Analysis
max time kernel: 150s
max time network: 124s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 17/05/2024, 02:06
Static task: static1
Behavioral task: behavioral1
Sample: 848970c9540af8b3c793df4aaee60810_NeikiAnalytics.exe
Resource: win7-20240221-en
Behavioral task: behavioral2
Sample: 848970c9540af8b3c793df4aaee60810_NeikiAnalytics.exe
Resource: win10v2004-20240426-en
General
Target: 848970c9540af8b3c793df4aaee60810_NeikiAnalytics.exe
Size: 53KB
MD5: 848970c9540af8b3c793df4aaee60810
SHA1: 8ae956b9cb57750f4f0cbdfe3d75da630b1365d7
SHA256: ace545f3dcaed239679c711b3755a588260c55a89b8971790841ef53b7138bf2
SHA512: dbe4068faf52f60b7ead838c088a1b60a5b0f37f3d55d2c3d0c82abf87de532df5701048e5337b6770e746b1e2cf417ec917bb18cf2690134b01010c330abf03
SSDEEP: 1536:vNeg8r8QmFY7Nb7Kp3StjEMjmLM3ztDJWZsXy4JzxPMU:LFY7NbJJjmLM3zRJWZsXy4Jd
Malware Config
Signatures
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
description: Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"; process: xiobi.exe
Executes dropped EXE (1 IoC)
pid 3064, process xiobi.exe
Loads dropped DLL (2 IoCs)
pid 1936, process 848970c9540af8b3c793df4aaee60810_NeikiAnalytics.exe (both entries)
Adds Run key to start application (2 TTPs, 1 IoC)
description: Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\xiobi = "C:\\Users\\Admin\\xiobi.exe"; process: xiobi.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid 3064, process xiobi.exe (all 64 entries are this same process)
Suspicious use of SetWindowsHookEx (2 IoCs)
pid 1936, process 848970c9540af8b3c793df4aaee60810_NeikiAnalytics.exe
pid 3064, process xiobi.exe
Suspicious use of WriteProcessMemory (64 IoCs)
PID 1936 wrote to memory of 3064; process 848970c9540af8b3c793df4aaee60810_NeikiAnalytics.exe; procid_target 28 (four entries)
PID 3064 wrote to memory of 1936; process xiobi.exe; procid_target 27 (all remaining entries)
Processes
C:\Users\Admin\AppData\Local\Temp\848970c9540af8b3c793df4aaee60810_NeikiAnalytics.exe
command line: "C:\Users\Admin\AppData\Local\Temp\848970c9540af8b3c793df4aaee60810_NeikiAnalytics.exe" (process tree level 1)
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 1936
C:\Users\Admin\xiobi.exe
command line: "C:\Users\Admin\xiobi.exe" (process tree level 2)
- Modifies visibility of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 3064
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 53KB
MD5: b101182103a03899a4d6a908745e5864
SHA1: 0e7fc6664a122f50bf7ff7ea88015fca26dd81dc
SHA256: 9fa91e829546ae151b7291e4622a72225330d72b9a50f8d58bd45b683c85aa5a
SHA512: 142bcfbbaa7bb61a72d4520e1396481352587b15007771790fa1d606a1bd58462b98e2961f2f9dc9f0ae49caedf509d4911f347e8763315653d3e5c3c39bf275