Analysis
-
max time kernel
147s -
max time network
100s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
19-05-2024 20:42
Static task
static1
Behavioral task
behavioral1
Sample
34b8d1f97fc49f1e045ddd0bce268880_NeikiAnalytics.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
34b8d1f97fc49f1e045ddd0bce268880_NeikiAnalytics.exe
Resource
win10v2004-20240426-en
General
-
Target
34b8d1f97fc49f1e045ddd0bce268880_NeikiAnalytics.exe
-
Size
237KB
-
MD5
34b8d1f97fc49f1e045ddd0bce268880
-
SHA1
aa83b2e1d3fbcf95ff5a4ee1fd0a7f8dd3a3cce9
-
SHA256
7700dda53886217863d72dd813e2a9c9b890b0e3dde2ad755d102fb4d1290259
-
SHA512
846f7cc28ba8b3122c55ea40bbf10681408c79911e3a952ffd44fd3608fa5e018306f96fa17831ca361c6947e3a6d88eb3a30c1387043df083868145ae7e9b13
-
SSDEEP
6144:6A2P27yTAnKGw0hjFhSR/W1nyAJ9v0pMtRCpYQ:6ATuTAnKGwUAWVycQqgj
Malware Config
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 2 IoCs
Processes:
WerFault.exeWerFault.exepid pid_target process target process 932 4588 WerFault.exe winver.exe 4388 1304 WerFault.exe 34b8d1f97fc49f1e045ddd0bce268880_NeikiAnalytics.exe -
Modifies data under HKEY_USERS 1 IoCs
Processes:
svchost.exedescription ioc process Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@%SystemRoot%\system32\hnetcfgclient.dll,-201 = "HNetCfg Client" svchost.exe -
Modifies registry class 2 IoCs
Processes:
Explorer.EXEdescription ioc process Key created \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ Explorer.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ Explorer.EXE -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
34b8d1f97fc49f1e045ddd0bce268880_NeikiAnalytics.exepid process 1304 34b8d1f97fc49f1e045ddd0bce268880_NeikiAnalytics.exe 1304 34b8d1f97fc49f1e045ddd0bce268880_NeikiAnalytics.exe -
Suspicious use of AdjustPrivilegeToken 8 IoCs
Processes:
Explorer.EXEdescription pid process Token: SeShutdownPrivilege 3404 Explorer.EXE Token: SeCreatePagefilePrivilege 3404 Explorer.EXE Token: SeShutdownPrivilege 3404 Explorer.EXE Token: SeCreatePagefilePrivilege 3404 Explorer.EXE Token: SeShutdownPrivilege 3404 Explorer.EXE Token: SeCreatePagefilePrivilege 3404 Explorer.EXE Token: SeShutdownPrivilege 3404 Explorer.EXE Token: SeCreatePagefilePrivilege 3404 Explorer.EXE -
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
winver.exe34b8d1f97fc49f1e045ddd0bce268880_NeikiAnalytics.exepid process 4588 winver.exe 1304 34b8d1f97fc49f1e045ddd0bce268880_NeikiAnalytics.exe -
Suspicious use of UnmapMainImage 1 IoCs
Processes:
Explorer.EXEpid process 3404 Explorer.EXE -
Suspicious use of WriteProcessMemory 7 IoCs
Processes:
34b8d1f97fc49f1e045ddd0bce268880_NeikiAnalytics.exewinver.exedescription pid process target process PID 1304 wrote to memory of 4588 1304 34b8d1f97fc49f1e045ddd0bce268880_NeikiAnalytics.exe winver.exe PID 1304 wrote to memory of 4588 1304 34b8d1f97fc49f1e045ddd0bce268880_NeikiAnalytics.exe winver.exe PID 1304 wrote to memory of 4588 1304 34b8d1f97fc49f1e045ddd0bce268880_NeikiAnalytics.exe winver.exe PID 1304 wrote to memory of 4588 1304 34b8d1f97fc49f1e045ddd0bce268880_NeikiAnalytics.exe winver.exe PID 4588 wrote to memory of 3404 4588 winver.exe Explorer.EXE PID 1304 wrote to memory of 3404 1304 34b8d1f97fc49f1e045ddd0bce268880_NeikiAnalytics.exe Explorer.EXE PID 1304 wrote to memory of 2804 1304 34b8d1f97fc49f1e045ddd0bce268880_NeikiAnalytics.exe svchost.exe
Processes
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
-
C:\Users\Admin\AppData\Local\Temp\34b8d1f97fc49f1e045ddd0bce268880_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\34b8d1f97fc49f1e045ddd0bce268880_NeikiAnalytics.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\winver.exewinver3⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4588 -s 3004⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1304 -s 8563⤵
- Program crash
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s Netman1⤵
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4588 -ip 45881⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1304 -ip 13041⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1304-1-0x0000000004730000-0x0000000004D88000-memory.dmpFilesize
6.3MB
-
memory/1304-2-0x0000000003D40000-0x0000000003D41000-memory.dmpFilesize
4KB
-
memory/1304-6-0x0000000000400000-0x000000000043F000-memory.dmpFilesize
252KB
-
memory/1304-9-0x0000000005840000-0x0000000006240000-memory.dmpFilesize
10.0MB
-
memory/1304-15-0x0000000005840000-0x0000000006240000-memory.dmpFilesize
10.0MB
-
memory/1304-18-0x0000000004730000-0x0000000004D88000-memory.dmpFilesize
6.3MB
-
memory/2804-13-0x00000000004B0000-0x00000000004B6000-memory.dmpFilesize
24KB
-
memory/2804-19-0x00000000004B0000-0x00000000004B6000-memory.dmpFilesize
24KB
-
memory/3404-4-0x0000000001140000-0x0000000001146000-memory.dmpFilesize
24KB
-
memory/3404-5-0x0000000001140000-0x0000000001146000-memory.dmpFilesize
24KB
-
memory/3404-10-0x0000000001150000-0x0000000001156000-memory.dmpFilesize
24KB