a4318e20084c8a995ea5e0aecf8de1accc757b3d48e0e5ec74ec7e4c3e0166b8

General

Target

5b535232bc6e6878ce6a83cc19968f10_NeikiAnalytics.exe
Size

232KB
MD5

5b535232bc6e6878ce6a83cc19968f10
SHA1

0404c446654d286a206cf06a9c89b5acc0afaae6
SHA256

a4318e20084c8a995ea5e0aecf8de1accc757b3d48e0e5ec74ec7e4c3e0166b8
SHA512

06d57d5f68d0c22406501086f091ba3b2a30955ab23070bbff24a83c9b57aef628c43b28bbf21f41950e7ebdc87b59a0af4075f37cc63f05d842bcd06cd6c111
SSDEEP

3072:i1i/NU8bOMYcYYcmy51VRgiFCpCIXUWOLTsEsigcL3P6xxc1VOz1i/NU82OMYcYU:ci/NjO5xbg/CSUFLTwMjs6oi/N+O7

Score

8^/10

persistence upx

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

5b535232bc6e6878ce6a83cc19968f10_NeikiAnalytics.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{A0XC6A98-A14C-J35H-46UD-F5AR862J2AH5}	5b535232bc6e6878ce6a83cc19968f10_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A0XC6A98-A14C-J35H-46UD-F5AR862J2AH5}\StubPath = "C:\\system.exe"	5b535232bc6e6878ce6a83cc19968f10_NeikiAnalytics.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

5b535232bc6e6878ce6a83cc19968f10_NeikiAnalytics.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	5b535232bc6e6878ce6a83cc19968f10_NeikiAnalytics.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/816-0-0x0000000000400000-0x000000000043A000-memory.dmp	upx
C:\WINDOWS\windows.exe	upx
C:\system.exe	upx
behavioral2/memory/816-154-0x0000000000400000-0x000000000043A000-memory.dmp	upx

Drops file in System32 directory 2 IoCs

Processes:

5b535232bc6e6878ce6a83cc19968f10_NeikiAnalytics.exe

description	ioc	process
File created	C:\WINDOWS\SysWOW64\qx.bat	5b535232bc6e6878ce6a83cc19968f10_NeikiAnalytics.exe
File created	C:\WINDOWS\SysWOW64\ie.bat	5b535232bc6e6878ce6a83cc19968f10_NeikiAnalytics.exe

Drops file in Windows directory 3 IoCs

Processes:

5b535232bc6e6878ce6a83cc19968f10_NeikiAnalytics.exeattrib.exe

description	ioc	process
File created	C:\WINDOWS\windows.exe	5b535232bc6e6878ce6a83cc19968f10_NeikiAnalytics.exe
File opened for modification	C:\WINDOWS\windows.exe	5b535232bc6e6878ce6a83cc19968f10_NeikiAnalytics.exe
File opened for modification	C:\WINDOWS\windows.exe	attrib.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 47 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEiexplore.exe5b535232bc6e6878ce6a83cc19968f10_NeikiAnalytics.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Internet Explorer\International\CpMRU\Size = "10"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2093835267"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2095709825"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000008dd12f171901f34fb00998653e43a8820000000002000000000010660000000100002000000045a7b2c19c76d89516e127a6e180a11e0e4fc913e2e8a00aaab2c15f474d21f0000000000e800000000200002000000019d06e9279bad83d33fe224dee683c3a732fde4d22393bb879017db6d10fd0bb200000009ea748a643089ed2519ee202980d8fa9ed98f39ec5fb5c4da47170569e18cef040000000f87ef7fa12cdc4f31428a3e3faa43c31b8dff6b9461217002378e13138de588ef9ab036974a2a8da81b59ad8aca9ebc685be84e6287ec77631925025f5ea3ddc	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "423186627"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Internet Explorer\International\CpMRU\Enable = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31108258"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 10fe3b94a2acda01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Internet Explorer\International\CpMRU\Factor = "20"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Software\Microsoft\Internet Explorer\Main	5b535232bc6e6878ce6a83cc19968f10_NeikiAnalytics.exe
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000008dd12f171901f34fb00998653e43a8820000000002000000000010660000000100002000000009cf8455342bc8aaa5184469e8f6d161dc6698547e66dd3f06179b99a35c148e000000000e800000000200002000000012116ea70ac57f7a2f0d2ca93f71d822ef8fe0b307dcfe57ecb13cef395bc17420000000d3a0ac6a080c11f2e398ae9713646a9081a3639ac1a55e04e35454d094d441b840000000f31150dc313700295d85399f0443ecfd64bd2f1c97c7e58a3c9b5f47576ab547d62f2fae8d372db3a3a6c2b957ccb685f53a44fcaaf2927748496b08e59236e7	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 20d23494a2acda01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31108258"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31108258"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{A84E61D7-1895-11EF-B826-76A3C14B7D9C} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Software\Microsoft\Internet Explorer\International\CpMRU	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Internet Explorer\International\CpMRU\InitHits = "100"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2093835267"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

Processes:

5b535232bc6e6878ce6a83cc19968f10_NeikiAnalytics.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://dhku.com"	5b535232bc6e6878ce6a83cc19968f10_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

5b535232bc6e6878ce6a83cc19968f10_NeikiAnalytics.exe

pid	process
816	5b535232bc6e6878ce6a83cc19968f10_NeikiAnalytics.exe
816	5b535232bc6e6878ce6a83cc19968f10_NeikiAnalytics.exe
816	5b535232bc6e6878ce6a83cc19968f10_NeikiAnalytics.exe
816	5b535232bc6e6878ce6a83cc19968f10_NeikiAnalytics.exe
816	5b535232bc6e6878ce6a83cc19968f10_NeikiAnalytics.exe
816	5b535232bc6e6878ce6a83cc19968f10_NeikiAnalytics.exe
816	5b535232bc6e6878ce6a83cc19968f10_NeikiAnalytics.exe
816	5b535232bc6e6878ce6a83cc19968f10_NeikiAnalytics.exe
816	5b535232bc6e6878ce6a83cc19968f10_NeikiAnalytics.exe
816	5b535232bc6e6878ce6a83cc19968f10_NeikiAnalytics.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

4480 iexplore.exe

pid	process
4480	iexplore.exe

Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

5b535232bc6e6878ce6a83cc19968f10_NeikiAnalytics.exeiexplore.exeIEXPLORE.EXE

pid	process
816	5b535232bc6e6878ce6a83cc19968f10_NeikiAnalytics.exe
4480	iexplore.exe
4480	iexplore.exe
4320	IEXPLORE.EXE
4320	IEXPLORE.EXE
4320	IEXPLORE.EXE
4320	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 47 IoCs

Processes:

5b535232bc6e6878ce6a83cc19968f10_NeikiAnalytics.exeiexplore.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 816 wrote to memory of 4480	816	5b535232bc6e6878ce6a83cc19968f10_NeikiAnalytics.exe	iexplore.exe
PID 816 wrote to memory of 4480	816	5b535232bc6e6878ce6a83cc19968f10_NeikiAnalytics.exe	iexplore.exe
PID 4480 wrote to memory of 4320	4480	iexplore.exe	IEXPLORE.EXE
PID 4480 wrote to memory of 4320	4480	iexplore.exe	IEXPLORE.EXE
PID 4480 wrote to memory of 4320	4480	iexplore.exe	IEXPLORE.EXE
PID 816 wrote to memory of 3528	816	5b535232bc6e6878ce6a83cc19968f10_NeikiAnalytics.exe	cmd.exe
PID 816 wrote to memory of 3528	816	5b535232bc6e6878ce6a83cc19968f10_NeikiAnalytics.exe	cmd.exe
PID 816 wrote to memory of 3528	816	5b535232bc6e6878ce6a83cc19968f10_NeikiAnalytics.exe	cmd.exe
PID 3528 wrote to memory of 4376	3528	cmd.exe	attrib.exe
PID 3528 wrote to memory of 4376	3528	cmd.exe	attrib.exe
PID 3528 wrote to memory of 4376	3528	cmd.exe	attrib.exe
PID 816 wrote to memory of 1684	816	5b535232bc6e6878ce6a83cc19968f10_NeikiAnalytics.exe	cmd.exe
PID 816 wrote to memory of 1684	816	5b535232bc6e6878ce6a83cc19968f10_NeikiAnalytics.exe	cmd.exe
PID 816 wrote to memory of 1684	816	5b535232bc6e6878ce6a83cc19968f10_NeikiAnalytics.exe	cmd.exe
PID 1684 wrote to memory of 3332	1684	cmd.exe	attrib.exe
PID 1684 wrote to memory of 3332	1684	cmd.exe	attrib.exe
PID 1684 wrote to memory of 3332	1684	cmd.exe	attrib.exe
PID 816 wrote to memory of 3940	816	5b535232bc6e6878ce6a83cc19968f10_NeikiAnalytics.exe	cmd.exe
PID 816 wrote to memory of 3940	816	5b535232bc6e6878ce6a83cc19968f10_NeikiAnalytics.exe	cmd.exe
PID 816 wrote to memory of 3940	816	5b535232bc6e6878ce6a83cc19968f10_NeikiAnalytics.exe	cmd.exe
PID 3940 wrote to memory of 2784	3940	cmd.exe	attrib.exe
PID 3940 wrote to memory of 2784	3940	cmd.exe	attrib.exe
PID 3940 wrote to memory of 2784	3940	cmd.exe	attrib.exe
PID 816 wrote to memory of 2760	816	5b535232bc6e6878ce6a83cc19968f10_NeikiAnalytics.exe	cmd.exe
PID 816 wrote to memory of 2760	816	5b535232bc6e6878ce6a83cc19968f10_NeikiAnalytics.exe	cmd.exe
PID 816 wrote to memory of 2760	816	5b535232bc6e6878ce6a83cc19968f10_NeikiAnalytics.exe	cmd.exe
PID 2760 wrote to memory of 4364	2760	cmd.exe	attrib.exe
PID 2760 wrote to memory of 4364	2760	cmd.exe	attrib.exe
PID 2760 wrote to memory of 4364	2760	cmd.exe	attrib.exe
PID 816 wrote to memory of 640	816	5b535232bc6e6878ce6a83cc19968f10_NeikiAnalytics.exe	cmd.exe
PID 816 wrote to memory of 640	816	5b535232bc6e6878ce6a83cc19968f10_NeikiAnalytics.exe	cmd.exe
PID 816 wrote to memory of 640	816	5b535232bc6e6878ce6a83cc19968f10_NeikiAnalytics.exe	cmd.exe
PID 640 wrote to memory of 2488	640	cmd.exe	wmiprvse.exe
PID 640 wrote to memory of 2488	640	cmd.exe	wmiprvse.exe
PID 640 wrote to memory of 2488	640	cmd.exe	wmiprvse.exe
PID 816 wrote to memory of 3284	816	5b535232bc6e6878ce6a83cc19968f10_NeikiAnalytics.exe	cmd.exe
PID 816 wrote to memory of 3284	816	5b535232bc6e6878ce6a83cc19968f10_NeikiAnalytics.exe	cmd.exe
PID 816 wrote to memory of 3284	816	5b535232bc6e6878ce6a83cc19968f10_NeikiAnalytics.exe	cmd.exe
PID 3284 wrote to memory of 1984	3284	cmd.exe	attrib.exe
PID 3284 wrote to memory of 1984	3284	cmd.exe	attrib.exe
PID 3284 wrote to memory of 1984	3284	cmd.exe	attrib.exe
PID 816 wrote to memory of 4876	816	5b535232bc6e6878ce6a83cc19968f10_NeikiAnalytics.exe	cmd.exe
PID 816 wrote to memory of 4876	816	5b535232bc6e6878ce6a83cc19968f10_NeikiAnalytics.exe	cmd.exe
PID 816 wrote to memory of 4876	816	5b535232bc6e6878ce6a83cc19968f10_NeikiAnalytics.exe	cmd.exe
PID 4876 wrote to memory of 4836	4876	cmd.exe	attrib.exe
PID 4876 wrote to memory of 4836	4876	cmd.exe	attrib.exe
PID 4876 wrote to memory of 4836	4876	cmd.exe	attrib.exe

Views/modifies file attributes 1 TTPs 7 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exe

pid process

2488 attrib.exe
1984 attrib.exe
4836 attrib.exe
4376 attrib.exe
3332 attrib.exe
2784 attrib.exe
4364 attrib.exe

pid	process
2488	attrib.exe
1984	attrib.exe
4836	attrib.exe
4376	attrib.exe
3332	attrib.exe
2784	attrib.exe
4364	attrib.exe

C:\Users\Admin\AppData\Local\Temp\5b535232bc6e6878ce6a83cc19968f10_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\5b535232bc6e6878ce6a83cc19968f10_NeikiAnalytics.exe"
1⤵
- Modifies Installed Components in the registry
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:816

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://www.ymtuku.com/xg/?tan
2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4480

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4480 CREDAT:17410 /prefetch:2
3⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:4320

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\All Users\桌面\Internet Explorer.lnk"
2⤵
- Suspicious use of WriteProcessMemory
PID:3528

C:\Windows\SysWOW64\attrib.exe
attrib +h "C:\Documents and Settings\All Users\桌面\Internet Explorer.lnk"
3⤵
- Views/modifies file attributes
PID:4376

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\桌面\Internet Explorer.lnk"
2⤵
- Suspicious use of WriteProcessMemory
PID:1684

C:\Windows\SysWOW64\attrib.exe
attrib +h "C:\Documents and Settings\Admin\桌面\Internet Explorer.lnk"
3⤵
- Views/modifies file attributes
PID:3332

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\启动 Internet Explorer 浏览器.lnk"
2⤵
- Suspicious use of WriteProcessMemory
PID:3940

C:\Windows\SysWOW64\attrib.exe
attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\启动 Internet Explorer 浏览器.lnk"
3⤵
- Views/modifies file attributes
PID:2784

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.lnk"
2⤵
- Suspicious use of WriteProcessMemory
PID:2760

C:\Windows\SysWOW64\attrib.exe
attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.lnk"
3⤵
- Views/modifies file attributes
PID:4364

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\「开始」菜单\程序\Internet Explorer.lnk"
2⤵
- Suspicious use of WriteProcessMemory
PID:640

C:\Windows\SysWOW64\attrib.exe
attrib +h "C:\Documents and Settings\Admin\「开始」菜单\程序\Internet Explorer.lnk"
3⤵
- Views/modifies file attributes
PID:2488

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c attrib +h "C:\WINDOWS\windows.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:3284

C:\Windows\SysWOW64\attrib.exe
attrib +h "C:\WINDOWS\windows.exe"
3⤵
- Drops file in Windows directory
- Views/modifies file attributes
PID:1984

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c attrib +h "c:\system.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:4876

C:\Windows\SysWOW64\attrib.exe
attrib +h "c:\system.exe"
3⤵
- Views/modifies file attributes
PID:4836

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:2488

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Hide Artifacts

1

T1564

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
01409a92b179c99711ea8c28d307d0c4

SHA1
a9cc2b0c5727e2af14819f3908c4693f8e891392

SHA256
3034962a4c308ef5e66a2de7faf1ed2439b7e59086a8c07ad59ce3669b8ee01c

SHA512
8e86173a54d253f3e05443c603222b9018d63a3fb8e3a26b2b5602c083c07b117d5c53ede08056b6aa4503380562444c6704de32b2cce76f146478616b7278c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
404B

MD5
c9f16dd9bcc031ac9e9f1db079dc3865

SHA1
f0b39ea4844ed3d430b361fdca65a4beac03f7fc

SHA256
80a8e753bc141c818dfc6c0404c203243c2243ab10e0e483c9b28245700b78f1

SHA512
5b23a7ec6b44bc5d996a8734fe4afd599bff0fbd433104d5dc923d1ed743e95631f64ffc4e706b2ef11c3a7be93ea74d2fd84f33c250134b8f97c9e0a6e85f4f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DomainSuggestions\en-US.1

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\SG9GK5FX\favicon[1].htm

Filesize
776B

MD5
0542ad8156f4dfca7ddcfcb62a6cb452

SHA1
485282ba12fc0daf6f6aed96f1ababb8f91a6324

SHA256
c90cdefdb6d7ad5a9a132e0d3b74ecdb5b0d5b442da482129ba67925a2f47e8f

SHA512
0b41affa129277bf4b17d3e103dc4c241bc2ac338858cc17c22e172ec2ac65539b63e802246efb462cd134d99907d9c5ed9bc03937cadcca3155b703ac6e3195

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\WOBB13N1\js-sdk-pro.min[1].js

Filesize
33KB

MD5
24bb520e9517f2ed3ed987b46aeaf723

SHA1
846723563d7dd2bff3954f93633b11af0103adc8

SHA256
d1f1bfe698f2ffb7b3e7a885a301d58f9554d45df0a31c3e8b53c84b33c80d27

SHA512
31afbcd2ee87c84cc3e56355da8ddc741a69d918c2687984265745d8046deb18c494cbca6aaf8d4eae6b035e888e6f7cf9b0d59a255f2714963d7b3edbb3c87f

Download Submit
C:\WINDOWS\windows.exe

Filesize
232KB

MD5
16e2b5ced1ca9ce56e0fb73c3941970a

SHA1
f821f500d40fd064e1a9e1a1ab588026d80172a2

SHA256
0503abd93369998764fb1724294d3a7685e2df98adb18f540db8e56a176330cf

SHA512
4429e833a47b98c1a1a48f18477ac07964e963b1d1511cd61a9d9df5a9f79186f636a5694b4ca1fd75d9821cd89235f95d6f00fff84a6321056354264c926ab5

Download Submit
C:\system.exe

Filesize
232KB

MD5
6284e5028aa1b3c251ca3914e4d3fabf

SHA1
8bce131a40dc6e81a72f1e7993dea3935e2b4241

SHA256
b8cc180c1569b15bd0850e534e4146f1f546a2300195b47afa8d36beca755bf3

SHA512
cc3bacbd95a5a2ba0858be1e8ae289f18a869b300c7f8d1f55cb0fcf210dcc9c0fc2595e47c76b834c8f2a19580be80093f99dfb3b1f1f1e9b441771af73e6f5

Download Submit
memory/816-0-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/816-154-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads