a74ac0c7d7fb6cd65da9ac876b069734e92d72d4f89c86b4d861249e7420d9b6

General

Target

7e10d13974d9c5f68d5cb197235336e0_NeikiAnalytics.exe
Size

35KB
MD5

7e10d13974d9c5f68d5cb197235336e0
SHA1

22c96dcd039358dc03e540158caf208374bebd22
SHA256

a74ac0c7d7fb6cd65da9ac876b069734e92d72d4f89c86b4d861249e7420d9b6
SHA512

1168549a3fae6473780e346e98ac6e9fcec4a4367c2a1d2137b81069efc2c0227a03bd7a8b830e3d37e537850468aec1cd706fb67e9ecd9c1d8c334770ccfbce
SSDEEP

768:M3EVdV0YXY/nckNsWheCNSdd57Do5utsp1TOIIIwjkkvvv7:lVdm5/nprh3Ny57guSTOjvvvv7

Score

8^/10

evasion upx

Malware Config

Signatures

Sets file to hidden 1 TTPs 1 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
2976	attrib.exe

Deletes itself 1 IoCs

pid	Process
3024	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
3060	iuyhost.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2940-0-0x0000000000400000-0x0000000000417000-memory.dmp	upx
behavioral1/files/0x000d000000012324-3.dat	upx
behavioral1/memory/3060-5-0x0000000000400000-0x0000000000417000-memory.dmp	upx
behavioral1/memory/2940-6-0x0000000000400000-0x0000000000417000-memory.dmp	upx
behavioral1/memory/3060-7-0x0000000000400000-0x0000000000417000-memory.dmp	upx
behavioral1/memory/3060-13-0x0000000000400000-0x0000000000417000-memory.dmp	upx
behavioral1/memory/3060-16-0x0000000000400000-0x0000000000417000-memory.dmp	upx
behavioral1/memory/3060-19-0x0000000000400000-0x0000000000417000-memory.dmp	upx

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\Debug\iuyhost.exe	7e10d13974d9c5f68d5cb197235336e0_NeikiAnalytics.exe
File opened for modification	C:\Windows\Debug\iuyhost.exe	7e10d13974d9c5f68d5cb197235336e0_NeikiAnalytics.exe
File opened for modification	C:\Windows\Debug\iuyhost.exe	attrib.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	iuyhost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	iuyhost.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2940	7e10d13974d9c5f68d5cb197235336e0_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2940 wrote to memory of 2976	2940	7e10d13974d9c5f68d5cb197235336e0_NeikiAnalytics.exe	28
PID 2940 wrote to memory of 2976	2940	7e10d13974d9c5f68d5cb197235336e0_NeikiAnalytics.exe	28
PID 2940 wrote to memory of 2976	2940	7e10d13974d9c5f68d5cb197235336e0_NeikiAnalytics.exe	28
PID 2940 wrote to memory of 2976	2940	7e10d13974d9c5f68d5cb197235336e0_NeikiAnalytics.exe	28
PID 2940 wrote to memory of 3024	2940	7e10d13974d9c5f68d5cb197235336e0_NeikiAnalytics.exe	31
PID 2940 wrote to memory of 3024	2940	7e10d13974d9c5f68d5cb197235336e0_NeikiAnalytics.exe	31
PID 2940 wrote to memory of 3024	2940	7e10d13974d9c5f68d5cb197235336e0_NeikiAnalytics.exe	31
PID 2940 wrote to memory of 3024	2940	7e10d13974d9c5f68d5cb197235336e0_NeikiAnalytics.exe	31

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2976	attrib.exe

C:\Users\Admin\AppData\Local\Temp\7e10d13974d9c5f68d5cb197235336e0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\7e10d13974d9c5f68d5cb197235336e0_NeikiAnalytics.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2940
- C:\Windows\SysWOW64\attrib.exe
  attrib +a +s +h +r C:\Windows\Debug\iuyhost.exe
  2⤵
  - Sets file to hidden
  - Drops file in Windows directory
  - Views/modifies file attributes
  PID:2976
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\7E10D1~1.EXE > nul
  2⤵
  - Deletes itself
  PID:3024

C:\Windows\Debug\iuyhost.exe
C:\Windows\Debug\iuyhost.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
PID:3060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

2

T1564

Hidden Files and Directories

2

T1564.001

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Debug\iuyhost.exe

Filesize
35KB

MD5
145b4e42210dabbd40196176624fccd3

SHA1
3e552045ff0a1c1766ba6f9902bb394a3733602d

SHA256
d13372619516cbe5389c983061ff2b4f4adf593cf8ded8e7b8dad99c52523219

SHA512
7d6763782d32d68745676bb1c60a6978b6b10f3b07b78b58e615996b5c2a04c28f3d994aa89f158e036f0cf972a2d197d2b17c64a8403b3317bd5cafe3672ffc

Download Submit
memory/2940-0-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2940-6-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3060-5-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3060-7-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3060-13-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3060-16-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3060-19-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads