Analysis

max time kernel: 148s
max time network: 145s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 19-05-2024 04:02
Static task: static1

Behavioral task: behavioral1
  Sample: 6cdc7b35e19481c2cdd4b0dedc6c1ef0_NeikiAnalytics.exe
  Resource: win7-20240508-en

Behavioral task: behavioral2
  Sample: 6cdc7b35e19481c2cdd4b0dedc6c1ef0_NeikiAnalytics.exe
  Resource: win10v2004-20240508-en
General

Target: 6cdc7b35e19481c2cdd4b0dedc6c1ef0_NeikiAnalytics.exe
Size: 160KB
MD5: 6cdc7b35e19481c2cdd4b0dedc6c1ef0
SHA1: d6dafbb35d3ebe03544a50b9491b6d3e342c1e95
SHA256: 71ff992303a0f8cc61ba1cce1d28c14c2297cc7a1d1a8ca9ac23c8d25d7ad075
SHA512: b7f9316b6b114b5cb5dd7e31a509cbf0cb1a80785061a9136b072c9499bd8a3ed3a80030dd57e4638ae36d26f3acf21c0afd988ee5cf46aeb6195647fe103722
SSDEEP: 1536:nH1k7kZccmK9OM1q6wY/6nBRiOW+bUciXDyeAvX0J7M6QG9wIa42U6q:HYM3ERQoem9G9wltu
Malware Config
Signatures
- Adds Run key to start application (2 TTPs, 1 IoC)
  Process: winver.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\B6800FF7 = "C:\\Users\\Admin\\AppData\\Roaming\\B6800FF7\\bin.exe"
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Process: winver.exe (PID 1992), 64 identical events
- Suspicious use of FindShellTrayWindow (1 IoC)
  Process: winver.exe (PID 1992)
- Suspicious use of UnmapMainImage (1 IoC)
  Process: 6cdc7b35e19481c2cdd4b0dedc6c1ef0_NeikiAnalytics.exe (PID 1852)
- Suspicious use of WriteProcessMemory (11 IoCs), in the order recorded
  PID 1852 (6cdc7b35e19481c2cdd4b0dedc6c1ef0_NeikiAnalytics.exe) wrote to memory of PID 1992 (winver.exe), 5 times
  PID 1992 (winver.exe) wrote to memory of PID 1260 (Explorer.EXE)
  PID 1992 (winver.exe) wrote to memory of PID 1112 (taskhost.exe)
  PID 1992 (winver.exe) wrote to memory of PID 1172 (Dwm.exe)
  PID 1992 (winver.exe) wrote to memory of PID 1260 (Explorer.EXE)
  PID 1992 (winver.exe) wrote to memory of PID 304 (DllHost.exe)
  PID 1992 (winver.exe) wrote to memory of PID 1852 (6cdc7b35e19481c2cdd4b0dedc6c1ef0_NeikiAnalytics.exe)
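The WriteProcessMemory and Run-key tables are the rows an analyst pivots on: which process wrote into which, in what order, and where the dropped file will be relaunched from. The helper below is an added triage example, not part of the sandbox output. It takes the report's own rows as string input and derives the writer roles (the sample is the origin, winver.exe is written into before it writes anywhere itself), the distinct system processes on the receiving end, and a set of reasons the Run entry looks like persistence rather than an installed product. SYSTEM_IMAGES and the checks in persistence_flags() are this example's own heuristics; the report does not assert them.

```python
"""Rebuild the cross-process write chain and the Run-key persistence entry
from the flattened signature tables of this report.

Added triage helper, not part of the sandbox output. WPM_ROWS and RUN_KEY_ROW
are the report's own rows copied in as strings; SYSTEM_IMAGES and the checks
in persistence_flags() are this example's assumptions.
"""
import re
from collections import defaultdict

# Rows exactly as the "Suspicious use of WriteProcessMemory" table lists them:
# "PID <src> wrote to memory of <dst> <src> <src image> <dst image>".
WPM_ROWS = """\
PID 1852 wrote to memory of 1992 1852 6cdc7b35e19481c2cdd4b0dedc6c1ef0_NeikiAnalytics.exe winver.exe
PID 1852 wrote to memory of 1992 1852 6cdc7b35e19481c2cdd4b0dedc6c1ef0_NeikiAnalytics.exe winver.exe
PID 1852 wrote to memory of 1992 1852 6cdc7b35e19481c2cdd4b0dedc6c1ef0_NeikiAnalytics.exe winver.exe
PID 1852 wrote to memory of 1992 1852 6cdc7b35e19481c2cdd4b0dedc6c1ef0_NeikiAnalytics.exe winver.exe
PID 1852 wrote to memory of 1992 1852 6cdc7b35e19481c2cdd4b0dedc6c1ef0_NeikiAnalytics.exe winver.exe
PID 1992 wrote to memory of 1260 1992 winver.exe Explorer.EXE
PID 1992 wrote to memory of 1112 1992 winver.exe taskhost.exe
PID 1992 wrote to memory of 1172 1992 winver.exe Dwm.exe
PID 1992 wrote to memory of 1260 1992 winver.exe Explorer.EXE
PID 1992 wrote to memory of 304 1992 winver.exe DllHost.exe
PID 1992 wrote to memory of 1852 1992 winver.exe 6cdc7b35e19481c2cdd4b0dedc6c1ef0_NeikiAnalytics.exe
"""

# The single row of the "Adds Run key to start application" table.
RUN_KEY_ROW = (
    r'Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000'
    r'\Software\Microsoft\Windows\CurrentVersion\Run\B6800FF7 = '
    r'"C:\\Users\\Admin\\AppData\\Roaming\\B6800FF7\\bin.exe" winver.exe'
)

# Long-running Windows processes a user-mode sample has no legitimate reason
# to write into (heuristic list chosen for this example).
SYSTEM_IMAGES = {"explorer.exe", "taskhost.exe", "dwm.exe", "dllhost.exe",
                 "svchost.exe", "winlogon.exe", "lsass.exe", "csrss.exe"}

WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) (\S+)")
RUN_RE = re.compile(r'\\CurrentVersion\\Run\\(\S+) = "(.+?)"')


def parse_writes(text):
    """One (src_pid, dst_pid, src_image, dst_image) tuple per row, in order."""
    writes = []
    for line in text.splitlines():
        m = WPM_RE.match(line.strip())
        if m:
            src, dst, src_img, dst_img = m.groups()
            writes.append((int(src), int(dst), src_img, dst_img))
    return writes


def classify_writers(writes):
    """Label each writing pid by when it first appears: written into before it
    writes anywhere -> injected host; writes first -> origin. Row order is
    what carries this information."""
    role, written_into = {}, set()
    for src, dst, _, _ in writes:
        if src not in role:
            role[src] = "host" if src in written_into else "origin"
        written_into.add(dst)
    return role


def write_counts(writes):
    """Number of writes on each (src_pid, dst_pid) edge."""
    counts = defaultdict(int)
    for src, dst, _, _ in writes:
        counts[(src, dst)] += 1
    return dict(counts)


def system_targets(writes):
    """Distinct (pid, image) pairs on the receiving end whose image is a
    well-known Windows process; these are the writes to escalate first."""
    return sorted({(dst, img) for _, dst, _, img in writes
                   if img.lower() in SYSTEM_IMAGES})


def parse_run_key(row):
    """(value name, target path). The report shows the path with escaped
    backslashes, which are collapsed to the real on-disk path here."""
    m = RUN_RE.search(row)
    if not m:
        raise ValueError("not a Run key row")
    return m.group(1), m.group(2).replace("\\\\", "\\")


def persistence_flags(name, path):
    """Reasons this Run entry looks like malware persistence (example heuristics)."""
    flags = []
    if re.fullmatch(r"[0-9A-F]{8}", name):
        flags.append("value name is an 8-hex-digit token rather than a product name")
    if "\\appdata\\roaming\\" in path.lower():
        flags.append("target lives under the user's roaming profile, not Program Files")
    if ("\\" + name + "\\").lower() in path.lower():
        flags.append("target directory reuses the value name")
    return flags


if __name__ == "__main__":
    w = parse_writes(WPM_ROWS)
    print("roles:", classify_writers(w))
    print("edges:", write_counts(w))
    print("system targets:", system_targets(w))
    name, path = parse_run_key(RUN_KEY_ROW)
    print("Run key:", name, "->", path)
    for flag in persistence_flags(name, path):
        print("  !", flag)
```

Run as-is it reports 1852 as origin and 1992 as host, five writes on the 1852 to 1992 edge, four distinct system-process targets (DllHost.exe, taskhost.exe, Dwm.exe, Explorer.EXE), and three flags on the B6800FF7 Run entry. The same parser works on any report whose WriteProcessMemory table uses this row shape; only the heuristic lists need tuning.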
Processes (indentation shows the tree level reported by the sandbox)

C:\Windows\system32\taskhost.exe
  Command line: "taskhost.exe"

C:\Windows\system32\Dwm.exe
  Command line: "C:\Windows\system32\Dwm.exe"

C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE

  C:\Users\Admin\AppData\Local\Temp\6cdc7b35e19481c2cdd4b0dedc6c1ef0_NeikiAnalytics.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\6cdc7b35e19481c2cdd4b0dedc6c1ef0_NeikiAnalytics.exe"
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\winver.exe
      Command line: winver
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of WriteProcessMemory

C:\Windows\system32\DllHost.exe
  Command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads

File: Filesize
memory/304-22-0x0000000000590000-0x0000000000597000-memory.dmp: 28KB
memory/304-29-0x0000000000590000-0x0000000000597000-memory.dmp: 28KB
memory/304-26-0x0000000077901000-0x0000000077902000-memory.dmp: 4KB
memory/1112-27-0x0000000000450000-0x0000000000457000-memory.dmp: 28KB
memory/1112-28-0x0000000077901000-0x0000000077902000-memory.dmp: 4KB
memory/1112-15-0x0000000000450000-0x0000000000457000-memory.dmp: 28KB
memory/1172-30-0x0000000001F90000-0x0000000001F97000-memory.dmp: 28KB
memory/1172-17-0x0000000001F90000-0x0000000001F97000-memory.dmp: 28KB
memory/1260-9-0x00000000025D0000-0x00000000025D7000-memory.dmp: 28KB
memory/1260-6-0x00000000025D0000-0x00000000025D7000-memory.dmp: 28KB
memory/1260-31-0x00000000025E0000-0x00000000025E7000-memory.dmp: 28KB
memory/1260-12-0x0000000077901000-0x0000000077902000-memory.dmp: 4KB
memory/1260-20-0x00000000025E0000-0x00000000025E7000-memory.dmp: 28KB
memory/1260-5-0x00000000025D0000-0x00000000025D7000-memory.dmp: 28KB
memory/1852-25-0x0000000000400000-0x0000000000404A00-memory.dmp: 18KB
memory/1852-0-0x0000000000400000-0x000000000046F000-memory.dmp: 444KB
memory/1852-4-0x00000000001B0000-0x00000000001C6000-memory.dmp: 88KB
memory/1852-3-0x00000000001C0000-0x00000000001C2000-memory.dmp: 8KB
memory/1852-2-0x0000000000400000-0x0000000000405000-memory.dmp: 20KB
memory/1852-1-0x0000000000410000-0x0000000000413000-memory.dmp: 12KB
memory/1992-13-0x00000000778B0000-0x0000000077A59000-memory.dmp: 1.7MB
memory/1992-7-0x0000000000120000-0x0000000000127000-memory.dmp: 28KB
memory/1992-10-0x0000000000D81000-0x0000000000D82000-memory.dmp: 4KB
memory/1992-11-0x0000000000D80000-0x0000000000D96000-memory.dmp: 88KB
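The dump names encode pid, capture sequence number and address range, so the list can be cross-checked against the WriteProcessMemory table: a region of exactly the same size dumped from several processes is what you would expect if one implant was written into each of them. The helper below is an added triage example, not part of the sandbox output. It takes the report's Downloads list verbatim, groups regions by size, lists the order in which processes were first dumped, and checks a set of injection targets against the dump evidence. Reading a recurring size as "the same payload landed in each process" is an analyst heuristic, not something the report states.

```python
"""Correlate the memory dumps the sandbox saved across processes.

Added triage helper, not part of the sandbox output. DUMPS is this report's
Downloads list copied in verbatim; treating a recurring region size as the
same implant landing in several processes is this example's heuristic.
"""
import re
from collections import defaultdict

DUMPS = """\
memory/304-22-0x0000000000590000-0x0000000000597000-memory.dmp
memory/304-29-0x0000000000590000-0x0000000000597000-memory.dmp
memory/304-26-0x0000000077901000-0x0000000077902000-memory.dmp
memory/1112-27-0x0000000000450000-0x0000000000457000-memory.dmp
memory/1112-28-0x0000000077901000-0x0000000077902000-memory.dmp
memory/1112-15-0x0000000000450000-0x0000000000457000-memory.dmp
memory/1172-30-0x0000000001F90000-0x0000000001F97000-memory.dmp
memory/1172-17-0x0000000001F90000-0x0000000001F97000-memory.dmp
memory/1260-9-0x00000000025D0000-0x00000000025D7000-memory.dmp
memory/1260-6-0x00000000025D0000-0x00000000025D7000-memory.dmp
memory/1260-31-0x00000000025E0000-0x00000000025E7000-memory.dmp
memory/1260-12-0x0000000077901000-0x0000000077902000-memory.dmp
memory/1260-20-0x00000000025E0000-0x00000000025E7000-memory.dmp
memory/1260-5-0x00000000025D0000-0x00000000025D7000-memory.dmp
memory/1852-25-0x0000000000400000-0x0000000000404A00-memory.dmp
memory/1852-0-0x0000000000400000-0x000000000046F000-memory.dmp
memory/1852-4-0x00000000001B0000-0x00000000001C6000-memory.dmp
memory/1852-3-0x00000000001C0000-0x00000000001C2000-memory.dmp
memory/1852-2-0x0000000000400000-0x0000000000405000-memory.dmp
memory/1852-1-0x0000000000410000-0x0000000000413000-memory.dmp
memory/1992-13-0x00000000778B0000-0x0000000077A59000-memory.dmp
memory/1992-7-0x0000000000120000-0x0000000000127000-memory.dmp
memory/1992-10-0x0000000000D81000-0x0000000000D82000-memory.dmp
memory/1992-11-0x0000000000D80000-0x0000000000D96000-memory.dmp
"""

# memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp
DUMP_RE = re.compile(r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp")


def parse_dumps(text):
    """(pid, seq, start, end) per dump name; seq is the sandbox's capture order."""
    out = []
    for tok in text.split():
        m = DUMP_RE.fullmatch(tok)
        if m:
            pid, seq, start, end = m.groups()
            out.append((int(pid), int(seq), int(start, 16), int(end, 16)))
    return out


def human(size):
    """Render a byte count the way the report's Filesize column does."""
    return f"{size / 1048576:.1f}MB" if size >= 1048576 else f"{size // 1024}KB"


def shared_regions(dumps, min_pids=2):
    """Region sizes present in at least min_pids distinct processes, widest
    spread first. The same size in process after process is the first lead."""
    by_size = defaultdict(set)
    for pid, _, start, end in dumps:
        by_size[end - start].add(pid)
    hits = [(size, sorted(pids)) for size, pids in by_size.items() if len(pids) >= min_pids]
    return sorted(hits, key=lambda h: (-len(h[1]), h[0]))


def first_capture(dumps):
    """Pids in the order the sandbox first dumped something from them."""
    first = {}
    for pid, seq, _, _ in dumps:
        first[pid] = min(seq, first.get(pid, seq))
    return sorted(first, key=first.get)


def region_in_all(dumps, size, pids):
    """True if every pid in pids has a dump of exactly this size; use it to
    test a list of injection targets against the dump evidence."""
    have = {pid for pid, _, s, e in dumps if e - s == size}
    return set(pids) <= have


if __name__ == "__main__":
    d = parse_dumps(DUMPS)
    for size, pids in shared_regions(d):
        print(f"{human(size):>6} ({size:#x}) dumped from pids {pids}")
    print("first captured:", first_capture(d))
    print("0x7000 region in all four system targets:",
          region_in_all(d, 0x7000, [304, 1112, 1172, 1260]))
```

On this report the 28KB (0x7000) region is present in all five non-sample processes, including every process the WriteProcessMemory table shows winver.exe writing into, the 4KB region at 0x77901000 is missing from Dwm.exe (1172), and an 88KB (0x16000) region appears in both the sample and winver.exe. Those are observations about the dump list only; confirming that the 0x7000 regions hold the same code means diffing the dumps themselves.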