Analysis
  max time kernel:   144s
  max time network:  125s
  platform:          windows10-2004_x64
  resource:          win10v2004-20240426-en
  resource tags:     arch:x64 arch:x86 image:win10v2004-20240426-en locale:en-us os:windows10-2004-x64 system
  submitted:         23-05-2024 21:18
Behavioral task: behavioral1
  Sample:    8be482bcf68d63264a05be9609c947d0_NeikiAnalytics.exe
  Resource:  win7-20240419-en
General
  Target:  8be482bcf68d63264a05be9609c947d0_NeikiAnalytics.exe
  Size:    504KB
  MD5:     8be482bcf68d63264a05be9609c947d0
  SHA1:    f77f6a0bca5cc8ca6dc61b2879c0206223218d6e
  SHA256:  aa59eb46bae7e3596d4077f90d0e761347f231483a381b12c63e81a54381eef5
  SHA512:  482e93c2fd1fe301b2d3a74ae069be0916aae96010cc99e8ec82f7fc60a485eb25e860dd22d1039bab928d05e12785c39d9288cf64c1a07be18fc1e0f3bf0f51
  SSDEEP:  12288:tPmTkT0+nXTv1d5Jo/H4a6ZeUOHFVS9Qg:Vmo4IXhd81rS
Malware Config
Signatures
Executes dropped EXE (3 IoCs)
Processes:
  pid   process
  4600  Explorrer.exe
  4088  Explorrer.exe
  4544  Explorrer.exe
Loads dropped DLL (2 IoCs)
Processes:
  pid   process
  220   regsvr32.exe
  112   regsvr32.exe
YARA rule hits (rule: upx)
Processes:
  resource                                                                    yara_rule
  behavioral2/memory/460-0-0x0000000000400000-0x000000000049C000-memory.dmp   upx
  behavioral2/memory/460-3-0x0000000000400000-0x000000000049C000-memory.dmp   upx
  behavioral2/memory/460-13-0x0000000000400000-0x000000000049C000-memory.dmp  upx
  behavioral2/memory/4600-21-0x0000000000400000-0x000000000049C000-memory.dmp upx
  C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe                       upx
  behavioral2/memory/4600-27-0x0000000000400000-0x000000000049C000-memory.dmp upx
  behavioral2/memory/4600-33-0x0000000000400000-0x000000000049C000-memory.dmp upx
  behavioral2/memory/4600-49-0x0000000000400000-0x000000000049C000-memory.dmp upx
  behavioral2/memory/4600-38-0x0000000000400000-0x000000000049C000-memory.dmp upx
Installs/modifies Browser Helper Object (2 TTPs, 2 IoCs)
BHOs are DLL modules which act as plugins for Internet Explorer.
Processes:
  description      ioc                                                                                                                                                    process
  Key created      \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DE274C2C-2133-4B4B-93B3-8F21486DABC0}              regsvr32.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DE274C2C-2133-4B4B-93B3-8F21486DABC0}\NoExplorer = "1"  regsvr32.exe
Suspicious use of SetThreadContext (3 IoCs)
Processes:
  description                           pid   process                                               target process
  PID 460 set thread context of 2796    460   8be482bcf68d63264a05be9609c947d0_NeikiAnalytics.exe   8be482bcf68d63264a05be9609c947d0_NeikiAnalytics.exe
  PID 4600 set thread context of 4088   4600  Explorrer.exe                                         Explorrer.exe
  PID 4600 set thread context of 4544   4600  Explorrer.exe                                         Explorrer.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Program crash (1 IoCs)
Processes:
  pid   pid_target  process       target process
  716   1996        WerFault.exe  ipconfig.exe
Gathers network information (2 TTPs, 1 IoCs)
Uses a command-line utility to view the network configuration.
Processes:
  pid   process
  1996  ipconfig.exe
Modifies Internet Explorer settings
Processes:
  description       ioc                                                                                                                                                                        process
  Key created       \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Software\Microsoft\Internet Explorer\Approved Extensions                                                       Explorrer.exe
  Set value (data)  \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Internet Explorer\Approved Extensions\{3543619C-D563-43f7-95EA-4DA7E1CC396A} = 51667a6c4c1d3b1b003ad2d87fc9ac0780c431c2a3933e7f  Explorrer.exe
Modifies registry class (5 IoCs)
Processes:
  description      ioc                                                                                                                                              process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DE274C2C-2133-4B4B-93B3-8F21486DABC0}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\IE\\bho.dll"  regsvr32.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DE274C2C-2133-4B4B-93B3-8F21486DABC0}\InProcServer32\ThreadingModel = "Apartment"                          regsvr32.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DE274C2C-2133-4B4B-93B3-8F21486DABC0}                                                                      regsvr32.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DE274C2C-2133-4B4B-93B3-8F21486DABC0}\ = "IE MANAGER"                                                      regsvr32.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DE274C2C-2133-4B4B-93B3-8F21486DABC0}\InProcServer32                                                       regsvr32.exe
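The two regsvr32 signatures above (the Browser Helper Objects registration key and the CLSID\InProcServer32 entries that point at a DLL under %APPDATA%\IE) are the registry artifacts a responder would sweep other hosts for. The PowerShell below is an added triage check written for this page, not part of the sandbox report or of the sample: it enumerates every BHO registered in the machine and user hives (32-bit and 64-bit views), resolves each CLSID to its in-process DLL, and flags DLLs that live under a user profile, are missing from disk, or carry no valid Authenticode signature. The registry paths are the standard Internet Explorer BHO and CLSID locations; the `Suspicious` heuristic and the output columns are the editor's own choices, so tune them to your estate.

```powershell
# Added example (editor's triage code, not from the sandbox or the sample):
# list registered Internet Explorer BHOs, resolve the InProcServer32 DLL behind
# each CLSID and flag the ones that look like the %APPDATA%\IE\bho.dll pattern.

$bhoKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)
# CLSID roots searched, in order, to resolve a BHO GUID to its DLL.
$clsidRoots = @(
    'HKLM:\SOFTWARE\Classes\CLSID',
    'HKLM:\SOFTWARE\Classes\WOW6432Node\CLSID',
    'HKCU:\SOFTWARE\Classes\CLSID'
)

function Get-SuspiciousBho {
    foreach ($bhoKey in $bhoKeys) {
        if (-not (Test-Path $bhoKey)) { continue }
        foreach ($entry in Get-ChildItem $bhoKey) {
            $clsid      = $entry.PSChildName
            $noExplorer = (Get-ItemProperty $entry.PSPath -ErrorAction SilentlyContinue).NoExplorer
            $dll = $null; $name = $null
            foreach ($root in $clsidRoots) {
                $clsidKey = Join-Path $root $clsid
                if (Test-Path "$clsidKey\InProcServer32") {
                    # The default value of InProcServer32 is the DLL path COM will load.
                    $dll  = (Get-ItemProperty "$clsidKey\InProcServer32").'(default)'
                    $name = (Get-ItemProperty $clsidKey -ErrorAction SilentlyContinue).'(default)'
                    break
                }
            }
            $reasons = @()
            if (-not $dll) {
                $reasons += 'no InProcServer32 found for CLSID'
            } else {
                $expanded = [Environment]::ExpandEnvironmentVariables($dll)
                # Heuristic (editor's choice): legitimate BHOs ship under Program Files
                # or System32, not under a user profile such as %APPDATA%.
                if ($expanded -match '^[A-Za-z]:\\Users\\') { $reasons += 'DLL under a user profile' }
                if (-not (Test-Path $expanded)) {
                    $reasons += 'DLL missing on disk'
                } else {
                    $sig = Get-AuthenticodeSignature -FilePath $expanded -ErrorAction SilentlyContinue
                    if (-not $sig -or $sig.Status -ne 'Valid') { $reasons += 'no valid Authenticode signature' }
                }
            }
            [pscustomobject]@{
                Hive       = $bhoKey
                CLSID      = $clsid
                Name       = $name
                Dll        = $dll
                NoExplorer = $noExplorer
                Suspicious = ($reasons.Count -gt 0)
                Reasons    = ($reasons -join '; ')
            }
        }
    }
}

# Usage: show every BHO, suspicious ones first.
Get-SuspiciousBho | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

Run it in an elevated 64-bit PowerShell so both the native and the WOW6432Node views are readable. On a host hit by this sample the expected row is the CLSID {DE274C2C-2133-4B4B-93B3-8F21486DABC0} named "IE MANAGER" with its DLL under C:\Users\<user>\AppData\Roaming\IE\bho.dll; an unsigned DLL under a user profile is the combination worth escalating regardless of whether the GUID matches.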
Suspicious use of SetWindowsHookEx (4 IoCs)
Processes:
  pid   process
  460   8be482bcf68d63264a05be9609c947d0_NeikiAnalytics.exe
  2796  8be482bcf68d63264a05be9609c947d0_NeikiAnalytics.exe
  4600  Explorrer.exe
  4088  Explorrer.exe
Suspicious use of WriteProcessMemory (43 IoCs)
Processes (identical rows collapsed; the count column gives how many times each write was recorded):
  description                         pid   process                                               target process                                        count
  PID 460 wrote to memory of 2796     460   8be482bcf68d63264a05be9609c947d0_NeikiAnalytics.exe   8be482bcf68d63264a05be9609c947d0_NeikiAnalytics.exe   8
  PID 2796 wrote to memory of 4600    2796  8be482bcf68d63264a05be9609c947d0_NeikiAnalytics.exe   Explorrer.exe                                         3
  PID 4600 wrote to memory of 4088    4600  Explorrer.exe                                         Explorrer.exe                                         8
  PID 4600 wrote to memory of 4544    4600  Explorrer.exe                                         Explorrer.exe                                         13
  PID 4088 wrote to memory of 1996    4088  Explorrer.exe                                         ipconfig.exe                                          5
  PID 4544 wrote to memory of 220     4544  Explorrer.exe                                         regsvr32.exe                                          3
  PID 4544 wrote to memory of 112     4544  Explorrer.exe                                         regsvr32.exe                                          3
Processes (tree; indentation gives the parent/child depth)
- C:\Users\Admin\AppData\Local\Temp\8be482bcf68d63264a05be9609c947d0_NeikiAnalytics.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\8be482bcf68d63264a05be9609c947d0_NeikiAnalytics.exe"
  PID: 460
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\8be482bcf68d63264a05be9609c947d0_NeikiAnalytics.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\8be482bcf68d63264a05be9609c947d0_NeikiAnalytics.exe"
    PID: 2796
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe
      Command line: C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe -notray
      PID: 4600
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe
        Command line: "C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe"
        PID: 4088
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\ipconfig.exe
          Command line: "C:\Windows\system32\ipconfig.exe"
          PID: 1996
          - Gathers network information
          - C:\Windows\SysWOW64\WerFault.exe
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1996 -s 272
            PID: 716
            - Program crash
      - C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe
        Command line: "C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe"
        PID: 4544
        - Executes dropped EXE
        - Modifies Internet Explorer settings
        - Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\regsvr32.exe
          Command line: regsvr32.exe /u /s "C:\Users\Admin\AppData\Roaming\IE\bho.dll"
          PID: 220
          - Loads dropped DLL
        - C:\Windows\SysWOW64\regsvr32.exe
          Command line: regsvr32.exe /s "C:\Users\Admin\AppData\Roaming\IE\bho.dll"
          PID: 112
          - Loads dropped DLL
          - Installs/modifies Browser Helper Object
          - Modifies registry class
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1996 -ip 1996
  PID: 4940
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize:  504KB
  MD5:       52655b32ac350f61e86e26ded74dafcf
  SHA1:      cd0473d1b6241cf6e87369edfc7c46f34878f7d2
  SHA256:    c3a6e70a31781036b668c693f124e8b134edb7de5c3819764375b501440b1cbc
  SHA512:    c2271ef44b46924492cff6482915cb63bf0d71d770f99ff23beb7bcc86343ba73746d3a0c5438ee721541d2e48dfc17ecf21ffc6dbe19d5369e9c028806e93e6
- Filesize:  87KB
  MD5:       49a92a33d1775b45b3bd45f8bec24585
  SHA1:      ea404af50bbdad5cbc9f95f4068bdc30c9fceff6
  SHA256:    976540cf1b4d04d80be1f1af8ea0f050c3f03a0a8c4e339589b7bb9180fc07f5
  SHA512:    7d5c4ea5c6f950a41bff386289df88b3f6d78444d7eeaa8a426569ce7698c2dfa916ae02d321af2be839c20e53b2ba9b3bb6a1573cad3b578733b082f0dc292f