ffb375afca402076edd2ac48d39f014c47534ac39028d636dc4781db327e7610

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23/05/2024, 10:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a579c32b527899088bc7e8c014809270_NeikiAnalytics.exe
Size

215KB
MD5

a579c32b527899088bc7e8c014809270
SHA1

90d9897aca200ad69eb22bc8162e39992cdc02f9
SHA256

ffb375afca402076edd2ac48d39f014c47534ac39028d636dc4781db327e7610
SHA512

7744b6b69f6721ff9850c23ea49d20cf2fe3bba39ced74ce3c476e47dc4dc4bc4b80b1e50563121ed0e3e14b403880653fc76c21df5c99f3f8c0cb6fef3d5269
SSDEEP

6144:4JcxlKhSGoqTecGy9+hAu7//QnSrMhcZEp:4S8hbTiyqA4QnSQhcZ8

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3676	svchost.exe

Modifies WinLogon 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\2a772840 = "C:\\Windows\\apppatch\\svchost.exe"	a579c32b527899088bc7e8c014809270_NeikiAnalytics.exe

Drops file in Program Files directory 35 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Defender\vocyzit.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\gatyfus.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\pupycag.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\qetyfuv.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\lyxynyx.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\symbols\dll\wntdll.pdb	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\wntdll.pdb	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\dll\wrpcrt4.pdb	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\dll\winsta.pdb	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\wkernel32.pdb	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\symbols\dll\wkernelbase.pdb	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\symbols\dll\wrpcrt4.pdb	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\pupydeq.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\galynuh.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\wkernelbase.pdb	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\symbols\dll\WinSCard.pdb	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\DLL\wkernel32.pdb	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\symbols\DLL\wkernel32.pdb	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\wrpcrt4.pdb	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\WinSCard.pdb	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\dll\WinSCard.pdb	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\qegyval.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\dll\wkernelbase.pdb	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\symbols\dll\winsta.pdb	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\dll\wntdll.pdb	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\vonypom.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\galyqaz.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\gadyciz.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\lymyxid.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\lygyvuj.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\gahyhiz.com	svchost.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\winsta.pdb	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\qexyhuv.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\vofycot.com	svchost.exe
File created	C:\Program Files (x86)\Windows Defender\qetyhyg.com	svchost.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\apppatch\svchost.exe	a579c32b527899088bc7e8c014809270_NeikiAnalytics.exe
File opened for modification	C:\Windows\apppatch\svchost.exe	a579c32b527899088bc7e8c014809270_NeikiAnalytics.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings\MuiCache	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3676	svchost.exe
3676	svchost.exe
3676	svchost.exe
3676	svchost.exe
3676	svchost.exe
3676	svchost.exe
3676	svchost.exe
3676	svchost.exe
3676	svchost.exe
3676	svchost.exe
3676	svchost.exe
3676	svchost.exe
3676	svchost.exe
3676	svchost.exe
3676	svchost.exe
3676	svchost.exe
3676	svchost.exe
3676	svchost.exe
3676	svchost.exe
3676	svchost.exe
3676	svchost.exe
3676	svchost.exe
3676	svchost.exe
3676	svchost.exe
3676	svchost.exe
3676	svchost.exe
3676	svchost.exe
3676	svchost.exe
3676	svchost.exe
3676	svchost.exe
3676	svchost.exe
3676	svchost.exe
3676	svchost.exe
3676	svchost.exe
3676	svchost.exe
3676	svchost.exe
3676	svchost.exe
3676	svchost.exe
3676	svchost.exe
3676	svchost.exe
3676	svchost.exe
3676	svchost.exe
3676	svchost.exe
3676	svchost.exe
3676	svchost.exe
3676	svchost.exe
3676	svchost.exe
3676	svchost.exe
3676	svchost.exe
3676	svchost.exe
3676	svchost.exe
3676	svchost.exe
3676	svchost.exe
3676	svchost.exe
3676	svchost.exe
3676	svchost.exe
3676	svchost.exe
3676	svchost.exe
3676	svchost.exe
3676	svchost.exe
3676	svchost.exe
3676	svchost.exe
3676	svchost.exe
3676	svchost.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1488	a579c32b527899088bc7e8c014809270_NeikiAnalytics.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeSecurityPrivilege	1488	a579c32b527899088bc7e8c014809270_NeikiAnalytics.exe
Token: SeSecurityPrivilege	1488	a579c32b527899088bc7e8c014809270_NeikiAnalytics.exe
Token: SeSecurityPrivilege	3676	svchost.exe
Token: SeSecurityPrivilege	3676	svchost.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1488 wrote to memory of 3676	1488	a579c32b527899088bc7e8c014809270_NeikiAnalytics.exe	83
PID 1488 wrote to memory of 3676	1488	a579c32b527899088bc7e8c014809270_NeikiAnalytics.exe	83
PID 1488 wrote to memory of 3676	1488	a579c32b527899088bc7e8c014809270_NeikiAnalytics.exe	83

C:\Users\Admin\AppData\Local\Temp\a579c32b527899088bc7e8c014809270_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\a579c32b527899088bc7e8c014809270_NeikiAnalytics.exe"
1⤵
- Modifies WinLogon
- Drops file in Windows directory
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1488
- C:\Windows\apppatch\svchost.exe
  "C:\Windows\apppatch\svchost.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Low\IE\BHBL2VZ2\login[1].htm

Filesize
168B

MD5
d57e3a550060f85d44a175139ea23021

SHA1
2c5cb3428a322c9709a34d04dd86fe7628f8f0a6

SHA256
43edf068d34276e8ade4113d4d7207de19fc98a2ae1c07298e593edae2a8774c

SHA512
0364fe6a010fce7a3f4a6344c84468c64b20fd131f3160fc649db78f1075ba52d8a1c4496e50dbe27c357e01ee52e94cdcda8f7927cba28d5f2f45b9da690063

Download Submit
C:\Windows\apppatch\svchost.exe

Filesize
215KB

MD5
98efe848b1c6abba7c9dff0197afbed0

SHA1
fa34c5ea9423c565b4d1fd4582eb3302326aa999

SHA256
61beacb0272adf9c91d8c8cb86503ff9fd466f2d8272b9e592e4dd48a923a301

SHA512
3eee1a991c2914a56de036791113250fc8fa5630b3e14d92d363603c764f7013bb32bb56cef8d7fade901f918368348a1646b118dd3e7bcd6021f0f53cd08c67

Download Submit
memory/1488-0-0x0000000000620000-0x0000000000623000-memory.dmp

Filesize
12KB

Download
memory/1488-1-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1488-12-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1488-15-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1488-14-0x0000000000620000-0x0000000000623000-memory.dmp

Filesize
12KB

Download
memory/3676-16-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/3676-17-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/3676-18-0x0000000002A00000-0x0000000002AAA000-memory.dmp

Filesize
680KB

Download
memory/3676-19-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/3676-20-0x0000000002BB0000-0x0000000002C67000-memory.dmp

Filesize
732KB

Download
memory/3676-24-0x0000000002BB0000-0x0000000002C67000-memory.dmp

Filesize
732KB

Download
memory/3676-22-0x0000000002BB0000-0x0000000002C67000-memory.dmp

Filesize
732KB

Download
memory/3676-25-0x0000000002BB0000-0x0000000002C67000-memory.dmp

Filesize
732KB

Download
memory/3676-76-0x0000000002BB0000-0x0000000002C67000-memory.dmp

Filesize
732KB

Download
memory/3676-82-0x0000000002BB0000-0x0000000002C67000-memory.dmp

Filesize
732KB

Download
memory/3676-81-0x0000000002BB0000-0x0000000002C67000-memory.dmp

Filesize
732KB

Download
memory/3676-80-0x0000000002BB0000-0x0000000002C67000-memory.dmp

Filesize
732KB

Download
memory/3676-79-0x0000000002BB0000-0x0000000002C67000-memory.dmp

Filesize
732KB

Download
memory/3676-78-0x0000000002BB0000-0x0000000002C67000-memory.dmp

Filesize
732KB

Download
memory/3676-77-0x0000000002BB0000-0x0000000002C67000-memory.dmp

Filesize
732KB

Download
memory/3676-75-0x0000000002BB0000-0x0000000002C67000-memory.dmp

Filesize
732KB

Download
memory/3676-74-0x0000000002BB0000-0x0000000002C67000-memory.dmp

Filesize
732KB

Download
memory/3676-72-0x0000000002BB0000-0x0000000002C67000-memory.dmp

Filesize
732KB

Download
memory/3676-71-0x0000000002BB0000-0x0000000002C67000-memory.dmp

Filesize
732KB

Download
memory/3676-70-0x0000000002BB0000-0x0000000002C67000-memory.dmp

Filesize
732KB

Download
memory/3676-69-0x0000000002BB0000-0x0000000002C67000-memory.dmp

Filesize
732KB

Download
memory/3676-68-0x0000000002BB0000-0x0000000002C67000-memory.dmp

Filesize
732KB

Download
memory/3676-67-0x0000000002BB0000-0x0000000002C67000-memory.dmp

Filesize
732KB

Download
memory/3676-66-0x0000000002BB0000-0x0000000002C67000-memory.dmp

Filesize
732KB

Download
memory/3676-65-0x0000000002BB0000-0x0000000002C67000-memory.dmp

Filesize
732KB

Download
memory/3676-64-0x0000000002BB0000-0x0000000002C67000-memory.dmp

Filesize
732KB

Download
memory/3676-63-0x0000000002BB0000-0x0000000002C67000-memory.dmp

Filesize
732KB

Download
memory/3676-62-0x0000000002BB0000-0x0000000002C67000-memory.dmp

Filesize
732KB

Download
memory/3676-61-0x0000000002BB0000-0x0000000002C67000-memory.dmp

Filesize
732KB

Download
memory/3676-60-0x0000000002BB0000-0x0000000002C67000-memory.dmp

Filesize
732KB

Download
memory/3676-59-0x0000000002BB0000-0x0000000002C67000-memory.dmp

Filesize
732KB

Download
memory/3676-57-0x0000000002BB0000-0x0000000002C67000-memory.dmp

Filesize
732KB

Download
memory/3676-56-0x0000000002BB0000-0x0000000002C67000-memory.dmp

Filesize
732KB

Download
memory/3676-55-0x0000000002BB0000-0x0000000002C67000-memory.dmp

Filesize
732KB

Download
memory/3676-53-0x0000000002BB0000-0x0000000002C67000-memory.dmp

Filesize
732KB

Download
memory/3676-52-0x0000000002BB0000-0x0000000002C67000-memory.dmp

Filesize
732KB

Download
memory/3676-51-0x0000000002BB0000-0x0000000002C67000-memory.dmp

Filesize
732KB

Download
memory/3676-50-0x0000000002BB0000-0x0000000002C67000-memory.dmp

Filesize
732KB

Download
memory/3676-48-0x0000000002BB0000-0x0000000002C67000-memory.dmp

Filesize
732KB

Download
memory/3676-47-0x0000000002BB0000-0x0000000002C67000-memory.dmp

Filesize
732KB

Download
memory/3676-46-0x0000000002BB0000-0x0000000002C67000-memory.dmp

Filesize
732KB

Download
memory/3676-45-0x0000000002BB0000-0x0000000002C67000-memory.dmp

Filesize
732KB

Download
memory/3676-44-0x0000000002BB0000-0x0000000002C67000-memory.dmp

Filesize
732KB

Download
memory/3676-43-0x0000000002BB0000-0x0000000002C67000-memory.dmp

Filesize
732KB

Download
memory/3676-42-0x0000000002BB0000-0x0000000002C67000-memory.dmp

Filesize
732KB

Download
memory/3676-41-0x0000000002BB0000-0x0000000002C67000-memory.dmp

Filesize
732KB

Download
memory/3676-40-0x0000000002BB0000-0x0000000002C67000-memory.dmp

Filesize
732KB

Download
memory/3676-39-0x0000000002BB0000-0x0000000002C67000-memory.dmp

Filesize
732KB

Download
memory/3676-38-0x0000000002BB0000-0x0000000002C67000-memory.dmp

Filesize
732KB

Download
memory/3676-37-0x0000000002BB0000-0x0000000002C67000-memory.dmp

Filesize
732KB

Download
memory/3676-36-0x0000000002BB0000-0x0000000002C67000-memory.dmp

Filesize
732KB

Download
memory/3676-35-0x0000000002BB0000-0x0000000002C67000-memory.dmp

Filesize
732KB

Download
memory/3676-33-0x0000000002BB0000-0x0000000002C67000-memory.dmp

Filesize
732KB

Download
memory/3676-32-0x0000000002BB0000-0x0000000002C67000-memory.dmp

Filesize
732KB

Download
memory/3676-31-0x0000000002BB0000-0x0000000002C67000-memory.dmp

Filesize
732KB

Download
memory/3676-29-0x0000000002BB0000-0x0000000002C67000-memory.dmp

Filesize
732KB

Download
memory/3676-26-0x0000000002BB0000-0x0000000002C67000-memory.dmp

Filesize
732KB

Download
memory/3676-27-0x0000000002BB0000-0x0000000002C67000-memory.dmp

Filesize
732KB

Download
memory/3676-73-0x0000000002BB0000-0x0000000002C67000-memory.dmp

Filesize
732KB

Download
memory/3676-58-0x0000000002BB0000-0x0000000002C67000-memory.dmp

Filesize
732KB

Download
memory/3676-54-0x0000000002BB0000-0x0000000002C67000-memory.dmp

Filesize
732KB

Download
memory/3676-49-0x0000000002BB0000-0x0000000002C67000-memory.dmp

Filesize
732KB

Download
memory/3676-34-0x0000000002BB0000-0x0000000002C67000-memory.dmp

Filesize
732KB

Download
memory/3676-28-0x0000000002BB0000-0x0000000002C67000-memory.dmp

Filesize
732KB

Download