1d45e730660c6762765b63fa5fd83ae9e0bf9dbfda451cc66217b4677e659954

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
17/05/2024, 09:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e7562ac25264d3aa1a2c9fce91578660_NeikiAnalytics.exe
Size

29KB
MD5

e7562ac25264d3aa1a2c9fce91578660
SHA1

6a73d29ac694393a0c867bb8747ff91828707eed
SHA256

1d45e730660c6762765b63fa5fd83ae9e0bf9dbfda451cc66217b4677e659954
SHA512

4204781434f8bd671762597f91499ed9e68ab9900e473a66ee1d23d8d9a6369d0d59713e4aeab343721b7bee12c9fbcff548d8fcf98dde021cd53ae9fe9002c1
SSDEEP

768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9/6:AEwVs+0jNDY1qi/qy

Score

7^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1932	services.exe

UPX packed file 28 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2796-0-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/2796-4-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/files/0x000c00000001444f-8.dat	upx
behavioral1/memory/1932-11-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2796-10-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2796-17-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/1932-18-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1932-23-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1932-28-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1932-30-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1932-35-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1932-40-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2796-41-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/1932-42-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/files/0x0004000000004ed7-50.dat	upx
behavioral1/memory/2796-63-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/1932-64-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2796-67-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/1932-68-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2796-69-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/1932-70-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2796-74-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/1932-75-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2796-79-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/1932-80-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/2796-81-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/1932-82-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1932-87-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	e7562ac25264d3aa1a2c9fce91578660_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\services.exe	e7562ac25264d3aa1a2c9fce91578660_NeikiAnalytics.exe
File opened for modification	C:\Windows\java.exe	e7562ac25264d3aa1a2c9fce91578660_NeikiAnalytics.exe
File created	C:\Windows\java.exe	e7562ac25264d3aa1a2c9fce91578660_NeikiAnalytics.exe

Modifies system certificate store 2 TTPs 9 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	e7562ac25264d3aa1a2c9fce91578660_NeikiAnalytics.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	e7562ac25264d3aa1a2c9fce91578660_NeikiAnalytics.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	e7562ac25264d3aa1a2c9fce91578660_NeikiAnalytics.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	e7562ac25264d3aa1a2c9fce91578660_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	e7562ac25264d3aa1a2c9fce91578660_NeikiAnalytics.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	e7562ac25264d3aa1a2c9fce91578660_NeikiAnalytics.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	e7562ac25264d3aa1a2c9fce91578660_NeikiAnalytics.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	e7562ac25264d3aa1a2c9fce91578660_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	e7562ac25264d3aa1a2c9fce91578660_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2796 wrote to memory of 1932	2796	e7562ac25264d3aa1a2c9fce91578660_NeikiAnalytics.exe	28
PID 2796 wrote to memory of 1932	2796	e7562ac25264d3aa1a2c9fce91578660_NeikiAnalytics.exe	28
PID 2796 wrote to memory of 1932	2796	e7562ac25264d3aa1a2c9fce91578660_NeikiAnalytics.exe	28
PID 2796 wrote to memory of 1932	2796	e7562ac25264d3aa1a2c9fce91578660_NeikiAnalytics.exe	28

C:\Users\Admin\AppData\Local\Temp\e7562ac25264d3aa1a2c9fce91578660_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\e7562ac25264d3aa1a2c9fce91578660_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:2796
- C:\Windows\services.exe
  "C:\Windows\services.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:1932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
7b9f9d8f3e70615116a0f730786fc13a

SHA1
f715ae1aea0c08b9d4465880b6c77b89133a542e

SHA256
30bf6feb1b6144e2a1b969a0505a524506ec99b1d9ae1ee1eed6597a63d0fe04

SHA512
8c2c731f7d50cf06885e899558ee035669c082068c4e682f85c8186a4290848ce84f1ff62bb9510ab6fcacf4db40e7dd375249bee471ea73c3ecc26c6968773c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
94afb625bbcb7befe71d2438ad90f539

SHA1
c26db6b6acb2b6d477d1c83394383590b0874910

SHA256
cca1c8769133b92920901aae33eeb7b18976dc24368ef1725b4c5da57144833b

SHA512
f48b8fff9d97decfbbcffb5c561dd2668962b18e820d7cca1f82b18f77313a6de72c26e0a91c82106a9e2a4ed298de8c843ff041a4fdfacb4008a1a2556e5ffe

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
a9f8edde8f98f7834eb7ea4996747c71

SHA1
f303a1ed204e9b62e763b5f58b2f70f0d7d7d63c

SHA256
8e6d19dcbdbb5013a1288f565606117926eb13a941184e1ef3c5776c31a7dc17

SHA512
908d61d58a68812b78623cdeaf114de64713d0cb93939031de3781112c2c8d170ac6b08eb084add960d5fec229d2f4d8da77ba0ddb936ca3554f6a97ffcafdc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\TVbqjvjs3p.log

Filesize
288B

MD5
0729a09a916fd8f56caf831fd1bc219d

SHA1
34f908b94769fb331d14bba91102999968676a1e

SHA256
087792a8c65bb46529c00108258f2170206a905709e843dbadfe05b663dce35f

SHA512
ed67e98da015a52f190c3c5ce2728c08af4373a8a2eb81490b6d93c79d687fc305bf2ee154f1387aed3fa44ff6dcd375b4e5d184ceb278c160caae5a30c12ddc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar4B24.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4FB6.tmp

Filesize
29KB

MD5
6fc8eab64370754d259786c34462fc4e

SHA1
dfa87600087f420866ec1f0a48b18994dff1059d

SHA256
a006514c66d4b4e67b685d8cd54131d58a273c52295ef577c6bfcab4dafc8108

SHA512
8f24e36e805d278a95e60c74ca2c80bc124c98282ed2083aae9a9c18ff3c8d3069c308a04f654d18451cb194d18d1af5d5fb125e0bffb3abb7868819f83e6664

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
320B

MD5
3eaa66ac4d890bc5b1e86bcc28140622

SHA1
4b5076bf63c50902c5d7326fda6a2c54f489c215

SHA256
f89f6fe791e1cd5eb4c5d69107fc53bcb094b5bf385699100c7674314c220f36

SHA512
69ed8e3695a75241d108225b3d3357b92448b454074729c4d0be641c8e2527b5c8bfd15df46b4ac1ec9ab6897f9cf5931c8d317352c8753a84e702a05adc9de0

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
320B

MD5
2dccfa5e40685b9acf7c7bd2146f1d33

SHA1
952201fe81bf18f5bd0fca5eb2a51a8ac093b9a0

SHA256
d9f900ca5dc5a9bf67343288e7655da365770a8395f5649b1d90ab91d9085f19

SHA512
ff2055b2323d505caf2d69883e6d8c91b01a0001695f99990c5ce38f862e022fbc2a129eaa0f86603eeebdcdf43da32e35429ed05989175e30a09491b6f6b2ee

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/1932-80-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1932-40-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1932-11-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1932-42-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1932-35-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1932-30-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1932-28-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1932-82-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1932-64-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1932-18-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1932-68-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1932-23-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1932-70-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1932-87-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1932-75-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2796-63-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2796-0-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2796-81-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2796-79-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2796-74-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2796-69-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2796-67-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2796-17-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2796-10-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2796-41-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/2796-4-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads