Analysis
max time kernel: 123s
max time network: 122s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 22-05-2024 22:56

Static task: static1
Behavioral task: behavioral1
  Sample: 522180e84817741a0c25656cf714d660_NeikiAnalytics.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: 522180e84817741a0c25656cf714d660_NeikiAnalytics.exe
  Resource: win10v2004-20240508-en
General
Target: 522180e84817741a0c25656cf714d660_NeikiAnalytics.exe
Size: 7.4MB
MD5: 522180e84817741a0c25656cf714d660
SHA1: 45a74571ac938fcb21b38d786d7bfb8294f91de7
SHA256: 6978cca5313d7108e115c9c31bc11b0649ab159b8c6dbf48790bf0e9221dfd5f
SHA512: 47b5c70650ea79f5b8fff095a47256afbe1fe3ed44e33d63cafbb3eac02db3391c85e690176804cfe69211713edf93a89adec85ee1b087bbe5e3bb4127478119
SSDEEP: 196608:gMmD2mDc2mDMmD2mDe2mDMmD2mDc2mDMmD2mDe2mDMmD2mDc2mDMmD2mDe2mDMmA:5
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer (2 TTPs, 3 IoCs)
Processes: hosts.exe, 522180e84817741a0c25656cf714d660_NeikiAnalytics.exe, avscan.exe
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" (hosts.exe)
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" (522180e84817741a0c25656cf714d660_NeikiAnalytics.exe)
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" (avscan.exe)
Modifies visibility of hidden/system files in Explorer (2 TTPs, 3 IoCs)
Processes: 522180e84817741a0c25656cf714d660_NeikiAnalytics.exe, avscan.exe, hosts.exe
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (522180e84817741a0c25656cf714d660_NeikiAnalytics.exe)
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (avscan.exe)
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (hosts.exe)
Adds policy Run key to start application (2 TTPs, 6 IoCs)
Processes: WScript.exe, WScript.exe, WScript.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (WScript.exe)
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\PUMARTNR = "W_X_C.bat" (WScript.exe)
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (WScript.exe)
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\PUMARTNR = "W_X_C.bat" (WScript.exe)
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (WScript.exe)
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\PUMARTNR = "W_X_C.bat" (WScript.exe)
Executes dropped EXE (6 IoCs)
Processes (pid, process): 2440 avscan.exe; 2608 avscan.exe; 1280 hosts.exe; 2632 hosts.exe; 2540 avscan.exe; 2240 hosts.exe
Loads dropped DLL (5 IoCs)
Processes (pid, process): 2416 522180e84817741a0c25656cf714d660_NeikiAnalytics.exe; 2416 522180e84817741a0c25656cf714d660_NeikiAnalytics.exe; 2440 avscan.exe; 1280 hosts.exe; 1280 hosts.exe
Adds Run key to start application (2 TTPs, 3 IoCs)
Processes: 522180e84817741a0c25656cf714d660_NeikiAnalytics.exe, avscan.exe, hosts.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe" (522180e84817741a0c25656cf714d660_NeikiAnalytics.exe)
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe" (avscan.exe)
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe" (hosts.exe)
Drops file in Windows directory (5 IoCs)
Processes: avscan.exe, hosts.exe, 522180e84817741a0c25656cf714d660_NeikiAnalytics.exe
File opened for modification C:\Windows\hosts.exe (avscan.exe)
File opened for modification C:\Windows\hosts.exe (hosts.exe)
File created C:\windows\W_X_C.vbs (522180e84817741a0c25656cf714d660_NeikiAnalytics.exe)
File created \??\c:\windows\W_X_C.bat (522180e84817741a0c25656cf714d660_NeikiAnalytics.exe)
File opened for modification C:\Windows\hosts.exe (522180e84817741a0c25656cf714d660_NeikiAnalytics.exe)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry key (1 TTPs, 9 IoCs)
Processes (pid, process): 2496 REG.exe; 1660 REG.exe; 2880 REG.exe; 1288 REG.exe; 1672 REG.exe; 988 REG.exe; 1484 REG.exe; 2832 REG.exe; 936 REG.exe
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
Processes (pid, process): 2440 avscan.exe; 1280 hosts.exe
Suspicious use of SetWindowsHookEx (7 IoCs)
Processes (pid, process): 2416 522180e84817741a0c25656cf714d660_NeikiAnalytics.exe; 2440 avscan.exe; 2608 avscan.exe; 1280 hosts.exe; 2632 hosts.exe; 2540 avscan.exe; 2240 hosts.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes: 522180e84817741a0c25656cf714d660_NeikiAnalytics.exe, avscan.exe, cmd.exe, cmd.exe, hosts.exe, cmd.exe
Each parent/child pair below is logged four times in the report (16 pairs, 64 entries); the count is given once per pair.
PID 2416 wrote to memory of 1288: 522180e84817741a0c25656cf714d660_NeikiAnalytics.exe -> REG.exe (x4)
PID 2416 wrote to memory of 2440: 522180e84817741a0c25656cf714d660_NeikiAnalytics.exe -> avscan.exe (x4)
PID 2440 wrote to memory of 2608: avscan.exe -> avscan.exe (x4)
PID 2440 wrote to memory of 2740: avscan.exe -> cmd.exe (x4)
PID 2416 wrote to memory of 2876: 522180e84817741a0c25656cf714d660_NeikiAnalytics.exe -> cmd.exe (x4)
PID 2876 wrote to memory of 1280: cmd.exe -> hosts.exe (x4)
PID 2740 wrote to memory of 2632: cmd.exe -> hosts.exe (x4)
PID 1280 wrote to memory of 2540: hosts.exe -> avscan.exe (x4)
PID 1280 wrote to memory of 2572: hosts.exe -> cmd.exe (x4)
PID 2572 wrote to memory of 2240: cmd.exe -> hosts.exe (x4)
PID 2572 wrote to memory of 1796: cmd.exe -> WScript.exe (x4)
PID 2876 wrote to memory of 1696: cmd.exe -> WScript.exe (x4)
PID 2740 wrote to memory of 1972: cmd.exe -> WScript.exe (x4)
PID 2440 wrote to memory of 1672: avscan.exe -> REG.exe (x4)
PID 1280 wrote to memory of 2832: hosts.exe -> REG.exe (x4)
PID 2440 wrote to memory of 988: avscan.exe -> REG.exe (x4)
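The registry and file signatures above map directly onto host telemetry. What follows is an added example, not part of the sandbox report and not a vendor rule set: six rules expressed over Sysmon-style events (EventID 1 process create, EventID 11 file create, EventID 13 registry value set; Sysmon writes HKU/HKLM where the report shows \REGISTRY\USER and \REGISTRY\MACHINE). The event records are constructed by hand to mirror the IoCs in this report and include three benign controls; the rule names, the three-rule threshold in verdict() and the control events are assumptions made for the demonstration.

```python
"""Behaviour rules for the IoCs in the report above, evaluated over
constructed Sysmon-style events. Added example; not sandbox or vendor code."""
import re

# Registry paths from the report. Sysmon reports them under HKU / HKLM.
HIDE_EXT = re.compile(r"\\Explorer\\Advanced\\HideFileExt$", re.I)
SUPER_HIDDEN = re.compile(r"\\Explorer\\Advanced\\ShowSuperHidden$", re.I)
POLICY_RUN = re.compile(r"\\Policies\\Explorer\\Run\\[^\\]+$", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\[^\\]+$", re.I)
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
SAFEBOOT_DELETE = re.compile(
    r"\breg(?:\.exe)?\s+delete\s+HKLM\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\b", re.I)
SCRIPT_IN_WINDIR = re.compile(r"^C:\\Windows\\[^\\]+\.(?:bat|vbs)$", re.I)


def _reg_set(ev, key_re, details=None):
    """EventID 13 (registry value set) whose key matches key_re and, if given, Details."""
    return (ev.get("EventID") == 13
            and key_re.search(ev.get("TargetObject", "")) is not None
            and (details is None or ev.get("Details") == details))


RULES = {
    # HideFileExt = 1: Explorer shows "hosts" instead of "hosts.exe".
    "explorer_hide_file_ext": lambda ev: _reg_set(ev, HIDE_EXT, "DWORD (0x00000001)"),
    # ShowSuperHidden = 0: protected operating-system files are hidden again.
    "explorer_hide_super_hidden": lambda ev: _reg_set(ev, SUPER_HIDDEN, "DWORD (0x00000000)"),
    # Policies\Explorer\Run entries start at logon but are missed by casual Run-key checks.
    "policy_run_persistence": lambda ev: _reg_set(ev, POLICY_RUN),
    # A Run entry whose target lives in the user's Temp directory.
    "run_key_from_temp": lambda ev: (_reg_set(ev, RUN_KEY)
                                     and TEMP_DIR.search(ev.get("Details", "")) is not None),
    # reg.exe deleting the SafeBoot key removes the Safe Mode driver/service lists.
    "safeboot_key_deleted": lambda ev: (ev.get("EventID") == 1
                                        and SAFEBOOT_DELETE.search(ev.get("CommandLine", "")) is not None),
    # A .bat/.vbs created directly under C:\Windows (EventID 11, file create).
    "script_dropped_in_windir": lambda ev: (ev.get("EventID") == 11
                                            and SCRIPT_IN_WINDIR.match(ev.get("TargetFilename", "")) is not None),
}


def evaluate(events):
    """Map each rule that fired to the sorted, distinct images that triggered it."""
    hits = {}
    for ev in events:
        for name, pred in RULES.items():
            if pred(ev):
                hits.setdefault(name, set()).add(ev.get("Image", "?"))
    return {name: sorted(images) for name, images in hits.items()}


def verdict(hits, threshold=3):
    """One rule alone can fire on admin activity; several together rarely do (threshold is an assumption)."""
    return "suspicious" if len(hits) >= threshold else "clean"


# Constructed events mirroring the report's IoCs (not real telemetry); the last three are benign controls.
HKU_ADV = r"HKU\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\522180e84817741a0c25656cf714d660_NeikiAnalytics.exe"
AVSCAN = r"C:\Users\Admin\AppData\Local\Temp\avscan.exe"
HOSTS = r"C:\windows\hosts.exe"
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": SAMPLE, "TargetObject": HKU_ADV + r"\HideFileExt", "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "Image": AVSCAN, "TargetObject": HKU_ADV + r"\ShowSuperHidden", "Details": "DWORD (0x00000000)"},
    {"EventID": 13, "Image": r"C:\Windows\SysWOW64\WScript.exe", "Details": "W_X_C.bat",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\PUMARTNR"},
    {"EventID": 13, "Image": HOSTS, "Details": AVSCAN,
     "TargetObject": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan"},
    {"EventID": 1, "Image": r"C:\Windows\SysWOW64\REG.exe",
     "CommandLine": r"REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f"},
    {"EventID": 11, "Image": SAMPLE, "TargetFilename": r"C:\Windows\W_X_C.vbs"},
    # Benign: a user re-enabling extensions, an installer's Run key, a script saved in Documents.
    {"EventID": 13, "Image": r"C:\Windows\explorer.exe", "TargetObject": HKU_ADV + r"\HideFileExt", "Details": "DWORD (0x00000000)"},
    {"EventID": 13, "Image": r"C:\Windows\System32\msiexec.exe", "Details": r"C:\Program Files\Vendor\updater.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorUpdater"},
    {"EventID": 11, "Image": r"C:\Windows\System32\notepad.exe", "TargetFilename": r"C:\Users\Admin\Documents\build.bat"},
]
BENIGN_EVENTS = SAMPLE_EVENTS[6:]

if __name__ == "__main__":
    for name, images in evaluate(SAMPLE_EVENTS).items():
        print(f"{name}: {', '.join(images)}")
    print("verdict:", verdict(evaluate(SAMPLE_EVENTS)), "/ controls:", verdict(evaluate(BENIGN_EVENTS)))
```

The two Explorer rules are keyed on the value as well as the path, so a user turning extensions back on (HideFileExt = 0) does not fire them; the Run-key rule fires only when the target is under Temp, which is what separates the report's avscan entry from an ordinary installer's.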
Processes
[1] C:\Users\Admin\AppData\Local\Temp\522180e84817741a0c25656cf714d660_NeikiAnalytics.exe
    cmd: "C:\Users\Admin\AppData\Local\Temp\522180e84817741a0c25656cf714d660_NeikiAnalytics.exe"
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\SysWOW64\REG.exe
      cmd: REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
      - Modifies registry key
  [2] C:\Users\Admin\AppData\Local\Temp\avscan.exe
      cmd: C:\Users\Admin\AppData\Local\Temp\avscan.exe
      - Modifies visibility of file extensions in Explorer
      - Modifies visibility of hidden/system files in Explorer
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Drops file in Windows directory
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Local\Temp\avscan.exe
        cmd: C:\Users\Admin\AppData\Local\Temp\avscan.exe
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx
    [3] C:\Windows\SysWOW64\cmd.exe
        cmd: cmd /c c:\windows\W_X_C.bat
        - Suspicious use of WriteProcessMemory
      [4] C:\windows\hosts.exe
          cmd: C:\windows\hosts.exe
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx
      [4] C:\Windows\SysWOW64\WScript.exe
          cmd: "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
          - Adds policy Run key to start application
    [3] C:\Windows\SysWOW64\REG.exe
        cmd: REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        - Modifies registry key
    [3] C:\Windows\SysWOW64\REG.exe
        cmd: REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        - Modifies registry key
    [3] C:\Windows\SysWOW64\REG.exe
        cmd: REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        - Modifies registry key
    [3] C:\Windows\SysWOW64\REG.exe
        cmd: REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        - Modifies registry key
  [2] C:\Windows\SysWOW64\cmd.exe
      cmd: cmd /c c:\windows\W_X_C.bat
      - Suspicious use of WriteProcessMemory
    [3] C:\windows\hosts.exe
        cmd: C:\windows\hosts.exe
        - Modifies visibility of file extensions in Explorer
        - Modifies visibility of hidden/system files in Explorer
        - Executes dropped EXE
        - Loads dropped DLL
        - Adds Run key to start application
        - Drops file in Windows directory
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
      [4] C:\Users\Admin\AppData\Local\Temp\avscan.exe
          cmd: C:\Users\Admin\AppData\Local\Temp\avscan.exe
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx
      [4] C:\Windows\SysWOW64\cmd.exe
          cmd: cmd /c c:\windows\W_X_C.bat
          - Suspicious use of WriteProcessMemory
        [5] C:\windows\hosts.exe
            cmd: C:\windows\hosts.exe
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
        [5] C:\Windows\SysWOW64\WScript.exe
            cmd: "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
            - Adds policy Run key to start application
      [4] C:\Windows\SysWOW64\REG.exe
          cmd: REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
          - Modifies registry key
      [4] C:\Windows\SysWOW64\REG.exe
          cmd: REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
          - Modifies registry key
      [4] C:\Windows\SysWOW64\REG.exe
          cmd: REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
          - Modifies registry key
      [4] C:\Windows\SysWOW64\REG.exe
          cmd: REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
          - Modifies registry key
    [3] C:\Windows\SysWOW64\WScript.exe
        cmd: "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
        - Adds policy Run key to start application
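The process tree is what the "Suspicious use of WriteProcessMemory" entries encode, one parent/child pair per entry. The following is an added example, not part of the report, that rebuilds the tree and a process's lineage from those entries. The excerpt embedded in the code is transcribed from the report's entries (the sandbox logs each pair four times; the repetition is kept only for the first pair to show that the parser collapses it); the function names are assumptions of this example.

```python
"""Rebuild the process tree from sandbox "wrote to memory" entries. Added example."""
import re
from collections import Counter, defaultdict

# Entries copied from the report's WriteProcessMemory list (first pair kept with its 4 repeats).
REPORT_EXCERPT = """
PID 2416 wrote to memory of 1288 2416 522180e84817741a0c25656cf714d660_NeikiAnalytics.exe REG.exe
PID 2416 wrote to memory of 1288 2416 522180e84817741a0c25656cf714d660_NeikiAnalytics.exe REG.exe
PID 2416 wrote to memory of 1288 2416 522180e84817741a0c25656cf714d660_NeikiAnalytics.exe REG.exe
PID 2416 wrote to memory of 1288 2416 522180e84817741a0c25656cf714d660_NeikiAnalytics.exe REG.exe
PID 2416 wrote to memory of 2440 2416 522180e84817741a0c25656cf714d660_NeikiAnalytics.exe avscan.exe
PID 2440 wrote to memory of 2608 2440 avscan.exe avscan.exe
PID 2440 wrote to memory of 2740 2440 avscan.exe cmd.exe
PID 2416 wrote to memory of 2876 2416 522180e84817741a0c25656cf714d660_NeikiAnalytics.exe cmd.exe
PID 2876 wrote to memory of 1280 2876 cmd.exe hosts.exe
PID 2740 wrote to memory of 2632 2740 cmd.exe hosts.exe
PID 1280 wrote to memory of 2540 1280 hosts.exe avscan.exe
PID 1280 wrote to memory of 2572 1280 hosts.exe cmd.exe
PID 2572 wrote to memory of 2240 2572 cmd.exe hosts.exe
PID 2572 wrote to memory of 1796 2572 cmd.exe WScript.exe
PID 2876 wrote to memory of 1696 2876 cmd.exe WScript.exe
PID 2740 wrote to memory of 1972 2740 cmd.exe WScript.exe
PID 2440 wrote to memory of 1672 2440 avscan.exe REG.exe
PID 1280 wrote to memory of 2832 1280 hosts.exe REG.exe
PID 2440 wrote to memory of 988 2440 avscan.exe REG.exe
"""

# "PID <src> wrote to memory of <dst> <src> <src image> <dst image>"; the second PID repeats the source.
WPM_RE = re.compile(
    r"PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) (?P<src_name>\S+) (?P<dst_name>\S+)")


def parse_wpm(text):
    """One edge per (parent pid, child pid) with the number of times the sandbox logged it."""
    edges = {}
    for m in WPM_RE.finditer(text):
        key = (int(m["src"]), int(m["dst"]))
        if key in edges:
            edges[key]["count"] += 1
        else:
            edges[key] = {"src": m["src_name"], "dst": m["dst_name"], "count": 1}
    return edges


def build_tree(edges):
    """Children per pid (in log order), pid -> image name, and the pids with no logged parent."""
    children, names = defaultdict(list), {}
    for (src, dst), info in edges.items():
        children[src].append(dst)
        names[src], names[dst] = info["src"], info["dst"]
    spawned = {dst for _, dst in edges}
    roots = sorted({src for src, _ in edges if src not in spawned})
    return children, names, roots


def render(children, names, pid, depth=0, out=None):
    """Indented tree lines, two spaces per level, starting at pid."""
    out = [] if out is None else out
    out.append("  " * depth + f"{names[pid]} (pid {pid})")
    for child in children.get(pid, []):
        render(children, names, child, depth + 1, out)
    return out


def lineage(edges, pid):
    """Ancestry from pid up to the root, e.g. the deepest hosts.exe back to the sample."""
    parent = {dst: src for src, dst in edges}
    chain = [pid]
    while chain[-1] in parent:
        chain.append(parent[chain[-1]])
    return chain


def image_counts(names):
    """How many distinct pids each image name accounts for."""
    return Counter(names.values())


if __name__ == "__main__":
    edges = parse_wpm(REPORT_EXCERPT)
    children, names, roots = build_tree(edges)
    for root in roots:
        print("\n".join(render(children, names, root)))
    print(" <- ".join(str(p) for p in lineage(edges, 2240)))
    print(dict(image_counts(names)))
```

Only four of the nine REG.exe instances from "Modifies registry key" appear in the counts, because the report's WriteProcessMemory list stops at 64 entries; when a sandbox caps an IoC list, the tree it yields is a lower bound, not the full picture.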
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
C:\Users\Admin\AppData\Local\Temp\Admin.bmp
  Filesize: 14.8MB
  MD5: e0d45e215d52cfee1789563a18f03f25
  SHA1: 598fd3748c38285729e016264f7d892664c40e3e
  SHA256: e594185f99fc97cc74480ca0493722b1c2b6b9a79ea7c13f5d5031579688e856
  SHA512: 57c5c2fb31a71ab1fd418cd3db1491651cf700a0000b68d89eaa0388ce6d52852c1c2a6f8cd0292b494e2b007ee5a9d635fd33d0e7ab3d10da214d5927b6606e

C:\Users\Admin\AppData\Local\Temp\Admin.bmp
  Filesize: 22.2MB
  MD5: fe286700fbdf815922f710bc0f874e75
  SHA1: fc72cdf46e42c9276be28ed2e67e71e703cf6418
  SHA256: 923e8af3dc6406c31e96b1fdef9fff7d0c4d35d6efe7d43e1fd319d4cedc26b9
  SHA512: b5d9606fbd9ed04d26d59fbedb97ee4a9788e647ccfc1aa80bb9df4c48f99b0e254557e30c5a2f43e43355b5b1bb13a5ffbccf97c3653105929d18d6b54b87de

C:\Users\Admin\AppData\Local\Temp\Admin.bmp
  Filesize: 29.6MB
  MD5: 67c572605b07260aca3d55170b8b0622
  SHA1: 5e609a9e8113f880fae4dba5d9c7ee156c0f71ef
  SHA256: 3f8af11db1a71be1a316bea3766a95ef4a2eb061d5327ace39e85c9340a540fa
  SHA512: 0529a2dae3dd1cb9d15eac4996832d8c7571f0e57616527b83010dabe1c50e7fe9f134b5b97727c01416b2570639f4a5f321de42952c46aab502c32609bd0960

C:\Users\Admin\AppData\Local\Temp\Admin.bmp
  Filesize: 37.0MB
  MD5: d280cb88478dde1fc1f85ad94d122e53
  SHA1: 6ae369782fa20d02d3984b618e9c77ebdc11cc40
  SHA256: 088dc1ce607b6743bdac253aa4fcee1c46902422e0dd5f7c84f83b44ab0a2006
  SHA512: fc79c4b5f971d1198691a257f57e0e112f6f3dcc8e531442763fc9ba4f69701ab11bc41fd89a3d0935c1d1ae59258613c38b11124296fd9f40ce97091a22dcb0

C:\Users\Admin\AppData\Local\Temp\Admin.bmp
  Filesize: 44.4MB
  MD5: e328c8439852f22f06cf95091d920791
  SHA1: fcd8c774292f9675caa434dae3a2a54706b7bb63
  SHA256: 5ed162e4ea531ff9cf11d85dc00865fdd96ce4c8f9d81c84756f2890eabed2b1
  SHA512: d2669ff37a2ff87839fd806cc96df91a094a9c7d4da90f5703d0359ed1e1844a53f99b788c2349487bf9f85dcaae1a932196fd92b171c77feaa5a2b146148a85

C:\Users\Admin\AppData\Local\Temp\Admin.bmp
  Filesize: 51.8MB
  MD5: 135393370e55a53ee5ff80ee9452aa9f
  SHA1: c036cdc2df762e69ea41b3fbcd7c8bd5c4025867
  SHA256: 40e99073e1071782702acd137d406d0e874953f79a37d51033d16c480f2052e8
  SHA512: 35afd76fb50924e72ce6bb5f2d9ac53167a985a5159116d547254ac0b2e5078a0b1b199017d99e0acdcfc1123aebeb9661f9e8beb86279023a5ebac0d9a90259

C:\Windows\W_X_C.vbs
  Filesize: 195B
  MD5: 2df57aa4500f46404a04cee9c40b1d64
  SHA1: 7cd4269994ddf8cc7a2de4b7ad1efcee00355501
  SHA256: a65ee8d770c67855f508271036ab2d35394ce6cecd0e6d31b7be17bf8c6f0749
  SHA512: eb205a059c086f048035ef6f21de8af577c482c9f6724f6ef991b44528a1a57939064d1930c72ba0a399004378671ac7c62634066240d9dfe168a1c73b51ec38

C:\Windows\hosts.exe
  Filesize: 7.4MB
  MD5: 2dc04e94078c9c513fb3d3c1ff6902b7
  SHA1: b1925ea099a021df43380dd39bbaebc0c8b429a9
  SHA256: ed46c3b93e0f162a361a8e2b1317037f327d1c839a0fad180852336a2bb3a222
  SHA512: ef97c2fd164c9d8ea5c25a15d044f2683d5742a3607c0607bd964a5a35bc24b11f67ff7165476c673d5f402a8f02bd4e8e7828ec42b527ae0371fc2f02756393

\??\c:\windows\W_X_C.bat
  Filesize: 336B
  MD5: 4db9f8b6175722b62ececeeeba1ce307
  SHA1: 3b3ba8414706e72a6fa19e884a97b87609e11e47
  SHA256: d2150b9e5a4ce55e140f0ca91c4e300715d42095c8fddf58c77037cdd2cfaf78
  SHA512: 1d6dc274cf7a3dd704f840e6a5ad57ab4c4e35d5f09489aeff520bb797e1c825bac53fc335156fe41e767a46520d031855fe42fe7b175409ebe5e9e986fb9b8b

\Users\Admin\AppData\Local\Temp\avscan.exe
  Filesize: 7.4MB
  MD5: 13742e91b0756b3745aa52cbc4e536d5
  SHA1: 8d97d2aa0a817ea3391a91af4bc957b2f9b6b745
  SHA256: 7bd3486cb637eccb29d01ebc65774465c220769ba91ea3efdf67c3f217d05919
  SHA512: d2f7fb05de642906a280b3e7cad8da33fd505dc049fcc9b486d9916a282cfe8ab78edd9e7d45243943eebab6b5479ac901381651c7fcf9c95d0373a6f72bb239

memory/2240-75-0x0000000000220000-0x0000000000230000-memory.dmp
  Filesize: 64KB

memory/2240-74-0x0000000000220000-0x0000000000230000-memory.dmp
  Filesize: 64KB