141774eca9c4d74eaf7a2e617b5e92c8138c80fe49cf0aa388a4cc72a6739e02

Analysis

max time kernel
149s
max time network
153s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
20/05/2024, 02:27

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

8f6de4f265f6a4805215531b3f88dd90_NeikiAnalytics.exe
Size

521KB
MD5

8f6de4f265f6a4805215531b3f88dd90
SHA1

9f9091f272ea6499393a6abaf06d83e0be5b9052
SHA256

141774eca9c4d74eaf7a2e617b5e92c8138c80fe49cf0aa388a4cc72a6739e02
SHA512

364bdb2a2c8ea5114bd4c2cdb7428be6e4b8a93b21a583be7a9a48030ee0566b44e42350db6ad4487d34c4f3973b2eb4d86809177ff2e5f9f9b0b36775ab1a44
SSDEEP

12288:HP0JHPs1gL5pRTcAkS/3hzN8qE43fm78V:4B5jcAkSYqyE

Score

10^/10

persistence upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe fsb.exe"	tmp259394609.exe

Executes dropped EXE 2 IoCs

pid	Process
2264	tmp259394609.exe
1444	tmp259394624.exe

Loads dropped DLL 4 IoCs

pid	Process
2768	8f6de4f265f6a4805215531b3f88dd90_NeikiAnalytics.exe
2768	8f6de4f265f6a4805215531b3f88dd90_NeikiAnalytics.exe
2768	8f6de4f265f6a4805215531b3f88dd90_NeikiAnalytics.exe
2556	Process not Found

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2768-1-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/2768-15-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/files/0x0002000000011ca3-25.dat	upx

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\fsb.stb	tmp259394609.exe
File created	C:\Windows\SysWOW64\fsb.tmp	tmp259394609.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp259394609.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe-	tmp259394609.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Spades\shvlzm.exe	tmp259394609.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe	tmp259394609.exe
File created	C:\Program Files\Microsoft Games\Hearts\Hearts.exe-	tmp259394609.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe-	tmp259394609.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.exe-	tmp259394609.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe	tmp259394609.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe	tmp259394609.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe-	tmp259394609.exe
File created	C:\Program Files\Java\jre7\bin\rmiregistry.exe-	tmp259394609.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\GRAPH.EXE	tmp259394609.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe	tmp259394609.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe	tmp259394609.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe-	tmp259394609.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe	tmp259394609.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	tmp259394609.exe
File created	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	tmp259394609.exe
File created	C:\Program Files (x86)\Internet Explorer\ielowutil.exe-	tmp259394609.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\InkWatson.exe	tmp259394609.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE-	tmp259394609.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\excelcnv.exe-	tmp259394609.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\MSTORDB.EXE	tmp259394609.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\PPTICO.EXE-	tmp259394609.exe
File created	C:\Program Files\Mozilla Firefox\firefox.exe	tmp259394609.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	tmp259394609.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe-	tmp259394609.exe
File created	C:\Program Files\Mozilla Firefox\default-browser-agent.exe-	tmp259394609.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\excelcnv.exe	tmp259394609.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\OIS.EXE	tmp259394609.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\msinfo32.exe	tmp259394609.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe-	tmp259394609.exe
File created	C:\Program Files\Java\jre7\bin\ssvagent.exe-	tmp259394609.exe
File created	C:\Program Files\Mozilla Firefox\pingsender.exe-	tmp259394609.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe	tmp259394609.exe
File created	C:\Program Files\Java\jre7\bin\policytool.exe	tmp259394609.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\LICLUA.EXE	tmp259394609.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\ODeploy.exe	tmp259394609.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\misc.exe	tmp259394609.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe	tmp259394609.exe
File created	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\template.exe	tmp259394609.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe-	tmp259394609.exe
File created	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	tmp259394609.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe-	tmp259394609.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe	tmp259394609.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOICONS.EXE-	tmp259394609.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmiregistry.exe-	tmp259394609.exe
File created	C:\Program Files\Java\jre7\bin\javaws.exe	tmp259394609.exe
File created	C:\Program Files\Mozilla Firefox\firefox.exe-	tmp259394609.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\SCANPST.EXE-	tmp259394609.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe	tmp259394609.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe	tmp259394609.exe
File created	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	tmp259394609.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\LICLUA.EXE-	tmp259394609.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe-	tmp259394609.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe	tmp259394609.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe-	tmp259394609.exe
File created	C:\Program Files\Microsoft Office\Office14\MSOHTMED.EXE	tmp259394609.exe
File created	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	tmp259394609.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOICONS.EXE	tmp259394609.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\CNFNOT32.EXE-	tmp259394609.exe
File created	C:\Program Files\Internet Explorer\ieinstal.exe	tmp259394609.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\rmiregistry.exe	tmp259394609.exe
File created	C:\Program Files (x86)\Google\Update\Install\{4EFAFADA-208B-4BC3-8A2E-F71970AC49AC}\chrome_installer.exe-	tmp259394609.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\MSPUB.EXE	tmp259394609.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2768 wrote to memory of 2264	2768	8f6de4f265f6a4805215531b3f88dd90_NeikiAnalytics.exe	28
PID 2768 wrote to memory of 2264	2768	8f6de4f265f6a4805215531b3f88dd90_NeikiAnalytics.exe	28
PID 2768 wrote to memory of 2264	2768	8f6de4f265f6a4805215531b3f88dd90_NeikiAnalytics.exe	28
PID 2768 wrote to memory of 2264	2768	8f6de4f265f6a4805215531b3f88dd90_NeikiAnalytics.exe	28
PID 2768 wrote to memory of 1444	2768	8f6de4f265f6a4805215531b3f88dd90_NeikiAnalytics.exe	29
PID 2768 wrote to memory of 1444	2768	8f6de4f265f6a4805215531b3f88dd90_NeikiAnalytics.exe	29
PID 2768 wrote to memory of 1444	2768	8f6de4f265f6a4805215531b3f88dd90_NeikiAnalytics.exe	29
PID 2768 wrote to memory of 1444	2768	8f6de4f265f6a4805215531b3f88dd90_NeikiAnalytics.exe	29

C:\Users\Admin\AppData\Local\Temp\8f6de4f265f6a4805215531b3f88dd90_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\8f6de4f265f6a4805215531b3f88dd90_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2768
- C:\Users\Admin\AppData\Local\Temp\tmp259394609.exe
  C:\Users\Admin\AppData\Local\Temp\tmp259394609.exe
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Program Files directory
  PID:2264
- C:\Users\Admin\AppData\Local\Temp\tmp259394624.exe
  C:\Users\Admin\AppData\Local\Temp\tmp259394624.exe
  2⤵
  - Executes dropped EXE
  PID:1444

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\7z.exe

Filesize
607KB

MD5
f9418a422e5ae2327ab28ff1fe8e6a5d

SHA1
12b60363dda5e6cce9e31e12a8329fbb077777a8

SHA256
9d6840c39dcfec7831e8aaa3a55bf4a0807a73f04038d1ab4518008e0ea44d84

SHA512
cdce40d4d30938248bbc126ec53797ae69b047f26afc20e79b68f3120eca2be0ba649956feeb9d5b9caaeee3e97fc70fda2b08d0b0e0dd779a66c8a2ac8f9230

Download Submit
\Users\Admin\AppData\Local\Temp\tmp259394609.exe

Filesize
52KB

MD5
6d35c2c2e74d9976b19b9daa48cba217

SHA1
81131aa145ae2c86b8e9279cd3cc102798425a05

SHA256
3d2e7ed1a9677ce8f921f8df782ea63349400f66ff5d1c290df5d9e17dca1c70

SHA512
2ce2a6ecead2cc1d831422f583c601ad6468ff0b09c9b4930598d16ce9c3236d75f3ede6ab45d19882c2d6f564f077b3cd62a3222fdc3e704edb8d158b5f8093

Download Submit
\Users\Admin\AppData\Local\Temp\tmp259394624.exe

Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
memory/2264-1650-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2264-1649-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2264-1653-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2264-1657-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2264-1658-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2264-1660-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2264-1661-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2264-1662-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2768-15-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2768-1-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads