f5475563cd3582fd2704b2a334d85d5cf6e9bb5eebad8467767682d7a75445ad

Analysis

max time kernel
148s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
20-05-2024 08:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d99ad19cdfcb07ada8ca910737295610_NeikiAnalytics.exe
Size

293KB
MD5

d99ad19cdfcb07ada8ca910737295610
SHA1

f64e47399be079f0933068166fccc44c47649af9
SHA256

f5475563cd3582fd2704b2a334d85d5cf6e9bb5eebad8467767682d7a75445ad
SHA512

0bd76a32b7a7e57585eae8fa264d6ce472cbe9c091a75ef85eab08d24662155b115b9ea52548659046e2f3c359bfc55aa95dbba67fa9ad28795b1bd0fd1220d5
SSDEEP

6144:g750HizPy7n+g47wSAr2QxMcnpjRBM8Aat6E5PB0beIwa2pX8EIHBZrfxoS4iJd:Diz+n87tArhxVjVAA6aPBwSXrk7rJoSj

Score

10^/10

evasion persistence upx

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 10 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\Firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Firefox.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\darkeye-nosttingspersistent.exe = "C:\\Users\\Admin\\AppData\\Roaming\\darkeye-nosttingspersistent.exe:*:Enabled:Windows Messanger"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	d99ad19cdfcb07ada8ca910737295610_NeikiAnalytics.exe

Executes dropped EXE 3 IoCs

pid	Process
2812	Firefox.exe
5020	Firefox.exe
5000	Firefox.exe

UPX packed file 17 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2984-0-0x0000000000400000-0x00000000005DA000-memory.dmp	upx
behavioral2/files/0x0008000000023412-16.dat	upx
behavioral2/memory/2812-28-0x0000000000400000-0x00000000005DA000-memory.dmp	upx
behavioral2/memory/2984-30-0x0000000000400000-0x00000000005DA000-memory.dmp	upx
behavioral2/memory/5020-33-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral2/memory/5020-36-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral2/memory/5020-38-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral2/memory/5000-39-0x0000000000400000-0x0000000000409000-memory.dmp	upx
behavioral2/memory/5000-43-0x0000000000400000-0x0000000000409000-memory.dmp	upx
behavioral2/memory/5000-46-0x0000000000400000-0x0000000000409000-memory.dmp	upx
behavioral2/memory/2812-49-0x0000000000400000-0x00000000005DA000-memory.dmp	upx
behavioral2/memory/5020-53-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral2/memory/5000-54-0x0000000000400000-0x0000000000409000-memory.dmp	upx
behavioral2/memory/5020-55-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral2/memory/5020-61-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral2/memory/5020-66-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral2/memory/5020-77-0x0000000000400000-0x000000000045D000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Java Updater 3 = "C:\\Users\\Admin\\AppData\\Roaming\\Firefox.exe"	reg.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2812 set thread context of 5020	2812	Firefox.exe	89
PID 2812 set thread context of 5000	2812	Firefox.exe	90

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
4068	reg.exe
4440	reg.exe
1692	reg.exe
2924	reg.exe

Suspicious use of AdjustPrivilegeToken 36 IoCs

description	pid	Process
Token: 1	5020	Firefox.exe
Token: SeCreateTokenPrivilege	5020	Firefox.exe
Token: SeAssignPrimaryTokenPrivilege	5020	Firefox.exe
Token: SeLockMemoryPrivilege	5020	Firefox.exe
Token: SeIncreaseQuotaPrivilege	5020	Firefox.exe
Token: SeMachineAccountPrivilege	5020	Firefox.exe
Token: SeTcbPrivilege	5020	Firefox.exe
Token: SeSecurityPrivilege	5020	Firefox.exe
Token: SeTakeOwnershipPrivilege	5020	Firefox.exe
Token: SeLoadDriverPrivilege	5020	Firefox.exe
Token: SeSystemProfilePrivilege	5020	Firefox.exe
Token: SeSystemtimePrivilege	5020	Firefox.exe
Token: SeProfSingleProcessPrivilege	5020	Firefox.exe
Token: SeIncBasePriorityPrivilege	5020	Firefox.exe
Token: SeCreatePagefilePrivilege	5020	Firefox.exe
Token: SeCreatePermanentPrivilege	5020	Firefox.exe
Token: SeBackupPrivilege	5020	Firefox.exe
Token: SeRestorePrivilege	5020	Firefox.exe
Token: SeShutdownPrivilege	5020	Firefox.exe
Token: SeDebugPrivilege	5020	Firefox.exe
Token: SeAuditPrivilege	5020	Firefox.exe
Token: SeSystemEnvironmentPrivilege	5020	Firefox.exe
Token: SeChangeNotifyPrivilege	5020	Firefox.exe
Token: SeRemoteShutdownPrivilege	5020	Firefox.exe
Token: SeUndockPrivilege	5020	Firefox.exe
Token: SeSyncAgentPrivilege	5020	Firefox.exe
Token: SeEnableDelegationPrivilege	5020	Firefox.exe
Token: SeManageVolumePrivilege	5020	Firefox.exe
Token: SeImpersonatePrivilege	5020	Firefox.exe
Token: SeCreateGlobalPrivilege	5020	Firefox.exe
Token: 31	5020	Firefox.exe
Token: 32	5020	Firefox.exe
Token: 33	5020	Firefox.exe
Token: 34	5020	Firefox.exe
Token: 35	5020	Firefox.exe
Token: SeDebugPrivilege	5000	Firefox.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2984	d99ad19cdfcb07ada8ca910737295610_NeikiAnalytics.exe
2812	Firefox.exe
5020	Firefox.exe
5020	Firefox.exe
5000	Firefox.exe
5020	Firefox.exe

Suspicious use of WriteProcessMemory 49 IoCs

description	pid	Process	procid_target
PID 2984 wrote to memory of 2028	2984	d99ad19cdfcb07ada8ca910737295610_NeikiAnalytics.exe	83
PID 2984 wrote to memory of 2028	2984	d99ad19cdfcb07ada8ca910737295610_NeikiAnalytics.exe	83
PID 2984 wrote to memory of 2028	2984	d99ad19cdfcb07ada8ca910737295610_NeikiAnalytics.exe	83
PID 2028 wrote to memory of 4456	2028	cmd.exe	86
PID 2028 wrote to memory of 4456	2028	cmd.exe	86
PID 2028 wrote to memory of 4456	2028	cmd.exe	86
PID 2984 wrote to memory of 2812	2984	d99ad19cdfcb07ada8ca910737295610_NeikiAnalytics.exe	88
PID 2984 wrote to memory of 2812	2984	d99ad19cdfcb07ada8ca910737295610_NeikiAnalytics.exe	88
PID 2984 wrote to memory of 2812	2984	d99ad19cdfcb07ada8ca910737295610_NeikiAnalytics.exe	88
PID 2812 wrote to memory of 5020	2812	Firefox.exe	89
PID 2812 wrote to memory of 5020	2812	Firefox.exe	89
PID 2812 wrote to memory of 5020	2812	Firefox.exe	89
PID 2812 wrote to memory of 5020	2812	Firefox.exe	89
PID 2812 wrote to memory of 5020	2812	Firefox.exe	89
PID 2812 wrote to memory of 5020	2812	Firefox.exe	89
PID 2812 wrote to memory of 5020	2812	Firefox.exe	89
PID 2812 wrote to memory of 5020	2812	Firefox.exe	89
PID 2812 wrote to memory of 5000	2812	Firefox.exe	90
PID 2812 wrote to memory of 5000	2812	Firefox.exe	90
PID 2812 wrote to memory of 5000	2812	Firefox.exe	90
PID 2812 wrote to memory of 5000	2812	Firefox.exe	90
PID 2812 wrote to memory of 5000	2812	Firefox.exe	90
PID 2812 wrote to memory of 5000	2812	Firefox.exe	90
PID 2812 wrote to memory of 5000	2812	Firefox.exe	90
PID 2812 wrote to memory of 5000	2812	Firefox.exe	90
PID 5020 wrote to memory of 2376	5020	Firefox.exe	91
PID 5020 wrote to memory of 2376	5020	Firefox.exe	91
PID 5020 wrote to memory of 2376	5020	Firefox.exe	91
PID 5020 wrote to memory of 4904	5020	Firefox.exe	92
PID 5020 wrote to memory of 4904	5020	Firefox.exe	92
PID 5020 wrote to memory of 4904	5020	Firefox.exe	92
PID 5020 wrote to memory of 3428	5020	Firefox.exe	93
PID 5020 wrote to memory of 3428	5020	Firefox.exe	93
PID 5020 wrote to memory of 3428	5020	Firefox.exe	93
PID 5020 wrote to memory of 3120	5020	Firefox.exe	94
PID 5020 wrote to memory of 3120	5020	Firefox.exe	94
PID 5020 wrote to memory of 3120	5020	Firefox.exe	94
PID 3120 wrote to memory of 4440	3120	cmd.exe	99
PID 3120 wrote to memory of 4440	3120	cmd.exe	99
PID 3120 wrote to memory of 4440	3120	cmd.exe	99
PID 4904 wrote to memory of 4068	4904	cmd.exe	100
PID 4904 wrote to memory of 4068	4904	cmd.exe	100
PID 4904 wrote to memory of 4068	4904	cmd.exe	100
PID 2376 wrote to memory of 2924	2376	cmd.exe	101
PID 2376 wrote to memory of 2924	2376	cmd.exe	101
PID 2376 wrote to memory of 2924	2376	cmd.exe	101
PID 3428 wrote to memory of 1692	3428	cmd.exe	102
PID 3428 wrote to memory of 1692	3428	cmd.exe	102
PID 3428 wrote to memory of 1692	3428	cmd.exe	102

C:\Users\Admin\AppData\Local\Temp\d99ad19cdfcb07ada8ca910737295610_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\d99ad19cdfcb07ada8ca910737295610_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2984
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GsQAK.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2028
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Java Updater 3" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Firefox.exe" /f
    3⤵
    - Adds Run key to start application
    PID:4456
- C:\Users\Admin\AppData\Roaming\Firefox.exe
  "C:\Users\Admin\AppData\Roaming\Firefox.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2812
- - C:\Users\Admin\AppData\Roaming\Firefox.exe
    C:\Users\Admin\AppData\Roaming\Firefox.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:5020
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2376
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        5⤵
        Modifies firewall policy service
        Modifies registry key
        
        PID:2924
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Firefox.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Firefox.exe:*:Enabled:Windows Messanger" /f
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4904
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Firefox.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Firefox.exe:*:Enabled:Windows Messanger" /f
        5⤵
        Modifies firewall policy service
        Modifies registry key
        
        PID:4068
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3428
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        5⤵
        Modifies firewall policy service
        Modifies registry key
        
        PID:1692
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\darkeye-nosttingspersistent.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\darkeye-nosttingspersistent.exe:*:Enabled:Windows Messanger" /f
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3120
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\darkeye-nosttingspersistent.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\darkeye-nosttingspersistent.exe:*:Enabled:Windows Messanger" /f
        5⤵
        Modifies firewall policy service
        Modifies registry key
        
        PID:4440
- - C:\Users\Admin\AppData\Roaming\Firefox.exe
    C:\Users\Admin\AppData\Roaming\Firefox.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:5000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\GsQAK.txt

Filesize
143B

MD5
962bc493b87f298696ad6e3eed7c7937

SHA1
985cc0c7e37e2465c4349abd528e120663ebd205

SHA256
c167e2faa5307ac291ff833b8a1f5f802eaa028d1aba8d1ad342ca84c07bdb01

SHA512
9dd2b755a404b74206b713ab17d2ddedacc48910e942dab71cf7e98d8d25322c24e32648f0881136e5425134aaccfbfd9bdc52ceb4519bd07e97c5564116f173

Download Submit
C:\Users\Admin\AppData\Roaming\Firefox.txt

Filesize
293KB

MD5
b4eba99b3b11b845328013489dab9cba

SHA1
f86bcac33d388de8490ec39a8de9f41a8f59523d

SHA256
86d57d62b36d4c13893949286a8fa3983f0c5c4b91021199f84f1178489e0e4a

SHA512
78d0d612d7afb371d6a9e9be4d7a6c2cb9e21c9c623f5d8da864e139ffbc297f7b43ed1440861970f408da03fa2dcf8539e1b6dc845a0d519cd47ff586b5811c

Download Submit
memory/2812-28-0x0000000000400000-0x00000000005DA000-memory.dmp

Filesize
1.9MB

Download
memory/2812-49-0x0000000000400000-0x00000000005DA000-memory.dmp

Filesize
1.9MB

Download
memory/2984-0-0x0000000000400000-0x00000000005DA000-memory.dmp

Filesize
1.9MB

Download
memory/2984-30-0x0000000000400000-0x00000000005DA000-memory.dmp

Filesize
1.9MB

Download
memory/5000-39-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/5000-43-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/5000-46-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/5000-54-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/5020-38-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/5020-36-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/5020-33-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/5020-53-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/5020-55-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/5020-61-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/5020-66-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/5020-77-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads