636af629e9014596da13895a9449d6752d69c0386166f7b62bb3ef8707360dd2

Analysis

max time kernel
149s
max time network
123s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
19/05/2024, 19:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

217666beef3a41d0caa8033721e4e430_NeikiAnalytics.exe
Size

144KB
MD5

217666beef3a41d0caa8033721e4e430
SHA1

9510a3c797b954c6568bf32b26c494e735d1b90f
SHA256

636af629e9014596da13895a9449d6752d69c0386166f7b62bb3ef8707360dd2
SHA512

5f030ebaf11a8d9ad9e3b061bf1ee549c809b6697bd6f2fb565bcf58baebbb9e5492b31f94c88cda03f42e59d3824f5930b058fa26fdcdf678e8b0d6205828db
SSDEEP

3072:l5SVkkgUgXC7AdYzrV+Dljy/32ubwZ/qJ:SUFCkdYzrVolu/J0Z/

Score

7^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2360	WindowsService.exe
2512	WindowsService.exe
1732	WindowsService.exe

Loads dropped DLL 5 IoCs

pid	Process
1712	217666beef3a41d0caa8033721e4e430_NeikiAnalytics.exe
1712	217666beef3a41d0caa8033721e4e430_NeikiAnalytics.exe
1712	217666beef3a41d0caa8033721e4e430_NeikiAnalytics.exe
1712	217666beef3a41d0caa8033721e4e430_NeikiAnalytics.exe
1712	217666beef3a41d0caa8033721e4e430_NeikiAnalytics.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1712-445-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/1712-1031-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/2512-1028-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/2512-1038-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\sidebar = "C:\\Users\\Admin\\AppData\\Roaming\\SystemWindows\\WindowsService.exe"	reg.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2308 set thread context of 1712	2308	217666beef3a41d0caa8033721e4e430_NeikiAnalytics.exe	28
PID 2360 set thread context of 2512	2360	WindowsService.exe	33
PID 2360 set thread context of 1732	2360	WindowsService.exe	34

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2512	WindowsService.exe
Token: SeDebugPrivilege	2512	WindowsService.exe
Token: SeDebugPrivilege	2512	WindowsService.exe
Token: SeDebugPrivilege	2512	WindowsService.exe
Token: SeDebugPrivilege	2512	WindowsService.exe
Token: SeDebugPrivilege	2512	WindowsService.exe
Token: SeDebugPrivilege	2512	WindowsService.exe
Token: SeDebugPrivilege	2512	WindowsService.exe
Token: SeDebugPrivilege	2512	WindowsService.exe
Token: SeDebugPrivilege	2512	WindowsService.exe
Token: SeDebugPrivilege	2512	WindowsService.exe
Token: SeDebugPrivilege	2512	WindowsService.exe
Token: SeDebugPrivilege	2512	WindowsService.exe
Token: SeDebugPrivilege	2512	WindowsService.exe
Token: SeDebugPrivilege	2512	WindowsService.exe
Token: SeDebugPrivilege	2512	WindowsService.exe
Token: SeDebugPrivilege	2512	WindowsService.exe
Token: SeDebugPrivilege	2512	WindowsService.exe
Token: SeDebugPrivilege	2512	WindowsService.exe
Token: SeDebugPrivilege	2512	WindowsService.exe
Token: SeDebugPrivilege	2512	WindowsService.exe
Token: SeDebugPrivilege	2512	WindowsService.exe
Token: SeDebugPrivilege	2512	WindowsService.exe
Token: SeDebugPrivilege	2512	WindowsService.exe
Token: SeDebugPrivilege	2512	WindowsService.exe
Token: SeDebugPrivilege	2512	WindowsService.exe
Token: SeDebugPrivilege	2512	WindowsService.exe
Token: SeDebugPrivilege	2512	WindowsService.exe
Token: SeDebugPrivilege	2512	WindowsService.exe
Token: SeDebugPrivilege	2512	WindowsService.exe
Token: SeDebugPrivilege	2512	WindowsService.exe
Token: SeDebugPrivilege	2512	WindowsService.exe
Token: SeDebugPrivilege	2512	WindowsService.exe
Token: SeDebugPrivilege	2512	WindowsService.exe
Token: SeDebugPrivilege	2512	WindowsService.exe
Token: SeDebugPrivilege	2512	WindowsService.exe
Token: SeDebugPrivilege	2512	WindowsService.exe
Token: SeDebugPrivilege	2512	WindowsService.exe
Token: SeDebugPrivilege	2512	WindowsService.exe
Token: SeDebugPrivilege	2512	WindowsService.exe
Token: SeDebugPrivilege	2512	WindowsService.exe
Token: SeDebugPrivilege	2512	WindowsService.exe
Token: SeDebugPrivilege	2512	WindowsService.exe
Token: SeDebugPrivilege	2512	WindowsService.exe
Token: SeDebugPrivilege	2512	WindowsService.exe
Token: SeDebugPrivilege	2512	WindowsService.exe
Token: SeDebugPrivilege	2512	WindowsService.exe
Token: SeDebugPrivilege	2512	WindowsService.exe
Token: SeDebugPrivilege	2512	WindowsService.exe
Token: SeDebugPrivilege	2512	WindowsService.exe
Token: SeDebugPrivilege	2512	WindowsService.exe
Token: SeDebugPrivilege	2512	WindowsService.exe
Token: SeDebugPrivilege	2512	WindowsService.exe
Token: SeDebugPrivilege	2512	WindowsService.exe
Token: SeDebugPrivilege	2512	WindowsService.exe
Token: SeDebugPrivilege	2512	WindowsService.exe
Token: SeDebugPrivilege	2512	WindowsService.exe
Token: SeDebugPrivilege	2512	WindowsService.exe
Token: SeDebugPrivilege	2512	WindowsService.exe
Token: SeDebugPrivilege	2512	WindowsService.exe
Token: SeDebugPrivilege	2512	WindowsService.exe
Token: SeDebugPrivilege	2512	WindowsService.exe
Token: SeDebugPrivilege	2512	WindowsService.exe
Token: SeDebugPrivilege	2512	WindowsService.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2308	217666beef3a41d0caa8033721e4e430_NeikiAnalytics.exe
1712	217666beef3a41d0caa8033721e4e430_NeikiAnalytics.exe
2360	WindowsService.exe
2512	WindowsService.exe

Suspicious use of WriteProcessMemory 41 IoCs

description	pid	Process	procid_target
PID 2308 wrote to memory of 1712	2308	217666beef3a41d0caa8033721e4e430_NeikiAnalytics.exe	28
PID 2308 wrote to memory of 1712	2308	217666beef3a41d0caa8033721e4e430_NeikiAnalytics.exe	28
PID 2308 wrote to memory of 1712	2308	217666beef3a41d0caa8033721e4e430_NeikiAnalytics.exe	28
PID 2308 wrote to memory of 1712	2308	217666beef3a41d0caa8033721e4e430_NeikiAnalytics.exe	28
PID 2308 wrote to memory of 1712	2308	217666beef3a41d0caa8033721e4e430_NeikiAnalytics.exe	28
PID 2308 wrote to memory of 1712	2308	217666beef3a41d0caa8033721e4e430_NeikiAnalytics.exe	28
PID 2308 wrote to memory of 1712	2308	217666beef3a41d0caa8033721e4e430_NeikiAnalytics.exe	28
PID 2308 wrote to memory of 1712	2308	217666beef3a41d0caa8033721e4e430_NeikiAnalytics.exe	28
PID 1712 wrote to memory of 2688	1712	217666beef3a41d0caa8033721e4e430_NeikiAnalytics.exe	29
PID 1712 wrote to memory of 2688	1712	217666beef3a41d0caa8033721e4e430_NeikiAnalytics.exe	29
PID 1712 wrote to memory of 2688	1712	217666beef3a41d0caa8033721e4e430_NeikiAnalytics.exe	29
PID 1712 wrote to memory of 2688	1712	217666beef3a41d0caa8033721e4e430_NeikiAnalytics.exe	29
PID 2688 wrote to memory of 2676	2688	cmd.exe	31
PID 2688 wrote to memory of 2676	2688	cmd.exe	31
PID 2688 wrote to memory of 2676	2688	cmd.exe	31
PID 2688 wrote to memory of 2676	2688	cmd.exe	31
PID 1712 wrote to memory of 2360	1712	217666beef3a41d0caa8033721e4e430_NeikiAnalytics.exe	32
PID 1712 wrote to memory of 2360	1712	217666beef3a41d0caa8033721e4e430_NeikiAnalytics.exe	32
PID 1712 wrote to memory of 2360	1712	217666beef3a41d0caa8033721e4e430_NeikiAnalytics.exe	32
PID 1712 wrote to memory of 2360	1712	217666beef3a41d0caa8033721e4e430_NeikiAnalytics.exe	32
PID 2360 wrote to memory of 2512	2360	WindowsService.exe	33
PID 2360 wrote to memory of 2512	2360	WindowsService.exe	33
PID 2360 wrote to memory of 2512	2360	WindowsService.exe	33
PID 2360 wrote to memory of 2512	2360	WindowsService.exe	33
PID 2360 wrote to memory of 2512	2360	WindowsService.exe	33
PID 2360 wrote to memory of 2512	2360	WindowsService.exe	33
PID 2360 wrote to memory of 2512	2360	WindowsService.exe	33
PID 2360 wrote to memory of 2512	2360	WindowsService.exe	33
PID 2360 wrote to memory of 1732	2360	WindowsService.exe	34
PID 2360 wrote to memory of 1732	2360	WindowsService.exe	34
PID 2360 wrote to memory of 1732	2360	WindowsService.exe	34
PID 2360 wrote to memory of 1732	2360	WindowsService.exe	34
PID 2360 wrote to memory of 1732	2360	WindowsService.exe	34
PID 2360 wrote to memory of 1732	2360	WindowsService.exe	34
PID 2360 wrote to memory of 1732	2360	WindowsService.exe	34
PID 2360 wrote to memory of 1732	2360	WindowsService.exe	34
PID 2360 wrote to memory of 1732	2360	WindowsService.exe	34
PID 2360 wrote to memory of 1732	2360	WindowsService.exe	34
PID 2360 wrote to memory of 1732	2360	WindowsService.exe	34
PID 2360 wrote to memory of 1732	2360	WindowsService.exe	34
PID 2360 wrote to memory of 1732	2360	WindowsService.exe	34

C:\Users\Admin\AppData\Local\Temp\217666beef3a41d0caa8033721e4e430_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\217666beef3a41d0caa8033721e4e430_NeikiAnalytics.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2308
- C:\Users\Admin\AppData\Local\Temp\217666beef3a41d0caa8033721e4e430_NeikiAnalytics.exe
  "C:\Users\Admin\AppData\Local\Temp\217666beef3a41d0caa8033721e4e430_NeikiAnalytics.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1712
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\HGUBK.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2688
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "sidebar" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe" /f
      4⤵
      Adds Run key to start application
      PID:2676
- - C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe
    "C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2360
  - - C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe
      "C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:2512
  - - C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe
      "C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe"
      4⤵
      Executes dropped EXE
      PID:1732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\HGUBK.bat

Filesize
157B

MD5
f6a90c20834f271a907a4e2bc28184c2

SHA1
36c9d1602b74f622346fbb22693597d7889df48d

SHA256
73f29cd953eee40cea4de67842556ffd96efe8094a6a9b70f33a35df2582febd

SHA512
39cabae19fe1faa37455e4bd242c868be60d6252b07f01224b3f7501c3cf734e503300b840d83381a452707cab6df2f95f920655884be56d4024676b26943804

Download Submit
\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe

Filesize
144KB

MD5
42dcac77dd188f13e84994d3f75c34d6

SHA1
ef68e1e9d438a17d3e26c8b61546a1fcc2f44db9

SHA256
2512973f7d37fe067e1bd4a1ffd8b81d0750993c0196272f095f546eb28902b4

SHA512
12602adfe33aba26f91351a1ec0011ca9a2345a366ed2869d7f8a5d2a68b89f6644665b188ca3cc73136aa0195c7be420663fc544525b96f1e801b2fa007f351

Download Submit
memory/1712-445-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1712-1031-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2308-2-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2512-1028-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2512-1038-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads