Analysis
- max time kernel: 127s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 20-05-2024 08:28
Behavioral task behavioral1
- Sample: dfa42edcacf62525e9d402e0ea5dceb0_NeikiAnalytics.exe
- Resource: win7-20240221-en
Behavioral task behavioral2
- Sample: dfa42edcacf62525e9d402e0ea5dceb0_NeikiAnalytics.exe
- Resource: win10v2004-20240508-en
General
- Target: dfa42edcacf62525e9d402e0ea5dceb0_NeikiAnalytics.exe
- Size: 256KB
- MD5: dfa42edcacf62525e9d402e0ea5dceb0
- SHA1: 23ff3d211ddd602abc153db255fd9a31367a24bb
- SHA256: de2a63770755c84768f8420a14f3af760fd77c026770abdbad7989aca16914c7
- SHA512: b7c3232192ce0bb6c8de8510e08ff12c09c3421ed1317ff1c19e3be4b7ea2cf7d49591ef18dd0a23a09d878a95c01ea16b3f1ba439563d973c9de95f71198767
- SSDEEP: 6144:0DLQxoyQ1LpnFyZ+dayL9rvolH8u3ZhGod:UQCyQ1LHk+zR7QHjGo
Malware Config
Signatures
- Drops file in Drivers directory (1 IoC)
  File opened for modification: C:\WINDOWS\system32\drivers\etc\hosts, by dfa42edcacf62525e9d402e0ea5dceb0_NeikiAnalytics.exe
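The report records only that the sample opened the hosts file for modification, not what it wrote. The script below is an added example, not part of the sandbox report, of the check a responder would run on the file recovered from the host: parse it the way Windows does (comments stripped, several names per address, malformed lines ignored) and flag names that are sinkholed to loopback or 0.0.0.0, or redirected to some other address. The file content is constructed for the example and the .test hostnames are placeholders, not entries taken from this sample.

```python
"""Audit a Windows hosts file for sinkholed or redirected names.

Added example; SAMPLE_HOSTS is constructed, not the file written by the sample.
"""
import ipaddress
from typing import List, Tuple

SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
#
# 102.54.94.97     rhino.acme.com          # source server
127.0.0.1       localhost
::1             localhost
127.0.0.1       www.example-av.test         # constructed: blocks a vendor site
0.0.0.0         updates.example-av.test     # constructed: null-routes an updater
203.0.113.7     login.example-bank.test     # constructed: redirects a login page
not-an-ip       garbage.test
"""

# Names that legitimately map to loopback in a stock hosts file.
DEFAULT_LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_no, address, hostname) for every name on every active line.

    '#' starts a comment, one address may carry several names, and a line whose
    first field is not a valid IPv4/IPv6 address is skipped (Windows ignores it too).
    """
    entries: List[Tuple[int, str, str]] = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        body = raw.split("#", 1)[0].strip()
        if not body:
            continue
        fields = body.split()
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for name in fields[1:]:
            entries.append((line_no, fields[0], name.lower()))
    return entries


def suspicious_entries(text: str) -> List[Tuple[int, str, str, str]]:
    """Classify each entry.

    'sinkhole': a non-default name pointed at loopback or the unspecified address,
                which silently blocks that name (typical for AV/update domains).
    'redirect': a name pointed anywhere else, which hijacks it to another host.
    """
    findings: List[Tuple[int, str, str, str]] = []
    for line_no, addr, name in parse_hosts(text):
        ip = ipaddress.ip_address(addr)
        if ip.is_loopback or ip.is_unspecified:
            if name not in DEFAULT_LOOPBACK_NAMES:
                findings.append((line_no, name, addr, "sinkhole"))
        else:
            findings.append((line_no, name, addr, "redirect"))
    return findings


if __name__ == "__main__":
    for line_no, name, addr, kind in suspicious_entries(SAMPLE_HOSTS):
        print(f"line {line_no}: {kind:8s} {name} -> {addr}")
```

On a real host read C:\Windows\System32\drivers\etc\hosts with an encoding of utf-8-sig (Windows writes a BOM) and diff the findings against a known-good baseline; private-range redirects are common in corporate builds, so the allow-list belongs to the estate, not the script.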
- Modifies Installed Components in the registry (2 TTPs, 1 IoC)
  Key created: \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Active Setup\Installed Components, by explorer.exe
- Deletes itself (1 IoC)
  PID 2920, cmd.exe
- YARA rule match: vmprotect (4 IoCs)
  behavioral1/memory/1312-1-0x0000000000400000-0x000000000048C000-memory.dmp
  behavioral1/memory/1312-0-0x0000000000400000-0x000000000048C000-memory.dmp
  behavioral1/memory/1312-19-0x0000000000400000-0x000000000048C000-memory.dmp
  behavioral1/files/0x0008000000016056-21.dat
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Modifies Internet Explorer settings (2 IoCs)
  Key created: \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Toolbar, by explorer.exe
  Set value (int): \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1", by explorer.exe
- Modifies Internet Explorer start page (1 TTP, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.2637.cn/?56", by dfa42edcacf62525e9d402e0ea5dceb0_NeikiAnalytics.exe
- Modifies registry class (5 IoCs)
  Set value (data): \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff, by explorer.exe
  Key created: \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_Classes\Local Settings, by explorer.exe
  Key created: \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell, by explorer.exe
  Key created: \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU, by explorer.exe
  Set value (data): \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots, by explorer.exe
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  PID 1312, dfa42edcacf62525e9d402e0ea5dceb0_NeikiAnalytics.exe
- Suspicious use of AdjustPrivilegeToken (13 IoCs)
  Token: SeShutdownPrivilege, PID 2736 explorer.exe (13 identical entries)
- Suspicious use of FindShellTrayWindow (29 IoCs)
  PID 2736 explorer.exe (29 identical entries)
- Suspicious use of SendNotifyMessage (22 IoCs)
  PID 2736 explorer.exe (22 identical entries)
- Suspicious use of WriteProcessMemory (8 IoCs)
  PID 1312 (dfa42edcacf62525e9d402e0ea5dceb0_NeikiAnalytics.exe) wrote to memory of PID 2736, procid_target 28 (4 entries)
  PID 1312 (dfa42edcacf62525e9d402e0ea5dceb0_NeikiAnalytics.exe) wrote to memory of PID 2920, procid_target 30 (4 entries)
  Both targets are processes the sample itself started (explorer.exe PID 2736 and cmd.exe PID 2920, see Processes), and a short burst of writes from a parent into a child it has just created is the normal shape of process creation; on its own this signature confirms that the sample spawned those children, not that it injected code into a pre-existing process.
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\dfa42edcacf62525e9d402e0ea5dceb0_NeikiAnalytics.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\dfa42edcacf62525e9d402e0ea5dceb0_NeikiAnalytics.exe"
  Depth 1, PID 1312
  - Drops file in Drivers directory
  - Modifies Internet Explorer start page
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\explorer.exe
    Command line: C:\Windows\explorer.exe
    Depth 2, PID 2736
    - Modifies Installed Components in the registry
    - Modifies Internet Explorer settings
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\yyyy.bat
    Depth 2, PID 2920
    - Deletes itself
- C:\Windows\explorer.exe
  Command line: explorer.exe
  Depth 1, PID 2108
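Taken together, the signatures and the process tree describe four observable behaviours: the IE Start Page set to http://www.2637.cn/?56, the hosts file written by a binary running from %TEMP%, cmd /c on a .bat in %TEMP% spawned by that same binary (the self-deletion step), and use of the Task Scheduler COM API, which the report lists as a TTP without an IoC. The script below is an added example, not part of the sandbox report, that turns those into detection rules and runs them over constructed Sysmon-style events (IDs 1, 11, 13) plus one Security-log 4698 task-creation event. The rules key on a process living in a user-writable directory rather than on this sample's path, so they generalise beyond this sample. The 4698 event, its task name and the updater.exe path are hypothetical, since the report shows no task actually being created; PIDs and registry paths for the other events are taken from the report.

```python
"""Replay the report's IoCs as detection rules over constructed endpoint events.

Added example, not part of the sandbox report. Event shapes mimic Sysmon
(1 = ProcessCreate, 11 = FileCreate, 13 = RegistryValueSet) and Security log
4698 (scheduled task created); the events themselves are constructed.
"""
import re
from typing import Callable, Dict, List, Tuple

SID = "S-1-5-21-2297530677-1229052932-2803917579-1000"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = TEMP + r"\dfa42edcacf62525e9d402e0ea5dceb0_NeikiAnalytics.exe"
HKU = "HKU\\" + SID

EVENTS: List[Dict] = [
    {"id": 1, "pid": 1312, "image": SAMPLE, "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": '"' + SAMPLE + '"'},
    {"id": 11, "pid": 1312, "image": SAMPLE, "target": r"C:\WINDOWS\system32\drivers\etc\hosts"},
    {"id": 13, "pid": 1312, "image": SAMPLE,
     "target": HKU + r"\Software\Microsoft\Internet Explorer\Main\Start Page",
     "details": "http://www.2637.cn/?56"},
    {"id": 1, "pid": 2736, "image": r"C:\Windows\explorer.exe", "parent_image": SAMPLE,
     "cmdline": r"C:\Windows\explorer.exe"},
    {"id": 1, "pid": 2920, "image": r"C:\Windows\SysWOW64\cmd.exe", "parent_image": SAMPLE,
     "cmdline": "cmd /c " + TEMP + r"\yyyy.bat"},
    # Benign noise: the desktop shell writing shellbags, as explorer.exe does in the report.
    {"id": 13, "pid": 2108, "image": r"C:\Windows\explorer.exe",
     "target": HKU + r"_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx",
     "details": "ffffffff"},
    # Hypothetical: the report names the Task Scheduler TTP with no IoC, so this event is
    # invented to exercise the rule. PID, task name and path are placeholders.
    {"id": 4698, "pid": 4444, "image": r"C:\Users\Admin\AppData\Roaming\updater.exe",
     "task_name": r"\Updater",
     "task_content": "<Task><Actions><Exec><Command>C:\\Users\\Admin\\AppData\\Roaming\\updater.exe"
                     "</Command></Exec></Actions><Triggers><BootTrigger/></Triggers></Task>"},
]

# Directories a standard user can write to; code running from here that edits
# system-wide settings is the common thread in the report's IoCs.
USER_WRITABLE = re.compile(r"^C:\\(Users\\[^\\]+\\AppData|Users\\Public|ProgramData)\\", re.I)


def in_user_writable(path: str) -> bool:
    return bool(USER_WRITABLE.match(path))


def rule_ie_start_page(ev: Dict) -> bool:
    """Start Page set to a URL by a binary in a user-writable directory (report: 2637.cn)."""
    return (ev["id"] == 13
            and ev["target"].lower().endswith(r"\internet explorer\main\start page")
            and re.match(r"https?://", ev.get("details", ""), re.I) is not None
            and in_user_writable(ev["image"]))


def rule_hosts_file(ev: Dict) -> bool:
    """hosts file written by anything outside C:\\Windows. Installers and AV agents
    live elsewhere, so the allow-list needs tuning per estate."""
    return (ev["id"] == 11
            and ev["target"].lower().endswith(r"\drivers\etc\hosts")
            and not ev["image"].lower().startswith("c:\\windows\\"))


def rule_temp_batch(ev: Dict) -> bool:
    """cmd /c <user-writable>\\*.bat launched by a parent that also lives in a user-writable
    directory: the shape of the self-deleting batch in the report (cmd.exe PID 2920)."""
    if ev["id"] != 1 or not ev["image"].lower().endswith("\\cmd.exe"):
        return False
    m = re.search(r"/c\s+\"?([^\"\s]+\.bat)\b", ev["cmdline"], re.I)
    return m is not None and in_user_writable(m.group(1)) and in_user_writable(ev["parent_image"])


def rule_task_user_dir(ev: Dict) -> bool:
    """Scheduled task whose action runs a binary from a user-writable directory."""
    if ev["id"] != 4698:
        return False
    commands = re.findall(r"<Command>([^<]+)</Command>", ev["task_content"], re.I)
    return any(in_user_writable(c.strip()) for c in commands)


RULES: Dict[str, Callable[[Dict], bool]] = {
    "ie_start_page_hijack": rule_ie_start_page,
    "hosts_file_write": rule_hosts_file,
    "temp_batch_via_cmd": rule_temp_batch,
    "scheduled_task_user_dir": rule_task_user_dir,
}


def run_rules(events: List[Dict]) -> List[Tuple[str, int]]:
    """Return (rule name, pid) for every event that trips a rule, in event order."""
    return [(name, ev["pid"]) for ev in events for name, rule in RULES.items() if rule(ev)]


if __name__ == "__main__":
    for name, pid in run_rules(EVENTS):
        print(f"{name:24s} pid={pid}")
```

Note what does not fire: the shellbag and Active Setup writes by explorer.exe are ordinary shell start-up activity, and a browser in C:\Program Files changing its own start page is outside the user-writable rule, which keeps the rules quiet on the report's explorer.exe noise while still catching the sample.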
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 256KB
  MD5: 1dca55d584ef12f91d331597f44babc0
  SHA1: 5ddc6bf8a8032a7a731a3d97d0948dd463fa95ad
  SHA256: 7d2287fe634810e7db8940e1419d2dedef63dab5b5615be63efb32a0d589a5cb
  SHA512: 33102c225c8be496f8ac403771bb2e54d9d0c1ccb2c49073a10a5314aec3620b5b43ff4979043c2d4bc58c879ea569164e9a95182e12f881eef8bbd4585a18c1
- Filesize: 337B
  MD5: a227b8cb6c2cd1db1dbf57d656327afd
  SHA1: 30ccad6a1473afef036421ed6138f385131f5ffa
  SHA256: 23862081c241b2989be01cb445521f4d6a3389308c3f90a9ecf8597e0e66b062
  SHA512: 242df788005e263933306386e1b5af010223737e2b45d52dfc91422344884ddeee1a1dad475b7a1b9d285d1d191ac86b9ebf40951011230f9ea041711a713ef1
- Filesize: 2KB
  MD5: a1d921556cf3a3d9d26b2ef002a7f87e
  SHA1: 6d35761aa3c8d24ab25db1d6a6e8a964bebd7121
  SHA256: be7dfb47e11615f6b0cda24d8d568fccb6cea492112f723b8784ee26cbe5d309
  SHA512: 282607c9fc123c57dff829e728c4b08fe7fa27a130903907856127c9aec7d7f2c83c8e6d812208291c495cf25af195404d9010391cf53fcd12f2647475acc049