
Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600"    elceasir.exe
-
Modifies Installed Components in the registry 2 TTPs 4 IoCs
description       ioc                                                                                                                                Process
Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4249534D-495a-4858-4249-534D495A4858}\IsInstalled = "1"                                         elceasir.exe
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4249534D-495a-4858-4249-534D495A4858}\StubPath = "C:\\Windows\\system32\\uhcuneam-ougat.exe"   elceasir.exe
Key created       \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4249534D-495a-4858-4249-534D495A4858}                                                           elceasir.exe
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4249534D-495a-4858-4249-534D495A4858}\01234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123 = "a"   elceasir.exe
-
Sets file execution options in registry 2 TTPs 3 IoCs
description       ioc                                                                                                                                Process
Key created       \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe                                                                            elceasir.exe
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\0123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890 = "a"   elceasir.exe
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger = "C:\\Windows\\system32\\aldamop.exe"                          elceasir.exe
-
Executes dropped EXE 2 IoCs
pid    Process
1884   elceasir.exe
888    elceasir.exe
-
Loads dropped DLL 3 IoCs
pid    Process
1728   cfc18f737e79e5585c76e1fd8e527060_NeikiAnalytics.exe
1728   cfc18f737e79e5585c76e1fd8e527060_NeikiAnalytics.exe
1884   elceasir.exe
-
Windows security modification 4 IoCs
description       ioc                                                                                                 Process
Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "25600"       elceasir.exe
Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600"  elceasir.exe
Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600"   elceasir.exe
Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600"    elceasir.exe
-
Modifies WinLogon 2 TTPs 5 IoCs
description       ioc                                                                                                                                Process
Key created       \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify                                                                                          elceasir.exe
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345 = "a"   elceasir.exe
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\DLLName = "C:\\Windows\\system32\\kdoasif.dll"   elceasir.exe
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\Startup = "Startup"                             elceasir.exe
Key created       \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}                                                  elceasir.exe
-
Drops file in System32 directory 9 IoCs
description                     ioc                                        Process
File created                    C:\Windows\SysWOW64\elceasir.exe           cfc18f737e79e5585c76e1fd8e527060_NeikiAnalytics.exe
File created                    C:\Windows\SysWOW64\aldamop.exe            elceasir.exe
File opened for modification    C:\Windows\SysWOW64\kdoasif.dll            elceasir.exe
File created                    C:\Windows\SysWOW64\kdoasif.dll            elceasir.exe
File opened for modification    C:\Windows\SysWOW64\elceasir.exe           cfc18f737e79e5585c76e1fd8e527060_NeikiAnalytics.exe
File opened for modification    C:\Windows\SysWOW64\aldamop.exe            elceasir.exe
File opened for modification    C:\Windows\SysWOW64\uhcuneam-ougat.exe     elceasir.exe
File created                    C:\Windows\SysWOW64\uhcuneam-ougat.exe     elceasir.exe
File opened for modification    C:\Windows\SysWOW64\elceasir.exe           elceasir.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid    Process        events
1884   elceasir.exe   63
888    elceasir.exe   1
(identical rows collapsed; the events column gives how many times each row appears among the 64 listed)
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
description               pid    Process
Token: SeDebugPrivilege   1884   elceasir.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
description                        pid    Process                                               procid_target   events
PID 1728 wrote to memory of 1884   1728   cfc18f737e79e5585c76e1fd8e527060_NeikiAnalytics.exe   29              4
PID 1884 wrote to memory of 432    1884   elceasir.exe                                          5               1
PID 1884 wrote to memory of 1072   1884   elceasir.exe                                          18              55
PID 1884 wrote to memory of 888    1884   elceasir.exe                                          30              4
(identical rows collapsed; the events column gives how many times each row appears among the 64 listed)
Processes
-
C:\Windows\system32\winlogon.exe
  command line: winlogon.exe
  depth 1, PID: 432
-
C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  depth 1, PID: 1072
-
C:\Users\Admin\AppData\Local\Temp\cfc18f737e79e5585c76e1fd8e527060_NeikiAnalytics.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\cfc18f737e79e5585c76e1fd8e527060_NeikiAnalytics.exe"
  depth 2, PID: 1728
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  -
  C:\Windows\SysWOW64\elceasir.exe
    command line: "C:\Windows\SysWOW64\elceasir.exe"
    depth 3, PID: 1884
    - Windows security bypass
    - Modifies Installed Components in the registry
    - Sets file execution options in registry
    - Executes dropped EXE
    - Loads dropped DLL
    - Windows security modification
    - Modifies WinLogon
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    -
    C:\Windows\SysWOW64\elceasir.exe
      command line: C:\Windows\SysWOW64\elceasir.exe --k33p
      depth 4, PID: 888
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
-
Network
MITRE ATT&CK Enterprise v15
Downloads