143b2a7f82ebd4a7348f04d329a84bcd90897e6e4177c8b2f0cd77e55fc13d7a

General

Target

35359fa7090798bce03f0740585e4b10_NeikiAnalytics.exe
Size

53KB
MD5

35359fa7090798bce03f0740585e4b10
SHA1

70df8305d0dc28d82ee7351ee2c2cdb7def49962
SHA256

143b2a7f82ebd4a7348f04d329a84bcd90897e6e4177c8b2f0cd77e55fc13d7a
SHA512

4e181e504285cf683f41c0595a050ec39234fcbdd4fa9ecbd9c9678994da028aeb881c5e7ff8cfbc8c219f46304a7a320aadd5ebd2465cd87c174c42e76a3db3
SSDEEP

1536:S5qsVsIEVfEoAlHa6K0mrdkT9lcP1RnPg9+aKK2d0Q:cVv08oewxwcP7nPg9+aKK2d0Q

Score

10^/10

persistence upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

35359fa7090798bce03f0740585e4b10_NeikiAnalytics.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe fsb.exe"	35359fa7090798bce03f0740585e4b10_NeikiAnalytics.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Program Files\7-Zip\7z.exe	upx

Drops file in System32 directory 3 IoCs

Processes:

35359fa7090798bce03f0740585e4b10_NeikiAnalytics.exe

description	ioc	process
File created	C:\Windows\SysWOW64\fsb.stb	35359fa7090798bce03f0740585e4b10_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\fsb.tmp	35359fa7090798bce03f0740585e4b10_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	35359fa7090798bce03f0740585e4b10_NeikiAnalytics.exe

Drops file in Program Files directory 64 IoCs

Processes:

35359fa7090798bce03f0740585e4b10_NeikiAnalytics.exe

description	ioc	process
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe-	35359fa7090798bce03f0740585e4b10_NeikiAnalytics.exe
File created	C:\Program Files\Internet Explorer\iediagcmd.exe-	35359fa7090798bce03f0740585e4b10_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Checkers\chkrzm.exe	35359fa7090798bce03f0740585e4b10_NeikiAnalytics.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	35359fa7090798bce03f0740585e4b10_NeikiAnalytics.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe	35359fa7090798bce03f0740585e4b10_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe-	35359fa7090798bce03f0740585e4b10_NeikiAnalytics.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ConvertInkStore.exe	35359fa7090798bce03f0740585e4b10_NeikiAnalytics.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\TabTip.exe	35359fa7090798bce03f0740585e4b10_NeikiAnalytics.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe	35359fa7090798bce03f0740585e4b10_NeikiAnalytics.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\rmiregistry.exe	35359fa7090798bce03f0740585e4b10_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\INFOPATH.EXE	35359fa7090798bce03f0740585e4b10_NeikiAnalytics.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe-	35359fa7090798bce03f0740585e4b10_NeikiAnalytics.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe-	35359fa7090798bce03f0740585e4b10_NeikiAnalytics.exe
File created	C:\Program Files\Java\jre7\bin\tnameserv.exe-	35359fa7090798bce03f0740585e4b10_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe	35359fa7090798bce03f0740585e4b10_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	35359fa7090798bce03f0740585e4b10_NeikiAnalytics.exe
File created	C:\Program Files\DVD Maker\DVDMaker.exe	35359fa7090798bce03f0740585e4b10_NeikiAnalytics.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe	35359fa7090798bce03f0740585e4b10_NeikiAnalytics.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe	35359fa7090798bce03f0740585e4b10_NeikiAnalytics.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe-	35359fa7090798bce03f0740585e4b10_NeikiAnalytics.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmiregistry.exe-	35359fa7090798bce03f0740585e4b10_NeikiAnalytics.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\tnameserv.exe-	35359fa7090798bce03f0740585e4b10_NeikiAnalytics.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.exe-	35359fa7090798bce03f0740585e4b10_NeikiAnalytics.exe
File created	C:\Program Files\Java\jre7\bin\javaws.exe-	35359fa7090798bce03f0740585e4b10_NeikiAnalytics.exe
File created	C:\Program Files\Mozilla Firefox\updater.exe	35359fa7090798bce03f0740585e4b10_NeikiAnalytics.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe-	35359fa7090798bce03f0740585e4b10_NeikiAnalytics.exe
File created	C:\Program Files\Java\jre7\bin\jp2launcher.exe-	35359fa7090798bce03f0740585e4b10_NeikiAnalytics.exe
File created	C:\Program Files\Java\jre7\bin\unpack200.exe-	35359fa7090798bce03f0740585e4b10_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe-	35359fa7090798bce03f0740585e4b10_NeikiAnalytics.exe
File created	C:\Program Files\Internet Explorer\iediagcmd.exe	35359fa7090798bce03f0740585e4b10_NeikiAnalytics.exe
File created	C:\Program Files\Java\jre7\bin\javaws.exe	35359fa7090798bce03f0740585e4b10_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\airappinstaller.exe-	35359fa7090798bce03f0740585e4b10_NeikiAnalytics.exe
File created	C:\Program Files\DVD Maker\DVDMaker.exe-	35359fa7090798bce03f0740585e4b10_NeikiAnalytics.exe
File created	C:\Program Files\Java\jre7\bin\javaw.exe	35359fa7090798bce03f0740585e4b10_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	35359fa7090798bce03f0740585e4b10_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE-	35359fa7090798bce03f0740585e4b10_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\MSTORE.EXE	35359fa7090798bce03f0740585e4b10_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\SETLANG.EXE-	35359fa7090798bce03f0740585e4b10_NeikiAnalytics.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ConvertInkStore.exe-	35359fa7090798bce03f0740585e4b10_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\ink\mip.exe	35359fa7090798bce03f0740585e4b10_NeikiAnalytics.exe
File created	C:\Program Files\Internet Explorer\ielowutil.exe-	35359fa7090798bce03f0740585e4b10_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe-	35359fa7090798bce03f0740585e4b10_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	35359fa7090798bce03f0740585e4b10_NeikiAnalytics.exe
File created	C:\Program Files\7-Zip\7z.exe	35359fa7090798bce03f0740585e4b10_NeikiAnalytics.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe-	35359fa7090798bce03f0740585e4b10_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Games\Chess\Chess.exe-	35359fa7090798bce03f0740585e4b10_NeikiAnalytics.exe
File created	C:\Program Files\Mozilla Firefox\pingsender.exe	35359fa7090798bce03f0740585e4b10_NeikiAnalytics.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe	35359fa7090798bce03f0740585e4b10_NeikiAnalytics.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe-	35359fa7090798bce03f0740585e4b10_NeikiAnalytics.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe-	35359fa7090798bce03f0740585e4b10_NeikiAnalytics.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaw.exe	35359fa7090798bce03f0740585e4b10_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Games\Mahjong\Mahjong.exe	35359fa7090798bce03f0740585e4b10_NeikiAnalytics.exe
File created	C:\Program Files\7-Zip\Uninstall.exe-	35359fa7090798bce03f0740585e4b10_NeikiAnalytics.exe
File created	C:\Program Files\Java\jre7\bin\javacpl.exe	35359fa7090798bce03f0740585e4b10_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\misc.exe	35359fa7090798bce03f0740585e4b10_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeUpdaterInstallMgr.exe-	35359fa7090798bce03f0740585e4b10_NeikiAnalytics.exe
File created	C:\Program Files\Internet Explorer\ieinstal.exe	35359fa7090798bce03f0740585e4b10_NeikiAnalytics.exe
File created	C:\Program Files\Mozilla Firefox\crashreporter.exe	35359fa7090798bce03f0740585e4b10_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\CLVIEW.EXE-	35359fa7090798bce03f0740585e4b10_NeikiAnalytics.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe	35359fa7090798bce03f0740585e4b10_NeikiAnalytics.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe	35359fa7090798bce03f0740585e4b10_NeikiAnalytics.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe	35359fa7090798bce03f0740585e4b10_NeikiAnalytics.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmiregistry.exe	35359fa7090798bce03f0740585e4b10_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\CLVIEW.EXE	35359fa7090798bce03f0740585e4b10_NeikiAnalytics.exe

C:\Users\Admin\AppData\Local\Temp\35359fa7090798bce03f0740585e4b10_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\35359fa7090798bce03f0740585e4b10_NeikiAnalytics.exe"
1⤵
- Modifies WinLogon for persistence
- Drops file in System32 directory
- Drops file in Program Files directory
PID:1848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\7z.exe

Filesize
521KB

MD5
baf3200f201c5fedb4868866a46a8907

SHA1
35276732e9d3b37882a7b578cf83c6d98d17061f

SHA256
b29d7e34dffe4533e3ca2befc4022202d6f39ea40ac5716c46c03df89ce6151d

SHA512
c9282cf0b3649a99091b759db6e0922fc881f199575f765b9d45085de2b3cf4184b8eb472f3f7e7432ea40e86f75e4ab928623f3621af3d8f75adb72e9d866a8

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
53KB

MD5
35359fa7090798bce03f0740585e4b10

SHA1
70df8305d0dc28d82ee7351ee2c2cdb7def49962

SHA256
143b2a7f82ebd4a7348f04d329a84bcd90897e6e4177c8b2f0cd77e55fc13d7a

SHA512
4e181e504285cf683f41c0595a050ec39234fcbdd4fa9ecbd9c9678994da028aeb881c5e7ff8cfbc8c219f46304a7a320aadd5ebd2465cd87c174c42e76a3db3

Download Submit
memory/1848-1638-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1848-1639-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1848-1640-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1848-1642-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1848-1643-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1848-1644-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1848-1646-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1848-1647-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1848-1648-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1848-1650-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1848-1651-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads