Analysis
  max time kernel: 148s
  max time network: 145s
  platform: windows7_x64
  resource: win7-20240221-en
  resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  submitted: 18-05-2024 21:39
Behavioral task behavioral1
  Sample: 086bc92d33eef1a2b85429e327c6c280_NeikiAnalytics.exe
  Resource: win7-20240221-en
Behavioral task behavioral2
  Sample: 086bc92d33eef1a2b85429e327c6c280_NeikiAnalytics.exe
  Resource: win10v2004-20240508-en
General
  Target: 086bc92d33eef1a2b85429e327c6c280_NeikiAnalytics.exe
  Size: 60KB
  MD5: 086bc92d33eef1a2b85429e327c6c280
  SHA1: 3c35b99d55fa3aa88c3b1b09eb0911e7ba098063
  SHA256: 52a523a08d5f402c3ee7f143b85531d0b936ed04d8a137b43872e34ccb3ae087
  SHA512: c33a4fa63bfc8f1de5d8fef8462ae28929c735add70006fc4357bbccfb25981080bc5ba42d5ef4169ed771f0b97a07791fbf44cbbbae84dc72b5a1fc51a7f20e
  SSDEEP: 768:R8kXsqXMRKbsc+nJUlez5eYEqT5yXsqJRU7ihG1gfFNsHWP4jBS:207bszJUyeYEocJiu4gfFi2+A
Malware Config
Signatures
- YARA rule match: upx (3 IoCs)
  resource                                                                     yara_rule
  behavioral1/memory/2968-0-0x0000000000400000-0x0000000000410000-memory.dmp  upx
  behavioral1/memory/2968-3-0x0000000000340000-0x0000000000350000-memory.dmp  upx
  behavioral1/memory/2968-5-0x0000000000400000-0x0000000000410000-memory.dmp  upx
- Adds Run key to start application (2 TTPs, 1 IoC)
  process     description      ioc
  winver.exe  Set value (str)  \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\CC1BDA72 = "C:\\Users\\Admin\\AppData\\Roaming\\CC1BDA72\\bin.exe"
- Suspicious use of SetThreadContext (1 IoC)
  description                          pid   process                                              target process
  PID 2968 set thread context of 2908  2968  086bc92d33eef1a2b85429e327c6c280_NeikiAnalytics.exe  086bc92d33eef1a2b85429e327c6c280_NeikiAnalytics.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid   process
  1560  winver.exe  (the same row repeated 64 times)
- Suspicious use of FindShellTrayWindow (1 IoC)
  pid   process
  1560  winver.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  pid   process
  2968  086bc92d33eef1a2b85429e327c6c280_NeikiAnalytics.exe
- Suspicious use of WriteProcessMemory (17 IoCs)
  description                       pid   process                                              target process
  PID 2968 wrote to memory of 2908  2968  086bc92d33eef1a2b85429e327c6c280_NeikiAnalytics.exe  086bc92d33eef1a2b85429e327c6c280_NeikiAnalytics.exe  (7 rows)
  PID 2908 wrote to memory of 1560  2908  086bc92d33eef1a2b85429e327c6c280_NeikiAnalytics.exe  winver.exe  (5 rows)
  PID 1560 wrote to memory of 1124  1560  winver.exe                                           Explorer.EXE
  PID 1560 wrote to memory of 1060  1560  winver.exe                                           Dwm.exe
  PID 1560 wrote to memory of 1096  1560  winver.exe                                           taskhost.exe
  PID 1560 wrote to memory of 1124  1560  winver.exe                                           Explorer.EXE
  PID 1560 wrote to memory of 1888  1560  winver.exe                                           DllHost.exe
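The three cross-process signatures above read as one chain: the sample (2968) writes into and sets the thread context of a second copy of itself (2908), that copy writes into winver.exe (1560), and winver.exe writes into Explorer.EXE, Dwm.exe, taskhost.exe and DllHost.exe and sets the Run value under AppData\Roaming. The following Python is an added example, not part of the sandbox report: it parses the rows exactly as the report prints them, rebuilds the chain from the root PID, flags the same-image "thread context + memory write" pair as a process-hollowing candidate, lists writes into system processes, and picks out Run values that point into a user's AppData folder. The SYSTEM_IMAGES set and those heuristics are the example's own assumptions, not rules the sandbox applies.

```python
import re
from collections import defaultdict

# Rows copied from the report's signature tables (behavioral1). The report lists the
# 2968->2908 write seven times and the 2908->1560 write five times; one row of each here.
WRITE_EVENTS = """
PID 2968 wrote to memory of 2908 2968 086bc92d33eef1a2b85429e327c6c280_NeikiAnalytics.exe 086bc92d33eef1a2b85429e327c6c280_NeikiAnalytics.exe
PID 2908 wrote to memory of 1560 2908 086bc92d33eef1a2b85429e327c6c280_NeikiAnalytics.exe winver.exe
PID 1560 wrote to memory of 1124 1560 winver.exe Explorer.EXE
PID 1560 wrote to memory of 1060 1560 winver.exe Dwm.exe
PID 1560 wrote to memory of 1096 1560 winver.exe taskhost.exe
PID 1560 wrote to memory of 1124 1560 winver.exe Explorer.EXE
PID 1560 wrote to memory of 1888 1560 winver.exe DllHost.exe
"""
THREAD_CONTEXT_EVENTS = """
PID 2968 set thread context of 2908 2968 086bc92d33eef1a2b85429e327c6c280_NeikiAnalytics.exe 086bc92d33eef1a2b85429e327c6c280_NeikiAnalytics.exe
"""
RUN_KEY_EVENTS = r"""
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\CC1BDA72 = "C:\\Users\\Admin\\AppData\\Roaming\\CC1BDA72\\bin.exe" winver.exe
"""

# Assumption of this example: Windows processes a user-land binary has no business writing into.
SYSTEM_IMAGES = {"explorer.exe", "dwm.exe", "taskhost.exe", "dllhost.exe"}

EDGE_RE = re.compile(r"PID (\d+) (wrote to memory of|set thread context of) (\d+) \d+ (\S+) (\S+)$")
RUNKEY_RE = re.compile(r'Set value \((\w+)\) (\S+) = "([^"]*)" (\S+)$')


def parse_edges(text):
    """(src_pid, dst_pid, src_image, dst_image) for each cross-process event row."""
    edges = []
    for line in text.strip().splitlines():
        m = EDGE_RE.match(line.strip())
        if m:
            edges.append((int(m.group(1)), int(m.group(3)), m.group(4), m.group(5)))
    return edges


def roots(edges):
    """PIDs that write into others but are never written into: where the chain starts."""
    return sorted({e[0] for e in edges} - {e[1] for e in edges})


def hollowing_candidates(write_edges, ctx_edges):
    """Parent sets the thread context of a child running the same image it also wrote into."""
    writes = {(s, d) for s, d, _, _ in write_edges}
    return [(s, d, si) for s, d, si, di in ctx_edges if si.lower() == di.lower() and (s, d) in writes]


def system_process_targets(write_edges):
    """Distinct writes from a non-system process into one of SYSTEM_IMAGES: (src, src_image, dst, dst_image)."""
    out, seen = [], set()
    for s, d, si, di in write_edges:
        if di.lower() in SYSTEM_IMAGES and si.lower() not in SYSTEM_IMAGES and (s, d) not in seen:
            seen.add((s, d))
            out.append((s, si, d, di))
    return out


def appdata_run_values(text):
    """Run-key values whose target lives under a user's AppData folder: (value name, path, writer)."""
    out = []
    for line in text.strip().splitlines():
        m = RUNKEY_RE.match(line.strip())
        if not m:
            continue
        _, key, value, proc = m.groups()
        path = value.replace("\\\\", "\\")  # the report prints backslashes doubled
        if re.search(r"\\AppData\\(Roaming|Local)\\", path, re.IGNORECASE):
            out.append((key.rsplit("\\", 1)[1], path, proc))
    return out


def injection_chain(write_edges, root):
    """Breadth-first walk over distinct write edges from root: [(src_pid, dst_pid, dst_image), ...]."""
    adj = defaultdict(list)
    for s, d, _, di in write_edges:
        if (d, di) not in adj[s]:
            adj[s].append((d, di))
    chain, queue, seen = [], [root], {root}
    while queue:
        p = queue.pop(0)
        for d, di in adj[p]:
            chain.append((p, d, di))
            if d not in seen:
                seen.add(d)
                queue.append(d)
    return chain


if __name__ == "__main__":
    writes = parse_edges(WRITE_EVENTS)
    ctx = parse_edges(THREAD_CONTEXT_EVENTS)
    for root in roots(writes):
        for s, d, image in injection_chain(writes, root):
            print(f"{s} -> {d} ({image})")
    print("hollowing candidates:", hollowing_candidates(writes, ctx))
    print("writes into system processes:", system_process_targets(writes))
    print("AppData Run values:", appdata_run_values(RUN_KEY_EVENTS))
```

The same parser works on the report's full 17-row table; the duplicate rows only change the edge count, not the chain.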
Processes
  C:\Windows\system32\Dwm.exe
    command line: "C:\Windows\system32\Dwm.exe"
  C:\Windows\system32\taskhost.exe
    command line: "taskhost.exe"
  C:\Windows\Explorer.EXE
    command line: C:\Windows\Explorer.EXE
    C:\Users\Admin\AppData\Local\Temp\086bc92d33eef1a2b85429e327c6c280_NeikiAnalytics.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\086bc92d33eef1a2b85429e327c6c280_NeikiAnalytics.exe"
      - Suspicious use of SetThreadContext
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\086bc92d33eef1a2b85429e327c6c280_NeikiAnalytics.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\086bc92d33eef1a2b85429e327c6c280_NeikiAnalytics.exe"
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\winver.exe
          command line: winver
          - Adds Run key to start application
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of WriteProcessMemory
  C:\Windows\system32\DllHost.exe
    command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
  memory dump                                                      filesize
  memory/1060-19-0x0000000000130000-0x0000000000136000-memory.dmp  24KB
  memory/1060-32-0x0000000000130000-0x0000000000136000-memory.dmp  24KB
  memory/1060-33-0x0000000077791000-0x0000000077792000-memory.dmp  4KB
  memory/1096-22-0x00000000020F0000-0x00000000020F6000-memory.dmp  24KB
  memory/1096-35-0x00000000020F0000-0x00000000020F6000-memory.dmp  24KB
  memory/1124-25-0x0000000002550000-0x0000000002556000-memory.dmp  24KB
  memory/1124-38-0x0000000002550000-0x0000000002556000-memory.dmp  24KB
  memory/1124-10-0x0000000002540000-0x0000000002546000-memory.dmp  24KB
  memory/1124-14-0x0000000077791000-0x0000000077792000-memory.dmp  4KB
  memory/1124-6-0x0000000002540000-0x0000000002546000-memory.dmp   24KB
  memory/1124-7-0x0000000002540000-0x0000000002546000-memory.dmp   24KB
  memory/1560-40-0x0000000000140000-0x0000000000141000-memory.dmp  4KB
  memory/1560-8-0x00000000000B0000-0x00000000000B6000-memory.dmp   24KB
  memory/1560-12-0x0000000000310000-0x0000000000326000-memory.dmp  88KB
  memory/1560-11-0x0000000000311000-0x0000000000312000-memory.dmp  4KB
  memory/1560-13-0x000000007793F000-0x0000000077940000-memory.dmp  4KB
  memory/1560-34-0x0000000077740000-0x00000000778E9000-memory.dmp  1.7MB
  memory/1560-39-0x0000000000160000-0x0000000000166000-memory.dmp  24KB
  memory/1560-31-0x0000000000160000-0x0000000000166000-memory.dmp  24KB
  memory/1888-37-0x0000000077791000-0x0000000077792000-memory.dmp  4KB
  memory/1888-36-0x0000000000200000-0x0000000000206000-memory.dmp  24KB
  memory/1888-28-0x0000000000200000-0x0000000000206000-memory.dmp  24KB
  memory/2908-4-0x0000000000400000-0x0000000000405000-memory.dmp   20KB
  memory/2968-3-0x0000000000340000-0x0000000000350000-memory.dmp   64KB
  memory/2968-5-0x0000000000400000-0x0000000000410000-memory.dmp   64KB
  memory/2968-0-0x0000000000400000-0x0000000000410000-memory.dmp   64KB
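Every dump in the list comes from a PID in the injection chain, and the region sizes line up across processes: Dwm.exe (1060), taskhost.exe (1096), Explorer.EXE (1124), winver.exe (1560) and DllHost.exe (1888) each have a 24KB (0x6000) region, the single page at 0x77791000 is dumped from three of them, and the hollowed child (2908) has a 20KB region at the image base 0x400000 where the parent (2968) has 64KB. The following Python is an added example, not part of the report: it parses the dump names, checks each address range against the file size the report printed, and groups regions by size and by exact address so those overlaps fall out of the list automatically. The PID-to-image map is taken from the report's process tree and IoC tables; reading a same-sized region in several processes as the injected payload is the example's assumption.

```python
import re
from collections import defaultdict

# Dump list copied from the report's Downloads section: "<dump name> <reported filesize>".
DUMP_LIST = """
memory/1060-19-0x0000000000130000-0x0000000000136000-memory.dmp 24KB
memory/1060-32-0x0000000000130000-0x0000000000136000-memory.dmp 24KB
memory/1060-33-0x0000000077791000-0x0000000077792000-memory.dmp 4KB
memory/1096-22-0x00000000020F0000-0x00000000020F6000-memory.dmp 24KB
memory/1096-35-0x00000000020F0000-0x00000000020F6000-memory.dmp 24KB
memory/1124-25-0x0000000002550000-0x0000000002556000-memory.dmp 24KB
memory/1124-38-0x0000000002550000-0x0000000002556000-memory.dmp 24KB
memory/1124-10-0x0000000002540000-0x0000000002546000-memory.dmp 24KB
memory/1124-14-0x0000000077791000-0x0000000077792000-memory.dmp 4KB
memory/1124-6-0x0000000002540000-0x0000000002546000-memory.dmp 24KB
memory/1124-7-0x0000000002540000-0x0000000002546000-memory.dmp 24KB
memory/1560-40-0x0000000000140000-0x0000000000141000-memory.dmp 4KB
memory/1560-8-0x00000000000B0000-0x00000000000B6000-memory.dmp 24KB
memory/1560-12-0x0000000000310000-0x0000000000326000-memory.dmp 88KB
memory/1560-11-0x0000000000311000-0x0000000000312000-memory.dmp 4KB
memory/1560-13-0x000000007793F000-0x0000000077940000-memory.dmp 4KB
memory/1560-34-0x0000000077740000-0x00000000778E9000-memory.dmp 1.7MB
memory/1560-39-0x0000000000160000-0x0000000000166000-memory.dmp 24KB
memory/1560-31-0x0000000000160000-0x0000000000166000-memory.dmp 24KB
memory/1888-37-0x0000000077791000-0x0000000077792000-memory.dmp 4KB
memory/1888-36-0x0000000000200000-0x0000000000206000-memory.dmp 24KB
memory/1888-28-0x0000000000200000-0x0000000000206000-memory.dmp 24KB
memory/2908-4-0x0000000000400000-0x0000000000405000-memory.dmp 20KB
memory/2968-3-0x0000000000340000-0x0000000000350000-memory.dmp 64KB
memory/2968-5-0x0000000000400000-0x0000000000410000-memory.dmp 64KB
memory/2968-0-0x0000000000400000-0x0000000000410000-memory.dmp 64KB
"""

# PID -> image, from the report's process tree and IoC tables (behavioral1).
PID_IMAGE = {
    1060: "Dwm.exe", 1096: "taskhost.exe", 1124: "Explorer.EXE", 1888: "DllHost.exe",
    1560: "winver.exe",
    2908: "086bc92d33eef1a2b85429e327c6c280_NeikiAnalytics.exe",  # child that got SetThreadContext
    2968: "086bc92d33eef1a2b85429e327c6c280_NeikiAnalytics.exe",  # original sample
}

DUMP_RE = re.compile(r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp\s+(\S+)")


def parse_dumps(text):
    """One dict per dump: pid, idx, start, end, size in bytes, and the size string the report printed."""
    dumps = []
    for line in text.strip().splitlines():
        m = DUMP_RE.match(line.strip())
        if not m:
            continue
        pid, idx, start, end, reported = m.groups()
        start, end = int(start, 16), int(end, 16)
        dumps.append({"pid": int(pid), "idx": int(idx), "start": start, "end": end,
                      "size": end - start, "reported": reported})
    return dumps


def format_size(n):
    """Format bytes the way the report does: whole KB below 1 MB, one decimal MB above."""
    return f"{n // 1024}KB" if n < 1024 * 1024 else f"{n / (1024 * 1024):.1f}MB"


def size_mismatches(dumps):
    """Dumps whose address range disagrees with the printed size (sanity check on the parse)."""
    return [d for d in dumps if format_size(d["size"]) != d["reported"]]


def shared_sizes(dumps, min_pids=3):
    """Region sizes seen in at least min_pids distinct processes, as (size, sorted pids)."""
    by_size = defaultdict(set)
    for d in dumps:
        by_size[d["size"]].add(d["pid"])
    return sorted((size, sorted(pids)) for size, pids in by_size.items() if len(pids) >= min_pids)


def same_address_regions(dumps, min_pids=2):
    """Identical (start, end) ranges dumped from several processes."""
    by_range = defaultdict(set)
    for d in dumps:
        by_range[(d["start"], d["end"])].add(d["pid"])
    return {r: sorted(p) for r, p in by_range.items() if len(p) >= min_pids}


def region_at_base(dumps, base=0x400000):
    """Size of the region dumped at a given base, per PID (0x400000 is the sample's image base)."""
    return {d["pid"]: d["size"] for d in dumps if d["start"] == base}


if __name__ == "__main__":
    dumps = parse_dumps(DUMP_LIST)
    print("size mismatches:", [d["pid"] for d in size_mismatches(dumps)])
    for size, pids in shared_sizes(dumps):
        print(f"{format_size(size)} region in PIDs {pids}: {[PID_IMAGE[p] for p in pids]}")
    for (s, e), pids in same_address_regions(dumps).items():
        print(f"same range 0x{s:X}-0x{e:X} in PIDs {pids}")
    print("regions at image base:", {p: format_size(n) for p, n in region_at_base(dumps).items()})
```

The 4KB group is the one to treat with care: those pages sit at the same address (0x77791000) in three processes, which same_address_regions reports separately, so a size match alone is not evidence of injection; the 0x6000 regions, by contrast, sit at different addresses in each process.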