89fdd5776b9f12d824f5d85beaefa86c0b04f867e6f6762ee777c4a03ded0f5d

General

Target

682f9775d4b35e1d1ffd5fa44d01ad50_NeikiAnalytics.exe
Size

97KB
MD5

682f9775d4b35e1d1ffd5fa44d01ad50
SHA1

78661c6ae0aa7d768b2992c03d3438ce06c29254
SHA256

89fdd5776b9f12d824f5d85beaefa86c0b04f867e6f6762ee777c4a03ded0f5d
SHA512

6a2010055020dae7178acc4d15e632d5595d9ce693e2ee570f016eb965e7a790d7224be09898ceea5b6e17e264b44bee41935eb97b0c03594c4c678ce4e8d4c8
SSDEEP

3072:W6Ccn27mUC7AdYzrV+Dljy/32ubwZZqJ:W6Ccn2xCkdYzrVolu/J0ZZ

Score

7^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 3 IoCs

Processes:

WindowsService.exeWindowsService.exeWindowsService.exe

pid process

2528 WindowsService.exe
2952 WindowsService.exe
112 WindowsService.exe

pid	process
2528	WindowsService.exe
2952	WindowsService.exe
112	WindowsService.exe

Loads dropped DLL 5 IoCs

Processes:

682f9775d4b35e1d1ffd5fa44d01ad50_NeikiAnalytics.exe

pid	process
2680	682f9775d4b35e1d1ffd5fa44d01ad50_NeikiAnalytics.exe
2680	682f9775d4b35e1d1ffd5fa44d01ad50_NeikiAnalytics.exe
2680	682f9775d4b35e1d1ffd5fa44d01ad50_NeikiAnalytics.exe
2680	682f9775d4b35e1d1ffd5fa44d01ad50_NeikiAnalytics.exe
2680	682f9775d4b35e1d1ffd5fa44d01ad50_NeikiAnalytics.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2852-0-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/memory/2852-286-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/memory/2680-448-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/2852-447-0x0000000000400000-0x000000000043B000-memory.dmp	upx
\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe	upx
behavioral1/memory/2528-489-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/memory/2952-1038-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/2528-1040-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/memory/2680-1043-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/2952-1048-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\sidebar = "C:\\Users\\Admin\\AppData\\Roaming\\SystemWindows\\WindowsService.exe"	reg.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

682f9775d4b35e1d1ffd5fa44d01ad50_NeikiAnalytics.exeWindowsService.exe

description	pid	process	target process
PID 2852 set thread context of 2680	2852	682f9775d4b35e1d1ffd5fa44d01ad50_NeikiAnalytics.exe	682f9775d4b35e1d1ffd5fa44d01ad50_NeikiAnalytics.exe
PID 2528 set thread context of 2952	2528	WindowsService.exe	WindowsService.exe
PID 2528 set thread context of 112	2528	WindowsService.exe	WindowsService.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

WindowsService.exe

description	pid	process
Token: SeDebugPrivilege	2952	WindowsService.exe
Token: SeDebugPrivilege	2952	WindowsService.exe
Token: SeDebugPrivilege	2952	WindowsService.exe
Token: SeDebugPrivilege	2952	WindowsService.exe
Token: SeDebugPrivilege	2952	WindowsService.exe
Token: SeDebugPrivilege	2952	WindowsService.exe
Token: SeDebugPrivilege	2952	WindowsService.exe
Token: SeDebugPrivilege	2952	WindowsService.exe
Token: SeDebugPrivilege	2952	WindowsService.exe
Token: SeDebugPrivilege	2952	WindowsService.exe
Token: SeDebugPrivilege	2952	WindowsService.exe
Token: SeDebugPrivilege	2952	WindowsService.exe
Token: SeDebugPrivilege	2952	WindowsService.exe
Token: SeDebugPrivilege	2952	WindowsService.exe
Token: SeDebugPrivilege	2952	WindowsService.exe
Token: SeDebugPrivilege	2952	WindowsService.exe
Token: SeDebugPrivilege	2952	WindowsService.exe
Token: SeDebugPrivilege	2952	WindowsService.exe
Token: SeDebugPrivilege	2952	WindowsService.exe
Token: SeDebugPrivilege	2952	WindowsService.exe
Token: SeDebugPrivilege	2952	WindowsService.exe
Token: SeDebugPrivilege	2952	WindowsService.exe
Token: SeDebugPrivilege	2952	WindowsService.exe
Token: SeDebugPrivilege	2952	WindowsService.exe
Token: SeDebugPrivilege	2952	WindowsService.exe
Token: SeDebugPrivilege	2952	WindowsService.exe
Token: SeDebugPrivilege	2952	WindowsService.exe
Token: SeDebugPrivilege	2952	WindowsService.exe
Token: SeDebugPrivilege	2952	WindowsService.exe
Token: SeDebugPrivilege	2952	WindowsService.exe
Token: SeDebugPrivilege	2952	WindowsService.exe
Token: SeDebugPrivilege	2952	WindowsService.exe
Token: SeDebugPrivilege	2952	WindowsService.exe
Token: SeDebugPrivilege	2952	WindowsService.exe
Token: SeDebugPrivilege	2952	WindowsService.exe
Token: SeDebugPrivilege	2952	WindowsService.exe
Token: SeDebugPrivilege	2952	WindowsService.exe
Token: SeDebugPrivilege	2952	WindowsService.exe
Token: SeDebugPrivilege	2952	WindowsService.exe
Token: SeDebugPrivilege	2952	WindowsService.exe
Token: SeDebugPrivilege	2952	WindowsService.exe
Token: SeDebugPrivilege	2952	WindowsService.exe
Token: SeDebugPrivilege	2952	WindowsService.exe
Token: SeDebugPrivilege	2952	WindowsService.exe
Token: SeDebugPrivilege	2952	WindowsService.exe
Token: SeDebugPrivilege	2952	WindowsService.exe
Token: SeDebugPrivilege	2952	WindowsService.exe
Token: SeDebugPrivilege	2952	WindowsService.exe
Token: SeDebugPrivilege	2952	WindowsService.exe
Token: SeDebugPrivilege	2952	WindowsService.exe
Token: SeDebugPrivilege	2952	WindowsService.exe
Token: SeDebugPrivilege	2952	WindowsService.exe
Token: SeDebugPrivilege	2952	WindowsService.exe
Token: SeDebugPrivilege	2952	WindowsService.exe
Token: SeDebugPrivilege	2952	WindowsService.exe
Token: SeDebugPrivilege	2952	WindowsService.exe
Token: SeDebugPrivilege	2952	WindowsService.exe
Token: SeDebugPrivilege	2952	WindowsService.exe
Token: SeDebugPrivilege	2952	WindowsService.exe
Token: SeDebugPrivilege	2952	WindowsService.exe
Token: SeDebugPrivilege	2952	WindowsService.exe
Token: SeDebugPrivilege	2952	WindowsService.exe
Token: SeDebugPrivilege	2952	WindowsService.exe
Token: SeDebugPrivilege	2952	WindowsService.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

682f9775d4b35e1d1ffd5fa44d01ad50_NeikiAnalytics.exe682f9775d4b35e1d1ffd5fa44d01ad50_NeikiAnalytics.exeWindowsService.exeWindowsService.exe

pid	process
2852	682f9775d4b35e1d1ffd5fa44d01ad50_NeikiAnalytics.exe
2680	682f9775d4b35e1d1ffd5fa44d01ad50_NeikiAnalytics.exe
2528	WindowsService.exe
2952	WindowsService.exe

Suspicious use of WriteProcessMemory 41 IoCs

Processes:

682f9775d4b35e1d1ffd5fa44d01ad50_NeikiAnalytics.exe682f9775d4b35e1d1ffd5fa44d01ad50_NeikiAnalytics.execmd.exeWindowsService.exe

description	pid	process	target process
PID 2852 wrote to memory of 2680	2852	682f9775d4b35e1d1ffd5fa44d01ad50_NeikiAnalytics.exe	682f9775d4b35e1d1ffd5fa44d01ad50_NeikiAnalytics.exe
PID 2852 wrote to memory of 2680	2852	682f9775d4b35e1d1ffd5fa44d01ad50_NeikiAnalytics.exe	682f9775d4b35e1d1ffd5fa44d01ad50_NeikiAnalytics.exe
PID 2852 wrote to memory of 2680	2852	682f9775d4b35e1d1ffd5fa44d01ad50_NeikiAnalytics.exe	682f9775d4b35e1d1ffd5fa44d01ad50_NeikiAnalytics.exe
PID 2852 wrote to memory of 2680	2852	682f9775d4b35e1d1ffd5fa44d01ad50_NeikiAnalytics.exe	682f9775d4b35e1d1ffd5fa44d01ad50_NeikiAnalytics.exe
PID 2852 wrote to memory of 2680	2852	682f9775d4b35e1d1ffd5fa44d01ad50_NeikiAnalytics.exe	682f9775d4b35e1d1ffd5fa44d01ad50_NeikiAnalytics.exe
PID 2852 wrote to memory of 2680	2852	682f9775d4b35e1d1ffd5fa44d01ad50_NeikiAnalytics.exe	682f9775d4b35e1d1ffd5fa44d01ad50_NeikiAnalytics.exe
PID 2852 wrote to memory of 2680	2852	682f9775d4b35e1d1ffd5fa44d01ad50_NeikiAnalytics.exe	682f9775d4b35e1d1ffd5fa44d01ad50_NeikiAnalytics.exe
PID 2852 wrote to memory of 2680	2852	682f9775d4b35e1d1ffd5fa44d01ad50_NeikiAnalytics.exe	682f9775d4b35e1d1ffd5fa44d01ad50_NeikiAnalytics.exe
PID 2680 wrote to memory of 2580	2680	682f9775d4b35e1d1ffd5fa44d01ad50_NeikiAnalytics.exe	cmd.exe
PID 2680 wrote to memory of 2580	2680	682f9775d4b35e1d1ffd5fa44d01ad50_NeikiAnalytics.exe	cmd.exe
PID 2680 wrote to memory of 2580	2680	682f9775d4b35e1d1ffd5fa44d01ad50_NeikiAnalytics.exe	cmd.exe
PID 2680 wrote to memory of 2580	2680	682f9775d4b35e1d1ffd5fa44d01ad50_NeikiAnalytics.exe	cmd.exe
PID 2580 wrote to memory of 2540	2580	cmd.exe	reg.exe
PID 2580 wrote to memory of 2540	2580	cmd.exe	reg.exe
PID 2580 wrote to memory of 2540	2580	cmd.exe	reg.exe
PID 2580 wrote to memory of 2540	2580	cmd.exe	reg.exe
PID 2680 wrote to memory of 2528	2680	682f9775d4b35e1d1ffd5fa44d01ad50_NeikiAnalytics.exe	WindowsService.exe
PID 2680 wrote to memory of 2528	2680	682f9775d4b35e1d1ffd5fa44d01ad50_NeikiAnalytics.exe	WindowsService.exe
PID 2680 wrote to memory of 2528	2680	682f9775d4b35e1d1ffd5fa44d01ad50_NeikiAnalytics.exe	WindowsService.exe
PID 2680 wrote to memory of 2528	2680	682f9775d4b35e1d1ffd5fa44d01ad50_NeikiAnalytics.exe	WindowsService.exe
PID 2528 wrote to memory of 2952	2528	WindowsService.exe	WindowsService.exe
PID 2528 wrote to memory of 2952	2528	WindowsService.exe	WindowsService.exe
PID 2528 wrote to memory of 2952	2528	WindowsService.exe	WindowsService.exe
PID 2528 wrote to memory of 2952	2528	WindowsService.exe	WindowsService.exe
PID 2528 wrote to memory of 2952	2528	WindowsService.exe	WindowsService.exe
PID 2528 wrote to memory of 2952	2528	WindowsService.exe	WindowsService.exe
PID 2528 wrote to memory of 2952	2528	WindowsService.exe	WindowsService.exe
PID 2528 wrote to memory of 2952	2528	WindowsService.exe	WindowsService.exe
PID 2528 wrote to memory of 112	2528	WindowsService.exe	WindowsService.exe
PID 2528 wrote to memory of 112	2528	WindowsService.exe	WindowsService.exe
PID 2528 wrote to memory of 112	2528	WindowsService.exe	WindowsService.exe
PID 2528 wrote to memory of 112	2528	WindowsService.exe	WindowsService.exe
PID 2528 wrote to memory of 112	2528	WindowsService.exe	WindowsService.exe
PID 2528 wrote to memory of 112	2528	WindowsService.exe	WindowsService.exe
PID 2528 wrote to memory of 112	2528	WindowsService.exe	WindowsService.exe
PID 2528 wrote to memory of 112	2528	WindowsService.exe	WindowsService.exe
PID 2528 wrote to memory of 112	2528	WindowsService.exe	WindowsService.exe
PID 2528 wrote to memory of 112	2528	WindowsService.exe	WindowsService.exe
PID 2528 wrote to memory of 112	2528	WindowsService.exe	WindowsService.exe
PID 2528 wrote to memory of 112	2528	WindowsService.exe	WindowsService.exe
PID 2528 wrote to memory of 112	2528	WindowsService.exe	WindowsService.exe

C:\Users\Admin\AppData\Local\Temp\682f9775d4b35e1d1ffd5fa44d01ad50_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\682f9775d4b35e1d1ffd5fa44d01ad50_NeikiAnalytics.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2852

C:\Users\Admin\AppData\Local\Temp\682f9775d4b35e1d1ffd5fa44d01ad50_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\682f9775d4b35e1d1ffd5fa44d01ad50_NeikiAnalytics.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2680

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\KXENX.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:2580

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "sidebar" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe" /f
4⤵
- Adds Run key to start application
PID:2540

C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe
"C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2528

C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe
"C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2952

C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe
"C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe"
4⤵
- Executes dropped EXE
PID:112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\KXENX.bat

Filesize
157B

MD5
f6a90c20834f271a907a4e2bc28184c2

SHA1
36c9d1602b74f622346fbb22693597d7889df48d

SHA256
73f29cd953eee40cea4de67842556ffd96efe8094a6a9b70f33a35df2582febd

SHA512
39cabae19fe1faa37455e4bd242c868be60d6252b07f01224b3f7501c3cf734e503300b840d83381a452707cab6df2f95f920655884be56d4024676b26943804

Download Submit
\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe

Filesize
97KB

MD5
5df3f4f4083d46f9268737e30317deaa

SHA1
6cc3672c0f8df72a3b79cc9ed5f091d957f08ec0

SHA256
d83bf972d0840cf3f495945cb58610a0893d64dd2bfebe9a775e5db30d0cee9e

SHA512
7a9df6019190ecdcaef2c5f864fe1c1fb97e27ca2bed05e30512839bee69231f7bfa5ce53b27cf7a6dc8034d921ea4c975854eebcd05aa4007ce1649d6b94fe8

Download Submit
memory/2528-1040-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2528-489-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2680-1043-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2680-488-0x00000000034D0000-0x000000000350B000-memory.dmp

Filesize
236KB

Download
memory/2680-448-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2852-285-0x0000000000408000-0x0000000000409000-memory.dmp

Filesize
4KB

Download
memory/2852-447-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2852-430-0x0000000002AB0000-0x0000000002AEB000-memory.dmp

Filesize
236KB

Download
memory/2852-0-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2852-286-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2852-3-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2952-1038-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2952-1048-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads