Analysis
- max time kernel: 118s
- max time network: 118s
- platform: windows7_x64
- resource: win7-20240419-en
- resource tags: arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
- submitted: 22-05-2024 20:40
Static task
- static1
Behavioral task
- behavioral1
  Sample: 3667e4eb3688a1c1973ea66d4bfe0e90_NeikiAnalytics.exe
  Resource: win7-20240419-en
Behavioral task
- behavioral2
  Sample: 3667e4eb3688a1c1973ea66d4bfe0e90_NeikiAnalytics.exe
  Resource: win10v2004-20240508-en
General
- Target: 3667e4eb3688a1c1973ea66d4bfe0e90_NeikiAnalytics.exe
- Size: 2.7MB
- MD5: 3667e4eb3688a1c1973ea66d4bfe0e90
- SHA1: 9e6a8264f69b5fc41cb51944b99557f45dd91cc8
- SHA256: 0918d2dec622289c197e987da6e6ce1ec01561dacb0e113156f7069a31100765
- SHA512: edad7928694f6986be21bf491613b851376a40b533ab03c0d0fbb10107a6b9c4c7d586d739baebeb177920215a9ae34023663d5a4661ab7681d8df666b979eb5
- SSDEEP: 49152:aYrC8UsGuTwkA6gn2UkCsOCHdeQKyZURQ1EjT2:w8UsXCC9eQKyZURQ1EjT
Malware Config
Signatures
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
    description: Set value (str)
    ioc: \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\mls = "\"C:\\Users\\Admin\\AppData\\Roaming\\RAC\\mls.exe\" -s"
    process: 3667e4eb3688a1c1973ea66d4bfe0e90_NeikiAnalytics.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes:
    pid 2612, process AcroRd32.exe
- Suspicious use of SetWindowsHookEx (3 IoCs)
  Processes:
    pid 2612, process AcroRd32.exe
    pid 2612, process AcroRd32.exe
    pid 2612, process AcroRd32.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes:
    description: PID 2204 wrote to memory of 2612; pid 2204, process 3667e4eb3688a1c1973ea66d4bfe0e90_NeikiAnalytics.exe; target process AcroRd32.exe
    description: PID 2204 wrote to memory of 2612; pid 2204, process 3667e4eb3688a1c1973ea66d4bfe0e90_NeikiAnalytics.exe; target process AcroRd32.exe
    description: PID 2204 wrote to memory of 2612; pid 2204, process 3667e4eb3688a1c1973ea66d4bfe0e90_NeikiAnalytics.exe; target process AcroRd32.exe
    description: PID 2204 wrote to memory of 2612; pid 2204, process 3667e4eb3688a1c1973ea66d4bfe0e90_NeikiAnalytics.exe; target process AcroRd32.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\3667e4eb3688a1c1973ea66d4bfe0e90_NeikiAnalytics.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\3667e4eb3688a1c1973ea66d4bfe0e90_NeikiAnalytics.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe (depth 2, child of the above)
    Command line: "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\3667e4eb3688a1c1973ea66d4bfe0e90_NeikiAnalytics.pdf"
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Local\Temp\148729502.tmp
  Filesize: 2.7MB
  MD5: 3667e4eb3688a1c1973ea66d4bfe0e90
  SHA1: 9e6a8264f69b5fc41cb51944b99557f45dd91cc8
  SHA256: 0918d2dec622289c197e987da6e6ce1ec01561dacb0e113156f7069a31100765
  SHA512: edad7928694f6986be21bf491613b851376a40b533ab03c0d0fbb10107a6b9c4c7d586d739baebeb177920215a9ae34023663d5a4661ab7681d8df666b979eb5
- C:\Users\Admin\AppData\Local\Temp\3667e4eb3688a1c1973ea66d4bfe0e90_NeikiAnalytics.pdf
  Filesize: 1.1MB
  MD5: 58ba263ee6d8d64d69957c44cb10bbc3
  SHA1: a4c86768b63a7e3a51203618f3cf51df9f3f9027
  SHA256: 84e09359b0b15eb947814e39cb5007b6ccf158682edf74ccdeb874299858e27a
  SHA512: 09f52028f91828aa79d76f59782c1910af9210ccf67041b13558af6b421101199671f97b02f549249b6c263ff7e9c95574c6a26739c417ca3e4097aacfe878e3
- C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
  Filesize: 3KB
  MD5: 80ad6b42eb74b060eabc8da294b93045
  SHA1: 107ee5bfb54885a0251d8d0ff1c35ba05ea17c73
  SHA256: 514b1442986703757b591818b30e38252dbf990d2be78a07e9a3b4316229c3cd
  SHA512: 276871fa83714e5525f1f39d092e91af7f600c644051256bb43131b8b3c1fc2d32daa5e11da7444a3d93e68342b43809ccb9cf58abe0834d6e22a7ee4f6bb7a7