9b4be408e648f38959159f0e654b8b909d864f3744431795070eaeb00ea768d5

General

Target

57ed160701331244124fa084c706e950_NeikiAnalytics.exe
Size

84KB
MD5

57ed160701331244124fa084c706e950
SHA1

3408db2810b0b528225caf4607b357baa2f9f8f4
SHA256

9b4be408e648f38959159f0e654b8b909d864f3744431795070eaeb00ea768d5
SHA512

376a101263842b7d54bf9497bf720c8f6d714ea5e669d2793a278240d63f8422580ff98869d9e65d17ee07fe11f9993a99a068213dabc9ce570d6f52328e550b
SSDEEP

1536:1clIGFNMi+hJUneHoGTvvv4V9hqdhbtgS:+RMi+fUnCTvvv4V9hEhbCS

Score

7^/10

persistence upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

57ed160701331244124fa084c706e950_NeikiAnalytics.exelsass.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	57ed160701331244124fa084c706e950_NeikiAnalytics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	lsass.exe

Executes dropped EXE 4 IoCs

Processes:

lsass.exelsass.exelsass.exelsass.exe

pid process

4732 lsass.exe
3236 lsass.exe
1676 lsass.exe
3724 lsass.exe

pid	process
4732	lsass.exe
3236	lsass.exe
1676	lsass.exe
3724	lsass.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/1548-2-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/1548-4-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/1548-5-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/1548-31-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/3236-46-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/1548-51-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/3236-81-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Audio Driver = "C:\\Users\\Admin\\AppData\\Roaming\\system\\lsass.exe"	reg.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

57ed160701331244124fa084c706e950_NeikiAnalytics.exelsass.exelsass.exe

description	pid	process	target process
PID 5052 set thread context of 1548	5052	57ed160701331244124fa084c706e950_NeikiAnalytics.exe	57ed160701331244124fa084c706e950_NeikiAnalytics.exe
PID 4732 set thread context of 3236	4732	lsass.exe	lsass.exe
PID 4732 set thread context of 1676	4732	lsass.exe	lsass.exe
PID 1676 set thread context of 3724	1676	lsass.exe	lsass.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

lsass.exe

description	pid	process
Token: SeDebugPrivilege	3236	lsass.exe
Token: SeDebugPrivilege	3236	lsass.exe
Token: SeDebugPrivilege	3236	lsass.exe
Token: SeDebugPrivilege	3236	lsass.exe
Token: SeDebugPrivilege	3236	lsass.exe
Token: SeDebugPrivilege	3236	lsass.exe
Token: SeDebugPrivilege	3236	lsass.exe
Token: SeDebugPrivilege	3236	lsass.exe
Token: SeDebugPrivilege	3236	lsass.exe
Token: SeDebugPrivilege	3236	lsass.exe
Token: SeDebugPrivilege	3236	lsass.exe
Token: SeDebugPrivilege	3236	lsass.exe
Token: SeDebugPrivilege	3236	lsass.exe
Token: SeDebugPrivilege	3236	lsass.exe
Token: SeDebugPrivilege	3236	lsass.exe
Token: SeDebugPrivilege	3236	lsass.exe
Token: SeDebugPrivilege	3236	lsass.exe
Token: SeDebugPrivilege	3236	lsass.exe
Token: SeDebugPrivilege	3236	lsass.exe
Token: SeDebugPrivilege	3236	lsass.exe
Token: SeDebugPrivilege	3236	lsass.exe
Token: SeDebugPrivilege	3236	lsass.exe
Token: SeDebugPrivilege	3236	lsass.exe
Token: SeDebugPrivilege	3236	lsass.exe
Token: SeDebugPrivilege	3236	lsass.exe
Token: SeDebugPrivilege	3236	lsass.exe
Token: SeDebugPrivilege	3236	lsass.exe
Token: SeDebugPrivilege	3236	lsass.exe
Token: SeDebugPrivilege	3236	lsass.exe
Token: SeDebugPrivilege	3236	lsass.exe
Token: SeDebugPrivilege	3236	lsass.exe
Token: SeDebugPrivilege	3236	lsass.exe
Token: SeDebugPrivilege	3236	lsass.exe
Token: SeDebugPrivilege	3236	lsass.exe
Token: SeDebugPrivilege	3236	lsass.exe
Token: SeDebugPrivilege	3236	lsass.exe
Token: SeDebugPrivilege	3236	lsass.exe
Token: SeDebugPrivilege	3236	lsass.exe
Token: SeDebugPrivilege	3236	lsass.exe
Token: SeDebugPrivilege	3236	lsass.exe
Token: SeDebugPrivilege	3236	lsass.exe
Token: SeDebugPrivilege	3236	lsass.exe
Token: SeDebugPrivilege	3236	lsass.exe
Token: SeDebugPrivilege	3236	lsass.exe
Token: SeDebugPrivilege	3236	lsass.exe
Token: SeDebugPrivilege	3236	lsass.exe
Token: SeDebugPrivilege	3236	lsass.exe
Token: SeDebugPrivilege	3236	lsass.exe
Token: SeDebugPrivilege	3236	lsass.exe
Token: SeDebugPrivilege	3236	lsass.exe
Token: SeDebugPrivilege	3236	lsass.exe
Token: SeDebugPrivilege	3236	lsass.exe
Token: SeDebugPrivilege	3236	lsass.exe
Token: SeDebugPrivilege	3236	lsass.exe
Token: SeDebugPrivilege	3236	lsass.exe
Token: SeDebugPrivilege	3236	lsass.exe
Token: SeDebugPrivilege	3236	lsass.exe
Token: SeDebugPrivilege	3236	lsass.exe
Token: SeDebugPrivilege	3236	lsass.exe
Token: SeDebugPrivilege	3236	lsass.exe
Token: SeDebugPrivilege	3236	lsass.exe
Token: SeDebugPrivilege	3236	lsass.exe
Token: SeDebugPrivilege	3236	lsass.exe
Token: SeDebugPrivilege	3236	lsass.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

57ed160701331244124fa084c706e950_NeikiAnalytics.exe57ed160701331244124fa084c706e950_NeikiAnalytics.exelsass.exelsass.exe

pid process

5052 57ed160701331244124fa084c706e950_NeikiAnalytics.exe
1548 57ed160701331244124fa084c706e950_NeikiAnalytics.exe
4732 lsass.exe
3236 lsass.exe

pid	process
5052	57ed160701331244124fa084c706e950_NeikiAnalytics.exe
1548	57ed160701331244124fa084c706e950_NeikiAnalytics.exe
4732	lsass.exe
3236	lsass.exe

Suspicious use of WriteProcessMemory 39 IoCs

Processes:

57ed160701331244124fa084c706e950_NeikiAnalytics.exe57ed160701331244124fa084c706e950_NeikiAnalytics.execmd.exelsass.exelsass.exe

description	pid	process	target process
PID 5052 wrote to memory of 1548	5052	57ed160701331244124fa084c706e950_NeikiAnalytics.exe	57ed160701331244124fa084c706e950_NeikiAnalytics.exe
PID 5052 wrote to memory of 1548	5052	57ed160701331244124fa084c706e950_NeikiAnalytics.exe	57ed160701331244124fa084c706e950_NeikiAnalytics.exe
PID 5052 wrote to memory of 1548	5052	57ed160701331244124fa084c706e950_NeikiAnalytics.exe	57ed160701331244124fa084c706e950_NeikiAnalytics.exe
PID 5052 wrote to memory of 1548	5052	57ed160701331244124fa084c706e950_NeikiAnalytics.exe	57ed160701331244124fa084c706e950_NeikiAnalytics.exe
PID 5052 wrote to memory of 1548	5052	57ed160701331244124fa084c706e950_NeikiAnalytics.exe	57ed160701331244124fa084c706e950_NeikiAnalytics.exe
PID 5052 wrote to memory of 1548	5052	57ed160701331244124fa084c706e950_NeikiAnalytics.exe	57ed160701331244124fa084c706e950_NeikiAnalytics.exe
PID 5052 wrote to memory of 1548	5052	57ed160701331244124fa084c706e950_NeikiAnalytics.exe	57ed160701331244124fa084c706e950_NeikiAnalytics.exe
PID 5052 wrote to memory of 1548	5052	57ed160701331244124fa084c706e950_NeikiAnalytics.exe	57ed160701331244124fa084c706e950_NeikiAnalytics.exe
PID 1548 wrote to memory of 5080	1548	57ed160701331244124fa084c706e950_NeikiAnalytics.exe	cmd.exe
PID 1548 wrote to memory of 5080	1548	57ed160701331244124fa084c706e950_NeikiAnalytics.exe	cmd.exe
PID 1548 wrote to memory of 5080	1548	57ed160701331244124fa084c706e950_NeikiAnalytics.exe	cmd.exe
PID 5080 wrote to memory of 1124	5080	cmd.exe	reg.exe
PID 5080 wrote to memory of 1124	5080	cmd.exe	reg.exe
PID 5080 wrote to memory of 1124	5080	cmd.exe	reg.exe
PID 1548 wrote to memory of 4732	1548	57ed160701331244124fa084c706e950_NeikiAnalytics.exe	lsass.exe
PID 1548 wrote to memory of 4732	1548	57ed160701331244124fa084c706e950_NeikiAnalytics.exe	lsass.exe
PID 1548 wrote to memory of 4732	1548	57ed160701331244124fa084c706e950_NeikiAnalytics.exe	lsass.exe
PID 4732 wrote to memory of 3236	4732	lsass.exe	lsass.exe
PID 4732 wrote to memory of 3236	4732	lsass.exe	lsass.exe
PID 4732 wrote to memory of 3236	4732	lsass.exe	lsass.exe
PID 4732 wrote to memory of 3236	4732	lsass.exe	lsass.exe
PID 4732 wrote to memory of 3236	4732	lsass.exe	lsass.exe
PID 4732 wrote to memory of 3236	4732	lsass.exe	lsass.exe
PID 4732 wrote to memory of 3236	4732	lsass.exe	lsass.exe
PID 4732 wrote to memory of 3236	4732	lsass.exe	lsass.exe
PID 4732 wrote to memory of 1676	4732	lsass.exe	lsass.exe
PID 4732 wrote to memory of 1676	4732	lsass.exe	lsass.exe
PID 4732 wrote to memory of 1676	4732	lsass.exe	lsass.exe
PID 4732 wrote to memory of 1676	4732	lsass.exe	lsass.exe
PID 4732 wrote to memory of 1676	4732	lsass.exe	lsass.exe
PID 4732 wrote to memory of 1676	4732	lsass.exe	lsass.exe
PID 4732 wrote to memory of 1676	4732	lsass.exe	lsass.exe
PID 1676 wrote to memory of 3724	1676	lsass.exe	lsass.exe
PID 1676 wrote to memory of 3724	1676	lsass.exe	lsass.exe
PID 1676 wrote to memory of 3724	1676	lsass.exe	lsass.exe
PID 1676 wrote to memory of 3724	1676	lsass.exe	lsass.exe
PID 1676 wrote to memory of 3724	1676	lsass.exe	lsass.exe
PID 1676 wrote to memory of 3724	1676	lsass.exe	lsass.exe
PID 1676 wrote to memory of 3724	1676	lsass.exe	lsass.exe

C:\Users\Admin\AppData\Local\Temp\57ed160701331244124fa084c706e950_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\57ed160701331244124fa084c706e950_NeikiAnalytics.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5052

C:\Users\Admin\AppData\Local\Temp\57ed160701331244124fa084c706e950_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\57ed160701331244124fa084c706e950_NeikiAnalytics.exe"
2⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1548

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YXTVH.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:5080

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Audio Driver" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\lsass.exe" /f
4⤵
- Adds Run key to start application
PID:1124

C:\Users\Admin\AppData\Roaming\system\lsass.exe
"C:\Users\Admin\AppData\Roaming\system\lsass.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4732

C:\Users\Admin\AppData\Roaming\system\lsass.exe
"C:\Users\Admin\AppData\Roaming\system\lsass.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3236

C:\Users\Admin\AppData\Roaming\system\lsass.exe
"C:\Users\Admin\AppData\Roaming\system\lsass.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1676

C:\Users\Admin\AppData\Roaming\system\lsass.exe
"C:\Users\Admin\AppData\Roaming\system\lsass.exe"
5⤵
- Checks computer location settings
- Executes dropped EXE
PID:3724

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\cxz.exe
Filesize
294B

MD5
00a5f8ff7b60e95cc60a848e2959d20f

SHA1
08f04fde8c0515bc7289ce15c343aa87ac61be49

SHA256
8716f67750fc9d29256aa749257ab38b977a28990579df01c2fbf23ca72305d9

SHA512
134d2b90f78b7570454989cb7a190166b561279fde1187c05438c383bd52ec4f9abbbaf68d227b559028ba2007692707cf79651db048516e91ce81efb7573a50

Download Submit
C:\Users\Admin\AppData\Local\Temp\YXTVH.txt
Filesize
146B

MD5
c8cba0a9d4d5600b5f53c4c0681d1115

SHA1
0e5348e210ca70b2b0ffdc3ff7e6f611716df80c

SHA256
ca2b63f6d7bf17480415ae93e115bf9f9699335e84e62719eefdbcc5a78bd2e1

SHA512
a2ad6eb5ae2f6d57ca15363ac2f0c57ca3580474e94b9c010750948814cf4d5ffa0c3e7ef44634a3593da23f56011703ff220a3d7780f6f01785bf3b6676ced0

Download Submit
C:\Users\Admin\AppData\Roaming\system\lsass.exe
Filesize
84KB

MD5
4b0a9c41fda0ff1f2667332f4507438f

SHA1
23f492c4374c6017d1538fcfa7af5059ec3df323

SHA256
efc919f7371db9c59e862b3958483ec26eaf368ef87d6d9c56153099a1c3328f

SHA512
c3ff6b99951717cc004d9caf637acd9cec9fea26b5b70a21f24a6f29ed1da616f22a824d1243a1b536679ed9c2468d69d3b88a9b3bc0d6d8cb87cb5cebee3a5e

Download Submit
memory/1548-51-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1548-4-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1548-5-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1548-31-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1548-2-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1676-53-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/1676-40-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/1676-35-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/1676-47-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/1676-48-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/3236-46-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/3236-81-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/3724-52-0x0000000000400000-0x0000000000404000-memory.dmp

Filesize
16KB

Download
memory/3724-57-0x0000000000400000-0x0000000000404000-memory.dmp

Filesize
16KB

Download
memory/3724-79-0x0000000000400000-0x0000000000404000-memory.dmp

Filesize
16KB

Download
memory/4732-45-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/4732-44-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads