Analysis
-
max time kernel
149s -
max time network
122s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
17/05/2024, 04:24
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
a6a14f5176482c701789eede974e0990_NeikiAnalytics.exe
Resource
win7-20240508-en
windows7-x64
11 signatures
150 seconds
Behavioral task
behavioral2
Sample
a6a14f5176482c701789eede974e0990_NeikiAnalytics.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
10 signatures
150 seconds
General
-
Target
a6a14f5176482c701789eede974e0990_NeikiAnalytics.exe
-
Size
71KB
-
MD5
a6a14f5176482c701789eede974e0990
-
SHA1
93edaff702bd0e90f6dd8ca0955bbc1e13ffd77e
-
SHA256
27762376d4d38040dfeade3b2d86927a8bc2451ee4586aa40a59fcfd2cf4e593
-
SHA512
69520251a7aafe7ae65c12c5128baeb32974e1eca396c2487ab96bdf8f2f8d16b6ee242710ccf9dbba892aca15023426c45f38418aa7833f2cf7ddd1a4dc91b8
-
SSDEEP
1536:1teqKDlXvCDB04f5Gn/L8FlADNt3d1Hw8slXsX:Olg35GTslA5t3/w8B
Score
10/10
Malware Config
Signatures
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600" oukcitis-omat.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "25600" oukcitis-omat.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600" oukcitis-omat.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600" oukcitis-omat.exe -
Modifies Installed Components in the registry 2 TTPs 4 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4F424A49-5955-4945-4F42-4A4959554945}\01234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123 = "a" oukcitis-omat.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4F424A49-5955-4945-4F42-4A4959554945}\IsInstalled = "1" oukcitis-omat.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4F424A49-5955-4945-4F42-4A4959554945}\StubPath = "C:\\Windows\\system32\\tseaban-uteas.exe" oukcitis-omat.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4F424A49-5955-4945-4F42-4A4959554945} oukcitis-omat.exe -
Sets file execution options in registry 2 TTPs 3 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe oukcitis-omat.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\0123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890 = "a" oukcitis-omat.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger = "C:\\Windows\\system32\\afmotad-dooc.exe" oukcitis-omat.exe -
Executes dropped EXE 2 IoCs
pid Process 912 oukcitis-omat.exe 3628 oukcitis-omat.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "25600" oukcitis-omat.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600" oukcitis-omat.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600" oukcitis-omat.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600" oukcitis-omat.exe -
Modifies WinLogon 2 TTPs 5 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B} oukcitis-omat.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify oukcitis-omat.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345 = "a" oukcitis-omat.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\DLLName = "C:\\Windows\\system32\\endeanoav.dll" oukcitis-omat.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\Startup = "Startup" oukcitis-omat.exe -
Drops file in System32 directory 9 IoCs
description ioc Process File created C:\Windows\SysWOW64\afmotad-dooc.exe oukcitis-omat.exe File created C:\Windows\SysWOW64\tseaban-uteas.exe oukcitis-omat.exe File created C:\Windows\SysWOW64\oukcitis-omat.exe a6a14f5176482c701789eede974e0990_NeikiAnalytics.exe File opened for modification C:\Windows\SysWOW64\afmotad-dooc.exe oukcitis-omat.exe File opened for modification C:\Windows\SysWOW64\endeanoav.dll oukcitis-omat.exe File created C:\Windows\SysWOW64\endeanoav.dll oukcitis-omat.exe File opened for modification C:\Windows\SysWOW64\oukcitis-omat.exe oukcitis-omat.exe File opened for modification C:\Windows\SysWOW64\oukcitis-omat.exe a6a14f5176482c701789eede974e0990_NeikiAnalytics.exe File opened for modification C:\Windows\SysWOW64\tseaban-uteas.exe oukcitis-omat.