Analysis
  max time kernel: 149s
  max time network: 155s
  platform: windows10-2004_x64
  resource: win10v2004-20240508-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 17-05-2024 20:12

Static task: static1

Behavioral task: behavioral1
  Sample: 29304276795770b0ef784e1070315fa0_NeikiAnalytics.exe
  Resource: win7-20240419-en

Behavioral task: behavioral2
  Sample: 29304276795770b0ef784e1070315fa0_NeikiAnalytics.exe
  Resource: win10v2004-20240508-en
General
  Target: 29304276795770b0ef784e1070315fa0_NeikiAnalytics.exe
  Size: 8.7MB
  MD5: 29304276795770b0ef784e1070315fa0
  SHA1: 93e331a58aa21fc2fb36ae5a8df9ddd52f73456b
  SHA256: 14b2cabaaec65e4e788c19254ac4b053ad4986a7377aa935838b8cadd88a2222
  SHA512: 58711847e4cebe93412ed172eae015f958bb03bd92a2a0aa350235450ab43605b3b6844ce3a38c76431fe6be49e6d702e5648fb86e58a58d2e41b639b9dfb424
  SSDEEP: 196608:hCbGPZmVfjsCbGPZmVfjiCbGPZmVfjsCbGPZmVfj2CbGPZmVfjsCbGPZmVfjiCbh:0GmVNGmVrGmVNGmVnGmVNGmVrGmVNGmd
Malware Config
Extracted
  Family: njrat
  Version: 0.7d
  Botnet: jjj
  C2: youri.mooo.com:1605
  Mutex: e936a10f968ac948cd351c9629dbd36d
  Attributes:
    reg_key: e936a10f968ac948cd351c9629dbd36d
    splitter: |'|'|
Signatures

Modifies Windows Firewall (2 TTPs, 1 IoC)
  pid | Process
  4424 | netsh.exe

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | cmd.exe

Executes dropped EXE (1 IoC)
  pid | Process
  1440 | winmgr107.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2 = "C:\\ProgramData\\winmgr107.exe" | 29304276795770b0ef784e1070315fa0_NeikiAnalytics.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2 = "C:\\ProgramData\\winmgr107.exe" | winmgr107.exe

AutoIT Executable (2 IoCs)
AutoIT scripts compiled to PE executables.
  resource | yara_rule
  behavioral2/files/0x0008000000023527-9.dat | autoit_exe
  behavioral2/files/0x000700000002351f-11.dat | autoit_exe

Suspicious use of SetThreadContext (1 IoC)
  description | pid | Process | procid_target
  PID 1440 set thread context of 228 | 1440 | winmgr107.exe | 105

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTP, 25 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | Process
  2948 | schtasks.exe
  4588 | schtasks.exe
  2248 | schtasks.exe
  4704 | schtasks.exe
  1136 | schtasks.exe
  2924 | schtasks.exe
  2324 | schtasks.exe
  320 | schtasks.exe
  3576 | schtasks.exe
  3772 | schtasks.exe
  1256 | schtasks.exe
  1816 | schtasks.exe
  1296 | schtasks.exe
  3268 | schtasks.exe
  2424 | schtasks.exe
  2056 | schtasks.exe
  1664 | schtasks.exe
  4284 | schtasks.exe
  1656 | schtasks.exe
  380 | schtasks.exe
  3800 | schtasks.exe
  2072 | schtasks.exe
  2492 | schtasks.exe
  2224 | schtasks.exe
  1320 | schtasks.exe

Modifies registry class (1 IoC)
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings | cmd.exe

NTFS ADS (2 IoCs)
  description | ioc | Process
  File created | C:\ProgramData\winmgr107.exe:Zone.Identifier:$DATA | winmgr107.exe
  File created | C:\Users\Admin\AppData\Local\Temp\29304276795770b0ef784e1070315fa0_NeikiAnalytics.exe:Zone.Identifier:$DATA | 29304276795770b0ef784e1070315fa0_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses (54 IoCs, 2 distinct)
  pid | Process
  2960 | 29304276795770b0ef784e1070315fa0_NeikiAnalytics.exe
  1440 | winmgr107.exe

Suspicious use of AdjustPrivilegeToken (29 IoCs, 3 distinct)
  description | pid | Process
  Token: SeDebugPrivilege | 228 | RegAsm.exe
  Token: 33 | 228 | RegAsm.exe
  Token: SeIncBasePriorityPrivilege | 228 | RegAsm.exe

Suspicious use of WriteProcessMemory (64 IoCs, 21 distinct)
  description | pid | Process | procid_target
  PID 2960 wrote to memory of 1136 | 2960 | 29304276795770b0ef784e1070315fa0_NeikiAnalytics.exe | 100
  PID 1136 wrote to memory of 4360 | 1136 | cmd.exe | 102
  PID 2960 wrote to memory of 1440 | 2960 | 29304276795770b0ef784e1070315fa0_NeikiAnalytics.exe | 104
  PID 1440 wrote to memory of 228 | 1440 | winmgr107.exe | 105
  PID 1440 wrote to memory of 1664 | 1440 | winmgr107.exe | 106
  PID 1440 wrote to memory of 3772 | 1440 | winmgr107.exe | 109
  PID 228 wrote to memory of 4424 | 228 | RegAsm.exe | 111
  PID 1440 wrote to memory of 380 | 1440 | winmgr107.exe | 114
  PID 1440 wrote to memory of 1256 | 1440 | winmgr107.exe | 116
  PID 1440 wrote to memory of 3800 | 1440 | winmgr107.exe | 118
  PID 1440 wrote to memory of 2224 | 1440 | winmgr107.exe | 120
  PID 1440 wrote to memory of 1320 | 1440 | winmgr107.exe | 122
  PID 1440 wrote to memory of 1816 | 1440 | winmgr107.exe | 124
  PID 1440 wrote to memory of 4704 | 1440 | winmgr107.exe | 126
  PID 1440 wrote to memory of 1136 | 1440 | winmgr107.exe | 129
  PID 1440 wrote to memory of 2424 | 1440 | winmgr107.exe | 131
  PID 1440 wrote to memory of 2948 | 1440 | winmgr107.exe | 133
  PID 1440 wrote to memory of 2924 | 1440 | winmgr107.exe | 135
  PID 1440 wrote to memory of 2324 | 1440 | winmgr107.exe | 137
  PID 1440 wrote to memory of 320 | 1440 | winmgr107.exe | 139
  PID 1440 wrote to memory of 2072 | 1440 | winmgr107.exe | 148
Processes

C:\Users\Admin\AppData\Local\Temp\29304276795770b0ef784e1070315fa0_NeikiAnalytics.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\29304276795770b0ef784e1070315fa0_NeikiAnalytics.exe"
  PID: 2960
  - Adds Run key to start application
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c start C:\PROGRA~3\293042~1.TXT
    PID: 1136
    - Checks computer location settings
    - Modifies registry class
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\NOTEPAD.EXE
      Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\PROGRA~3\29304276795770b0ef784e1070315fa0_NeikiAnalytics.exe.txt
      PID: 4360

  C:\ProgramData\winmgr107.exe
    Command line: C:\ProgramData\winmgr107.exe
    PID: 1440
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - NTFS ADS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
      Command line: 0
      PID: 228
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\netsh.exe
        Command line: netsh firewall add allowedprogram "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" "RegAsm.exe" ENABLE
        PID: 4424
        - Modifies Windows Firewall

    C:\Windows\SysWOW64\schtasks.exe (25 child processes of PID 1440, all with the same command line)
      Command line: C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
      PIDs: 1664, 3772, 380, 1256, 3800, 2224, 1320, 1816, 4704, 1136, 2424, 2948, 2924, 2324, 320, 2072, 3576, 4588, 1296, 3268, 4284, 2056, 2248, 2492, 1656
      - Creates scheduled task(s)

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3404,i,1999448010053300448,1112699187621658374,262144 --variations-seed-version --mojo-platform-channel-handle=4532 /prefetch:8
  PID: 2440
Network
MITRE ATT&CK Enterprise v15

Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
  Scheduled Task/Job (1)

Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
  Scheduled Task/Job (1)
Downloads

File 1
  Filesize: 992B
  MD5: c8cf7247d4cfc99a7582a42d13df4c08
  SHA1: 317f5588af0b3b6374c436fb00084c522fd78a83
  SHA256: 78bd99781e971622f1573bccf2ae9cdd7a7498cf81c1875afc65913e1083b1d0
  SHA512: 5dd86b7ba388e5d2ad61b1c69589f42c36eec23a04b3cece0941133e0cf0e8a6f1f3aa2242d87af72db725b4b96032dadae72b3be98af3cfce5786ad8c08c357

File 2
  Filesize: 8.7MB
  MD5: 4dbdc226b3ffdd7d51dc7bcbd5d0c0fd
  SHA1: 94bc8a7885825f86d6c86bd0c6d50e6f58450a03
  SHA256: 35300a11d7817a9c9ad1b4e13914acd68ba16cf08bb4441a48f7eabfd85fd9f7
  SHA512: e1292cc149d19dc37c43c0b2c30ec37b061911848ecc42b80870cd6148419a623671293b41dbb7c04047a376993314dfe4e8b9cce9fafdc661a8b985f860699b

File 3
  Filesize: 8.7MB
  MD5: 29304276795770b0ef784e1070315fa0
  SHA1: 93e331a58aa21fc2fb36ae5a8df9ddd52f73456b
  SHA256: 14b2cabaaec65e4e788c19254ac4b053ad4986a7377aa935838b8cadd88a2222
  SHA512: 58711847e4cebe93412ed172eae015f958bb03bd92a2a0aa350235450ab43605b3b6844ce3a38c76431fe6be49e6d702e5648fb86e58a58d2e41b639b9dfb424