Analysis
- max time kernel: 141s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20240419-en
- resource tags: arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
- submitted: 23-05-2024 21:18
Behavioral task: behavioral1
Sample: 8be482bcf68d63264a05be9609c947d0_NeikiAnalytics.exe
Resource: win7-20240419-en
General
- Target: 8be482bcf68d63264a05be9609c947d0_NeikiAnalytics.exe
- Size: 504KB
- MD5: 8be482bcf68d63264a05be9609c947d0
- SHA1: f77f6a0bca5cc8ca6dc61b2879c0206223218d6e
- SHA256: aa59eb46bae7e3596d4077f90d0e761347f231483a381b12c63e81a54381eef5
- SHA512: 482e93c2fd1fe301b2d3a74ae069be0916aae96010cc99e8ec82f7fc60a485eb25e860dd22d1039bab928d05e12785c39d9288cf64c1a07be18fc1e0f3bf0f51
- SSDEEP: 12288:tPmTkT0+nXTv1d5Jo/H4a6ZeUOHFVS9Qg:Vmo4IXhd81rS
Malware Config
Signatures
Executes dropped EXE (3 IoCs)
Processes:
- PID 2752 Explorrer.exe
- PID 2576 Explorrer.exe
- PID 1700 Explorrer.exe
Loads dropped DLL (4 IoCs)
Processes:
- PID 2584 8be482bcf68d63264a05be9609c947d0_NeikiAnalytics.exe
- PID 2584 8be482bcf68d63264a05be9609c947d0_NeikiAnalytics.exe
- PID 2172 regsvr32.exe
- PID 1916 regsvr32.exe
Resources matching YARA rule upx
Processes:
- behavioral1/memory/1860-0-0x0000000000400000-0x000000000049C000-memory.dmp (yara_rule: upx)
- behavioral1/memory/1860-3-0x0000000000400000-0x000000000049C000-memory.dmp (yara_rule: upx)
- behavioral1/memory/1860-4-0x0000000000400000-0x000000000049C000-memory.dmp (yara_rule: upx)
- behavioral1/memory/1860-25-0x0000000000400000-0x000000000049C000-memory.dmp (yara_rule: upx)
- behavioral1/memory/1860-26-0x0000000000400000-0x000000000049C000-memory.dmp (yara_rule: upx)
- behavioral1/memory/2752-37-0x0000000000400000-0x000000000049C000-memory.dmp (yara_rule: upx)
- C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe (yara_rule: upx)
- behavioral1/memory/2752-41-0x0000000000400000-0x000000000049C000-memory.dmp (yara_rule: upx)
- behavioral1/memory/2752-83-0x0000000000400000-0x000000000049C000-memory.dmp (yara_rule: upx)
- behavioral1/memory/2752-95-0x0000000000400000-0x000000000049C000-memory.dmp (yara_rule: upx)
- behavioral1/memory/2752-67-0x0000000000400000-0x000000000049C000-memory.dmp (yara_rule: upx)
Adds Run key to start application (2 TTPs, 1 IoCs)
Processes:
- reg.exe: Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Explorrer = "C:\\Users\\Admin\\AppData\\Roaming\\AppsData\\Explorrer.exe -notray"
Installs/modifies Browser Helper Object (2 TTPs, 2 IoCs)
BHOs are DLL modules which act as plugins for Internet Explorer.
Processes:
- regsvr32.exe: Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DE274C2C-2133-4B4B-93B3-8F21486DABC0}
- regsvr32.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{DE274C2C-2133-4B4B-93B3-8F21486DABC0}\NoExplorer = "1"
Suspicious use of SetThreadContext (3 IoCs)
Processes:
- PID 1860 8be482bcf68d63264a05be9609c947d0_NeikiAnalytics.exe set thread context of PID 2584 8be482bcf68d63264a05be9609c947d0_NeikiAnalytics.exe
- PID 2752 Explorrer.exe set thread context of PID 2576 Explorrer.exe
- PID 2752 Explorrer.exe set thread context of PID 1700 Explorrer.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Gathers network information (2 TTPs, 1 IoCs)
Uses commandline utility to view network configuration.
Processes:
- PID 1588 ipconfig.exe
Modifies Internet Explorer settings
Processes:
- Explorrer.exe: Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Approved Extensions
- Explorrer.exe: Set value (data) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Approved Extensions\{3543619C-D563-43f7-95EA-4DA7E1CC396A} = 51667a6c4c1d3b1b003ad2d87fc9ac0780c431c2a3933e7f
Modifies registry class (5 IoCs)
Processes:
- regsvr32.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DE274C2C-2133-4B4B-93B3-8F21486DABC0}\ = "IE MANAGER"
- regsvr32.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DE274C2C-2133-4B4B-93B3-8F21486DABC0}\InProcServer32
- regsvr32.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DE274C2C-2133-4B4B-93B3-8F21486DABC0}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\IE\\bho.dll"
- regsvr32.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DE274C2C-2133-4B4B-93B3-8F21486DABC0}\InProcServer32\ThreadingModel = "Apartment"
- regsvr32.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DE274C2C-2133-4B4B-93B3-8F21486DABC0}
Modifies registry key (1 TTPs, 1 IoCs)
Suspicious use of SetWindowsHookEx (4 IoCs)
Processes:
- PID 1860 8be482bcf68d63264a05be9609c947d0_NeikiAnalytics.exe
- PID 2584 8be482bcf68d63264a05be9609c947d0_NeikiAnalytics.exe
- PID 2752 Explorrer.exe
- PID 2576 Explorrer.exe
Suspicious use of WriteProcessMemory (62 IoCs)
Processes (source PID and process, target PID and process, number of write events):
- PID 1860 8be482bcf68d63264a05be9609c947d0_NeikiAnalytics.exe wrote to memory of PID 2584 8be482bcf68d63264a05be9609c947d0_NeikiAnalytics.exe (9 events)
- PID 2584 8be482bcf68d63264a05be9609c947d0_NeikiAnalytics.exe wrote to memory of PID 2752 Explorrer.exe (4 events)
- PID 2752 Explorrer.exe wrote to memory of PID 2576 Explorrer.exe (9 events)
- PID 2752 Explorrer.exe wrote to memory of PID 1700 Explorrer.exe (12 events)
- PID 2576 Explorrer.exe wrote to memory of PID 1588 ipconfig.exe (6 events)
- PID 1588 ipconfig.exe wrote to memory of PID 1216 cmd.exe (4 events)
- PID 1216 cmd.exe wrote to memory of PID 1604 reg.exe (4 events)
- PID 1700 Explorrer.exe wrote to memory of PID 2172 regsvr32.exe (7 events)
- PID 1700 Explorrer.exe wrote to memory of PID 1916 regsvr32.exe (7 events)
Processes (process tree; indentation shows parent/child depth)
- [depth 1] C:\Users\Admin\AppData\Local\Temp\8be482bcf68d63264a05be9609c947d0_NeikiAnalytics.exe (PID 1860)
  Command line: "C:\Users\Admin\AppData\Local\Temp\8be482bcf68d63264a05be9609c947d0_NeikiAnalytics.exe"
  Signatures: Suspicious use of SetThreadContext; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  - [depth 2] C:\Users\Admin\AppData\Local\Temp\8be482bcf68d63264a05be9609c947d0_NeikiAnalytics.exe (PID 2584)
    Command line: "C:\Users\Admin\AppData\Local\Temp\8be482bcf68d63264a05be9609c947d0_NeikiAnalytics.exe"
    Signatures: Loads dropped DLL; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    - [depth 3] C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe (PID 2752)
      Command line: C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe -notray
      Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
      - [depth 4] C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe (PID 2576)
        Command line: "C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe"
        Signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
        - [depth 5] C:\Windows\SysWOW64\ipconfig.exe (PID 1588)
          Command line: "C:\Windows\system32\ipconfig.exe"
          Signatures: Gathers network information; Suspicious use of WriteProcessMemory
          - [depth 6] C:\Windows\SysWOW64\cmd.exe (PID 1216)
            Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\GUQSWUXI.bat" "
            Signatures: Suspicious use of WriteProcessMemory
            - [depth 7] C:\Windows\SysWOW64\reg.exe (PID 1604)
              Command line: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Explorrer /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe -notray" /f
              Signatures: Adds Run key to start application; Modifies registry key
      - [depth 4] C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe (PID 1700)
        Command line: "C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe"
        Signatures: Executes dropped EXE; Modifies Internet Explorer settings; Suspicious use of WriteProcessMemory
        - [depth 5] C:\Windows\SysWOW64\regsvr32.exe (PID 2172)
          Command line: regsvr32.exe /u /s "C:\Users\Admin\AppData\Roaming\IE\bho.dll"
          Signatures: Loads dropped DLL
        - [depth 5] C:\Windows\SysWOW64\regsvr32.exe (PID 1916)
          Command line: regsvr32.exe /s "C:\Users\Admin\AppData\Roaming\IE\bho.dll"
          Signatures: Loads dropped DLL; Installs/modifies Browser Helper Object; Modifies registry class
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 153B
  MD5: 02cbdd547ced25f8f7dc814d9169d567
  SHA1: fc9697d828dcda615f6edd3e49a55b9307dbd311
  SHA256: ec250cdf89523b18688d45fdc11bc93e46547a574ef59e03426c098f6b887c07
  SHA512: cec1b6c5d843408e3cb6345a3430d8469a07c09677e1bd4c522c41ee29dbd941236a8dd9963410c69a165f3913c30aa22cfd206e51a59b9ffd160c38e70cfe3f
- Filesize: 504KB
  MD5: d4fc158b6bf8f9dc66e0a347f686f673
  SHA1: fc86b99a7ee6c58a2afce37f586328473793ad4f
  SHA256: f42452f214339c8dcaf7070d83d3139598d12dc262625b200c788c317e51b13c
  SHA512: 2c096ff5967b403a3f1159a050b87de5c226d81929864dff15c0f75c336f5df45c9d9fd127b96d33686a59b8bce60e717e0ba43489e132266d7fb973b5f13631
- Filesize: 87KB
  MD5: 49a92a33d1775b45b3bd45f8bec24585
  SHA1: ea404af50bbdad5cbc9f95f4068bdc30c9fceff6
  SHA256: 976540cf1b4d04d80be1f1af8ea0f050c3f03a0a8c4e339589b7bb9180fc07f5
  SHA512: 7d5c4ea5c6f950a41bff386289df88b3f6d78444d7eeaa8a426569ce7698c2dfa916ae02d321af2be839c20e53b2ba9b3bb6a1573cad3b578733b082f0dc292f