Analysis
max time kernel: 150s
max time network: 122s
platform: windows7_x64
resource: win7-20240419-en
resource tags: arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
submitted: 21-05-2024 12:25

Behavioral task: behavioral1
Sample: 4a05ce132b97e62e2d53803e7f89d02bd3c57424e62699aea43c098fc1455fa1_NeikiAnalytics.exe
Resource: win7-20240419-en
General
Target: 4a05ce132b97e62e2d53803e7f89d02bd3c57424e62699aea43c098fc1455fa1_NeikiAnalytics.exe
Size: 283KB
MD5: d34affe27303efd466527f7e2580a950
SHA1: 515522de0fc8f037c5f5800b1c1db784f5390b87
SHA256: 4a05ce132b97e62e2d53803e7f89d02bd3c57424e62699aea43c098fc1455fa1
SHA512: 930d9a31e7e141a8c4af56cac68fb5d0e676c8b2ddb7acc77334dde474f8eeb33ca4295983eb76f3e9d8e6b0890b79f5c647110286c9b17e7059b9ada8b9504f
SSDEEP: 6144:VcNYS99KGGyqRFIqU7lT73sctFM7Pz4pSXJSzAnh:VcWB1zktFSUxAh
Malware Config
Extracted
Family: darkcomet
Botnet ID: Slave
C2: bssbig.no-ip.org:699
C2: zymic99k.no-ip.org:699
Mutex: DC_MUTEX-9UYCUYX
InstallPath: winlogon.exe
gencode: 6dYodXAtJ1da
install: true
offline_keylogger: true
persistence: true
reg_key: winlogon
Both C2 hosts are dynamic-DNS names on a non-standard port (699), and the install name and registry key name both reuse "winlogon" so the dropped copy looks like the genuine logon process.
Signatures
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
Processes: 4a05ce132b97e62e2d53803e7f89d02bd3c57424e62699aea43c098fc1455fa1_NeikiAnalytics.exe
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\winlogon.exe" [4a05ce132b97e62e2d53803e7f89d02bd3c57424e62699aea43c098fc1455fa1_NeikiAnalytics.exe]
The default value is "C:\Windows\system32\userinit.exe,"; the appended second entry is launched by winlogon at every interactive logon.
Modifies firewall policy service (2 TTPs, 6 IoCs)
Processes: winlogon.exe, iexplore.exe
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" [winlogon.exe]
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0" [winlogon.exe]
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile [iexplore.exe]
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" [iexplore.exe]
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0" [iexplore.exe]
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile [winlogon.exe]
EnableFirewall = 0 switches the Windows Firewall off for the Standard profile. The same writes are made twice, first by the dropped winlogon.exe and again by the iexplore.exe it injects into, so the injected payload carries the same setup routine.
Sets file to hidden (1 TTP, 2 IoCs)
Modifies file attributes to stop it showing in Explorer etc.
Processes: attrib.exe, attrib.exe
- PID 2660 attrib.exe
- PID 2720 attrib.exe
Executes dropped EXE (1 IoC)
Processes: winlogon.exe
- PID 2736 winlogon.exe
Loads dropped DLL (2 IoCs)
Processes: 4a05ce132b97e62e2d53803e7f89d02bd3c57424e62699aea43c098fc1455fa1_NeikiAnalytics.exe
- PID 1860 4a05ce132b97e62e2d53803e7f89d02bd3c57424e62699aea43c098fc1455fa1_NeikiAnalytics.exe
- PID 1860 4a05ce132b97e62e2d53803e7f89d02bd3c57424e62699aea43c098fc1455fa1_NeikiAnalytics.exe
UPX-packed regions (yara rule: upx, 7 IoCs)
Processes:
- behavioral1/memory/1860-0-0x0000000000400000-0x00000000004C7000-memory.dmp (upx)
- \Windows\SysWOW64\winlogon.exe (upx)
- behavioral1/memory/2736-15-0x0000000000400000-0x00000000004C7000-memory.dmp (upx)
- behavioral1/memory/1860-12-0x0000000004480000-0x0000000004547000-memory.dmp (upx)
- behavioral1/memory/2736-19-0x0000000000400000-0x00000000004C7000-memory.dmp (upx)
- behavioral1/memory/2752-17-0x0000000000400000-0x00000000004C7000-memory.dmp (upx)
- behavioral1/memory/1860-59-0x0000000000400000-0x00000000004C7000-memory.dmp (upx)
The 2752 region belongs to iexplore.exe: its image at 0x400000 has the same 0xC7000 extent and the same UPX signature as the sample and the dropped winlogon.exe, which corroborates that the browser process was hollowed and refilled with the RAT image.
Adds Run key to start application (2 TTPs, 3 IoCs)
Processes: 4a05ce132b97e62e2d53803e7f89d02bd3c57424e62699aea43c098fc1455fa1_NeikiAnalytics.exe, winlogon.exe, iexplore.exe
- Set value (str): \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "C:\\Windows\\system32\\winlogon.exe" [4a05ce132b97e62e2d53803e7f89d02bd3c57424e62699aea43c098fc1455fa1_NeikiAnalytics.exe]
- Set value (str): \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "C:\\Windows\\system32\\winlogon.exe" [winlogon.exe]
- Set value (str): \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "C:\\Windows\\system32\\winlogon.exe" [iexplore.exe]
Drops file in System32 directory (3 IoCs)
Processes: 4a05ce132b97e62e2d53803e7f89d02bd3c57424e62699aea43c098fc1455fa1_NeikiAnalytics.exe
- File opened for modification: C:\Windows\SysWOW64\ [4a05ce132b97e62e2d53803e7f89d02bd3c57424e62699aea43c098fc1455fa1_NeikiAnalytics.exe]
- File created: C:\Windows\SysWOW64\winlogon.exe [4a05ce132b97e62e2d53803e7f89d02bd3c57424e62699aea43c098fc1455fa1_NeikiAnalytics.exe]
- File opened for modification: C:\Windows\SysWOW64\winlogon.exe [4a05ce132b97e62e2d53803e7f89d02bd3c57424e62699aea43c098fc1455fa1_NeikiAnalytics.exe]
Note the path mismatch: the 32-bit sample writes to "C:\Windows\system32\winlogon.exe" (the path it also records in UserInit and the Run key), but on this x64 image WOW64 file-system redirection lands the file in C:\Windows\SysWOW64\. The genuine 64-bit winlogon.exe in System32 is untouched, and any 64-bit component that later resolves the registered path will reach the genuine binary, not the drop; when hunting, check both directories.
Suspicious use of SetThreadContext (1 IoC)
Processes: winlogon.exe
- PID 2736 winlogon.exe set thread context of PID 2752 iexplore.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes: iexplore.exe
- PID 2752 iexplore.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes: 4a05ce132b97e62e2d53803e7f89d02bd3c57424e62699aea43c098fc1455fa1_NeikiAnalytics.exe (PID 1860), winlogon.exe (PID 2736), iexplore.exe (PID 2752)
All three processes enable the same privileges in the same order, which is the signature of a blanket AdjustTokenPrivileges over every privilege the token holds rather than a targeted request:
- PID 1860 4a05ce132b97e62e2d53803e7f89d02bd3c57424e62699aea43c098fc1455fa1_NeikiAnalytics.exe: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35 (23 IoCs)
- PID 2736 winlogon.exe: the same 23 privileges in the same order (23 IoCs)
- PID 2752 iexplore.exe: SeIncreaseQuotaPrivilege through SeManageVolumePrivilege, i.e. the first 18 of the same sequence (18 IoCs; the row stops at the 64-IoC display limit)
The numeric entries 33, 34 and 35 are privilege LUIDs the sandbox did not name: SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege and SeCreateSymbolicLinkPrivilege.
Suspicious use of SetWindowsHookEx (1 IoC)
Processes: iexplore.exe
- PID 2752 iexplore.exe
A hook installed from the injected browser process is consistent with the offline_keylogger = true setting in the extracted config.
Suspicious use of WriteProcessMemory (49 IoCs)
Processes: 4a05ce132b97e62e2d53803e7f89d02bd3c57424e62699aea43c098fc1455fa1_NeikiAnalytics.exe, cmd.exe, cmd.exe, winlogon.exe, iexplore.exe
Grouped by writer -> target (number of writes):
- PID 1860 4a05ce132b97e62e2d53803e7f89d02bd3c57424e62699aea43c098fc1455fa1_NeikiAnalytics.exe -> PID 2264 cmd.exe (4)
- PID 1860 4a05ce132b97e62e2d53803e7f89d02bd3c57424e62699aea43c098fc1455fa1_NeikiAnalytics.exe -> PID 2140 cmd.exe (4)
- PID 2264 cmd.exe -> PID 2660 attrib.exe (4)
- PID 2140 cmd.exe -> PID 2720 attrib.exe (4)
- PID 1860 4a05ce132b97e62e2d53803e7f89d02bd3c57424e62699aea43c098fc1455fa1_NeikiAnalytics.exe -> PID 2736 winlogon.exe (4)
- PID 2736 winlogon.exe -> PID 2752 iexplore.exe (6)
- PID 2752 iexplore.exe -> PID 2464 notepad.exe (23)
Every plain child spawn in this tree (cmd.exe, attrib.exe, winlogon.exe) shows the same four writes. The iexplore.exe target receives six writes from the same parent that also calls SetThreadContext on it, which is the process-hollowing pattern; the 23 writes into notepad.exe from the hollowed browser point to a second injection.
Views/modifies file attributes (1 TTP, 2 IoCs)
Processes: attrib.exe, attrib.exe
- PID 2660 attrib.exe
- PID 2720 attrib.exe
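The registry writes above are the part of this report worth re-checking by hand: the Winlogon UserInit tail, the firewall policy flip and the Run key that points at a system-process name. The Python below is an added example, not part of the sandbox report or of any DarkComet tooling. It normalises the NT-native key paths the sandbox prints, splits the comma-separated UserInit value and flags anything other than userinit.exe, flags EnableFirewall = 0, and flags Run-key entries whose target file name is a Windows system process. RegEvent, SAMPLE_EVENTS (transcribed from the tables above) and the SYSTEM_PROCESS_NAMES allowlist are the example's own constructions.

```python
"""Re-check the registry IoCs from the sandbox report above (added example).

RegEvent and SAMPLE_EVENTS are constructed from the report's signature tables;
they are not an export format of the sandbox.
"""
from __future__ import annotations

import ntpath
from dataclasses import dataclass

SAMPLE = "4a05ce132b97e62e2d53803e7f89d02bd3c57424e62699aea43c098fc1455fa1_NeikiAnalytics.exe"
WINLOGON_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
FIREWALL_KEY = (r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess"
                r"\Parameters\FirewallPolicy\StandardProfile")
RUN_KEY = (r"\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000"
           r"\Software\Microsoft\Windows\CurrentVersion\Run")

# Only userinit.exe belongs in Winlogon\Userinit; every extra entry runs at logon.
USERINIT_ALLOWED = {"userinit.exe"}
# Processes Windows starts itself (assumed list); none is ever a legitimate Run-key target.
SYSTEM_PROCESS_NAMES = {"winlogon.exe", "userinit.exe", "csrss.exe", "smss.exe",
                        "wininit.exe", "services.exe", "lsass.exe", "svchost.exe"}


@dataclass(frozen=True)
class RegEvent:
    process: str                  # image name of the writer, as the sandbox reports it
    op: str                       # "set" or "create"
    key: str                      # NT-native key path, e.g. \REGISTRY\MACHINE\...
    value_name: str | None = None
    data: str | None = None       # value data as a string, registry escaping removed


# Constructed from the report's IoC rows (one RegEvent per row).
SAMPLE_EVENTS = [
    RegEvent(SAMPLE, "set", WINLOGON_KEY, "UserInit",
             r"C:\Windows\system32\userinit.exe,C:\Windows\system32\winlogon.exe"),
    RegEvent("winlogon.exe", "set", FIREWALL_KEY, "EnableFirewall", "0"),
    RegEvent("winlogon.exe", "set", FIREWALL_KEY, "DisableNotifications", "0"),
    RegEvent("iexplore.exe", "create", FIREWALL_KEY),
    RegEvent("iexplore.exe", "set", FIREWALL_KEY, "EnableFirewall", "0"),
    RegEvent("iexplore.exe", "set", FIREWALL_KEY, "DisableNotifications", "0"),
    RegEvent("winlogon.exe", "create", FIREWALL_KEY),
    RegEvent(SAMPLE, "set", RUN_KEY, "winlogon", r"C:\Windows\system32\winlogon.exe"),
    RegEvent("winlogon.exe", "set", RUN_KEY, "winlogon", r"C:\Windows\system32\winlogon.exe"),
    RegEvent("iexplore.exe", "set", RUN_KEY, "winlogon", r"C:\Windows\system32\winlogon.exe"),
]


def normalize_key(key: str) -> str:
    """Rewrite NT-native paths to hive form: REGISTRY\\MACHINE -> HKLM, REGISTRY\\USER -> HKU."""
    parts = key.strip("\\").split("\\")
    if len(parts) < 2 or parts[0].upper() != "REGISTRY":
        return key
    hive = {"MACHINE": "HKLM", "USER": "HKU"}.get(parts[1].upper())
    return "\\".join([hive, *parts[2:]]) if hive else key


def userinit_extras(data: str) -> list[str]:
    """Entries of a comma-separated Userinit value other than userinit.exe."""
    entries = [e.strip() for e in data.split(",") if e.strip()]
    return [e for e in entries if ntpath.basename(e).lower() not in USERINIT_ALLOWED]


def triage(events: list[RegEvent]) -> list[str]:
    """One finding string per suspicious write; benign writes produce nothing."""
    findings: list[str] = []
    for ev in events:
        key = normalize_key(ev.key)
        low = key.lower()
        name = (ev.value_name or "").lower()
        if low.endswith("\\currentversion\\winlogon") and name == "userinit":
            extras = userinit_extras(ev.data or "")
            if extras:
                findings.append(f"winlogon-helper: Userinit gained {extras} (writer {ev.process})")
        elif "\\firewallpolicy\\" in low and name == "enablefirewall" and ev.data == "0":
            profile = key.rsplit("\\", 1)[-1]
            findings.append(f"firewall-disabled: {profile} (writer {ev.process})")
        elif low.endswith("\\currentversion\\run") and ev.data:
            target = ntpath.basename(ev.data.strip('"')).lower()
            if target in SYSTEM_PROCESS_NAMES:
                findings.append(f"run-key-masquerade: {ev.value_name} -> {ev.data} "
                                f"(writer {ev.process})")
    return findings


if __name__ == "__main__":
    for line in triage(SAMPLE_EVENTS):
        print(line)
```

Run against the transcribed events this yields six findings: one Winlogon helper entry, two firewall disables (Standard profile, written by winlogon.exe and by iexplore.exe) and three Run-key writes targeting winlogon.exe. The DisableNotifications and "Key created" rows produce nothing, which is the point of keeping the checks narrow: the same code run over a clean host's registry event log should stay silent.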
Processes
C:\Users\Admin\AppData\Local\Temp\4a05ce132b97e62e2d53803e7f89d02bd3c57424e62699aea43c098fc1455fa1_NeikiAnalytics.exe (PID 1860)
  command line: "C:\Users\Admin\AppData\Local\Temp\4a05ce132b97e62e2d53803e7f89d02bd3c57424e62699aea43c098fc1455fa1_NeikiAnalytics.exe"
  - Modifies WinLogon for persistence
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\cmd.exe (PID 2264)
    command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\4a05ce132b97e62e2d53803e7f89d02bd3c57424e62699aea43c098fc1455fa1_NeikiAnalytics.exe" +s +h
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\attrib.exe (PID 2660)
      command line: attrib "C:\Users\Admin\AppData\Local\Temp\4a05ce132b97e62e2d53803e7f89d02bd3c57424e62699aea43c098fc1455fa1_NeikiAnalytics.exe" +s +h
      - Sets file to hidden
      - Views/modifies file attributes
  C:\Windows\SysWOW64\cmd.exe (PID 2140)
    command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\attrib.exe (PID 2720)
      command line: attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
      - Sets file to hidden
      - Views/modifies file attributes
  C:\Windows\SysWOW64\winlogon.exe (PID 2736)
    command line: "C:\Windows\system32\winlogon.exe"
    - Modifies firewall policy service
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Program Files (x86)\Internet Explorer\iexplore.exe (PID 2752)
      command line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
      - Modifies firewall policy service
      - Adds Run key to start application
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\notepad.exe (PID 2464)
        command line: notepad
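The process tree carries three detectable patterns on its own: a binary named winlogon.exe running from the wrong directory under the wrong parent, a parent calling SetThreadContext on a differently named child it just created, and attrib +s +h aimed at the dropper's own file and folder. The Python below is an added example, not the sandbox's own logic, that encodes those three checks over a tree transcribed from the report (PROCS; parent PIDs taken from the WriteProcessMemory and SetThreadContext rows). The SYSTEM_IMAGES table of genuine locations and permitted parents is an assumption for Windows 7 and is the part to adapt for other OS versions.

```python
"""Process-tree checks for the sandbox report above (added example).

PROCS mirrors the report's tree; parent PIDs come from the WriteProcessMemory
and SetThreadContext rows. It is constructed input, not a sandbox export
format, and SYSTEM_IMAGES is an assumed table for Windows 7.
"""
from __future__ import annotations

import ntpath
import shlex
from dataclasses import dataclass

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\4a05ce132b97e62e2d53803e7f89d02bd3c57424e62699aea43c098fc1455fa1_NeikiAnalytics.exe")
TEMP_DIR = r"C:\Users\Admin\AppData\Local\Temp"


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    image: str      # full path of the image actually executed
    cmdline: str


PROCS = [
    Proc(1860, 0, SAMPLE, f'"{SAMPLE}"'),
    Proc(2264, 1860, r"C:\Windows\SysWOW64\cmd.exe",
         rf'"C:\Windows\System32\cmd.exe" /k attrib "{SAMPLE}" +s +h'),
    Proc(2660, 2264, r"C:\Windows\SysWOW64\attrib.exe", rf'attrib "{SAMPLE}" +s +h'),
    Proc(2140, 1860, r"C:\Windows\SysWOW64\cmd.exe",
         rf'"C:\Windows\System32\cmd.exe" /k attrib "{TEMP_DIR}" +s +h'),
    Proc(2720, 2140, r"C:\Windows\SysWOW64\attrib.exe", rf'attrib "{TEMP_DIR}" +s +h'),
    Proc(2736, 1860, r"C:\Windows\SysWOW64\winlogon.exe", r'"C:\Windows\system32\winlogon.exe"'),
    Proc(2752, 2736, r"C:\Program Files (x86)\Internet Explorer\iexplore.exe",
         r'"C:\Program Files (x86)\Internet Explorer\iexplore.exe"'),
    Proc(2464, 2752, r"C:\Windows\SysWOW64\notepad.exe", "notepad"),
]
# (parent, child) pairs from the "Suspicious use of SetThreadContext" row.
THREAD_CONTEXT = [(2736, 2752)]

# Genuine directory and permitted parent(s) of core session processes on Windows 7 (assumed).
SYSTEM_IMAGES = {
    "winlogon.exe": (r"c:\windows\system32", {"smss.exe"}),
    "userinit.exe": (r"c:\windows\system32", {"winlogon.exe"}),
    "csrss.exe":    (r"c:\windows\system32", {"smss.exe"}),
    "lsass.exe":    (r"c:\windows\system32", {"wininit.exe"}),
    "services.exe": (r"c:\windows\system32", {"wininit.exe"}),
}


def image_name(path: str) -> str:
    return ntpath.basename(path).lower()


def by_pid(procs: list[Proc]) -> dict[int, Proc]:
    return {p.pid: p for p in procs}


def masquerading(procs: list[Proc]) -> list[str]:
    """System-process names running from the wrong directory or under the wrong parent."""
    index = by_pid(procs)
    findings = []
    for p in procs:
        name = image_name(p.image)
        if name not in SYSTEM_IMAGES:
            continue
        expected_dir, expected_parents = SYSTEM_IMAGES[name]
        parent = index.get(p.ppid)
        parent_name = image_name(parent.image) if parent else "<unknown>"
        reasons = []
        if ntpath.dirname(p.image).lower() != expected_dir:
            reasons.append(f"runs from {ntpath.dirname(p.image)}")
        if parent_name not in expected_parents:
            reasons.append(f"parent is {parent_name} (pid {p.ppid})")
        if reasons:
            findings.append(f"pid {p.pid} {name}: " + "; ".join(reasons))
    return findings


def hollowing(procs: list[Proc], ctx_events: list[tuple[int, int]]) -> list[tuple[int, int]]:
    """A parent that sets the thread context of its own, differently named child."""
    index = by_pid(procs)
    hits = []
    for parent_pid, child_pid in ctx_events:
        parent, child = index.get(parent_pid), index.get(child_pid)
        if (parent and child and child.ppid == parent_pid
                and image_name(child.image) != image_name(parent.image)):
            hits.append((parent_pid, child_pid))
    return hits


def self_hiding(procs: list[Proc]) -> list[str]:
    """attrib +h applied to a running image, or to a directory that holds one."""
    images = {p.image.lower(): p.pid for p in procs}
    findings = []
    for p in procs:
        if image_name(p.image) != "attrib.exe":
            continue
        # posix=False keeps Windows backslashes intact; quotes are then stripped by hand.
        tokens = [t.strip('"') for t in shlex.split(p.cmdline, posix=False)]
        if "+h" not in tokens:
            continue
        for t in tokens[1:]:                      # tokens[0] is the program name
            if t.startswith(("+", "-")):          # attribute switches, not paths
                continue
            target = t.lower().rstrip("\\")
            if target in images:
                findings.append(f"pid {p.pid} hid the image of pid {images[target]}: {t}")
            elif any(img.startswith(target + "\\") for img in images):
                findings.append(f"pid {p.pid} hid a directory holding a running image: {t}")
    return findings


if __name__ == "__main__":
    print(masquerading(PROCS))
    print(hollowing(PROCS, THREAD_CONTEXT))
    print(self_hiding(PROCS))
```

On the transcribed tree, masquerading() flags PID 2736 for both reasons (SysWOW64 path, parent is the dropper rather than smss.exe), hollowing() returns the single (2736, 2752) pair, and self_hiding() reports the two attrib runs: one against the dropper's own image, one against the Temp directory that holds it. A genuine winlogon.exe in System32 under smss.exe produces no finding, which is the negative case worth keeping in any version of this check.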
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Downloads
\Windows\SysWOW64\winlogon.exe
  Filesize: 283KB
  MD5: d34affe27303efd466527f7e2580a950
  SHA1: 515522de0fc8f037c5f5800b1c1db784f5390b87
  SHA256: 4a05ce132b97e62e2d53803e7f89d02bd3c57424e62699aea43c098fc1455fa1
  SHA512: 930d9a31e7e141a8c4af56cac68fb5d0e676c8b2ddb7acc77334dde474f8eeb33ca4295983eb76f3e9d8e6b0890b79f5c647110286c9b17e7059b9ada8b9504f
  All four hashes match the submitted sample: the dropped winlogon.exe is a byte-for-byte self-copy, so the file hashes above are sufficient to find the installed copy on disk.

Memory dumps
- memory/1860-0-0x0000000000400000-0x00000000004C7000-memory.dmp: 796KB
- memory/1860-1-0x00000000003E0000-0x00000000003E1000-memory.dmp: 4KB
- memory/1860-13-0x0000000004480000-0x0000000004547000-memory.dmp: 796KB
- memory/1860-12-0x0000000004480000-0x0000000004547000-memory.dmp: 796KB
- memory/1860-59-0x0000000000400000-0x00000000004C7000-memory.dmp: 796KB
- memory/2464-20-0x0000000000080000-0x0000000000081000-memory.dmp: 4KB
- memory/2464-58-0x00000000001D0000-0x00000000001D1000-memory.dmp: 4KB
- memory/2736-15-0x0000000000400000-0x00000000004C7000-memory.dmp: 796KB
- memory/2736-19-0x0000000000400000-0x00000000004C7000-memory.dmp: 796KB
- memory/2752-17-0x0000000000400000-0x00000000004C7000-memory.dmp: 796KB