Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22-05-2024 03:24
Static task
static1
Behavioral task
behavioral1
Sample
154fdd8d7a5ead17e65368304bef4670_NeikiAnalytics.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
154fdd8d7a5ead17e65368304bef4670_NeikiAnalytics.exe
Resource
win10v2004-20240426-en
General
Target: 154fdd8d7a5ead17e65368304bef4670_NeikiAnalytics.exe
Size: 4.8MB
MD5: 154fdd8d7a5ead17e65368304bef4670
SHA1: 599d2f53163ea8aa76f48dffb34691f44a0c4608
SHA256: 9adde015996141199f100d4601cc5be9765997170b9fcbb95a23e4b474a6ac30
SHA512: f88c55f9a4b98a46c15b25726f583c050f04dcd20ae9efb3589f82957f0360f3503130491c336480fdb32ef3d4507debe8881ca8e3a71b5376cdd49bd4290c9a
SSDEEP: 98304:g2mDMmD2mDe2mDMmD2mDc2mDMmD2mDe2mDMmD2mDc2mDMmD2mDX:g2mDMmD2mDe2mDMmD2mDc2mDMmD2mDeW
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 3 IoCs
Processes: 154fdd8d7a5ead17e65368304bef4670_NeikiAnalytics.exe, avscan.exe, hosts.exe
- Set value (int) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" (by 154fdd8d7a5ead17e65368304bef4670_NeikiAnalytics.exe)
- Set value (int) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" (by avscan.exe)
- Set value (int) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" (by hosts.exe)
-
Modifies visibility of hidden/system files in Explorer 2 TTPs 3 IoCs
Processes: 154fdd8d7a5ead17e65368304bef4670_NeikiAnalytics.exe, avscan.exe, hosts.exe
- Set value (int) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (by 154fdd8d7a5ead17e65368304bef4670_NeikiAnalytics.exe)
- Set value (int) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (by avscan.exe)
- Set value (int) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (by hosts.exe)
-
Adds policy Run key to start application 2 TTPs 6 IoCs
Processes: WScript.exe, WScript.exe, WScript.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (by WScript.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\SPDOHFMA = "W_X_C.bat" (by WScript.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (by WScript.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\SPDOHFMA = "W_X_C.bat" (by WScript.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (by WScript.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\SPDOHFMA = "W_X_C.bat" (by WScript.exe)
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
Note that all three queries come from the cmd.exe instances that run c:\windows\W_X_C.bat, not from the sample or the executables it drops, so on its own this is weak evidence of geofencing.
Processes: cmd.exe, cmd.exe, cmd.exe
- Key value queried \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation (by cmd.exe)
- Key value queried \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation (by cmd.exe)
- Key value queried \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation (by cmd.exe)
-
Executes dropped EXE 6 IoCs
Processes: avscan.exe, avscan.exe, hosts.exe, avscan.exe, hosts.exe, hosts.exe
- PID 1528 avscan.exe
- PID 4520 avscan.exe
- PID 2972 hosts.exe
- PID 2916 avscan.exe
- PID 2896 hosts.exe
- PID 464 hosts.exe
-
Adds Run key to start application 2 TTPs 3 IoCs
Processes: hosts.exe, 154fdd8d7a5ead17e65368304bef4670_NeikiAnalytics.exe, avscan.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe" (by hosts.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe" (by 154fdd8d7a5ead17e65368304bef4670_NeikiAnalytics.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe" (by avscan.exe)
-
Drops file in Windows directory 5 IoCs
Processes: 154fdd8d7a5ead17e65368304bef4670_NeikiAnalytics.exe, avscan.exe, hosts.exe
- File created C:\windows\W_X_C.vbs (by 154fdd8d7a5ead17e65368304bef4670_NeikiAnalytics.exe)
- File created \??\c:\windows\W_X_C.bat (by 154fdd8d7a5ead17e65368304bef4670_NeikiAnalytics.exe)
- File opened for modification C:\Windows\hosts.exe (by 154fdd8d7a5ead17e65368304bef4670_NeikiAnalytics.exe)
- File opened for modification C:\Windows\hosts.exe (by avscan.exe)
- File opened for modification C:\Windows\hosts.exe (by hosts.exe)
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 4 IoCs
Processes: 154fdd8d7a5ead17e65368304bef4670_NeikiAnalytics.exe, cmd.exe, cmd.exe, cmd.exe
- Key created \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings (by 154fdd8d7a5ead17e65368304bef4670_NeikiAnalytics.exe)
- Key created \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings (by cmd.exe)
- Key created \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings (by cmd.exe)
- Key created \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings (by cmd.exe)
-
Modifies registry key 1 TTPs 9 IoCs
Processes: REG.exe (9 instances)
- PID 5068 REG.exe
- PID 3828 REG.exe
- PID 1232 REG.exe
- PID 3332 REG.exe
- PID 4208 REG.exe
- PID 1424 REG.exe
- PID 1568 REG.exe
- PID 5004 REG.exe
- PID 852 REG.exe
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
Processes: avscan.exe, hosts.exe
- PID 1528 avscan.exe
- PID 2972 hosts.exe
-
Suspicious use of SetWindowsHookEx 7 IoCs
Processes: 154fdd8d7a5ead17e65368304bef4670_NeikiAnalytics.exe, avscan.exe, avscan.exe, hosts.exe, avscan.exe, hosts.exe, hosts.exe
- PID 3764 154fdd8d7a5ead17e65368304bef4670_NeikiAnalytics.exe
- PID 1528 avscan.exe
- PID 4520 avscan.exe
- PID 2972 hosts.exe
- PID 2916 avscan.exe
- PID 2896 hosts.exe
- PID 464 hosts.exe
-
Suspicious use of WriteProcessMemory 63 IoCs
Processes: 154fdd8d7a5ead17e65368304bef4670_NeikiAnalytics.exe, avscan.exe, cmd.exe, hosts.exe, cmd.exe, cmd.exe
Each source/target pair below was recorded three times (63 IoCs in total, 21 distinct pairs):
- PID 3764 wrote to memory of 1424: 154fdd8d7a5ead17e65368304bef4670_NeikiAnalytics.exe -> REG.exe (x3)
- PID 3764 wrote to memory of 1528: 154fdd8d7a5ead17e65368304bef4670_NeikiAnalytics.exe -> avscan.exe (x3)
- PID 1528 wrote to memory of 4520: avscan.exe -> avscan.exe (x3)
- PID 1528 wrote to memory of 1740: avscan.exe -> cmd.exe (x3)
- PID 3764 wrote to memory of 3204: 154fdd8d7a5ead17e65368304bef4670_NeikiAnalytics.exe -> cmd.exe (x3)
- PID 1740 wrote to memory of 2972: cmd.exe -> hosts.exe (x3)
- PID 2972 wrote to memory of 2916: hosts.exe -> avscan.exe (x3)
- PID 1740 wrote to memory of 3352: cmd.exe -> WScript.exe (x3)
- PID 3204 wrote to memory of 2896: cmd.exe -> hosts.exe (x3)
- PID 2972 wrote to memory of 4812: hosts.exe -> cmd.exe (x3)
- PID 4812 wrote to memory of 464: cmd.exe -> hosts.exe (x3)
- PID 3204 wrote to memory of 852: cmd.exe -> WScript.exe (x3)
- PID 4812 wrote to memory of 856: cmd.exe -> WScript.exe (x3)
- PID 1528 wrote to memory of 5068: avscan.exe -> REG.exe (x3)
- PID 2972 wrote to memory of 3828: hosts.exe -> REG.exe (x3)
- PID 1528 wrote to memory of 1568: avscan.exe -> REG.exe (x3)
- PID 2972 wrote to memory of 1232: hosts.exe -> REG.exe (x3)
- PID 1528 wrote to memory of 3332: avscan.exe -> REG.exe (x3)
- PID 2972 wrote to memory of 5004: hosts.exe -> REG.exe (x3)
- PID 1528 wrote to memory of 852: avscan.exe -> REG.exe (x3)
- PID 2972 wrote to memory of 4208: hosts.exe -> REG.exe (x3)
Processes
-
C:\Users\Admin\AppData\Local\Temp\154fdd8d7a5ead17e65368304bef4670_NeikiAnalytics.exe (PID 3764, depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\154fdd8d7a5ead17e65368304bef4670_NeikiAnalytics.exe"
  - Modifies visibility of file extensions in Explorer
  - Modifies visibility of hidden/system files in Explorer
  - Adds Run key to start application
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\REG.exe (PID 1424, depth 2)
      command line: REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
      - Modifies registry key
    C:\Users\Admin\AppData\Local\Temp\avscan.exe (PID 1528, depth 2)
      command line: C:\Users\Admin\AppData\Local\Temp\avscan.exe
      - Modifies visibility of file extensions in Explorer
      - Modifies visibility of hidden/system files in Explorer
      - Executes dropped EXE
      - Adds Run key to start application
      - Drops file in Windows directory
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\avscan.exe (PID 4520, depth 3)
          command line: C:\Users\Admin\AppData\Local\Temp\avscan.exe
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx
        C:\Windows\SysWOW64\cmd.exe (PID 1740, depth 3)
          command line: C:\Windows\system32\cmd.exe /c c:\windows\W_X_C.bat
          - Checks computer location settings
          - Modifies registry class
          - Suspicious use of WriteProcessMemory
            C:\windows\hosts.exe (PID 2972, depth 4)
              command line: C:\windows\hosts.exe
              - Modifies visibility of file extensions in Explorer
              - Modifies visibility of hidden/system files in Explorer
              - Executes dropped EXE
              - Adds Run key to start application
              - Drops file in Windows directory
              - Suspicious behavior: GetForegroundWindowSpam
              - Suspicious use of SetWindowsHookEx
              - Suspicious use of WriteProcessMemory
                C:\Users\Admin\AppData\Local\Temp\avscan.exe (PID 2916, depth 5)
                  command line: C:\Users\Admin\AppData\Local\Temp\avscan.exe
                  - Executes dropped EXE
                  - Suspicious use of SetWindowsHookEx
                C:\Windows\SysWOW64\cmd.exe (PID 4812, depth 5)
                  command line: C:\Windows\system32\cmd.exe /c c:\windows\W_X_C.bat
                  - Checks computer location settings
                  - Modifies registry class
                  - Suspicious use of WriteProcessMemory
                    C:\windows\hosts.exe (PID 464, depth 6)
                      command line: C:\windows\hosts.exe
                      - Executes dropped EXE
                      - Suspicious use of SetWindowsHookEx
                    C:\Windows\SysWOW64\WScript.exe (PID 856, depth 6)
                      command line: "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
                      - Adds policy Run key to start application
                C:\Windows\SysWOW64\REG.exe (PID 3828, depth 5)
                  command line: REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
                  - Modifies registry key
                C:\Windows\SysWOW64\REG.exe (PID 1232, depth 5)
                  command line: REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
                  - Modifies registry key
                C:\Windows\SysWOW64\REG.exe (PID 5004, depth 5)
                  command line: REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
                  - Modifies registry key
                C:\Windows\SysWOW64\REG.exe (PID 4208, depth 5)
                  command line: REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
                  - Modifies registry key
            C:\Windows\SysWOW64\WScript.exe (PID 3352, depth 4)
              command line: "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
              - Adds policy Run key to start application
        C:\Windows\SysWOW64\REG.exe (PID 5068, depth 3)
          command line: REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
          - Modifies registry key
        C:\Windows\SysWOW64\REG.exe (PID 1568, depth 3)
          command line: REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
          - Modifies registry key
        C:\Windows\SysWOW64\REG.exe (PID 3332, depth 3)
          command line: REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
          - Modifies registry key
        C:\Windows\SysWOW64\REG.exe (PID 852, depth 3)
          command line: REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
          - Modifies registry key
    C:\Windows\SysWOW64\cmd.exe (PID 3204, depth 2)
      command line: C:\Windows\system32\cmd.exe /c c:\windows\W_X_C.bat
      - Checks computer location settings
      - Modifies registry class
      - Suspicious use of WriteProcessMemory
        C:\windows\hosts.exe (PID 2896, depth 3)
          command line: C:\windows\hosts.exe
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx
        C:\Windows\SysWOW64\WScript.exe (PID 852, depth 3)
          command line: "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
          - Adds policy Run key to start application
-
C:\Windows\System32\rundll32.exe (PID 4468, depth 1, separate tree with no link to the sample's processes)
  command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
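The signatures and process tree above are the sandbox's record of one run. To find the same behaviour on other hosts the evidence is endpoint telemetry, not a report, so the following is an added example written for this page (it is not code from the sandbox, from the sample, or from any analysis of it): four detection rules run over constructed events in a simplified Sysmon-like shape (RegistrySet for Event ID 13, ProcessCreate for Event ID 1, FileCreate for Event ID 11) modelled on the IoCs listed above, plus two constructed benign controls that must not fire. Two details from the report drive the design. First, the sample is a 32-bit process on x64 Windows (its children are C:\Windows\SysWOW64\REG.exe and cmd.exe even though the command lines name System32), so its HKLM Run value lands under WOW6432Node; a hunt that only reads the 64-bit view misses it, which is why the example normalises registry paths before matching. Second, the writes to C:\Windows and HKLM succeeded only because the sandbox ran the sample with administrative rights; under a standard user those steps fail and only the HKCU Explorer changes would be seen. The event schema, field names and rule names are assumptions of this example.

```python
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class Finding:
    rule: str
    image: str    # process responsible (the parent for ProcessCreate events)
    detail: str


def normalize_registry_path(path: str) -> str:
    """\\REGISTRY\\MACHINE -> HKLM, \\REGISTRY\\USER\\<SID> -> HKU\\<SID>, and drop WOW6432Node so
    the 32-bit sample's Run-key write compares equal to the 64-bit path a hunt query would use."""
    segs = [s for s in path.split("\\") if s]
    if len(segs) >= 2 and segs[0].upper() == "REGISTRY":
        segs = [{"MACHINE": "HKLM", "USER": "HKU"}.get(segs[1].upper(), segs[1])] + segs[2:]
    return "\\".join(s for s in segs if s.lower() != "wow6432node")


_EXPLORER_ADV_RE = re.compile(r"\\Explorer\\Advanced\\(HideFileExt|ShowSuperHidden)$", re.I)
_RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\(Policies\\Explorer\\)?Run\\([^\\]+)$", re.I)
_TEMP_DIRS = ("\\appdata\\local\\temp\\", "\\users\\public\\")
_SCRIPT_EXT = (".bat", ".cmd", ".vbs", ".js", ".wsf")


def rule_explorer_hiding(ev: dict) -> Optional[Finding]:
    """HideFileExt=1 / ShowSuperHidden=0 hide the dropped files; the opposite direction is benign."""
    if ev["event"] != "RegistrySet":
        return None
    m = _EXPLORER_ADV_RE.search(normalize_registry_path(ev["target"]))
    if not m:
        return None
    dword = re.search(r"0x([0-9a-fA-F]+)", ev["details"])   # Sysmon renders "DWORD (0x00000001)"
    value = int(dword.group(1), 16) if dword else None
    name = m.group(1).lower()
    if (name == "hidefileext" and value == 1) or (name == "showsuperhidden" and value == 0):
        return Finding("explorer_hiding", ev["image"], f"{m.group(1)}={value}")
    return None


def rule_run_key_persistence(ev: dict) -> Optional[Finding]:
    """Policies\\Explorer\\Run is normally written only by Group Policy; plain Run values are
    flagged when they point into a user-writable temp directory or launch a script."""
    if ev["event"] != "RegistrySet":
        return None
    m = _RUN_KEY_RE.search(normalize_registry_path(ev["target"]))
    if not m:
        return None
    value = ev["details"].strip().strip('"').lower()
    if m.group(1):
        reason = "policy Run key"
    elif any(d in value for d in _TEMP_DIRS):
        reason = "target in user-writable temp directory"
    elif value.endswith(_SCRIPT_EXT):
        reason = "target is a script"
    else:
        return None
    return Finding("run_key_persistence", ev["image"], f"{m.group(2)} = {ev['details']} ({reason})")


def rule_safeboot_deletion(ev: dict) -> Optional[Finding]:
    """reg.exe deleting ...\\Control\\SafeBoot removes the Minimal/Network lists that Safe Mode
    boots from, so the host can no longer be cleaned by booting into Safe Mode."""
    if ev["event"] != "ProcessCreate":
        return None
    image = ev["image"].rsplit("\\", 1)[-1].lower()
    cmd = ev["command_line"].lower()
    if image == "reg.exe" and "delete" in cmd and "\\control\\safeboot" in cmd:
        return Finding("safeboot_key_deletion", ev.get("parent_image", ev["image"]), ev["command_line"])
    return None


def rule_script_dropped_in_windows_dir(ev: dict) -> Optional[Finding]:
    """Scripts created directly in C:\\Windows (needs admin rights, which the sandbox run had)."""
    if ev["event"] != "FileCreate":
        return None
    p = ev["target"].lower()
    p = p[4:] if p.startswith("\\??\\") else p   # strip the NT object-manager prefix seen in the report
    directory, _, name = p.rpartition("\\")
    if directory == "c:\\windows" and name.endswith(_SCRIPT_EXT):
        return Finding("script_dropped_in_windows_dir", ev["image"], ev["target"])
    return None


RULES = [rule_explorer_hiding, rule_run_key_persistence, rule_safeboot_deletion, rule_script_dropped_in_windows_dir]


def run_rules(events: list) -> list:
    return [f for ev in events for rule in RULES if (f := rule(ev)) is not None]


# Constructed events modelled on the report's IoCs; the last two are benign controls.
SAMPLE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\154fdd8d7a5ead17e65368304bef4670_NeikiAnalytics.exe"
USER_HIVE = "\\REGISTRY\\USER\\S-1-5-21-711569230-3659488422-571408806-1000"
EVENTS = [
    {"event": "RegistrySet", "image": SAMPLE, "details": "DWORD (0x00000001)",
     "target": USER_HIVE + "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\HideFileExt"},
    {"event": "RegistrySet", "image": "C:\\windows\\hosts.exe", "details": "DWORD (0x00000000)",
     "target": USER_HIVE + "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ShowSuperHidden"},
    {"event": "RegistrySet", "image": SAMPLE, "details": "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe",
     "target": "\\REGISTRY\\MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\avscan"},
    {"event": "RegistrySet", "image": "C:\\Windows\\SysWOW64\\WScript.exe", "details": "W_X_C.bat",
     "target": "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\SPDOHFMA"},
    {"event": "ProcessCreate", "image": "C:\\Windows\\SysWOW64\\REG.exe", "parent_image": SAMPLE,
     "command_line": "REG DELETE HKLM\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot /f"},
    {"event": "FileCreate", "image": SAMPLE, "target": "C:\\windows\\W_X_C.vbs"},
    {"event": "FileCreate", "image": SAMPLE, "target": "\\??\\c:\\windows\\W_X_C.bat"},
    {"event": "RegistrySet", "image": "C:\\Windows\\explorer.exe", "details": "DWORD (0x00000000)",
     "target": USER_HIVE + "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\HideFileExt"},
    {"event": "RegistrySet", "image": "C:\\Program Files\\Vendor\\setup.exe", "details": "\"C:\\Program Files\\Vendor\\agent.exe\"",
     "target": "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\VendorAgent"},
]

if __name__ == "__main__":
    for f in run_rules(EVENTS):
        short = f.image.rsplit("\\", 1)[-1]
        print(f"{f.rule:32} {short:45} {f.detail}")
```

Run as a script it prints seven findings (two Explorer hiding changes, the Temp Run value and the policy Run value, the SafeBoot deletion attributed to its parent, and the two scripts in C:\Windows) and nothing for the two controls. The same four rules translate directly into Sigma or EDR queries; the point to carry over is the path normalisation, since a rule anchored on `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run` alone will not match the WOW6432Node write this sample makes.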
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 4.8MB
MD5: 8b953f66ab362687357edf5e86702f77
SHA1: 959fd0d38d7ab4493792a9cc3fb264dfed085b0d
SHA256: e12a11854766c495fac8f8f0c424ee5d46289ac9305ed8079f932b117b161d93
SHA512: ae8e7f78f81b8025d2ac2dd7b2961a5ceb4828cd1c589e580c3600a84641a0f1509fb24d454a312b38fe1d351769b43fdfa7d01dad396ff0aea0adc1331dcfc3
-
Filesize: 195B
MD5: 338224f444afbfff81c0b0b4d06cd8b3
SHA1: ccf8d9ec111de1ab6ae57d1f1f0d7e35e1709632
SHA256: 42c83a3faf58327b65a99b1720783d354ce6d8d413ae4acfbb2a55bb43aed4ea
SHA512: ce79dc5d82cf23ac2e95e3f8f4dd49b0f6fb2691aa2dfbd8ea8e200e9b934094029f10a1336b4537fb0a1afa81013b070d0653cf0b1429a3137aa66050068d17
-
Filesize: 4.8MB
MD5: 91af6d5d25d7ef266332da411fde6f5f
SHA1: 0623943d0739def9bde804a5be5c685b3b3ec087
SHA256: 9eced061d52a1300dc3cc99ebdbea181344adaea015402a4c76bcd96f6dd5449
SHA512: e8c39dd42c978aa99e6a6dd398642bacc212de159e49a9e4046bd156079a0a93bcedd44309b535d97094cfc25767533a7dd24b52b59d9acd65548fc08cf29c6f
-
Filesize: 336B
MD5: 4db9f8b6175722b62ececeeeba1ce307
SHA1: 3b3ba8414706e72a6fa19e884a97b87609e11e47
SHA256: d2150b9e5a4ce55e140f0ca91c4e300715d42095c8fddf58c77037cdd2cfaf78
SHA512: 1d6dc274cf7a3dd704f840e6a5ad57ab4c4e35d5f09489aeff520bb797e1c825bac53fc335156fe41e767a46520d031855fe42fe7b175409ebe5e9e986fb9b8b