Analysis
- max time kernel: 149s
- max time network: 119s
- platform: windows7_x64
- resource: win7-20240419-en
- resource tags: arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
- submitted: 23-05-2024 01:38

Static task: static1

Behavioral task: behavioral1
- Sample: 6f2553f210ed8f1197dce823c8fa2610_NeikiAnalytics.exe
- Resource: win7-20240419-en

Behavioral task: behavioral2
- Sample: 6f2553f210ed8f1197dce823c8fa2610_NeikiAnalytics.exe
- Resource: win10v2004-20240508-en
General
- Target: 6f2553f210ed8f1197dce823c8fa2610_NeikiAnalytics.exe
- Size: 72KB
- MD5: 6f2553f210ed8f1197dce823c8fa2610
- SHA1: dd493659d3c6bd2c3c72425bafe500720459fc14
- SHA256: a1a8fd4e02e99b90ecba45fb655b97e41f18da54272a9dca8c9252c2862336db
- SHA512: 0d6b2ece364a5685e55b1c9e656cc0bfa7a6550ae4f456016a27e78655a5ebe41f772a9380ccd287cc2589566acda5456cf13c765efde094f453d6248b61d40b
- SSDEEP: 1536:xAyToPledgGkAlSt9yzkwUk6Nr5kEHIwA69:3hgRAlStYzkrJNFkEH99
Malware Config
Signatures
Windows security bypass
Processes: osridev.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600" (osridev.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "25600" (osridev.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600" (osridev.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600" (osridev.exe)
Modifies Installed Components in the registry (2 TTPs, 4 IoCs)
Processes: osridev.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5549424E-514e-4d41-5549-424E514E4d41} (osridev.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5549424E-514e-4d41-5549-424E514E4d41}\01234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123 = "a" (osridev.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5549424E-514e-4d41-5549-424E514E4d41}\IsInstalled = "1" (osridev.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5549424E-514e-4d41-5549-424E514E4d41}\StubPath = "C:\\Windows\\system32\\agduream-cooc.exe" (osridev.exe)
Sets file execution options in registry (2 TTPs, 3 IoCs)
Processes: osridev.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\0123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890 = "a" (osridev.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger = "C:\\Windows\\system32\\eavvoatead.exe" (osridev.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe (osridev.exe)
Executes dropped EXE (2 IoCs)
Processes: osridev.exe, osridev.exe
- pid 2184 osridev.exe
- pid 2380 osridev.exe
Loads dropped DLL (3 IoCs)
Processes: 6f2553f210ed8f1197dce823c8fa2610_NeikiAnalytics.exe, osridev.exe
- pid 2432 6f2553f210ed8f1197dce823c8fa2610_NeikiAnalytics.exe
- pid 2432 6f2553f210ed8f1197dce823c8fa2610_NeikiAnalytics.exe
- pid 2184 osridev.exe
Windows security modification
Processes: osridev.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "25600" (osridev.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600" (osridev.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600" (osridev.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600" (osridev.exe)
Modifies WinLogon (2 TTPs, 5 IoCs)
Processes: osridev.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\DLLName = "C:\\Windows\\system32\\eahgotem-itac.dll" (osridev.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\Startup = "Startup" (osridev.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B} (osridev.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify (osridev.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345 = "a" (osridev.exe)
Drops file in System32 directory (9 IoCs)
Processes: osridev.exe, 6f2553f210ed8f1197dce823c8fa2610_NeikiAnalytics.exe
- File opened for modification C:\Windows\SysWOW64\eavvoatead.exe (osridev.exe)
- File created C:\Windows\SysWOW64\eavvoatead.exe (osridev.exe)
- File opened for modification C:\Windows\SysWOW64\agduream-cooc.exe (osridev.exe)
- File created C:\Windows\SysWOW64\eahgotem-itac.dll (osridev.exe)
- File opened for modification C:\Windows\SysWOW64\osridev.exe (6f2553f210ed8f1197dce823c8fa2610_NeikiAnalytics.exe)
- File created C:\Windows\SysWOW64\osridev.exe (6f2553f210ed8f1197dce823c8fa2610_NeikiAnalytics.exe)
- File created C:\Windows\SysWOW64\agduream-cooc.exe (osridev.exe)
- File opened for modification C:\Windows\SysWOW64\eahgotem-itac.dll (osridev.exe)
- File opened for modification C:\Windows\SysWOW64\osridev.exe (osridev.exe)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: osridev.exe, osridev.exe
- pid 2184 osridev.exe (all entries except one; duplicate entries collapsed)
- pid 2380 osridev.exe (one entry)
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes: osridev.exe
- Token: SeDebugPrivilege, pid 2184 osridev.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes: 6f2553f210ed8f1197dce823c8fa2610_NeikiAnalytics.exe, osridev.exe
- PID 2432 (6f2553f210ed8f1197dce823c8fa2610_NeikiAnalytics.exe) wrote to memory of 2184 (osridev.exe), 4 entries
- PID 2184 (osridev.exe) wrote to memory of 432 (winlogon.exe), 1 entry
- PID 2184 (osridev.exe) wrote to memory of 1208 (Explorer.EXE), 2 entries
- PID 2184 (osridev.exe) wrote to memory of 2380 (osridev.exe), 4 entries
- PID 2184 (osridev.exe) wrote to memory of 1208 (Explorer.EXE), remaining entries (duplicate entries collapsed)
Processes
- C:\Windows\system32\winlogon.exe (winlogon.exe), depth 1
- C:\Windows\Explorer.EXE (C:\Windows\Explorer.EXE), depth 1
  - C:\Users\Admin\AppData\Local\Temp\6f2553f210ed8f1197dce823c8fa2610_NeikiAnalytics.exe, command line "C:\Users\Admin\AppData\Local\Temp\6f2553f210ed8f1197dce823c8fa2610_NeikiAnalytics.exe", depth 2
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\osridev.exe, command line "C:\Windows\SysWOW64\osridev.exe", depth 3
      - Windows security bypass
      - Modifies Installed Components in the registry
      - Sets file execution options in registry
      - Executes dropped EXE
      - Loads dropped DLL
      - Windows security modification
      - Modifies WinLogon
      - Drops file in System32 directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\osridev.exe, argument --k33p, depth 4
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Windows\SysWOW64\agduream-cooc.exe
  Filesize: 72KB
  MD5: 2fcf07608d6698a3b20b89ccc4983875
  SHA1: a24eed1378c89ad74f6058437edd60514dfd8d39
  SHA256: 51ed5f8e3f7d4a71b249f803d0e23f086347a0b87a72f71add98198d86ded5bf
  SHA512: 0a2bcf2e6b9e9678de946c23da0076b58721f6f24b38142fb59a876b7c475298aae11adfa42621a6ff249bc3c22d94d6ee3d28d2a5f64a27a6bc26a179f59faf
- C:\Windows\SysWOW64\eahgotem-itac.dll
  Filesize: 5KB
  MD5: f37b21c00fd81bd93c89ce741a88f183
  SHA1: b2796500597c68e2f5638e1101b46eaf32676c1c
  SHA256: 76cf016fd77cb5a06c6ed4674ddc2345e8390c010cf344491a6e742baf2c0fb0
  SHA512: 252fe66dea9a4b9aebc5fd2f24434719cb25159ba51549d9de407f44b6a2f7bce6e071be02c4f2ad6aef588c77f12c00ed415eb54f96dec1b077326e101ce0f4
- C:\Windows\SysWOW64\eavvoatead.exe
  Filesize: 73KB
  MD5: 62be2825f9b50811b32cf33752888b53
  SHA1: 8a8fc6d2aee27766dd04c89692707ee3e17312e4
  SHA256: f2901cef8547131a9a7b12a4ca4f07fa7295a92e62faf6c84931d6c6aae0371a
  SHA512: 5b2df29c37b221fe6a83320c349d017436f9538ae75d5b88e0261106f2d44f95d64390ca5b259bb31106549c9564a894dc0c336fd6e81164eb9ecc66056ba3dc
- \Windows\SysWOW64\osridev.exe
  Filesize: 70KB
  MD5: a6ecfcac40acf05f0792752f5b8ed694
  SHA1: 3bd5d0d0d5c92b8cb9f999b1a341005d04cce95c
  SHA256: 3e33dec04c9b7f01b83b1f6e8b19897b9c300db500e88cfad0a19b4ae6aedbb2
  SHA512: 79457cac4bba237cfc796202d4594f84b5e44a3684fd90866a012b79ed07dc0a96f415b696730f24c9e5191e8a39e224f3b924d44c555bfdb4c5fdd5474a4bb7
- memory/2184-53-0x0000000000400000-0x0000000000414000-memory.dmp
  Filesize: 80KB
- memory/2380-54-0x0000000000400000-0x0000000000414000-memory.dmp
  Filesize: 80KB
- memory/2432-7-0x0000000000400000-0x0000000000403000-memory.dmp
  Filesize: 12KB