Analysis
max time kernel: 150s
max time network: 123s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system
submitted: 23/05/2024, 22:08

Static task: static1
Behavioral task: behavioral1
  Sample: 954bd9514b6a8e84eeb0a0b17c1139d0_NeikiAnalytics.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 954bd9514b6a8e84eeb0a0b17c1139d0_NeikiAnalytics.exe
  Resource: win10v2004-20240508-en
General
Target: 954bd9514b6a8e84eeb0a0b17c1139d0_NeikiAnalytics.exe
Size: 53KB
MD5: 954bd9514b6a8e84eeb0a0b17c1139d0
SHA1: 48eab341dbc49cc504a1797493976930ef9e2b7d
SHA256: a8fb740f1d4b7080daff1038db95b9a7d634fdbddad6b5fa81ef741e8d3801ae
SHA512: 75e1f45756c5644a1858f2668152487eb2005453f8c44ba5a0434fe370ece50988551a3da446e80c2d1d59c9a02b50306553552c181839b55b7d06fdbdaa46e3
SSDEEP: 1536:vN5g8r8Qi4iYav7Kp3StjEMjmLM3ztDJWZsXy4JzxPMk:i4iYavJJjmLM3zRJWZsXy4Jt
Malware Config
Signatures
- Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
  description: Set value (int)
  ioc: \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"
  Process: youineg.exe
- Executes dropped EXE (1 IoC)
  pid: 2860
  Process: youineg.exe
- Loads dropped DLL (2 IoCs)
  pid: 2660  Process: 954bd9514b6a8e84eeb0a0b17c1139d0_NeikiAnalytics.exe
  pid: 2660  Process: 954bd9514b6a8e84eeb0a0b17c1139d0_NeikiAnalytics.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\youineg = "C:\\Users\\Admin\\youineg.exe"
  Process: youineg.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid: 2860  Process: youineg.exe  (all 64 entries are identical)
- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid: 2660  Process: 954bd9514b6a8e84eeb0a0b17c1139d0_NeikiAnalytics.exe
  pid: 2860  Process: youineg.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  description: PID 2660 wrote to memory of 2860  pid: 2660  Process: 954bd9514b6a8e84eeb0a0b17c1139d0_NeikiAnalytics.exe  procid_target: 28  (4 entries)
  description: PID 2860 wrote to memory of 2660  pid: 2860  Process: youineg.exe  procid_target: 27  (remaining 60 entries, all identical)
Processes
- "C:\Users\Admin\AppData\Local\Temp\954bd9514b6a8e84eeb0a0b17c1139d0_NeikiAnalytics.exe" (level 1, PID 2660)
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - "C:\Users\Admin\youineg.exe" (level 2, PID 2860)
    - Modifies visibility of hidden/system files in Explorer
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 53KB
MD5: 3de62002793419358cf6ccb12d712c4b
SHA1: 4f4cb7ddeff7699a94c539f8f1b566461916c242
SHA256: abf05998759935b787dff28d0803395f8a814b10976be08254ccfd40b2c90c3b
SHA512: b8891744e6963cabaa405381d5dcc9a787bed7757a5f6f0c06ee42a54c95ca5216767d283b9202b2790968b7faa6b30ce523678e95aecbbe4f2ed2ab484e612d