98c4769c22fd1bbadd31e701dbfbb944375d7502346bd0bf5befd172f814ffa3

General

Target

5ee65e499276e5d1a8421c67f7505180_NeikiAnalytics.exe
Size

248KB
MD5

5ee65e499276e5d1a8421c67f7505180
SHA1

6d878ef2b8ebd59ecd706376c1ceb18d7a9e4477
SHA256

98c4769c22fd1bbadd31e701dbfbb944375d7502346bd0bf5befd172f814ffa3
SHA512

5bee4759b938cf81c74bec184de2ee7141a452f93204613932a7e0a59bf07ce9fc343cf32baa2c3484d76ac8106d02ff9faa49d7e37b72ee07f365d546e5de6c
SSDEEP

6144:weQ1WRHtMJrCBC0MpUYlxbwa+S3SIYtCHOEvY6:w0HtlCDpJLD+SCvtCu0Y6

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 3 IoCs

Processes:

colosort.exe~1F53.tmpprineown.exe

pid process

2676 colosort.exe
2548 ~1F53.tmp
2500 prineown.exe
Loads dropped DLL 3 IoCs

Processes:

5ee65e499276e5d1a8421c67f7505180_NeikiAnalytics.execolosort.exe

pid process

2016 5ee65e499276e5d1a8421c67f7505180_NeikiAnalytics.exe
2016 5ee65e499276e5d1a8421c67f7505180_NeikiAnalytics.exe
2676 colosort.exe

pid	process
2016	5ee65e499276e5d1a8421c67f7505180_NeikiAnalytics.exe
2016	5ee65e499276e5d1a8421c67f7505180_NeikiAnalytics.exe
2676	colosort.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

5ee65e499276e5d1a8421c67f7505180_NeikiAnalytics.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\cmdlPlay = "C:\\Users\\Admin\\AppData\\Roaming\\Dispnger\\colosort.exe"	5ee65e499276e5d1a8421c67f7505180_NeikiAnalytics.exe

Drops file in System32 directory 1 IoCs

Processes:

5ee65e499276e5d1a8421c67f7505180_NeikiAnalytics.exe

description ioc process

File created C:\Windows\SysWOW64\prineown.exe 5ee65e499276e5d1a8421c67f7505180_NeikiAnalytics.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2492 2016 WerFault.exe 5ee65e499276e5d1a8421c67f7505180_NeikiAnalytics.exe

description	ioc	process
File created	C:\Windows\SysWOW64\prineown.exe	5ee65e499276e5d1a8421c67f7505180_NeikiAnalytics.exe

pid	pid_target	process	target process
2492	2016	WerFault.exe	5ee65e499276e5d1a8421c67f7505180_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

colosort.exeExplorer.EXEprineown.exe

pid	process
2676	colosort.exe
1196	Explorer.EXE
2500	prineown.exe
1196	Explorer.EXE
2500	prineown.exe
1196	Explorer.EXE
2500	prineown.exe
1196	Explorer.EXE
2500	prineown.exe
1196	Explorer.EXE
2500	prineown.exe
1196	Explorer.EXE
2500	prineown.exe
1196	Explorer.EXE
2500	prineown.exe
1196	Explorer.EXE
2500	prineown.exe
1196	Explorer.EXE
2500	prineown.exe
1196	Explorer.EXE
2500	prineown.exe
1196	Explorer.EXE
2500	prineown.exe
1196	Explorer.EXE
2500	prineown.exe
1196	Explorer.EXE
2500	prineown.exe
1196	Explorer.EXE
2500	prineown.exe
1196	Explorer.EXE
2500	prineown.exe
1196	Explorer.EXE
2500	prineown.exe
1196	Explorer.EXE
2500	prineown.exe
1196	Explorer.EXE
2500	prineown.exe
1196	Explorer.EXE
2500	prineown.exe
1196	Explorer.EXE
2500	prineown.exe
1196	Explorer.EXE
2500	prineown.exe
1196	Explorer.EXE
2500	prineown.exe
1196	Explorer.EXE
2500	prineown.exe
1196	Explorer.EXE
2500	prineown.exe
1196	Explorer.EXE
2500	prineown.exe
1196	Explorer.EXE
2500	prineown.exe
1196	Explorer.EXE
2500	prineown.exe
1196	Explorer.EXE
2500	prineown.exe
1196	Explorer.EXE
2500	prineown.exe
1196	Explorer.EXE
2500	prineown.exe
1196	Explorer.EXE
2500	prineown.exe
1196	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

colosort.exeExplorer.EXE

description pid process

Token: SeDebugPrivilege 2676 colosort.exe
Token: SeShutdownPrivilege 1196 Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	2676	colosort.exe
Token: SeShutdownPrivilege	1196	Explorer.EXE

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

5ee65e499276e5d1a8421c67f7505180_NeikiAnalytics.execolosort.exe~1F53.tmp

description	pid	process	target process
PID 2016 wrote to memory of 2676	2016	5ee65e499276e5d1a8421c67f7505180_NeikiAnalytics.exe	colosort.exe
PID 2016 wrote to memory of 2676	2016	5ee65e499276e5d1a8421c67f7505180_NeikiAnalytics.exe	colosort.exe
PID 2016 wrote to memory of 2676	2016	5ee65e499276e5d1a8421c67f7505180_NeikiAnalytics.exe	colosort.exe
PID 2016 wrote to memory of 2676	2016	5ee65e499276e5d1a8421c67f7505180_NeikiAnalytics.exe	colosort.exe
PID 2676 wrote to memory of 2548	2676	colosort.exe	~1F53.tmp
PID 2676 wrote to memory of 2548	2676	colosort.exe	~1F53.tmp
PID 2676 wrote to memory of 2548	2676	colosort.exe	~1F53.tmp
PID 2676 wrote to memory of 2548	2676	colosort.exe	~1F53.tmp
PID 2548 wrote to memory of 1196	2548	~1F53.tmp	Explorer.EXE
PID 2016 wrote to memory of 2492	2016	5ee65e499276e5d1a8421c67f7505180_NeikiAnalytics.exe	WerFault.exe
PID 2016 wrote to memory of 2492	2016	5ee65e499276e5d1a8421c67f7505180_NeikiAnalytics.exe	WerFault.exe
PID 2016 wrote to memory of 2492	2016	5ee65e499276e5d1a8421c67f7505180_NeikiAnalytics.exe	WerFault.exe
PID 2016 wrote to memory of 2492	2016	5ee65e499276e5d1a8421c67f7505180_NeikiAnalytics.exe	WerFault.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1196

C:\Users\Admin\AppData\Local\Temp\5ee65e499276e5d1a8421c67f7505180_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\5ee65e499276e5d1a8421c67f7505180_NeikiAnalytics.exe"
2⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2016

C:\Users\Admin\AppData\Roaming\Dispnger\colosort.exe
"C:\Users\Admin\AppData\Roaming\Dispnger"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2676

C:\Users\Admin\AppData\Local\Temp\~1F53.tmp
1196 254472 2676 1
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2016 -s 252
3⤵
- Program crash
PID:2492

C:\Windows\SysWOW64\prineown.exe
C:\Windows\SysWOW64\prineown.exe -s
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\~1F53.tmp

Filesize
8KB

MD5
aac3165ece2959f39ff98334618d10d9

SHA1
020a191bfdc70c1fbd3bf74cd7479258bd197f51

SHA256
96fa6a7714670823c83099ea01d24d6d3ae8fef027f01a4ddac14f123b1c9974

SHA512
9eb876812a6a13dd4b090788c2b1d9e9a2e25370598ed5c040f82e6f378edc4b78d58bc8f60d5a559ea57b1edcf3a144bfe09454a9928997173db8279d5b40cf

Download Submit
\Users\Admin\AppData\Roaming\Dispnger\colosort.exe

Filesize
248KB

MD5
2fcef6e5c86b0b89d741c126522338e1

SHA1
7f77a09065a5d1be26262bc73c626c31d3b7b202

SHA256
e7309c72fab04b59b680e82f3ebc0a5d600817b9ee73cb114e259e0c1b640455

SHA512
69650371a79a60bc88d8a15c7484908f81525d4ee83b2252f98f2a3cdaa7b6daadc7ff8a3d708ea690f6bdebe628a619c4263f52ebf98a9ff3e5103ffcbc99c3

Download Submit
memory/1196-21-0x0000000002950000-0x000000000299E000-memory.dmp

Filesize
312KB

Download
memory/1196-28-0x0000000002E50000-0x0000000002E5D000-memory.dmp

Filesize
52KB

Download
memory/1196-26-0x0000000002950000-0x000000000299E000-memory.dmp

Filesize
312KB

Download
memory/1196-27-0x0000000002A50000-0x0000000002A56000-memory.dmp

Filesize
24KB

Download
memory/1196-20-0x0000000002950000-0x000000000299E000-memory.dmp

Filesize
312KB

Download
memory/2016-10-0x0000000000290000-0x00000000002D2000-memory.dmp

Filesize
264KB

Download
memory/2016-40-0x0000000000290000-0x00000000002D2000-memory.dmp

Filesize
264KB

Download
memory/2016-41-0x0000000000290000-0x00000000002D2000-memory.dmp

Filesize
264KB

Download
memory/2016-9-0x0000000000290000-0x00000000002D2000-memory.dmp

Filesize
264KB

Download
memory/2016-39-0x0000000000230000-0x0000000000278000-memory.dmp

Filesize
288KB

Download
memory/2016-38-0x0000000000940000-0x0000000000982000-memory.dmp

Filesize
264KB

Download
memory/2016-1-0x0000000000230000-0x0000000000278000-memory.dmp

Filesize
288KB

Download
memory/2016-0-0x0000000000940000-0x0000000000982000-memory.dmp

Filesize
264KB

Download
memory/2500-37-0x0000000000080000-0x0000000000086000-memory.dmp

Filesize
24KB

Download
memory/2500-33-0x0000000000D90000-0x0000000000DD2000-memory.dmp

Filesize
264KB

Download
memory/2500-34-0x0000000000140000-0x0000000000188000-memory.dmp

Filesize
288KB

Download
memory/2500-35-0x0000000000080000-0x0000000000086000-memory.dmp

Filesize
24KB

Download
memory/2500-36-0x0000000000190000-0x0000000000196000-memory.dmp

Filesize
24KB

Download
memory/2500-42-0x0000000000080000-0x0000000000086000-memory.dmp

Filesize
24KB

Download
memory/2676-25-0x0000000001320000-0x0000000001362000-memory.dmp

Filesize
264KB

Download
memory/2676-14-0x00000000000E0000-0x0000000000128000-memory.dmp

Filesize
288KB

Download
memory/2676-15-0x0000000000290000-0x0000000000296000-memory.dmp

Filesize
24KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads