9b4be408e648f38959159f0e654b8b909d864f3744431795070eaeb00ea768d5

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
22/05/2024, 23:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

57ed160701331244124fa084c706e950_NeikiAnalytics.exe
Size

84KB
MD5

57ed160701331244124fa084c706e950
SHA1

3408db2810b0b528225caf4607b357baa2f9f8f4
SHA256

9b4be408e648f38959159f0e654b8b909d864f3744431795070eaeb00ea768d5
SHA512

376a101263842b7d54bf9497bf720c8f6d714ea5e669d2793a278240d63f8422580ff98869d9e65d17ee07fe11f9993a99a068213dabc9ce570d6f52328e550b
SSDEEP

1536:1clIGFNMi+hJUneHoGTvvv4V9hqdhbtgS:+RMi+fUnCTvvv4V9hEhbCS

Score

7^/10

persistence upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	57ed160701331244124fa084c706e950_NeikiAnalytics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	lsass.exe

Executes dropped EXE 4 IoCs

pid	Process
4732	lsass.exe
3236	lsass.exe
1676	lsass.exe
3724	lsass.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1548-2-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/1548-4-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/1548-5-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/1548-31-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/3236-46-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/1548-51-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/3236-81-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Audio Driver = "C:\\Users\\Admin\\AppData\\Roaming\\system\\lsass.exe"	reg.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 5052 set thread context of 1548	5052	57ed160701331244124fa084c706e950_NeikiAnalytics.exe	89
PID 4732 set thread context of 3236	4732	lsass.exe	96
PID 4732 set thread context of 1676	4732	lsass.exe	97
PID 1676 set thread context of 3724	1676	lsass.exe	98

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3236	lsass.exe
Token: SeDebugPrivilege	3236	lsass.exe
Token: SeDebugPrivilege	3236	lsass.exe
Token: SeDebugPrivilege	3236	lsass.exe
Token: SeDebugPrivilege	3236	lsass.exe
Token: SeDebugPrivilege	3236	lsass.exe
Token: SeDebugPrivilege	3236	lsass.exe
Token: SeDebugPrivilege	3236	lsass.exe
Token: SeDebugPrivilege	3236	lsass.exe
Token: SeDebugPrivilege	3236	lsass.exe
Token: SeDebugPrivilege	3236	lsass.exe
Token: SeDebugPrivilege	3236	lsass.exe
Token: SeDebugPrivilege	3236	lsass.exe
Token: SeDebugPrivilege	3236	lsass.exe
Token: SeDebugPrivilege	3236	lsass.exe
Token: SeDebugPrivilege	3236	lsass.exe
Token: SeDebugPrivilege	3236	lsass.exe
Token: SeDebugPrivilege	3236	lsass.exe
Token: SeDebugPrivilege	3236	lsass.exe
Token: SeDebugPrivilege	3236	lsass.exe
Token: SeDebugPrivilege	3236	lsass.exe
Token: SeDebugPrivilege	3236	lsass.exe
Token: SeDebugPrivilege	3236	lsass.exe
Token: SeDebugPrivilege	3236	lsass.exe
Token: SeDebugPrivilege	3236	lsass.exe
Token: SeDebugPrivilege	3236	lsass.exe
Token: SeDebugPrivilege	3236	lsass.exe
Token: SeDebugPrivilege	3236	lsass.exe
Token: SeDebugPrivilege	3236	lsass.exe
Token: SeDebugPrivilege	3236	lsass.exe
Token: SeDebugPrivilege	3236	lsass.exe
Token: SeDebugPrivilege	3236	lsass.exe
Token: SeDebugPrivilege	3236	lsass.exe
Token: SeDebugPrivilege	3236	lsass.exe
Token: SeDebugPrivilege	3236	lsass.exe
Token: SeDebugPrivilege	3236	lsass.exe
Token: SeDebugPrivilege	3236	lsass.exe
Token: SeDebugPrivilege	3236	lsass.exe
Token: SeDebugPrivilege	3236	lsass.exe
Token: SeDebugPrivilege	3236	lsass.exe
Token: SeDebugPrivilege	3236	lsass.exe
Token: SeDebugPrivilege	3236	lsass.exe
Token: SeDebugPrivilege	3236	lsass.exe
Token: SeDebugPrivilege	3236	lsass.exe
Token: SeDebugPrivilege	3236	lsass.exe
Token: SeDebugPrivilege	3236	lsass.exe
Token: SeDebugPrivilege	3236	lsass.exe
Token: SeDebugPrivilege	3236	lsass.exe
Token: SeDebugPrivilege	3236	lsass.exe
Token: SeDebugPrivilege	3236	lsass.exe
Token: SeDebugPrivilege	3236	lsass.exe
Token: SeDebugPrivilege	3236	lsass.exe
Token: SeDebugPrivilege	3236	lsass.exe
Token: SeDebugPrivilege	3236	lsass.exe
Token: SeDebugPrivilege	3236	lsass.exe
Token: SeDebugPrivilege	3236	lsass.exe
Token: SeDebugPrivilege	3236	lsass.exe
Token: SeDebugPrivilege	3236	lsass.exe
Token: SeDebugPrivilege	3236	lsass.exe
Token: SeDebugPrivilege	3236	lsass.exe
Token: SeDebugPrivilege	3236	lsass.exe
Token: SeDebugPrivilege	3236	lsass.exe
Token: SeDebugPrivilege	3236	lsass.exe
Token: SeDebugPrivilege	3236	lsass.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
5052	57ed160701331244124fa084c706e950_NeikiAnalytics.exe
1548	57ed160701331244124fa084c706e950_NeikiAnalytics.exe
4732	lsass.exe
3236	lsass.exe

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 5052 wrote to memory of 1548	5052	57ed160701331244124fa084c706e950_NeikiAnalytics.exe	89
PID 5052 wrote to memory of 1548	5052	57ed160701331244124fa084c706e950_NeikiAnalytics.exe	89
PID 5052 wrote to memory of 1548	5052	57ed160701331244124fa084c706e950_NeikiAnalytics.exe	89
PID 5052 wrote to memory of 1548	5052	57ed160701331244124fa084c706e950_NeikiAnalytics.exe	89
PID 5052 wrote to memory of 1548	5052	57ed160701331244124fa084c706e950_NeikiAnalytics.exe	89
PID 5052 wrote to memory of 1548	5052	57ed160701331244124fa084c706e950_NeikiAnalytics.exe	89
PID 5052 wrote to memory of 1548	5052	57ed160701331244124fa084c706e950_NeikiAnalytics.exe	89
PID 5052 wrote to memory of 1548	5052	57ed160701331244124fa084c706e950_NeikiAnalytics.exe	89
PID 1548 wrote to memory of 5080	1548	57ed160701331244124fa084c706e950_NeikiAnalytics.exe	90
PID 1548 wrote to memory of 5080	1548	57ed160701331244124fa084c706e950_NeikiAnalytics.exe	90
PID 1548 wrote to memory of 5080	1548	57ed160701331244124fa084c706e950_NeikiAnalytics.exe	90
PID 5080 wrote to memory of 1124	5080	cmd.exe	93
PID 5080 wrote to memory of 1124	5080	cmd.exe	93
PID 5080 wrote to memory of 1124	5080	cmd.exe	93
PID 1548 wrote to memory of 4732	1548	57ed160701331244124fa084c706e950_NeikiAnalytics.exe	94
PID 1548 wrote to memory of 4732	1548	57ed160701331244124fa084c706e950_NeikiAnalytics.exe	94
PID 1548 wrote to memory of 4732	1548	57ed160701331244124fa084c706e950_NeikiAnalytics.exe	94
PID 4732 wrote to memory of 3236	4732	lsass.exe	96
PID 4732 wrote to memory of 3236	4732	lsass.exe	96
PID 4732 wrote to memory of 3236	4732	lsass.exe	96
PID 4732 wrote to memory of 3236	4732	lsass.exe	96
PID 4732 wrote to memory of 3236	4732	lsass.exe	96
PID 4732 wrote to memory of 3236	4732	lsass.exe	96
PID 4732 wrote to memory of 3236	4732	lsass.exe	96
PID 4732 wrote to memory of 3236	4732	lsass.exe	96
PID 4732 wrote to memory of 1676	4732	lsass.exe	97
PID 4732 wrote to memory of 1676	4732	lsass.exe	97
PID 4732 wrote to memory of 1676	4732	lsass.exe	97
PID 4732 wrote to memory of 1676	4732	lsass.exe	97
PID 4732 wrote to memory of 1676	4732	lsass.exe	97
PID 4732 wrote to memory of 1676	4732	lsass.exe	97
PID 4732 wrote to memory of 1676	4732	lsass.exe	97
PID 1676 wrote to memory of 3724	1676	lsass.exe	98
PID 1676 wrote to memory of 3724	1676	lsass.exe	98
PID 1676 wrote to memory of 3724	1676	lsass.exe	98
PID 1676 wrote to memory of 3724	1676	lsass.exe	98
PID 1676 wrote to memory of 3724	1676	lsass.exe	98
PID 1676 wrote to memory of 3724	1676	lsass.exe	98
PID 1676 wrote to memory of 3724	1676	lsass.exe	98

C:\Users\Admin\AppData\Local\Temp\57ed160701331244124fa084c706e950_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\57ed160701331244124fa084c706e950_NeikiAnalytics.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5052
- C:\Users\Admin\AppData\Local\Temp\57ed160701331244124fa084c706e950_NeikiAnalytics.exe
  "C:\Users\Admin\AppData\Local\Temp\57ed160701331244124fa084c706e950_NeikiAnalytics.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1548
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YXTVH.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5080
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Audio Driver" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\lsass.exe" /f
      4⤵
      Adds Run key to start application
      PID:1124
- - C:\Users\Admin\AppData\Roaming\system\lsass.exe
    "C:\Users\Admin\AppData\Roaming\system\lsass.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4732
  - - C:\Users\Admin\AppData\Roaming\system\lsass.exe
      "C:\Users\Admin\AppData\Roaming\system\lsass.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:3236
  - - C:\Users\Admin\AppData\Roaming\system\lsass.exe
      "C:\Users\Admin\AppData\Roaming\system\lsass.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:1676
    - - C:\Users\Admin\AppData\Roaming\system\lsass.exe
        
        "C:\Users\Admin\AppData\Roaming\system\lsass.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\cxz.exe

Filesize
294B

MD5
00a5f8ff7b60e95cc60a848e2959d20f

SHA1
08f04fde8c0515bc7289ce15c343aa87ac61be49

SHA256
8716f67750fc9d29256aa749257ab38b977a28990579df01c2fbf23ca72305d9

SHA512
134d2b90f78b7570454989cb7a190166b561279fde1187c05438c383bd52ec4f9abbbaf68d227b559028ba2007692707cf79651db048516e91ce81efb7573a50

Download Submit
C:\Users\Admin\AppData\Local\Temp\YXTVH.txt

Filesize
146B

MD5
c8cba0a9d4d5600b5f53c4c0681d1115

SHA1
0e5348e210ca70b2b0ffdc3ff7e6f611716df80c

SHA256
ca2b63f6d7bf17480415ae93e115bf9f9699335e84e62719eefdbcc5a78bd2e1

SHA512
a2ad6eb5ae2f6d57ca15363ac2f0c57ca3580474e94b9c010750948814cf4d5ffa0c3e7ef44634a3593da23f56011703ff220a3d7780f6f01785bf3b6676ced0

Download Submit
C:\Users\Admin\AppData\Roaming\system\lsass.exe

Filesize
84KB

MD5
4b0a9c41fda0ff1f2667332f4507438f

SHA1
23f492c4374c6017d1538fcfa7af5059ec3df323

SHA256
efc919f7371db9c59e862b3958483ec26eaf368ef87d6d9c56153099a1c3328f

SHA512
c3ff6b99951717cc004d9caf637acd9cec9fea26b5b70a21f24a6f29ed1da616f22a824d1243a1b536679ed9c2468d69d3b88a9b3bc0d6d8cb87cb5cebee3a5e

Download Submit
memory/1548-51-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1548-4-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1548-5-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1548-31-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1548-2-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1676-53-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/1676-40-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/1676-35-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/1676-47-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/1676-48-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/3236-46-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/3236-81-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/3724-52-0x0000000000400000-0x0000000000404000-memory.dmp

Filesize
16KB

Download
memory/3724-57-0x0000000000400000-0x0000000000404000-memory.dmp

Filesize
16KB

Download
memory/3724-79-0x0000000000400000-0x0000000000404000-memory.dmp

Filesize
16KB

Download
memory/4732-45-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/4732-44-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads