88f88afe49b7f2bcab43710b5b2979d7515c1e780a79f8bbe8dfbe11f5f5e3d5

Analysis

max time kernel
119s
max time network
125s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
16/05/2024, 17:18

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

e69207d7291a763419f128afbf0130c0_NeikiAnalytics.exe
Size

1.1MB
MD5

e69207d7291a763419f128afbf0130c0
SHA1

1ca9f8fed86f349ca714feb461520989fad03383
SHA256

88f88afe49b7f2bcab43710b5b2979d7515c1e780a79f8bbe8dfbe11f5f5e3d5
SHA512

af01ebf537f259f73c662f69d6a4913ddbcce0fe5ba0490571518b209d839fe3ab56721f5f123b1f44543dc8e3da503555507b00c8b9792e49153747a6144fca
SSDEEP

12288:H51TfuZQuDV5U21ZJiRh9Te6s9G8R65x/IEpIbGkde4tezs3qKpeyDyDkPwEJjm3:H/uuSVG21ZJij/8RMx7juPDy4YhJnF

Score

8^/10

persistence

Malware Config

Signatures

Sets service image path in registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\W4Service\ImagePath = "\"C:\\Program Files (x86)\\W4Service\\W4Service.exe\""	e69207d7291a763419f128afbf0130c0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\W4Service\ImagePath = "\"C:\\Program Files (x86)\\W4Service\\W4Service.exe\""	W4Service.exe

Executes dropped EXE 1 IoCs

pid	Process
888	W4Service.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File created	C:\Windows\system32\perfc00A.dat	lodctr.exe
File created	C:\Windows\system32\perfh00A.dat	lodctr.exe
File created	C:\Windows\system32\perfc00C.dat	lodctr.exe
File created	C:\Windows\system32\perfh00C.dat	lodctr.exe
File created	C:\Windows\system32\perfc010.dat	lodctr.exe
File created	C:\Windows\system32\perfh010.dat	lodctr.exe
File created	C:\Windows\system32\perfh011.dat	lodctr.exe
File created	C:\Windows\system32\perfc007.dat	lodctr.exe
File created	C:\Windows\system32\perfh007.dat	lodctr.exe
File created	C:\Windows\system32\perfc009.dat	lodctr.exe
File created	C:\Windows\system32\perfh009.dat	lodctr.exe
File created	C:\Windows\system32\perfc011.dat	lodctr.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\W4Service\W4Service_InstallerUpdater.Log	e69207d7291a763419f128afbf0130c0_NeikiAnalytics.exe
File created	C:\Program Files (x86)\W4Service\W4Service.exe	e69207d7291a763419f128afbf0130c0_NeikiAnalytics.exe
File created	C:\Program Files (x86)\W4Service\Renci.SshNet.dll	e69207d7291a763419f128afbf0130c0_NeikiAnalytics.exe
File created	C:\Program Files (x86)\W4Service\W4Service_InstallerUpdater.exe	e69207d7291a763419f128afbf0130c0_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\W4Service\W4Service.Log	W4Service.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	W4Service.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	lodctr.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2980	e69207d7291a763419f128afbf0130c0_NeikiAnalytics.exe
Token: SeDebugPrivilege	888	W4Service.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 888 wrote to memory of 2708	888	W4Service.exe	32
PID 888 wrote to memory of 2708	888	W4Service.exe	32
PID 888 wrote to memory of 2708	888	W4Service.exe	32
PID 888 wrote to memory of 1688	888	W4Service.exe	34
PID 888 wrote to memory of 1688	888	W4Service.exe	34
PID 888 wrote to memory of 1688	888	W4Service.exe	34

C:\Users\Admin\AppData\Local\Temp\e69207d7291a763419f128afbf0130c0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\e69207d7291a763419f128afbf0130c0_NeikiAnalytics.exe"
1⤵
- Sets service image path in registry
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:2980

C:\Program Files (x86)\W4Service\W4Service.exe
"C:\Program Files (x86)\W4Service\W4Service.exe"
1⤵
- Sets service image path in registry
- Executes dropped EXE
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:888
- C:\Windows\system32\lodctr.exe
  "lodctr" /R
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:2708
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 888 -s 608
  2⤵
  PID:1688

C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /D /T
1⤵
PID:1060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\W4Service\W4Service.Log

Filesize
370B

MD5
6c9ada76213f4e5d843402bd0cda5097

SHA1
8946b39567cacc01d7069e3822583c045ec54dcf

SHA256
71dfcdf8577f1d145cf66cf7979391d94303e957fbd47173462899098b056e75

SHA512
4c2f6828b955acd1e3530b0bd36b649371b91a3638219b7d0a3b017ab8482d7389010dd155c0e614aa5dc81437d08767a5d2ef57319b7f3c791f3ceac8bf3a6a

Download Submit
C:\Program Files (x86)\W4Service\W4Service.Log

Filesize
1KB

MD5
f05ee5b670ce6c9c84c8dca7e7bda40e

SHA1
6ff7e101f0300df8b559e4ee1ecd0bbcb8ac27b4

SHA256
5aa0be49d80d26d44e6d923b218d9ab76add0b8007fbbf21b5357cd267e567dc

SHA512
93f296f6b752b813f9badf889be92c94ed77653f42690e894eebca62b2f0a87e4c8539e1cd645d3e3c91ebe103061be87300c437dfd9e8441cb287c510a84da1

Download Submit
C:\Program Files (x86)\W4Service\W4Service.exe

Filesize
1.9MB

MD5
9e403117334fc705b47aef46e896a270

SHA1
495353edb19569d9a22095b21e982d89a14954e1

SHA256
247859757c4807ebe1faf9de54984b9ead64a610cf1fd5f3ff28525a064e2083

SHA512
54262164f19b6c23292f1a1dc5973eacb8b3dc627b05da5e1fce1909352aaba521b76c834e82b607d3059f1d4b6319af78d0d2a2dd2850db7bc835779ba463d4

Download Submit
C:\W4Service_InstallerUpdater.log

Filesize
766B

MD5
015d624f7215ec675225757e3aaee716

SHA1
a3fc014191b22bb1278a94dcf1cc7ad0704e3ab9

SHA256
ff137148be5632c361ff42141c533396fbc43efc755f49dd5052dbb070a250be

SHA512
4e786521f761e71bb0592a02ae42b3b9d0a0a17dd21c3c392799c179e9425c6df89fe2772344af0a0f411d5044498c5ac5ea89862514d4c7fc8128fc2283b85c

Download Submit
C:\W4Service_InstallerUpdater.log

Filesize
1KB

MD5
8df4cc9d3664ed8fcbfeaccbd15c655b

SHA1
193d7a4d90d38760d1a1a9ce7b128ffd57734864

SHA256
8d4f178b87441e677d9d096c3041af2b3a655f939e60fdfe80f677982c492a21

SHA512
5d2d8b6f891b2cbef7972e163863b276ccdd055556e050d0f9b4027d01b8cc28632811c765486195e4dc2972b3ea6e41f62bdf518cb09e8c747837bde2e83a85

Download Submit
C:\Windows\System32\perfc007.dat

Filesize
42KB

MD5
8cfa7073b5c98c2acddcd29081b1181b

SHA1
3c3ff75e2cd5f10c9e18824e5ed75d2e8691772b

SHA256
46bddbd027c705128d53409d92b3bcb6af6bfdfb911b75e6d695a43f45939c75

SHA512
469058ca428f5940dbba045be0939e821a46d8e7d759982a1b5288a0e0fe6d237ba878abad017b5dcd225ddb047e2f9b4f41ad5910d803d594edbecdf2904e83

Download Submit
C:\Windows\System32\perfc00A.dat

Filesize
48KB

MD5
9c197b611d2a6ce4076f069406993094

SHA1
c2e51473b7393a03bc6cf2c8fe6abe9109f28190

SHA256
3bbe454494edc08873c81f47093dae398147b11da887949907854e361768713b

SHA512
28af24474a6847aec60e4682757a00d3d5c87866d14cbca73f787c3e8387c19c132783df88317ec5d67a254df4dec3080b696bcfda01acb9984b9b49ce23b27b

Download Submit
C:\Windows\System32\perfc00C.dat

Filesize
45KB

MD5
f9ddf8a0783304042660be0276f299cf

SHA1
27d8cb398453892bb43c068558aadc1d5236c150

SHA256
5c004b1e755da0e328f6f7e44a606c0ec786c42de91f483461362032d284e17a

SHA512
48a238301e5c046658a23c82b7d407e7be8f8d572d3ce28254e45c5067d2c3a08b0b7aab9198d922a40e5ab57d35834efc795fbe62e032c38b3f4c68158fd0b9

Download Submit
C:\Windows\System32\perfc010.dat

Filesize
44KB

MD5
aab5c63fba5de54f469cd517fac30d90

SHA1
adb4b5c95b8dd79ff2b7dbdf568d3da5b13a4a2b

SHA256
a9aa2f71f62ac9a2dd0a1335738664a4c51146c0d94a33b0d436b5f87cbb56ae

SHA512
76cbf666edb3a21c3fb15c26d289a52be7ed74b5ab4494124d1dd6101d5bd8c03a0d78c161c0296650dcd0f433e5348b6dfe4db866994ff1847b5f278caff329

Download Submit
C:\Windows\System32\perfc011.dat

Filesize
30KB

MD5
7aaa3e23ce4c7845b112f7a79b110e60

SHA1
5269028c98ffa222f0cde48034d5f74c74dee4ad

SHA256
8c850029e558eb1a22429b21a637516cf5d90ca08ff872b19cf7fb03b33af2f5

SHA512
e8ea6087b5bf3d54469d9e09bb10d47c06ce4ab0dbda9a7fba8ed348b69c8aa717b9389f82f16768141a417a5abd78e41afd7a5c63e4ada0c458724b37a197eb

Download Submit
C:\Windows\System32\perfh007.dat

Filesize
309KB

MD5
b1bd571128b1d9f120fec572599f65b7

SHA1
46a633f5cb59cfeecbc65b77d76701393a60547d

SHA256
7521bad65a5393f75fc25b84bd8e3875bedfaea4e26f29cbdb9228725d799218

SHA512
f19d5d098d4123ec8a781e0623ae6084957ba4087c11dfadadec4a063ad6e0882d3434234f54b60486dc8e8e7879494c23940cf764b4edbaa75f99fe636c3034

Download Submit
C:\Windows\System32\perfh009.dat

Filesize
303KB

MD5
fa517bc7ff262ee424dee660fa816715

SHA1
ddf59dc2aa97afd71a14f4fa1c6c3f13d8793e0e

SHA256
ad437512fdd010d20ba8912b6915845da2000adafa62b2817fbc2d1a372b1aef

SHA512
61b6a91d254b5431535a50a656d53f16f12a44997bd49252853c7b05c527873440d36635f6dfb55118aa525210cb5f4ed6dc570cbfea49b8cf10323d034616b3

Download Submit
C:\Windows\System32\perfh00A.dat

Filesize
354KB

MD5
a4149c36b9d5e65068e6cdd01b542d89

SHA1
64462fb9fd5e66bac11d818df5a91ebb16f2477f

SHA256
c8fceb584f4c3ba93a16a681051b706ac7588bde9ec2adcffb63b2047b33907e

SHA512
47ec8e4051117f79845d493e8a9b574c2f1461c0625379ca6a21c417564cfda6b509333d6fed424ad606180ce28d74e07900f30184aeae27d421e60da950bc02

Download Submit
C:\Windows\System32\perfh00C.dat

Filesize
355KB

MD5
1a51a7146c639ae88da89b43018d15d7

SHA1
fbcfeee46f1a60ff5726372ecf93667704f3605a

SHA256
10b789f6c7a45c700c019c862553f51b7b3ca20eabd1688d0744c93c0656bdb2

SHA512
e1c2f23a9f4702f6367bb60b83b6d85fa88b9ca94de8d3dacf0aa3ff584c9feeeb826ba5447bd2a2bff9ba2ce58b8f3643b8430aa617b92377a1c7d8836adb50

Download Submit
C:\Windows\System32\perfh010.dat

Filesize
347KB

MD5
ee8fa5cfc3a2a88de2a43ab06b4f9ca5

SHA1
1399534037e8198fd30dd111a0dbb813e13534b5

SHA256
021fe9b24c6f64fa90d3793959429012673ce2a4b6b3f5bdc5c48ff55c9a5930

SHA512
9139e269260be7f9d871ae9514ef6a36756d94d74b14ad22bc9f2d471a626c1b572fb0147f85d286ddb2b103d3fe5872335e583492f0aae10a786bf69a04ab78

Download Submit
C:\Windows\System32\perfh011.dat

Filesize
154KB

MD5
782187cd914885ed571b3dca1c60c53f

SHA1
a608aada89c4ef3bace57805965e80855bdedce5

SHA256
a74bd71d1c4ce22b988a8ecfbd20fc7f12eda88f1a3a562fbb990f0c31a92ade

SHA512
fa0b4fe4de5daac87e44f5605e4c600c6b884aae060c89bba6c6b237fee9c22b811df7174bf5efa45d50e9f1ae221b70ff771008589c7e1ed9f58d68eee91fb5

Download Submit
memory/888-70-0x0000000000260000-0x0000000000454000-memory.dmp

Filesize
2.0MB

Download
memory/888-72-0x000007FEF5F80000-0x000007FEF696C000-memory.dmp

Filesize
9.9MB

Download
memory/888-73-0x000007FEF5F80000-0x000007FEF696C000-memory.dmp

Filesize
9.9MB

Download
memory/888-75-0x000007FEF5F80000-0x000007FEF696C000-memory.dmp

Filesize
9.9MB

Download
memory/888-256-0x000007FEF5F80000-0x000007FEF696C000-memory.dmp

Filesize
9.9MB

Download
memory/2980-53-0x000007FEF5F83000-0x000007FEF5F84000-memory.dmp

Filesize
4KB

Download
memory/2980-5-0x000007FEF5F80000-0x000007FEF696C000-memory.dmp

Filesize
9.9MB

Download
memory/2980-59-0x000007FEF5F80000-0x000007FEF696C000-memory.dmp

Filesize
9.9MB

Download
memory/2980-54-0x000007FEF5F80000-0x000007FEF696C000-memory.dmp

Filesize
9.9MB

Download
memory/2980-71-0x000007FEF5F80000-0x000007FEF696C000-memory.dmp

Filesize
9.9MB

Download
memory/2980-39-0x000000001C680000-0x000000001C754000-memory.dmp

Filesize
848KB

Download
memory/2980-29-0x000000001C4E0000-0x000000001C684000-memory.dmp

Filesize
1.6MB

Download
memory/2980-60-0x000007FEF5F80000-0x000007FEF696C000-memory.dmp

Filesize
9.9MB

Download
memory/2980-4-0x000007FEF5F80000-0x000007FEF696C000-memory.dmp

Filesize
9.9MB

Download
memory/2980-3-0x000007FEF5F80000-0x000007FEF696C000-memory.dmp

Filesize
9.9MB

Download
memory/2980-2-0x000007FEF5F80000-0x000007FEF696C000-memory.dmp

Filesize
9.9MB

Download
memory/2980-1-0x0000000000020000-0x0000000000134000-memory.dmp

Filesize
1.1MB

Download
memory/2980-0-0x000007FEF5F83000-0x000007FEF5F84000-memory.dmp

Filesize
4KB

Download
memory/2980-742-0x000007FEF5F80000-0x000007FEF696C000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads