db2ac1a9475a243d6de8147c8082a86e2a6237870c4c61e00f02d198ed070583

General

Target

41c6927a623a6a5d3f8b365096124480_NeikiAnalytics.exe
Size

2.6MB
MD5

41c6927a623a6a5d3f8b365096124480
SHA1

bcb7d52997d28b917a306e5b83d45c362cf37f2c
SHA256

db2ac1a9475a243d6de8147c8082a86e2a6237870c4c61e00f02d198ed070583
SHA512

ea2aa7e0ae95663baae9d0f91747f8511b91be6b0a6db104d715971d34cac848f08daaec0db0e650b4a266007253d694b1dbd3dbd34378afa22de2d86511b247
SSDEEP

49152:+qe3f6aSzD7+H98AHaCfu6FCHCL+WuTmuKwEI:vSinD7E9vBunHCK5NKXI

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

41c6927a623a6a5d3f8b365096124480_NeikiAnalytics.tmp

pid process

2224 41c6927a623a6a5d3f8b365096124480_NeikiAnalytics.tmp

pid	process
2224	41c6927a623a6a5d3f8b365096124480_NeikiAnalytics.tmp

Loads dropped DLL 3 IoCs

Processes:

41c6927a623a6a5d3f8b365096124480_NeikiAnalytics.exe41c6927a623a6a5d3f8b365096124480_NeikiAnalytics.tmp

pid	process
2204	41c6927a623a6a5d3f8b365096124480_NeikiAnalytics.exe
2224	41c6927a623a6a5d3f8b365096124480_NeikiAnalytics.tmp
2224	41c6927a623a6a5d3f8b365096124480_NeikiAnalytics.tmp

Modifies system certificate store 2 TTPs 4 IoCs

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

41c6927a623a6a5d3f8b365096124480_NeikiAnalytics.tmp

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6	41c6927a623a6a5d3f8b365096124480_NeikiAnalytics.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 0f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	41c6927a623a6a5d3f8b365096124480_NeikiAnalytics.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 19000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca61d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e4090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f006700690065007300000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a92000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	41c6927a623a6a5d3f8b365096124480_NeikiAnalytics.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 040000000100000010000000a923759bba49366e31c2dbf2e766ba870f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca619000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	41c6927a623a6a5d3f8b365096124480_NeikiAnalytics.tmp

Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.

Processes:

description flow ioc

HTTP User-Agent header 3 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

41c6927a623a6a5d3f8b365096124480_NeikiAnalytics.tmp

pid process

2224 41c6927a623a6a5d3f8b365096124480_NeikiAnalytics.tmp

description	flow	ioc
HTTP User-Agent header	3	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

pid	process
2224	41c6927a623a6a5d3f8b365096124480_NeikiAnalytics.tmp

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

41c6927a623a6a5d3f8b365096124480_NeikiAnalytics.exe

description	pid	process	target process
PID 2204 wrote to memory of 2224	2204	41c6927a623a6a5d3f8b365096124480_NeikiAnalytics.exe	41c6927a623a6a5d3f8b365096124480_NeikiAnalytics.tmp
PID 2204 wrote to memory of 2224	2204	41c6927a623a6a5d3f8b365096124480_NeikiAnalytics.exe	41c6927a623a6a5d3f8b365096124480_NeikiAnalytics.tmp
PID 2204 wrote to memory of 2224	2204	41c6927a623a6a5d3f8b365096124480_NeikiAnalytics.exe	41c6927a623a6a5d3f8b365096124480_NeikiAnalytics.tmp
PID 2204 wrote to memory of 2224	2204	41c6927a623a6a5d3f8b365096124480_NeikiAnalytics.exe	41c6927a623a6a5d3f8b365096124480_NeikiAnalytics.tmp
PID 2204 wrote to memory of 2224	2204	41c6927a623a6a5d3f8b365096124480_NeikiAnalytics.exe	41c6927a623a6a5d3f8b365096124480_NeikiAnalytics.tmp
PID 2204 wrote to memory of 2224	2204	41c6927a623a6a5d3f8b365096124480_NeikiAnalytics.exe	41c6927a623a6a5d3f8b365096124480_NeikiAnalytics.tmp
PID 2204 wrote to memory of 2224	2204	41c6927a623a6a5d3f8b365096124480_NeikiAnalytics.exe	41c6927a623a6a5d3f8b365096124480_NeikiAnalytics.tmp

C:\Users\Admin\AppData\Local\Temp\41c6927a623a6a5d3f8b365096124480_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\41c6927a623a6a5d3f8b365096124480_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2204
- C:\Users\Admin\AppData\Local\Temp\is-QC02C.tmp\41c6927a623a6a5d3f8b365096124480_NeikiAnalytics.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-QC02C.tmp\41c6927a623a6a5d3f8b365096124480_NeikiAnalytics.tmp" /SL5="$30142,1785071,899584,C:\Users\Admin\AppData\Local\Temp\41c6927a623a6a5d3f8b365096124480_NeikiAnalytics.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies system certificate store
  - Suspicious use of SetWindowsHookEx
  PID:2224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
fda5c30fcfc34f4c9808c0dd5e1f0910

SHA1
87a38b57bfdc9bae7bf5a3a633d958da9761a4f7

SHA256
f214ba04dccbcb216dfeba2e90c24f49cb408a40068a535fa110336f26c4102a

SHA512
88940b9a7fa629d62cdec1bcc8037b50b1e8f339ac6f40f6f336e606829239f40e38ff2dc129782b69e84be1b31a4762db71d3be6b2cad4ed2b9195d92af7bd6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab3842.tmp

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar3854.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-8LVRE.tmp\loader.gif

Filesize
3KB

MD5
d35d95fc6bd8be33d3ce5da2630b90bd

SHA1
be2fb4098a151f6c77a85ce8c274a3054a61178b

SHA256
dfa608be394c8f6d19aff352185917720f04072ac0412a8cab1174fec4939c08

SHA512
078fa3cf9c08c8bdaa554a52b153a159f537de3ee0ba923d64928cdd99b4f2528b4eb229c1b2352b946ef417efd478b453588a6cda1afc91b374e709afc730e4

Download Submit
\Users\Admin\AppData\Local\Temp\is-8LVRE.tmp\botva2.dll

Filesize
37KB

MD5
67965a5957a61867d661f05ae1f4773e

SHA1
f14c0a4f154dc685bb7c65b2d804a02a0fb2360d

SHA256
450b9b0ba25bf068afbc2b23d252585a19e282939bf38326384ea9112dfd0105

SHA512
c6942818b9026dc5db2d62999d32cf99fe7289f79a28b8345af17acf9d13b2229a5e917a48ff1f6d59715bdbcb00c1625e0302abcfe10ca7e0475762e0a3f41b

Download Submit
\Users\Admin\AppData\Local\Temp\is-8LVRE.tmp\zbShieldUtils.dll

Filesize
2.0MB

MD5
e1f18a22199c6f6aa5d87b24e5b39ef1

SHA1
0dcd8f90b575f6f1d10d6789fe769fa26daafd0e

SHA256
62c56c8cf2ac6521ce047b73aa99b6d3952ca53f11d34b00e98d17674a2fc10d

SHA512
5a10a2f096adce6e7db3a40bc3ea3fd44d602966e606706ee5a780703f211de7f77656c79c296390baee1e008dc3ce327eaaf5d78bbae20108670c5bc809a190

Download Submit
\Users\Admin\AppData\Local\Temp\is-QC02C.tmp\41c6927a623a6a5d3f8b365096124480_NeikiAnalytics.tmp

Filesize
3.0MB

MD5
eaf2c9683c1424abb77a6104b339fda5

SHA1
82fe536dc66036a759f620003f324bc726192da0

SHA256
a2c20488f11814b0bb8eb471f364c58d8f16a34fb526b84ccb97d15b98450d9a

SHA512
49d9482bb2f41aa87654d22f3ffc31abed183ac68545cef87125de932cf745f8c68a31d17e142c4a4f0f21e2bf1edab8cda59ba2b1b1827f8c84837352196bf1

Download Submit
memory/2204-2-0x0000000000401000-0x00000000004B7000-memory.dmp

Filesize
728KB

Download
memory/2204-0-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/2204-131-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/2204-143-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/2224-8-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/2224-135-0x0000000007970000-0x000000000797F000-memory.dmp

Filesize
60KB

Download
memory/2224-141-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/2224-132-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads