Analysis
-
max time kernel
149s -
max time network
126s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system -
submitted
16/05/2024, 21:25
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
3a8284b1e0cd05dec8d18566b995d3b0_NeikiAnalytics.exe
Resource
win7-20240508-en
windows7-x64
11 signatures
150 seconds
Behavioral task
behavioral2
Sample
3a8284b1e0cd05dec8d18566b995d3b0_NeikiAnalytics.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
10 signatures
150 seconds
General
-
Target
3a8284b1e0cd05dec8d18566b995d3b0_NeikiAnalytics.exe
-
Size
72KB
-
MD5
3a8284b1e0cd05dec8d18566b995d3b0
-
SHA1
2e0d564348860ee111e6d5488756b2c5d61c78db
-
SHA256
81eeee84e42e95031a1db2f7e4550426fcb631ba336d5c92914deeee2316dabd
-
SHA512
18b0d059cbc3fbcfdf0b33b4f8c7b26d7b09def603666cee82ab16dd0616dd530bbaf9ecfc2ab3744733763c8fe0f76353948f73085d69123cf6127c78d81b6c
-
SSDEEP
1536:xU1Po/bQ+2Ovwd7o7mUj2JB1I32MZ1Rb/NW/Cxjtme1Mef0c:61PoTQ+2Ovwd7o7m02z1I32MnRzqIf1h
Score
10/10
Malware Config
Signatures
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "25600" klofin-anat.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600" klofin-anat.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600" klofin-anat.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600" klofin-anat.exe -
Modifies Installed Components in the registry 2 TTPs 4 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{554F5448-4350-4851-554F-544843504851} klofin-anat.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{554F5448-4350-4851-554F-544843504851}\01234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123 = "a" klofin-anat.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{554F5448-4350-4851-554F-544843504851}\IsInstalled = "1" klofin-anat.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{554F5448-4350-4851-554F-544843504851}\StubPath = "C:\\Windows\\system32\\expeasoc-oudom.exe" klofin-anat.exe -
Sets file execution options in registry 2 TTPs 3 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\0123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890 = "a" klofin-anat.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger = "C:\\Windows\\system32\\icloohub.exe" klofin-anat.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe klofin-anat.exe -
Executes dropped EXE 2 IoCs
pid Process 1968 klofin-anat.exe 3020 klofin-anat.exe -
Loads dropped DLL 3 IoCs
pid Process 2208 3a8284b1e0cd05dec8d18566b995d3b0_NeikiAnalytics.exe 2208 3a8284b1e0cd05dec8d18566b995d3b0_NeikiAnalytics.exe 1968 klofin-anat.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600" klofin-anat.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600" klofin-anat.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "25600" klofin-anat.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600" klofin-anat.exe -
Modifies WinLogon 2 TTPs 5 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B} klofin-anat.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify klofin-anat.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345 = "a" klofin-anat.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\DLLName = "C:\\Windows\\system32\\oubbopoap-omom.dll" klofin-anat.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\Startup = "Startup" klofin-anat.exe -
Drops file in System32 directory 9 IoCs
description ioc Process File created C:\Windows\SysWOW64\klofin-anat.exe 3a8284b1e0cd05dec8d18566b995d3b0_NeikiAnalytics.exe File opened for modification C:\Windows\SysWOW64\icloohub.exe klofin-anat.exe File created C:\Windows\SysWOW64\oubbopoap-omom.dll klofin-anat.exe File opened for modification C:\Windows\SysWOW64\klofin-anat.exe klofin-anat.exe File opened for modification C:\Windows\SysWOW64\oubbopoap-omom.dll klofin-anat.exe File opened for modification C:\Windows\SysWOW64\klofin-anat.exe 3a8284b1e0cd05dec8d18566b995d3b0_NeikiAnalytics.exe File created C:\Windows\SysWOW64\icloohub.exe klofin-anat.exe File opened for modification C:\Windows\SysWOW64\expeasoc-oudom.exe klofin-anat.exe File created C:\Windows\SysWOW64\expeasoc-oudom.exe klofin-anat.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1968 klofin-anat.exe 1968 klofin-anat.exe 1968 klofin-anat.exe 1968 klofin-anat.exe 3020 klofin-anat.exe 1968 klofin-anat.exe 1968 klofin-anat.exe 1968 klofin-anat.exe 1968 klofin-anat.exe 1968 klofin-anat.exe 1968 klofin-anat.exe 1968 klofin-anat.exe 1968 klofin-anat.exe 1968 klofin-anat.exe 1968 klofin-anat.exe 1968 klofin-anat.exe 1968 klofin-anat.exe 1968 klofin-anat.exe 1968 klofin-anat.exe 1968 klofin-anat.exe 1968 klofin-anat.exe 1968 klofin-anat.exe 1968 klofin-anat.exe 1968 klofin-anat.exe 1968 klofin-anat.exe 1968 klofin-anat.exe 1968 klofin-anat.exe 1968 klofin-anat.exe 1968 klofin-anat.exe 1968 klofin-anat.exe 1968 klofin-anat.exe 1968 klofin-anat.exe 1968 klofin-anat.exe 1968 klofin-anat.exe 1968 klofin-anat.exe 1968 klofin-anat.exe 1968 klofin-anat.exe 1968 klofin-anat.exe 1968 klofin-anat.exe 1968 klofin-anat.exe 1968 klofin-anat.exe 1968 klofin-anat.exe 1968 klofin-anat.exe 1968 klofin-anat.exe 1968 klofin-anat.exe 1968 klofin-anat.exe 1968 klofin-anat.exe 1968 klofin-anat.exe 1968 klofin-anat.exe 1968 klofin-anat.exe 1968 klofin-anat.exe 1968 klofin-anat.exe 1968 klofin-anat.exe 1968 klofin-anat.exe 1968 klofin-anat.exe 1968 klofin-anat.exe 1968 klofin-anat.exe 1968 klofin-anat.exe 1968 klofin-anat.exe 1968 klofin-anat.exe 1968 klofin-anat.exe 1968 klofin-anat.exe 1968 klofin-anat.exe 1968 klofin-anat.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 1968 klofin-anat.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2208 wrote to memory of 1968 2208 3a8284b1e0cd05dec8d18566b995d3b0_NeikiAnalytics.exe 28 PID 2208 wrote to memory of 1968 2208 3a8284b1e0cd05dec8d18566b995d3b0_NeikiAnalytics.exe 28 PID 2208 wrote to memory of 1968 2208 3a8284b1e0cd05dec8d18566b995d3b0_NeikiAnalytics.exe 28 PID 2208 wrote to memory of 1968 2208 3a8284b1e0cd05dec8d18566b995d3b0_NeikiAnalytics.exe 28 PID 1968 wrote to memory of 432 1968 klofin-anat.exe 5 PID 1968 wrote to memory of 1192 1968 klofin-anat.exe 21 PID 1968 wrote to memory of 1192 1968 klofin-anat.exe 21 PID 1968 wrote to memory of 3020 1968 klofin-anat.exe 29 PID 1968 wrote to memory of 3020 1968 klofin-anat.exe 29 PID 1968 wrote to memory of 3020 1968 klofin-anat.exe 29 PID 1968 wrote to memory of 3020 1968 klofin-anat.exe 29 PID 1968 wrote to memory of 1192 1968 klofin-anat.exe 21 PID 1968 wrote to memory of 1192 1968 klofin-anat.exe 21 PID 1968 wrote to memory of 1192 1968 klofin-anat.exe 21 PID 1968 wrote to memory of 1192 1968 klofin-anat.exe 21 PID 1968 wrote to memory of 1192 1968 klofin-anat.exe 21 PID 1968 wrote to memory of 1192 1968 klofin-anat.exe 21 PID 1968 wrote to memory of 1192 1968 klofin-anat.exe 21 PID 1968 wrote to memory of 1192 1968 klofin-anat.exe 21 PID 1968 wrote to memory of 1192 1968 klofin-anat.exe 21 PID 1968 wrote to memory of 1192 1968 klofin-anat.exe 21 PID 1968 wrote to memory of 1192 1968 klofin-anat.exe 21 PID 1968 wrote to memory of 1192 1968 klofin-anat.exe 21 PID 1968 wrote to memory of 1192 1968 klofin-anat.exe 21 PID 1968 wrote to memory of 1192 1968 klofin-anat.exe 21 PID 1968 wrote to memory of 1192 1968 klofin-anat.exe 21 PID 1968 wrote to memory of 1192 1968 klofin-anat.exe 21 PID 1968 wrote to memory of 1192 1968 klofin-anat.exe 21 PID 1968 wrote to memory of 1192 1968 klofin-anat.exe 21 PID 1968 wrote to memory of 1192 1968 klofin-anat.exe 21 PID 1968 wrote to memory of 1192 1968 klofin-anat.exe 21 PID 1968 wrote to memory of 1192 1968 klofin-anat.exe 21 PID 1968 wrote to memory of 1192 1968 klofin-anat.exe 21 PID 1968 wrote to memory of 1192 1968 klofin-anat.exe 21 PID 1968 wrote to memory of 1192 1968 klofin-anat.exe 21 PID 1968 wrote to memory of 1192 1968 klofin-anat.exe 21 PID 1968 wrote to memory of 1192 1968 klofin-anat.exe 21 PID 1968 wrote to memory of 1192 1968 klofin-anat.exe 21 PID 1968 wrote to memory of 1192 1968 klofin-anat.exe 21 PID 1968 wrote to memory of 1192 1968 klofin-anat.exe 21 PID 1968 wrote to memory of 1192 1968 klofin-anat.exe 21 PID 1968 wrote to memory of 1192 1968 klofin-anat.exe 21 PID 1968 wrote to memory of 1192 1968 klofin-anat.exe 21 PID 1968 wrote to memory of 1192 1968 klofin-anat.exe 21 PID 1968 wrote to memory of 1192 1968 klofin-anat.exe 21 PID 1968 wrote to memory of 1192 1968 klofin-anat.exe 21 PID 1968 wrote to memory of 1192 1968 klofin-anat.exe 21 PID 1968 wrote to memory of 1192 1968 klofin-anat.exe 21 PID 1968 wrote to memory of 1192 1968 klofin-anat.exe 21 PID 1968 wrote to memory of 1192 1968 klofin-anat.exe 21 PID 1968 wrote to memory of 1192 1968 klofin-anat.exe 21 PID 1968 wrote to memory of 1192 1968 klofin-anat.exe 21 PID 1968 wrote to memory of 1192 1968 klofin-anat.exe 21 PID 1968 wrote to memory of 1192 1968 klofin-anat.exe 21 PID 1968 wrote to memory of 1192 1968 klofin-anat.exe 21 PID 1968 wrote to memory of 1192 1968 klofin-anat.exe 21 PID 1968 wrote to memory of 1192 1968 klofin-anat.exe 21 PID 1968 wrote to memory of 1192 1968 klofin-anat.exe 21 PID 1968 wrote to memory of 1192 1968 klofin-anat.exe 21 PID 1968 wrote to memory of 1192 1968 klofin-anat.exe 21 PID 1968 wrote to memory of 1192 1968 klofin-anat.exe 21 PID 1968 wrote to memory of 1192 1968 klofin-anat.exe 21 PID 1968 wrote to memory of 1192 1968 klofin-anat.exe 21 PID 1968 wrote to memory of 1192 1968 klofin-anat.exe 21
Processes
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵PID:432
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:1192
-
C:\Users\Admin\AppData\Local\Temp\3a8284b1e0cd05dec8d18566b995d3b0_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\3a8284b1e0cd05dec8d18566b995d3b0_NeikiAnalytics.exe"2⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2208 -
C:\Windows\SysWOW64\klofin-anat.exe"C:\Windows\SysWOW64\klofin-anat.exe"3⤵
- Windows security bypass
- Modifies Installed Components in the registry
- Sets file execution options in registry
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Modifies WinLogon
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1968 -
C:\Windows\SysWOW64\klofin-anat.exe--k33p4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3020
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
72KB
MD598efe7e54d2f8e7b91d26b21fe7a4e24
SHA1211c8f311d46603016c0516bb6c16c5941a137bf
SHA256baef2a378c09f31ee20636bae55b0d5a83a79c1a57fba9e8ac4aff1498eb53d6
SHA51231417e96a37b7b6062f3da4e9b5a3582455536aa708c171fe168714c7ed2a23deaff72862cbd2c29bad1010b0f4361767d446481994b9ce37e62e66b69a44976
-
Filesize
73KB
MD59b856ecd7c5fb651d0e3fd172ed3611d
SHA151bfaeffd72bb4976c00fdd519a3fb5cc360fa05
SHA2568dc8ba152b5c15b305a3fa65ea090f2b44a7c3fcdc6dec7621f9083f2d0ec62c
SHA5121b126fbdaea6bebdd20936ed762665c071479382b32fbe087f61d6166292c624f44ed3455193b4addd5aef4d9c3a4973aaaa0f6864c8735b6e19089628bbebb2
-
Filesize
5KB
MD5f37b21c00fd81bd93c89ce741a88f183
SHA1b2796500597c68e2f5638e1101b46eaf32676c1c
SHA25676cf016fd77cb5a06c6ed4674ddc2345e8390c010cf344491a6e742baf2c0fb0
SHA512252fe66dea9a4b9aebc5fd2f24434719cb25159ba51549d9de407f44b6a2f7bce6e071be02c4f2ad6aef588c77f12c00ed415eb54f96dec1b077326e101ce0f4
-
Filesize
70KB
MD5a29108faaca0558f3d9eee37681bd77e
SHA1becf81f97ce3fe33d3b82575bc34edd3d4ee80e1
SHA2569bb182fb8360c8a5b13aac95d9b4daaae82df5714475694650cd827c5f82b542
SHA51218bc222ca34490825033895e7d65b02550e6144dd9947f213709b88dc0dd0bd23cc4a5bb5306ac0656444092f60a6a8376837fcfdd0f27c2373fa8e766cbf3b9