fdb1e6c9bccc61b9e3bab5c1abd52c1040a03af9b8e3a04f74b2bc5b26f59cda

General

Target

6948989065a91523bb1aef817fa944d0_NeikiAnalytics.exe
Size

28KB
MD5

6948989065a91523bb1aef817fa944d0
SHA1

40ea2b260d7b250e23939e38fc19449f79138a17
SHA256

fdb1e6c9bccc61b9e3bab5c1abd52c1040a03af9b8e3a04f74b2bc5b26f59cda
SHA512

724fcaea3e1b2a19072c74e1330351ca04afd1f8efdca6ad00cbd24316866e660555bb9f31c4f4b3b97b5fe99b727583f8fbd1b1c4d912697b7ee4e9bec542ee
SSDEEP

768:PVEHJqjHyGvwFylDpulVSQJrE/2QmlCYZUNZ2G:PH2nylslwHCCLZ

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

rundll32.exe

pid process

2692 rundll32.exe
Loads dropped DLL 2 IoCs

Processes:

6948989065a91523bb1aef817fa944d0_NeikiAnalytics.exe

pid process

2196 6948989065a91523bb1aef817fa944d0_NeikiAnalytics.exe
2196 6948989065a91523bb1aef817fa944d0_NeikiAnalytics.exe

pid	process
2692	rundll32.exe

Modifies system executable filetype association 2 TTPs 5 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

Processes:

6948989065a91523bb1aef817fa944d0_NeikiAnalytics.exerundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*"	6948989065a91523bb1aef817fa944d0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*"	rundll32.exe
Key created	\REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command	6948989065a91523bb1aef817fa944d0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	6948989065a91523bb1aef817fa944d0_NeikiAnalytics.exe

Drops file in System32 directory 4 IoCs

Processes:

6948989065a91523bb1aef817fa944d0_NeikiAnalytics.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\¢«.exe	6948989065a91523bb1aef817fa944d0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\¢«.exe	6948989065a91523bb1aef817fa944d0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\notepad¢¬.exe	6948989065a91523bb1aef817fa944d0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\notepad¢¬.exe	6948989065a91523bb1aef817fa944d0_NeikiAnalytics.exe

Drops file in Windows directory 2 IoCs

Processes:

6948989065a91523bb1aef817fa944d0_NeikiAnalytics.exe

description	ioc	process
File opened for modification	C:\Windows\system\rundll32.exe	6948989065a91523bb1aef817fa944d0_NeikiAnalytics.exe
File created	C:\Windows\system\rundll32.exe	6948989065a91523bb1aef817fa944d0_NeikiAnalytics.exe

Modifies registry class 15 IoCs

Processes:

6948989065a91523bb1aef817fa944d0_NeikiAnalytics.exerundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*"	6948989065a91523bb1aef817fa944d0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\Classes\MSipv	rundll32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainUp = "1716426464"	rundll32.exe
Key created	\REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command	rundll32.exe
Key created	\REGISTRY\MACHINE\Software\Classes\MSipv	6948989065a91523bb1aef817fa944d0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command	6948989065a91523bb1aef817fa944d0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad.exe %1"	6948989065a91523bb1aef817fa944d0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad¢¬ %1"	6948989065a91523bb1aef817fa944d0_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainSetup = "1716426464"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	6948989065a91523bb1aef817fa944d0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\Classes\txtfile\shell\open\command	6948989065a91523bb1aef817fa944d0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad¢¬ %1"	rundll32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainVer = "506"	rundll32.exe
Key created	\REGISTRY\MACHINE\Software\Classes\txtfile\shell\open\command	rundll32.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

6948989065a91523bb1aef817fa944d0_NeikiAnalytics.exe

pid	process
2196	6948989065a91523bb1aef817fa944d0_NeikiAnalytics.exe
2196	6948989065a91523bb1aef817fa944d0_NeikiAnalytics.exe
2196	6948989065a91523bb1aef817fa944d0_NeikiAnalytics.exe
2196	6948989065a91523bb1aef817fa944d0_NeikiAnalytics.exe
2196	6948989065a91523bb1aef817fa944d0_NeikiAnalytics.exe
2196	6948989065a91523bb1aef817fa944d0_NeikiAnalytics.exe
2196	6948989065a91523bb1aef817fa944d0_NeikiAnalytics.exe
2196	6948989065a91523bb1aef817fa944d0_NeikiAnalytics.exe
2196	6948989065a91523bb1aef817fa944d0_NeikiAnalytics.exe
2196	6948989065a91523bb1aef817fa944d0_NeikiAnalytics.exe
2196	6948989065a91523bb1aef817fa944d0_NeikiAnalytics.exe
2196	6948989065a91523bb1aef817fa944d0_NeikiAnalytics.exe
2196	6948989065a91523bb1aef817fa944d0_NeikiAnalytics.exe
2196	6948989065a91523bb1aef817fa944d0_NeikiAnalytics.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

rundll32.exe

pid process

2692 rundll32.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

6948989065a91523bb1aef817fa944d0_NeikiAnalytics.exerundll32.exe

pid process

2196 6948989065a91523bb1aef817fa944d0_NeikiAnalytics.exe
2692 rundll32.exe
2692 rundll32.exe

pid	process
2692	rundll32.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

6948989065a91523bb1aef817fa944d0_NeikiAnalytics.exe

description	pid	process	target process
PID 2196 wrote to memory of 2692	2196	6948989065a91523bb1aef817fa944d0_NeikiAnalytics.exe	rundll32.exe
PID 2196 wrote to memory of 2692	2196	6948989065a91523bb1aef817fa944d0_NeikiAnalytics.exe	rundll32.exe
PID 2196 wrote to memory of 2692	2196	6948989065a91523bb1aef817fa944d0_NeikiAnalytics.exe	rundll32.exe
PID 2196 wrote to memory of 2692	2196	6948989065a91523bb1aef817fa944d0_NeikiAnalytics.exe	rundll32.exe
PID 2196 wrote to memory of 2692	2196	6948989065a91523bb1aef817fa944d0_NeikiAnalytics.exe	rundll32.exe
PID 2196 wrote to memory of 2692	2196	6948989065a91523bb1aef817fa944d0_NeikiAnalytics.exe	rundll32.exe
PID 2196 wrote to memory of 2692	2196	6948989065a91523bb1aef817fa944d0_NeikiAnalytics.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\6948989065a91523bb1aef817fa944d0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\6948989065a91523bb1aef817fa944d0_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Modifies system executable filetype association
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2196

C:\Windows\system\rundll32.exe
C:\Windows\system\rundll32.exe
2⤵
- Executes dropped EXE
- Modifies system executable filetype association
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

1

T1546

Change Default File Association

1

T1546.001

Privilege Escalation

Event Triggered Execution

1

T1546

Change Default File Association

1

T1546.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\notepad¢¬.exe

Filesize
28KB

MD5
8655cf6e883854932a86a148695407c6

SHA1
b1fd498c95fc42bdd37f4b2c86828b3be6d146e2

SHA256
bb252bdb53428eedb04a70dd6b81e911bb5de1589b007332b86c87132741f5d7

SHA512
c2b735c9c7039e4f355839e550c195c3a7f4e55e7ce669fd81ace54a56167315dac87967f3ffe828cd489aa9f15aa46ce38a826e87a995b88e250fe3a3550520

Download Submit
\Windows\system\rundll32.exe

Filesize
31KB

MD5
9930c20949f2e2f91cd92cdc036b3915

SHA1
0ab1e915e8f2505a5e0b71a0c595b475edb24c0c

SHA256
e364eb052bfbf42434f309ffe1c6aed5cd70b20e9d4e7cee5f377948cb67802a

SHA512
e92707d4376cdddf9335470c843985eb41a68402d7b4130df70ec688c5ca2b7a59919fdfa3b84f336a0e0e392cd657a85ab7b2359ab1150e6d43306fcabcf8cd

Download Submit
memory/2196-0-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2196-16-0x0000000000350000-0x0000000000365000-memory.dmp

Filesize
84KB

Download
memory/2196-14-0x0000000000350000-0x0000000000365000-memory.dmp

Filesize
84KB

Download
memory/2196-21-0x0000000000350000-0x0000000000356000-memory.dmp

Filesize
24KB

Download
memory/2196-20-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2692-26-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2692-24-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2692-25-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2692-22-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2692-27-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2692-28-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2692-29-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2692-30-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2692-31-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2692-32-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2692-33-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2692-34-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2692-35-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads