191f6053a78bb7af69a99aae5b9d5a9783ffaaf0f843a82c0472e344726ca31b

General

Target

76b7e3f0f938c907c53f48929977c4f0_NeikiAnalytics.exe
Size

120KB
MD5

76b7e3f0f938c907c53f48929977c4f0
SHA1

4e95cfeaabd7cde4d19f36bc4455f04cdee25859
SHA256

191f6053a78bb7af69a99aae5b9d5a9783ffaaf0f843a82c0472e344726ca31b
SHA512

03523e04beb5d616fcbd49166c5b9a72180af2bacd209d39ac99b571523d35386162c76202c93ead05d9f3babf38fd964ea9a887588907ef874f3d4cb097c72e
SSDEEP

1536:tGGoyZeUJ1REmoiHl7gRNq27ddDhJmRjfFp6jhQh8bA0zb69ZeqpZj2jMhuysesJ:tG8l1mmvFKnAjfFQLA0zbPq36jRNEa

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

76b7e3f0f938c907c53f48929977c4f0_NeikiAnalytics.exepoeera.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	76b7e3f0f938c907c53f48929977c4f0_NeikiAnalytics.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	poeera.exe

Executes dropped EXE 1 IoCs

Processes:

poeera.exe

pid process

1328 poeera.exe
Loads dropped DLL 2 IoCs

Processes:

76b7e3f0f938c907c53f48929977c4f0_NeikiAnalytics.exe

pid process

2020 76b7e3f0f938c907c53f48929977c4f0_NeikiAnalytics.exe
2020 76b7e3f0f938c907c53f48929977c4f0_NeikiAnalytics.exe

pid	process
1328	poeera.exe

Adds Run key to start application 2 TTPs 53 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

poeera.exe76b7e3f0f938c907c53f48929977c4f0_NeikiAnalytics.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\poeera = "C:\\Users\\Admin\\poeera.exe /G"	poeera.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\poeera = "C:\\Users\\Admin\\poeera.exe /r"	poeera.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\poeera = "C:\\Users\\Admin\\poeera.exe /Z"	poeera.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\poeera = "C:\\Users\\Admin\\poeera.exe /Y"	poeera.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\poeera = "C:\\Users\\Admin\\poeera.exe /e"	poeera.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\poeera = "C:\\Users\\Admin\\poeera.exe /w"	poeera.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\poeera = "C:\\Users\\Admin\\poeera.exe /u"	poeera.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\poeera = "C:\\Users\\Admin\\poeera.exe /j"	poeera.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\poeera = "C:\\Users\\Admin\\poeera.exe /y"	poeera.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\poeera = "C:\\Users\\Admin\\poeera.exe /X"	poeera.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\poeera = "C:\\Users\\Admin\\poeera.exe /q"	poeera.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\poeera = "C:\\Users\\Admin\\poeera.exe /W"	poeera.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\poeera = "C:\\Users\\Admin\\poeera.exe /v"	poeera.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\poeera = "C:\\Users\\Admin\\poeera.exe /b"	poeera.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\poeera = "C:\\Users\\Admin\\poeera.exe /S"	poeera.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\poeera = "C:\\Users\\Admin\\poeera.exe /i"	poeera.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\poeera = "C:\\Users\\Admin\\poeera.exe /E"	poeera.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\poeera = "C:\\Users\\Admin\\poeera.exe /O"	poeera.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\poeera = "C:\\Users\\Admin\\poeera.exe /d"	poeera.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\poeera = "C:\\Users\\Admin\\poeera.exe /Q"	poeera.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\poeera = "C:\\Users\\Admin\\poeera.exe /H"	poeera.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\poeera = "C:\\Users\\Admin\\poeera.exe /K"	poeera.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\poeera = "C:\\Users\\Admin\\poeera.exe /x"	poeera.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\poeera = "C:\\Users\\Admin\\poeera.exe /t"	poeera.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\poeera = "C:\\Users\\Admin\\poeera.exe /P"	poeera.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\poeera = "C:\\Users\\Admin\\poeera.exe /I"	poeera.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\poeera = "C:\\Users\\Admin\\poeera.exe /p"	poeera.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\poeera = "C:\\Users\\Admin\\poeera.exe /F"	poeera.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\poeera = "C:\\Users\\Admin\\poeera.exe /g"	poeera.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\poeera = "C:\\Users\\Admin\\poeera.exe /N"	poeera.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\poeera = "C:\\Users\\Admin\\poeera.exe /L"	poeera.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\poeera = "C:\\Users\\Admin\\poeera.exe /C"	poeera.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\poeera = "C:\\Users\\Admin\\poeera.exe /N"	76b7e3f0f938c907c53f48929977c4f0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\poeera = "C:\\Users\\Admin\\poeera.exe /M"	poeera.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\poeera = "C:\\Users\\Admin\\poeera.exe /D"	poeera.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\poeera = "C:\\Users\\Admin\\poeera.exe /f"	poeera.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\poeera = "C:\\Users\\Admin\\poeera.exe /k"	poeera.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\poeera = "C:\\Users\\Admin\\poeera.exe /A"	poeera.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\poeera = "C:\\Users\\Admin\\poeera.exe /o"	poeera.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\poeera = "C:\\Users\\Admin\\poeera.exe /z"	poeera.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\poeera = "C:\\Users\\Admin\\poeera.exe /T"	poeera.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\poeera = "C:\\Users\\Admin\\poeera.exe /R"	poeera.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\poeera = "C:\\Users\\Admin\\poeera.exe /V"	poeera.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\poeera = "C:\\Users\\Admin\\poeera.exe /J"	poeera.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\poeera = "C:\\Users\\Admin\\poeera.exe /l"	poeera.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\poeera = "C:\\Users\\Admin\\poeera.exe /a"	poeera.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\poeera = "C:\\Users\\Admin\\poeera.exe /n"	poeera.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\poeera = "C:\\Users\\Admin\\poeera.exe /m"	poeera.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\poeera = "C:\\Users\\Admin\\poeera.exe /h"	poeera.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\poeera = "C:\\Users\\Admin\\poeera.exe /s"	poeera.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\poeera = "C:\\Users\\Admin\\poeera.exe /c"	poeera.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\poeera = "C:\\Users\\Admin\\poeera.exe /U"	poeera.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\poeera = "C:\\Users\\Admin\\poeera.exe /B"	poeera.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

76b7e3f0f938c907c53f48929977c4f0_NeikiAnalytics.exepoeera.exe

pid	process
2020	76b7e3f0f938c907c53f48929977c4f0_NeikiAnalytics.exe
1328	poeera.exe
1328	poeera.exe
1328	poeera.exe
1328	poeera.exe
1328	poeera.exe
1328	poeera.exe
1328	poeera.exe
1328	poeera.exe
1328	poeera.exe
1328	poeera.exe
1328	poeera.exe
1328	poeera.exe
1328	poeera.exe
1328	poeera.exe
1328	poeera.exe
1328	poeera.exe
1328	poeera.exe
1328	poeera.exe
1328	poeera.exe
1328	poeera.exe
1328	poeera.exe
1328	poeera.exe
1328	poeera.exe
1328	poeera.exe
1328	poeera.exe
1328	poeera.exe
1328	poeera.exe
1328	poeera.exe
1328	poeera.exe
1328	poeera.exe
1328	poeera.exe
1328	poeera.exe
1328	poeera.exe
1328	poeera.exe
1328	poeera.exe
1328	poeera.exe
1328	poeera.exe
1328	poeera.exe
1328	poeera.exe
1328	poeera.exe
1328	poeera.exe
1328	poeera.exe
1328	poeera.exe
1328	poeera.exe
1328	poeera.exe
1328	poeera.exe
1328	poeera.exe
1328	poeera.exe
1328	poeera.exe
1328	poeera.exe
1328	poeera.exe
1328	poeera.exe
1328	poeera.exe
1328	poeera.exe
1328	poeera.exe
1328	poeera.exe
1328	poeera.exe
1328	poeera.exe
1328	poeera.exe
1328	poeera.exe
1328	poeera.exe
1328	poeera.exe
1328	poeera.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

76b7e3f0f938c907c53f48929977c4f0_NeikiAnalytics.exepoeera.exe

pid process

2020 76b7e3f0f938c907c53f48929977c4f0_NeikiAnalytics.exe
1328 poeera.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

76b7e3f0f938c907c53f48929977c4f0_NeikiAnalytics.exe

description	pid	process	target process
PID 2020 wrote to memory of 1328	2020	76b7e3f0f938c907c53f48929977c4f0_NeikiAnalytics.exe	poeera.exe
PID 2020 wrote to memory of 1328	2020	76b7e3f0f938c907c53f48929977c4f0_NeikiAnalytics.exe	poeera.exe
PID 2020 wrote to memory of 1328	2020	76b7e3f0f938c907c53f48929977c4f0_NeikiAnalytics.exe	poeera.exe
PID 2020 wrote to memory of 1328	2020	76b7e3f0f938c907c53f48929977c4f0_NeikiAnalytics.exe	poeera.exe

C:\Users\Admin\AppData\Local\Temp\76b7e3f0f938c907c53f48929977c4f0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\76b7e3f0f938c907c53f48929977c4f0_NeikiAnalytics.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2020

C:\Users\Admin\poeera.exe
"C:\Users\Admin\poeera.exe"
2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1328

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Hide Artifacts

1

T1564

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\poeera.exe
Filesize
120KB

MD5
dc375674739effe8758c0f671c21e837

SHA1
8529a90810cc0c0a19c9da3df28e4dc62d2421b3

SHA256
6c3a790801f4b60537a3344620aa81226b996b817d62e570effe6cfdd56e61c5

SHA512
2bb1d3f2080a0dee3bdac379fdbcb554716ff8d29a3b9738ada91ad72215996d1c0eebbbcba642a4a97e993d095fcd603eff2f3eaf1e295917d6b450243f569b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads