04c05da1d0c3780c83b7468acb63916086f75dd82f9fa6b597e2acb07a1021b8

General

Target

1b797600bd2e90cc098866df3b9d5290_NeikiAnalytics.exe
Size

1.3MB
MD5

1b797600bd2e90cc098866df3b9d5290
SHA1

ae33f1236d6011b114ba73c264ce6ea4fe7b6db4
SHA256

04c05da1d0c3780c83b7468acb63916086f75dd82f9fa6b597e2acb07a1021b8
SHA512

d6ad79c3bb164a7763291092bdee8e4534dd47b861888ced1bce3845ffe5e11c9429d012478f27e2948c4187631f3d8219346fdec7934fb171aa8216ef8211d0
SSDEEP

24576:0/ApeDWpzxyLt1Y1o5n4s0Ab7Ixb0wiqu86LIzfWZB0vxI0:04xat1moBHcOwimtZH

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3060	285D9.exe
2440	285D9.exe

Loads dropped DLL 2 IoCs

pid	Process
2960	1b797600bd2e90cc098866df3b9d5290_NeikiAnalytics.exe
2960	1b797600bd2e90cc098866df3b9d5290_NeikiAnalytics.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\285D9.exe"	reg.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3060 set thread context of 2440	3060	285D9.exe	32

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2156	reg.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2640	AcroRd32.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2640	AcroRd32.exe
2640	AcroRd32.exe
2640	AcroRd32.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2960 wrote to memory of 2156	2960	1b797600bd2e90cc098866df3b9d5290_NeikiAnalytics.exe	28
PID 2960 wrote to memory of 2156	2960	1b797600bd2e90cc098866df3b9d5290_NeikiAnalytics.exe	28
PID 2960 wrote to memory of 2156	2960	1b797600bd2e90cc098866df3b9d5290_NeikiAnalytics.exe	28
PID 2960 wrote to memory of 2156	2960	1b797600bd2e90cc098866df3b9d5290_NeikiAnalytics.exe	28
PID 2960 wrote to memory of 3060	2960	1b797600bd2e90cc098866df3b9d5290_NeikiAnalytics.exe	30
PID 2960 wrote to memory of 3060	2960	1b797600bd2e90cc098866df3b9d5290_NeikiAnalytics.exe	30
PID 2960 wrote to memory of 3060	2960	1b797600bd2e90cc098866df3b9d5290_NeikiAnalytics.exe	30
PID 2960 wrote to memory of 3060	2960	1b797600bd2e90cc098866df3b9d5290_NeikiAnalytics.exe	30
PID 2960 wrote to memory of 2640	2960	1b797600bd2e90cc098866df3b9d5290_NeikiAnalytics.exe	31
PID 2960 wrote to memory of 2640	2960	1b797600bd2e90cc098866df3b9d5290_NeikiAnalytics.exe	31
PID 2960 wrote to memory of 2640	2960	1b797600bd2e90cc098866df3b9d5290_NeikiAnalytics.exe	31
PID 2960 wrote to memory of 2640	2960	1b797600bd2e90cc098866df3b9d5290_NeikiAnalytics.exe	31
PID 3060 wrote to memory of 2440	3060	285D9.exe	32
PID 3060 wrote to memory of 2440	3060	285D9.exe	32
PID 3060 wrote to memory of 2440	3060	285D9.exe	32
PID 3060 wrote to memory of 2440	3060	285D9.exe	32
PID 3060 wrote to memory of 2440	3060	285D9.exe	32
PID 3060 wrote to memory of 2440	3060	285D9.exe	32

C:\Users\Admin\AppData\Local\Temp\1b797600bd2e90cc098866df3b9d5290_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\1b797600bd2e90cc098866df3b9d5290_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2960
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Windows Update" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\285D9.exe" /f
  2⤵
  - Adds Run key to start application
  - Modifies registry key
  PID:2156
- C:\Users\Admin\AppData\Roaming\285D9.exe
  "C:\Users\Admin\AppData\Roaming\285D9.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:3060
- - C:\Users\Admin\AppData\Roaming\285D9.exe
    "C:\Users\Admin\AppData\Roaming\285D9.exe"
    3⤵
    - Executes dropped EXE
    PID:2440
- C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
  "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Roaming\fiore.pdf"
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:2640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
3c9f505d1750cd7ac4ae7614256ed860

SHA1
c8efe838560155b3c51b71fafc567979ba2ca902

SHA256
5edfbddca5d5984b62c342151853295bb4455a6861777d0ae27b2533ec814943

SHA512
0a5b077d92fd45edb78b624b0735336ab43358e04840235437eecb169fec92f641a4ab6a7e7d97c51596d03126b0176ec5c19e78fc8169bf4dce3e0898b827c6

Download Submit
C:\Users\Admin\AppData\Roaming\fiore.pdf

Filesize
209KB

MD5
8a7db5362268dd64b9cec01fd99db7c5

SHA1
3c27053b7309527659ed0c07fa986516a14b2d3c

SHA256
8bc7bbfc60dba3928611f77d80508bbf77762657d6be35106146830b5fe5edc5

SHA512
c17d9b58e7246938e66d52d65bd6a54eaa22b932023b1dcd8a34c0b2ac82e8f91f4c5ade12f7a1857c5c36f30aeec2c650a1f9b087627725cfd3613a4f683036

Download Submit
\Users\Admin\AppData\Roaming\285D9.exe

Filesize
1.3MB

MD5
1af92457d8734c640196de6b3a59557e

SHA1
8c861d29c894f9baa84e20c3441cf74878ead7d7

SHA256
b56dcd0330fcdea98d26d99adf697f01075740dbcc6598afa0d10403f0aa32a2

SHA512
f9158b0eea4a97c43af2891d7911042fea7c8affb5a39db1a5cbdda575493a80be4b5749bfe5caa8401238a0a26cdea4e1e181a40778b6d5b70b7199dc3af6d1

Download Submit
memory/2440-35-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2440-39-0x0000000000400000-0x00000000004A7000-memory.dmp

Filesize
668KB

Download
memory/2440-36-0x0000000000400000-0x00000000004A7000-memory.dmp

Filesize
668KB

Download
memory/2440-33-0x0000000000400000-0x00000000004A7000-memory.dmp

Filesize
668KB

Download
memory/2440-40-0x0000000000400000-0x00000000004A7000-memory.dmp

Filesize
668KB

Download
memory/2960-0-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2960-1-0x0000000000400000-0x000000000054D000-memory.dmp

Filesize
1.3MB

Download
memory/2960-13-0x0000000000400000-0x000000000054D000-memory.dmp

Filesize
1.3MB

Download
memory/3060-38-0x0000000000400000-0x000000000054D000-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads