dafbfc898ee0edd426c32e480b4c931474af04d15b29fec44dc07c3dcff5b234

Analysis

max time kernel
140s
max time network
119s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
20/05/2024, 09:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe
Size

416KB
MD5

7ca0c037794d176ac91c690bab22787b
SHA1

1572f8c284cd27a9ed2d28640d7dddbc3fe1537a
SHA256

dafbfc898ee0edd426c32e480b4c931474af04d15b29fec44dc07c3dcff5b234
SHA512

de09ebdbdcea493332afec7cda07beb2488dab7458ca7aaefda34817eda01ab731bb037eaff26dcddea0e3a8a2a74939d9a5c860b53d842012812bfde6bb6097
SSDEEP

6144:tyH7xOc6H5c6HcT66vlm+jjIYb1lftjtNSx59xq84rDbRXB/UAn8CQxenvyLa:taPb1ptfKn4vb1BMANce6+

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2052	svchost.exe
3008	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe
2132	svchost.exe

Loads dropped DLL 1 IoCs

pid	Process
2052	svchost.exe

Drops file in Program Files directory 18 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\7-Zip\7z.exe	svchost.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	svchost.exe
File opened for modification	C:\PROGRAM FILES\7-ZIP\7Z.EXE	svchost.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	svchost.exe
File opened for modification	C:\PROGRAM FILES\7-ZIP\7ZFM.EXE	svchost.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	svchost.exe
File opened for modification	C:\PROGRAM FILES\7-ZIP\7ZG.EXE	svchost.exe
File opened for modification	C:\PROGRAM FILES\7-ZIP\UNINSTALL.EXE	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	svchost.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\svchost.exe	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe
File opened for modification	C:\WINDOWS\SVCHOST.EXE	svchost.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
3008	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe

Suspicious behavior: MapViewOfSection 23 IoCs

pid	Process
3008	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe
3008	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe
3008	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe
3008	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe
3008	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe
3008	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe
3008	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe
3008	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe
3008	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe
3008	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe
3008	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe
3008	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe
3008	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe
3008	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe
3008	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe
3008	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe
3008	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe
3008	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe
3008	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe
3008	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe
3008	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe
3008	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe
3008	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

description	pid	Process
Token: SeDebugPrivilege	3008	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe
Token: SeTakeOwnershipPrivilege	2132	svchost.exe
Token: SeRestorePrivilege	2132	svchost.exe
Token: SeBackupPrivilege	2132	svchost.exe
Token: SeChangeNotifyPrivilege	2132	svchost.exe
Token: SeTakeOwnershipPrivilege	2132	svchost.exe
Token: SeRestorePrivilege	2132	svchost.exe
Token: SeBackupPrivilege	2132	svchost.exe
Token: SeChangeNotifyPrivilege	2132	svchost.exe
Token: SeTakeOwnershipPrivilege	2132	svchost.exe
Token: SeRestorePrivilege	2132	svchost.exe
Token: SeBackupPrivilege	2132	svchost.exe
Token: SeChangeNotifyPrivilege	2132	svchost.exe
Token: SeTakeOwnershipPrivilege	2132	svchost.exe
Token: SeRestorePrivilege	2132	svchost.exe
Token: SeBackupPrivilege	2132	svchost.exe
Token: SeChangeNotifyPrivilege	2132	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2060 wrote to memory of 2052	2060	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe	28
PID 2060 wrote to memory of 2052	2060	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe	28
PID 2060 wrote to memory of 2052	2060	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe	28
PID 2060 wrote to memory of 2052	2060	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe	28
PID 2052 wrote to memory of 3008	2052	svchost.exe	29
PID 2052 wrote to memory of 3008	2052	svchost.exe	29
PID 2052 wrote to memory of 3008	2052	svchost.exe	29
PID 2052 wrote to memory of 3008	2052	svchost.exe	29
PID 3008 wrote to memory of 388	3008	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe	3
PID 3008 wrote to memory of 388	3008	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe	3
PID 3008 wrote to memory of 388	3008	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe	3
PID 3008 wrote to memory of 388	3008	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe	3
PID 3008 wrote to memory of 388	3008	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe	3
PID 3008 wrote to memory of 388	3008	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe	3
PID 3008 wrote to memory of 388	3008	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe	3
PID 3008 wrote to memory of 400	3008	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe	4
PID 3008 wrote to memory of 400	3008	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe	4
PID 3008 wrote to memory of 400	3008	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe	4
PID 3008 wrote to memory of 400	3008	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe	4
PID 3008 wrote to memory of 400	3008	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe	4
PID 3008 wrote to memory of 400	3008	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe	4
PID 3008 wrote to memory of 400	3008	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe	4
PID 3008 wrote to memory of 436	3008	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe	5
PID 3008 wrote to memory of 436	3008	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe	5
PID 3008 wrote to memory of 436	3008	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe	5
PID 3008 wrote to memory of 436	3008	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe	5
PID 3008 wrote to memory of 436	3008	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe	5
PID 3008 wrote to memory of 436	3008	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe	5
PID 3008 wrote to memory of 436	3008	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe	5
PID 3008 wrote to memory of 480	3008	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe	6
PID 3008 wrote to memory of 480	3008	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe	6
PID 3008 wrote to memory of 480	3008	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe	6
PID 3008 wrote to memory of 480	3008	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe	6
PID 3008 wrote to memory of 480	3008	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe	6
PID 3008 wrote to memory of 480	3008	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe	6
PID 3008 wrote to memory of 480	3008	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe	6
PID 3008 wrote to memory of 496	3008	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe	7
PID 3008 wrote to memory of 496	3008	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe	7
PID 3008 wrote to memory of 496	3008	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe	7
PID 3008 wrote to memory of 496	3008	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe	7
PID 3008 wrote to memory of 496	3008	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe	7
PID 3008 wrote to memory of 496	3008	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe	7
PID 3008 wrote to memory of 496	3008	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe	7
PID 3008 wrote to memory of 504	3008	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe	8
PID 3008 wrote to memory of 504	3008	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe	8
PID 3008 wrote to memory of 504	3008	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe	8
PID 3008 wrote to memory of 504	3008	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe	8
PID 3008 wrote to memory of 504	3008	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe	8
PID 3008 wrote to memory of 504	3008	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe	8
PID 3008 wrote to memory of 504	3008	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe	8
PID 3008 wrote to memory of 608	3008	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe	9
PID 3008 wrote to memory of 608	3008	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe	9
PID 3008 wrote to memory of 608	3008	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe	9
PID 3008 wrote to memory of 608	3008	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe	9
PID 3008 wrote to memory of 608	3008	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe	9
PID 3008 wrote to memory of 608	3008	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe	9
PID 3008 wrote to memory of 608	3008	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe	9
PID 3008 wrote to memory of 688	3008	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe	10
PID 3008 wrote to memory of 688	3008	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe	10
PID 3008 wrote to memory of 688	3008	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe	10
PID 3008 wrote to memory of 688	3008	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe	10
PID 3008 wrote to memory of 688	3008	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe	10
PID 3008 wrote to memory of 688	3008	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe	10
PID 3008 wrote to memory of 688	3008	7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe	10

C:\Windows\system32\wininit.exe
wininit.exe
1⤵
PID:388
- C:\Windows\system32\services.exe
  C:\Windows\system32\services.exe
  2⤵
  PID:480
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    3⤵
    PID:608
  - - C:\Windows\system32\DllHost.exe
      C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
      4⤵
      PID:1724
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k RPCSS
    3⤵
    PID:688
- - C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    3⤵
    PID:764
- - C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    3⤵
    PID:828
  - - C:\Windows\system32\Dwm.exe
      "C:\Windows\system32\Dwm.exe"
      4⤵
      PID:1356
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs
    3⤵
    PID:868
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalService
    3⤵
    PID:1004
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    3⤵
    PID:352
- - C:\Windows\System32\spoolsv.exe
    C:\Windows\System32\spoolsv.exe
    3⤵
    PID:296
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    3⤵
    PID:1028
- - C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    3⤵
    PID:1296
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    3⤵
    PID:1940
- - C:\Windows\system32\sppsvc.exe
    C:\Windows\system32\sppsvc.exe
    3⤵
    PID:2304
- - C:\Windows\svchost.exe
    C:\Windows\svchost.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    PID:2132
- C:\Windows\system32\lsass.exe
  C:\Windows\system32\lsass.exe
  2⤵
  PID:496
- C:\Windows\system32\lsm.exe
  C:\Windows\system32\lsm.exe
  2⤵
  PID:504

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:400

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:436

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1400
- C:\Users\Admin\AppData\Local\Temp\7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe
  "C:\Users\Admin\AppData\Local\Temp\7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2060
- - C:\Windows\svchost.exe
    "C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2052
  - - C:\Users\Admin\AppData\Local\Temp\7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe
      "C:\Users\Admin\AppData\Local\Temp\7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3008

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\svchost.exe

Filesize
35KB

MD5
ff948cfa9e42bc40cd308ecef233f087

SHA1
c3272caf5613c96dc56a306e84fba4062a2d928e

SHA256
3638dc9b5a971f313387af6c212d07afa764dd8bdcec72e58b758e6954dc0847

SHA512
12e47a2c575de7ae6b0db827944ba3bb68fcbbbe59d9bc33f13e7d84a08f18f84ac98ee50d531ef1ec82e25eeb15f55bbb941f8ce4f61f24105037319c83d4df

Download Submit
\Users\Admin\AppData\Local\Temp\7ca0c037794d176ac91c690bab22787b_NeikiAnalytics.exe

Filesize
381KB

MD5
e31dbc427ca414308d39a84a4883d987

SHA1
57997f63e96843c07e53a72f7836680f19a878e5

SHA256
d006702a028664bb619fe191d1358acd44976a85c36b6dea9cfe824be45793b8

SHA512
841bb09c207d1de53f837faa1cec75919bb34fccf39ec7a52fa20b5832d4ab4b40a7c62bee5202e08076eec4535d931b57d06e4677175ac9685b9d6f575fb521

Download Submit
memory/2052-13-0x0000000000120000-0x0000000000183000-memory.dmp

Filesize
396KB

Download
memory/2052-20-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2060-5-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2132-28-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2132-42-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2132-30-0x000000007EFA0000-0x000000007EFAC000-memory.dmp

Filesize
48KB

Download
memory/2132-19-0x000000007EFA0000-0x000000007EFAC000-memory.dmp

Filesize
48KB

Download
memory/3008-16-0x000000007726F000-0x0000000077270000-memory.dmp

Filesize
4KB

Download
memory/3008-27-0x0000000001000000-0x0000000001063000-memory.dmp

Filesize
396KB

Download
memory/3008-17-0x0000000077270000-0x0000000077271000-memory.dmp

Filesize
4KB

Download
memory/3008-15-0x0000000001000000-0x0000000001063000-memory.dmp

Filesize
396KB

Download