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 912 oukcitis-omat.exe 912 oukcitis-omat.exe 912 oukcitis-omat.exe 912 oukcitis-omat.exe 912 oukcitis-omat.exe 912 oukcitis-omat.exe 912 oukcitis-omat.exe 912 oukcitis-omat.exe 3628 oukcitis-omat.exe 3628 oukcitis-omat.exe 912 oukcitis-omat.exe 912 oukcitis-omat.exe 912 oukcitis-omat.exe 912 oukcitis-omat.exe 912 oukcitis-omat.exe 912 oukcitis-omat.exe 912 oukcitis-omat.exe 912 oukcitis-omat.exe 912 oukcitis-omat.exe 912 oukcitis-omat.exe 912 oukcitis-omat.exe 912 oukcitis-omat.exe 912 oukcitis-omat.exe 912 oukcitis-omat.exe 912 oukcitis-omat.exe 912 oukcitis-omat.exe 912 oukcitis-omat.exe 912 oukcitis-omat.exe 912 oukcitis-omat.exe 912 oukcitis-omat.exe 912 oukcitis-omat.exe 912 oukcitis-omat.exe 912 oukcitis-omat.exe 912 oukcitis-omat.exe 912 oukcitis-omat.exe 912 oukcitis-omat.exe 912 oukcitis-omat.exe 912 oukcitis-omat.exe 912 oukcitis-omat.exe 912 oukcitis-omat.exe 912 oukcitis-omat.exe 912 oukcitis-omat.exe 912 oukcitis-omat.exe 912 oukcitis-omat.exe 912 oukcitis-omat.exe 912 oukcitis-omat.exe 912 oukcitis-omat.exe 912 oukcitis-omat.exe 912 oukcitis-omat.exe 912 oukcitis-omat.exe 912 oukcitis-omat.exe 912 oukcitis-omat.exe 912 oukcitis-omat.exe 912 oukcitis-omat.exe 912 oukcitis-omat.exe 912 oukcitis-omat.exe 912 oukcitis-omat.exe 912 oukcitis-omat.exe 912 oukcitis-omat.exe 912 oukcitis-omat.exe 912 oukcitis-omat.exe 912 oukcitis-omat.exe 912 oukcitis-omat.exe 912 oukcitis-omat.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 964 a6a14f5176482c701789eede974e0990_NeikiAnalytics.exe Token: SeDebugPrivilege 912 oukcitis-omat.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 964 wrote to memory of 912 964 a6a14f5176482c701789eede974e0990_NeikiAnalytics.exe 83 PID 964 wrote to memory of 912 964 a6a14f5176482c701789eede974e0990_NeikiAnalytics.exe 83 PID 964 wrote to memory of 912 964 a6a14f5176482c701789eede974e0990_NeikiAnalytics.exe 83 PID 912 wrote to memory of 612 912 oukcitis-omat.exe 5 PID 912 wrote to memory of 3500 912 oukcitis-omat.exe 56 PID 912 wrote to memory of 3500 912 oukcitis-omat.exe 56 PID 912 wrote to memory of 3628 912 oukcitis-omat.exe 84 PID 912 wrote to memory of 3628 912 oukcitis-omat.exe 84 PID 912 wrote to memory of 3628 912 oukcitis-omat.exe 84 PID 912 wrote to memory of 3500 912 oukcitis-omat.exe 56 PID 912 wrote to memory of 3500 912 oukcitis-omat.exe 56 PID 912 wrote to memory of 3500 912 oukcitis-omat.exe 56 PID 912 wrote to memory of 3500 912 oukcitis-omat.exe 56 PID 912 wrote to memory of 3500 912 oukcitis-omat.exe 56 PID 912 wrote to memory of 3500 912 oukcitis-omat.exe 56 PID 912 wrote to memory of 3500 912 oukcitis-omat.exe 56 PID 912 wrote to memory of 3500 912 oukcitis-omat.exe 56 PID 912 wrote to memory of 3500 912 oukcitis-omat.exe 56 PID 912 wrote to memory of 3500 912 oukcitis-omat.exe 56 PID 912 wrote to memory of 3500 912 oukcitis-omat.exe 56 PID 912 wrote to memory of 3500 912 oukcitis-omat.exe 56 PID 912 wrote to memory of 3500 912 oukcitis-omat.exe 56 PID 912 wrote to memory of 3500 912 oukcitis-omat.exe 56 PID 912 wrote to memory of 3500 912 oukcitis-omat.exe 56 PID 912 wrote to memory of 3500 912 oukcitis-omat.exe 56 PID 912 wrote to memory of 3500 912 oukcitis-omat.exe 56 PID 912 wrote to memory of 3500 912 oukcitis-omat.exe 56 PID 912 wrote to memory of 3500 912 oukcitis-omat.exe 56 PID 912 wrote to memory of 3500 912 oukcitis-omat.exe 56 PID 912 wrote to memory of 3500 912 oukcitis-omat.exe 56 PID 912 wrote to memory of 3500 912 oukcitis-omat.exe 56 PID 912 wrote to memory of 3500 912 oukcitis-omat.exe 56 PID 912 wrote to memory of 3500 912 oukcitis-omat.exe 56 PID 912 wrote to memory of 3500 912 oukcitis-omat.exe 56 PID 912 wrote to memory of 3500 912 oukcitis-omat.exe 56 PID 912 wrote to memory of 3500 912 oukcitis-omat.exe 56 PID 912 wrote to memory of 3500 912 oukcitis-omat.exe 56 PID 912 wrote to memory of 3500 912 oukcitis-omat.exe 56 PID 912 wrote to memory of 3500 912 oukcitis-omat.exe 56 PID 912 wrote to memory of 3500 912 oukcitis-omat.exe 56 PID 912 wrote to memory of 3500 912 oukcitis-omat.exe 56 PID 912 wrote to memory of 3500 912 oukcitis-omat.exe 56 PID 912 wrote to memory of 3500 912 oukcitis-omat.exe 56 PID 912 wrote to memory of 3500 912 oukcitis-omat.exe 56 PID 912 wrote to memory of 3500 912 oukcitis-omat.exe 56 PID 912 wrote to memory of 3500 912 oukcitis-omat.exe 56 PID 912 wrote to memory of 3500 912 oukcitis-omat.exe 56 PID 912 wrote to memory of 3500 912 oukcitis-omat.exe 56 PID 912 wrote to memory of 3500 912 oukcitis-omat.exe 56 PID 912 wrote to memory of 3500 912 oukcitis-omat.exe 56 PID 912 wrote to memory of 3500 912 oukcitis-omat.exe 56 PID 912 wrote to memory of 3500 912 oukcitis-omat.exe 56 PID 912 wrote to memory of 3500 912 oukcitis-omat.exe 56 PID 912 wrote to memory of 3500 912 oukcitis-omat.exe 56 PID 912 wrote to memory of 3500 912 oukcitis-omat.exe 56 PID 912 wrote to memory of 3500 912 oukcitis-omat.exe 56 PID 912 wrote to memory of 3500 912 oukcitis-omat.exe 56 PID 912 wrote to memory of 3500 912 oukcitis-omat.exe 56 PID 912 wrote to memory of 3500 912 oukcitis-omat.exe 56 PID 912 wrote to memory of 3500 912 oukcitis-omat.exe 56 PID 912 wrote to memory of 3500 912 oukcitis-omat.exe 56 PID 912 wrote to memory of 3500 912 oukcitis-omat.exe 56 PID 912 wrote to memory of 3500 912 oukcitis-omat.exe 56 PID 912 wrote to memory of 3500 912 oukcitis-omat.exe 56
Processes
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵PID:612
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:3500
-
C:\Users\Admin\AppData\Local\Temp\a6a14f5176482c701789eede974e0990_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\a6a14f5176482c701789eede974e0990_NeikiAnalytics.exe"2⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:964 -
C:\Windows\SysWOW64\oukcitis-omat.exe"C:\Windows\system32\oukcitis-omat.exe"3⤵
- Windows security bypass
- Modifies Installed Components in the registry
- Sets file execution options in registry
- Executes dropped EXE
- Windows security modification
- Modifies WinLogon
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:912 -
C:\Windows\SysWOW64\oukcitis-omat.exe--k33p4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3628
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
74KB
MD5fc2b549121ccc55953b22f58bfa586a9
SHA1adfeda07482e588b1f35f028171be1361f83acbc
SHA256225672aebd1d369a1a59d8385681b2eb17b1f9671f49cbf00f39ad5fdb20008c
SHA51276d08fb907514ccaf6403811e18018fce932f5b65fd39b6c8ba74db1009c39307a572999e853b19f76a4d38e3859b10b0653d487fc9c70d23a1a1f4e61e8bf9f
-
Filesize
5KB
MD5f37b21c00fd81bd93c89ce741a88f183
SHA1b2796500597c68e2f5638e1101b46eaf32676c1c
SHA25676cf016fd77cb5a06c6ed4674ddc2345e8390c010cf344491a6e742baf2c0fb0
SHA512252fe66dea9a4b9aebc5fd2f24434719cb25159ba51549d9de407f44b6a2f7bce6e071be02c4f2ad6aef588c77f12c00ed415eb54f96dec1b077326e101ce0f4
-
Filesize
71KB
MD5a6a14f5176482c701789eede974e0990
SHA193edaff702bd0e90f6dd8ca0955bbc1e13ffd77e
SHA25627762376d4d38040dfeade3b2d86927a8bc2451ee4586aa40a59fcfd2cf4e593
SHA51269520251a7aafe7ae65c12c5128baeb32974e1eca396c2487ab96bdf8f2f8d16b6ee242710ccf9dbba892aca15023426c45f38418aa7833f2cf7ddd1a4dc91b8
-
Filesize
73KB
MD5782ec439419c637d107c6fc0320cd611
SHA18b3b93554753130127581ccd3fb96f718fc8b930
SHA256bc851acffd609ee1bc2ffc88bb3cbf86b685eeadaf0e7a2fd6655c600c173acf
SHA51284e740064f8dd439c7b275d18a302e40a258bc0b382a3f64aa3e4288c625dbc8f109b138b1fc94700c2d402d035ad41a7f23ce24b4479d1a4e0e2cbbf0deae60