Analysis
max time kernel: 138s
max time network: 108s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22-05-2024 22:56
Static task: static1
Behavioral task: behavioral1
  Sample: 522180e84817741a0c25656cf714d660_NeikiAnalytics.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: 522180e84817741a0c25656cf714d660_NeikiAnalytics.exe
  Resource: win10v2004-20240508-en
General
Target: 522180e84817741a0c25656cf714d660_NeikiAnalytics.exe
Size: 7.4MB
MD5: 522180e84817741a0c25656cf714d660
SHA1: 45a74571ac938fcb21b38d786d7bfb8294f91de7
SHA256: 6978cca5313d7108e115c9c31bc11b0649ab159b8c6dbf48790bf0e9221dfd5f
SHA512: 47b5c70650ea79f5b8fff095a47256afbe1fe3ed44e33d63cafbb3eac02db3391c85e690176804cfe69211713edf93a89adec85ee1b087bbe5e3bb4127478119
SSDEEP: 196608:gMmD2mDc2mDMmD2mDe2mDMmD2mDc2mDMmD2mDe2mDMmD2mDc2mDMmD2mDe2mDMmA:5
Malware Config
Signatures
Modifies visibility of file extensions in Explorer (2 TTPs, 3 IoCs)
Description | IoC | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | 522180e84817741a0c25656cf714d660_NeikiAnalytics.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | avscan.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | hosts.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 3 IoCs)
Description | IoC | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | 522180e84817741a0c25656cf714d660_NeikiAnalytics.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | avscan.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | hosts.exe
Adds policy Run key to start application (2 TTPs, 6 IoCs)
Description | IoC | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | WScript.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\BVRKIPTS = "W_X_C.bat" | WScript.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | WScript.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\BVRKIPTS = "W_X_C.bat" | WScript.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | WScript.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\BVRKIPTS = "W_X_C.bat" | WScript.exe
Checks computer location settings (2 TTPs, 3 IoCs)
Looks up country code configured in the registry, likely geofence.
Description | IoC | Process
Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | cmd.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | cmd.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | cmd.exe
Executes dropped EXE (6 IoCs)
PID | Process
4968 | avscan.exe
2440 | avscan.exe
4428 | hosts.exe
740 | hosts.exe
368 | avscan.exe
1672 | hosts.exe
Adds Run key to start application (2 TTPs, 3 IoCs)
Description | IoC | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe" | 522180e84817741a0c25656cf714d660_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe" | avscan.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe" | hosts.exe
Drops file in Windows directory (5 IoCs)
Description | IoC | Process
File opened for modification | C:\Windows\hosts.exe | avscan.exe
File opened for modification | C:\Windows\hosts.exe | hosts.exe
File created | C:\windows\W_X_C.vbs | 522180e84817741a0c25656cf714d660_NeikiAnalytics.exe
File created | \??\c:\windows\W_X_C.bat | 522180e84817741a0c25656cf714d660_NeikiAnalytics.exe
File opened for modification | C:\Windows\hosts.exe | 522180e84817741a0c25656cf714d660_NeikiAnalytics.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Modifies registry class (4 IoCs)
Description | IoC | Process
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings | 522180e84817741a0c25656cf714d660_NeikiAnalytics.exe
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings | cmd.exe
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings | cmd.exe
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings | cmd.exe
Modifies registry key (1 TTPs, 9 IoCs)
PID | Process
2952 | REG.exe
2360 | REG.exe
3604 | REG.exe
2624 | REG.exe
4500 | REG.exe
1204 | REG.exe
1068 | REG.exe
5024 | REG.exe
2932 | REG.exe
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
PID | Process
4968 | avscan.exe
4428 | hosts.exe
Suspicious use of SetWindowsHookEx (7 IoCs)
PID | Process
3352 | 522180e84817741a0c25656cf714d660_NeikiAnalytics.exe
4968 | avscan.exe
2440 | avscan.exe
4428 | hosts.exe
740 | hosts.exe
368 | avscan.exe
1672 | hosts.exe
Suspicious use of WriteProcessMemory (63 IoCs)
Each write below is reported three times in the raw log; the 21 distinct source/target pairs are listed once.
Source PID | Source process | Target PID | Target process
3352 | 522180e84817741a0c25656cf714d660_NeikiAnalytics.exe | 1068 | REG.exe
3352 | 522180e84817741a0c25656cf714d660_NeikiAnalytics.exe | 4968 | avscan.exe
4968 | avscan.exe | 2440 | avscan.exe
4968 | avscan.exe | 4216 | cmd.exe
3352 | 522180e84817741a0c25656cf714d660_NeikiAnalytics.exe | 4588 | cmd.exe
4216 | cmd.exe | 4428 | hosts.exe
4588 | cmd.exe | 740 | hosts.exe
4428 | hosts.exe | 368 | avscan.exe
4216 | cmd.exe | 4740 | WScript.exe
4588 | cmd.exe | 4596 | WScript.exe
4428 | hosts.exe | 4868 | cmd.exe
4868 | cmd.exe | 1672 | hosts.exe
4868 | cmd.exe | 1956 | WScript.exe
4968 | avscan.exe | 5024 | REG.exe
4428 | hosts.exe | 2952 | REG.exe
4968 | avscan.exe | 2360 | REG.exe
4428 | hosts.exe | 3604 | REG.exe
4968 | avscan.exe | 2932 | REG.exe
4428 | hosts.exe | 2624 | REG.exe
4968 | avscan.exe | 4500 | REG.exe
4428 | hosts.exe | 1204 | REG.exe
Processes
Process tree (indentation shows parent/child depth; each entry gives the image path, then the command line, then the signatures triggered by that process):

C:\Users\Admin\AppData\Local\Temp\522180e84817741a0c25656cf714d660_NeikiAnalytics.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\522180e84817741a0c25656cf714d660_NeikiAnalytics.exe"
  - Modifies visibility of file extensions in Explorer
  - Modifies visibility of hidden/system files in Explorer
  - Adds Run key to start application
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\REG.exe
    Command line: REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    - Modifies registry key

  C:\Users\Admin\AppData\Local\Temp\avscan.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\avscan.exe
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\avscan.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\avscan.exe
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx

    C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c c:\windows\W_X_C.bat
      - Checks computer location settings
      - Modifies registry class
      - Suspicious use of WriteProcessMemory

      C:\windows\hosts.exe
        Command line: C:\windows\hosts.exe
        - Modifies visibility of file extensions in Explorer
        - Modifies visibility of hidden/system files in Explorer
        - Executes dropped EXE
        - Adds Run key to start application
        - Drops file in Windows directory
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\avscan.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\avscan.exe
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx

        C:\Windows\SysWOW64\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /c c:\windows\W_X_C.bat
          - Checks computer location settings
          - Modifies registry class
          - Suspicious use of WriteProcessMemory

          C:\windows\hosts.exe
            Command line: C:\windows\hosts.exe
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx

          C:\Windows\SysWOW64\WScript.exe
            Command line: "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
            - Adds policy Run key to start application

        C:\Windows\SysWOW64\REG.exe
          Command line: REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
          - Modifies registry key

        C:\Windows\SysWOW64\REG.exe
          Command line: REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
          - Modifies registry key

        C:\Windows\SysWOW64\REG.exe
          Command line: REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
          - Modifies registry key

        C:\Windows\SysWOW64\REG.exe
          Command line: REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
          - Modifies registry key

      C:\Windows\SysWOW64\WScript.exe
        Command line: "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
        - Adds policy Run key to start application

    C:\Windows\SysWOW64\REG.exe
      Command line: REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
      - Modifies registry key

    C:\Windows\SysWOW64\REG.exe
      Command line: REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
      - Modifies registry key

    C:\Windows\SysWOW64\REG.exe
      Command line: REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
      - Modifies registry key

    C:\Windows\SysWOW64\REG.exe
      Command line: REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
      - Modifies registry key

  C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c c:\windows\W_X_C.bat
    - Checks computer location settings
    - Modifies registry class
    - Suspicious use of WriteProcessMemory

    C:\windows\hosts.exe
      Command line: C:\windows\hosts.exe
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx

    C:\Windows\SysWOW64\WScript.exe
      Command line: "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
      - Adds policy Run key to start application

C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
C:\Users\Admin\AppData\Local\Temp\avscan.exe
  Filesize: 7.4MB
  MD5: d26135f73a9b32c77529cf2c42775429
  SHA1: c0be573ee96619bd536f28b594f7fd66e205f2c5
  SHA256: bae2376c2ef00c9b1784f03b2bcc1b6978bee236a26e8ca8ece2de8223ce4ee8
  SHA512: bf7fe599f66fc0c20116b1f09e70aa6b434bedf1b8ed619646933edb9f96d86c75f06940f1ba9557c9e0a6454b48dcca1e2d3f0e84631ce0ca46df501e338e51

C:\Windows\W_X_C.vbs
  Filesize: 195B
  MD5: 2bf5a187f48b0e3c967d35345b39cf75
  SHA1: 5dc7cfa3b9818baa039314fd49d38825a88f30f2
  SHA256: 9676e777e8eec50aa91525d3c0ed7c17047ddf363cb28a83a474c2840cd4c7b1
  SHA512: 1f0c2d5fadc2304f910caf7569a968b1824687cb57dd8f470dc67b8262cb009809c83ea626f2f99d9ce4e8113efb46c53b979f6dc3113433f7503ca4d119e16c

C:\Windows\hosts.exe
  Filesize: 7.4MB
  MD5: 937b51c7a5e145e8a24272f9a54792c9
  SHA1: 087aa044761de832757921dccc5bbfe29f31e60e
  SHA256: b0eb1fc4720650999366d6b7c7aa9389b01dd28c146466aae2b8fbd3baff2453
  SHA512: c6920515e6ce0c2f1d4031a4d58294274953350b141eecfa1255f2cc9c0cab86d8ecad58e11d88a43154b59f2083535464299cf32b7c4c558cdff8605f878e82

\??\c:\windows\W_X_C.bat
  Filesize: 336B
  MD5: 4db9f8b6175722b62ececeeeba1ce307
  SHA1: 3b3ba8414706e72a6fa19e884a97b87609e11e47
  SHA256: d2150b9e5a4ce55e140f0ca91c4e300715d42095c8fddf58c77037cdd2cfaf78
  SHA512: 1d6dc274cf7a3dd704f840e6a5ad57ab4c4e35d5f09489aeff520bb797e1c825bac53fc335156fe41e767a46520d031855fe42fe7b175409ebe5e9e986fb9b8b