185044ca731c50e49bb3426bf62a81aefdbc6c4b20cf40dae2753725ba021dc4

General

Target

d3c7fa2478979d3394778368daba38e0_NeikiAnalytics.exe
Size

116KB
MD5

d3c7fa2478979d3394778368daba38e0
SHA1

4793a20262c15d66b100370c67c916ebd9156fe3
SHA256

185044ca731c50e49bb3426bf62a81aefdbc6c4b20cf40dae2753725ba021dc4
SHA512

7f83d4c20f9741f04c31432897d199671c31a90a10b1e2ff8b0fe1031d3435570f9b0b6f70accc2337fdf5ca5f7562a1b02ff4f2ae8a69d58c1ac8b33bd11b00
SSDEEP

1536:JOH1ZaQvR1KiX3NK6I+hZhYrt/w5Q6G6IpiRYzz9qJHhhnm0yG5aP/5PxVw:JCKQJcinxphkG5Q6GdpIOkJHhKRfw

Score

7^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

Flaseher.exe

pid process

105764 Flaseher.exe

pid	process
105764	Flaseher.exe

Loads dropped DLL 5 IoCs

Processes:

d3c7fa2478979d3394778368daba38e0_NeikiAnalytics.exe

pid	process
234108	d3c7fa2478979d3394778368daba38e0_NeikiAnalytics.exe
234108	d3c7fa2478979d3394778368daba38e0_NeikiAnalytics.exe
234108	d3c7fa2478979d3394778368daba38e0_NeikiAnalytics.exe
234108	d3c7fa2478979d3394778368daba38e0_NeikiAnalytics.exe
234108	d3c7fa2478979d3394778368daba38e0_NeikiAnalytics.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/234108-712761-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/234108-712766-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\.Flasfh = "C:\\Users\\Admin\\AppData\\Roaming\\..Flash\\Flaseher.exe"	reg.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

d3c7fa2478979d3394778368daba38e0_NeikiAnalytics.exe

description	pid	process	target process
PID 2884 set thread context of 234108	2884	d3c7fa2478979d3394778368daba38e0_NeikiAnalytics.exe	d3c7fa2478979d3394778368daba38e0_NeikiAnalytics.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

d3c7fa2478979d3394778368daba38e0_NeikiAnalytics.exed3c7fa2478979d3394778368daba38e0_NeikiAnalytics.exeFlaseher.exe

pid process

2884 d3c7fa2478979d3394778368daba38e0_NeikiAnalytics.exe
234108 d3c7fa2478979d3394778368daba38e0_NeikiAnalytics.exe
105764 Flaseher.exe

pid	process
2884	d3c7fa2478979d3394778368daba38e0_NeikiAnalytics.exe
234108	d3c7fa2478979d3394778368daba38e0_NeikiAnalytics.exe
105764	Flaseher.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

d3c7fa2478979d3394778368daba38e0_NeikiAnalytics.exed3c7fa2478979d3394778368daba38e0_NeikiAnalytics.execmd.exe

description	pid	process	target process
PID 2884 wrote to memory of 234108	2884	d3c7fa2478979d3394778368daba38e0_NeikiAnalytics.exe	d3c7fa2478979d3394778368daba38e0_NeikiAnalytics.exe
PID 2884 wrote to memory of 234108	2884	d3c7fa2478979d3394778368daba38e0_NeikiAnalytics.exe	d3c7fa2478979d3394778368daba38e0_NeikiAnalytics.exe
PID 2884 wrote to memory of 234108	2884	d3c7fa2478979d3394778368daba38e0_NeikiAnalytics.exe	d3c7fa2478979d3394778368daba38e0_NeikiAnalytics.exe
PID 2884 wrote to memory of 234108	2884	d3c7fa2478979d3394778368daba38e0_NeikiAnalytics.exe	d3c7fa2478979d3394778368daba38e0_NeikiAnalytics.exe
PID 2884 wrote to memory of 234108	2884	d3c7fa2478979d3394778368daba38e0_NeikiAnalytics.exe	d3c7fa2478979d3394778368daba38e0_NeikiAnalytics.exe
PID 2884 wrote to memory of 234108	2884	d3c7fa2478979d3394778368daba38e0_NeikiAnalytics.exe	d3c7fa2478979d3394778368daba38e0_NeikiAnalytics.exe
PID 2884 wrote to memory of 234108	2884	d3c7fa2478979d3394778368daba38e0_NeikiAnalytics.exe	d3c7fa2478979d3394778368daba38e0_NeikiAnalytics.exe
PID 2884 wrote to memory of 234108	2884	d3c7fa2478979d3394778368daba38e0_NeikiAnalytics.exe	d3c7fa2478979d3394778368daba38e0_NeikiAnalytics.exe
PID 234108 wrote to memory of 235856	234108	d3c7fa2478979d3394778368daba38e0_NeikiAnalytics.exe	cmd.exe
PID 234108 wrote to memory of 235856	234108	d3c7fa2478979d3394778368daba38e0_NeikiAnalytics.exe	cmd.exe
PID 234108 wrote to memory of 235856	234108	d3c7fa2478979d3394778368daba38e0_NeikiAnalytics.exe	cmd.exe
PID 234108 wrote to memory of 235856	234108	d3c7fa2478979d3394778368daba38e0_NeikiAnalytics.exe	cmd.exe
PID 235856 wrote to memory of 32928	235856	cmd.exe	reg.exe
PID 235856 wrote to memory of 32928	235856	cmd.exe	reg.exe
PID 235856 wrote to memory of 32928	235856	cmd.exe	reg.exe
PID 235856 wrote to memory of 32928	235856	cmd.exe	reg.exe
PID 234108 wrote to memory of 105764	234108	d3c7fa2478979d3394778368daba38e0_NeikiAnalytics.exe	Flaseher.exe
PID 234108 wrote to memory of 105764	234108	d3c7fa2478979d3394778368daba38e0_NeikiAnalytics.exe	Flaseher.exe
PID 234108 wrote to memory of 105764	234108	d3c7fa2478979d3394778368daba38e0_NeikiAnalytics.exe	Flaseher.exe
PID 234108 wrote to memory of 105764	234108	d3c7fa2478979d3394778368daba38e0_NeikiAnalytics.exe	Flaseher.exe

C:\Users\Admin\AppData\Local\Temp\d3c7fa2478979d3394778368daba38e0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\d3c7fa2478979d3394778368daba38e0_NeikiAnalytics.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2884

C:\Users\Admin\AppData\Local\Temp\d3c7fa2478979d3394778368daba38e0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\d3c7fa2478979d3394778368daba38e0_NeikiAnalytics.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:234108

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\GFTAJ.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:235856

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v ".Flasfh" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\..Flash\Flaseher.exe" /f
4⤵
- Adds Run key to start application
PID:32928

C:\Users\Admin\AppData\Roaming\..Flash\Flaseher.exe
"C:\Users\Admin\AppData\Roaming\..Flash\Flaseher.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:105764

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\GFTAJ.bat
Filesize
145B

MD5
da0cbe87b720a79b294147ed6a4b98be

SHA1
ebf0dc9efd7a12cb192e355cda87546acb4ab360

SHA256
7ccfeff356fdccc9145bd1e263aa1c56360ca7b6552ed5a5665c596d02a627ed

SHA512
f55c4a3d24d2f11db5eda3c816d1cd3b8804a171a7bf715b13d60788247fbb352eafaa5bd4e0a8086c1013396be0a48c7bdb904ab0f974fa0c75e81e3d365acc

Download Submit
\Users\Admin\AppData\Roaming\..Flash\Flaseher.exe
Filesize
116KB

MD5
06bc238768bbd31f8120b2cbea26e784

SHA1
676f2851a62d9dd5d9157246661883758eb5e605

SHA256
425d1a23a99f1b8a3cd499fe5491f2c82ec9cdf754f28bad9056a0a49e9f6cdd

SHA512
190b7ab874ef35040a15b51039441dea19b4de6fe7ce727764340a994b5bed1a6485ebec85618953b18d7718c6431b7b7a564268b6789c1b4b0a8d03be8abe1b

Download Submit
memory/2884-2-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/2884-10-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/2884-8-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/2884-20-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/2884-40-0x0000000001BF0000-0x0000000001BF1000-memory.dmp

Filesize
4KB

Download
memory/2884-50-0x0000000001C30000-0x0000000001C31000-memory.dmp

Filesize
4KB

Download
memory/234108-712761-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/234108-712766-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads