2f2b8a9d7ddb5e0359795b58d1fdb90210014c36e73b4cf81dfbe505ae706d3a

General

Target

a7ddef8e86cbeb4abf075993d29dc720_NeikiAnalytics.exe
Size

980KB
MD5

a7ddef8e86cbeb4abf075993d29dc720
SHA1

c29df781901dfb92217cc929c6123c58d977cf65
SHA256

2f2b8a9d7ddb5e0359795b58d1fdb90210014c36e73b4cf81dfbe505ae706d3a
SHA512

48f492edf94937b28dfb6a8a9f3233c6fe04f20e31a78b87a97a98458a4e609d07eeb6e3f99c5755d75ec0a6c42a524c3aa093de774addf5f384bcdace2a6830
SSDEEP

24576:qp1Xxj4znVE7jKtEefA88gAAlGpi5YoMbSmn9NmmFVH6rEH7I:ytAVhtEF88gAXp9oK9Nmqa

Score

9^/10

Malware Config

Signatures

Nirsoft 1 IoCs

resource	yara_rule
behavioral1/files/0x0006000000015cf5-31.dat	Nirsoft

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x000c00000001227b-2.dat	acprotect

Executes dropped EXE 1 IoCs

pid	Process
2652	EcMenu_x64.exe

Loads dropped DLL 3 IoCs

pid	Process
2236	a7ddef8e86cbeb4abf075993d29dc720_NeikiAnalytics.exe
2772	a7ddef8e86cbeb4abf075993d29dc720_NeikiAnalytics.exe
2772	a7ddef8e86cbeb4abf075993d29dc720_NeikiAnalytics.exe

UPX packed file 16 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2236-0-0x0000000000400000-0x000000000043D000-memory.dmp	upx
behavioral1/files/0x000c00000001227b-2.dat	upx
behavioral1/memory/2236-4-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2772-29-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2772-28-0x0000000000400000-0x000000000043D000-memory.dmp	upx
behavioral1/memory/2236-25-0x00000000003C0000-0x00000000003FD000-memory.dmp	upx
behavioral1/memory/2236-44-0x0000000000400000-0x000000000043D000-memory.dmp	upx
behavioral1/memory/2772-47-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2772-46-0x0000000000400000-0x000000000043D000-memory.dmp	upx
behavioral1/memory/2236-45-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2236-50-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2236-52-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2236-59-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2236-65-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2236-73-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2236-77-0x0000000010000000-0x0000000010030000-memory.dmp	upx

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Desktop.ini	a7ddef8e86cbeb4abf075993d29dc720_NeikiAnalytics.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Desktop.ini	a7ddef8e86cbeb4abf075993d29dc720_NeikiAnalytics.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\e:	a7ddef8e86cbeb4abf075993d29dc720_NeikiAnalytics.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	\??\c:\program files\common files\system\symsrv.dll.000	a7ddef8e86cbeb4abf075993d29dc720_NeikiAnalytics.exe
File created	C:\Program Files\Common Files\System\symsrv.dll	a7ddef8e86cbeb4abf075993d29dc720_NeikiAnalytics.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2236	a7ddef8e86cbeb4abf075993d29dc720_NeikiAnalytics.exe
2652	EcMenu_x64.exe
2236	a7ddef8e86cbeb4abf075993d29dc720_NeikiAnalytics.exe
2236	a7ddef8e86cbeb4abf075993d29dc720_NeikiAnalytics.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2652	EcMenu_x64.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2236	a7ddef8e86cbeb4abf075993d29dc720_NeikiAnalytics.exe
Token: SeDebugPrivilege	2772	a7ddef8e86cbeb4abf075993d29dc720_NeikiAnalytics.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2652	EcMenu_x64.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2236 wrote to memory of 2772	2236	a7ddef8e86cbeb4abf075993d29dc720_NeikiAnalytics.exe	28
PID 2236 wrote to memory of 2772	2236	a7ddef8e86cbeb4abf075993d29dc720_NeikiAnalytics.exe	28
PID 2236 wrote to memory of 2772	2236	a7ddef8e86cbeb4abf075993d29dc720_NeikiAnalytics.exe	28
PID 2236 wrote to memory of 2772	2236	a7ddef8e86cbeb4abf075993d29dc720_NeikiAnalytics.exe	28
PID 2772 wrote to memory of 2652	2772	a7ddef8e86cbeb4abf075993d29dc720_NeikiAnalytics.exe	29
PID 2772 wrote to memory of 2652	2772	a7ddef8e86cbeb4abf075993d29dc720_NeikiAnalytics.exe	29
PID 2772 wrote to memory of 2652	2772	a7ddef8e86cbeb4abf075993d29dc720_NeikiAnalytics.exe	29
PID 2772 wrote to memory of 2652	2772	a7ddef8e86cbeb4abf075993d29dc720_NeikiAnalytics.exe	29

C:\Users\Admin\AppData\Local\Temp\a7ddef8e86cbeb4abf075993d29dc720_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\a7ddef8e86cbeb4abf075993d29dc720_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2236
- C:\Users\Admin\AppData\Local\Temp\a7ddef8e86cbeb4abf075993d29dc720_NeikiAnalytics.exe
  "C:\Users\Admin\AppData\Local\Temp\a7ddef8e86cbeb4abf075993d29dc720_NeikiAnalytics.exe" -sfxwaitall:0 "EcMenu_x64.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2772
- - C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\EcMenu_x64.exe
    "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\EcMenu_x64.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\System\symsrv.dll.000

Filesize
175B

MD5
1130c911bf5db4b8f7cf9b6f4b457623

SHA1
48e734c4bc1a8b5399bff4954e54b268bde9d54c

SHA256
eba08cc8182f379392a97f542b350ea0dbbe5e4009472f35af20e3d857eafdf1

SHA512
94e2511ef2c53494c2aff0960266491ffc0e54e75185427d1ccedae27c286992c754ca94cbb0c9ea36e3f04cd4eb7f032c551cf2d4b309f292906303f1a75fa0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\EcMenu_x64.exe

Filesize
1.1MB

MD5
d4cae9981946b6e2fb1cf52eedd10261

SHA1
721e03a68539a11c72a0be3849dbb34a4989e3fa

SHA256
4fc2ccf80f1da2b3db3f1e03a343865e255a176637fbb39b4dfe790692c7e250

SHA512
9e87da78766b2f362961fd6218b453155fa8690c0640165752c5b7951767e7c24b0e4828799ffa44ac7fd1623290ef4c65e4c591b767e2f558d23c04046b65d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Files\EcMenu.ini

Filesize
213KB

MD5
761c24bb9b9da8597342f49356495c72

SHA1
5f8ebf7aa3062734a2f6dab0e40894d35fd68e86

SHA256
d855ed5beb485d8e3f85647fce31a1cb8723ee5b43251934ffd2d5bbf08cf83a

SHA512
cd6f8adea9b02711e1849f4a88328a0fb6a14e2fea5408bcaedd42b275cb46b8ebeea4b847eac61bcaddf625d7dcfb06b05a7be45853902d5b6460b1bfc49ba6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Files\Items.ini

Filesize
35KB

MD5
6ac639c667167896a2b6843033fb1db8

SHA1
62dcf7d6ec6fea4613bd7b047fece12344d38409

SHA256
30e068db1cd1599663704b2e51033ed37b7a8af03ab3180ff7a2dfa749ba59f0

SHA512
2bdae15e72f1e9791a5cf1790f525ce1cec784aeb73cbd96448a3ca0e9f0e6b159d4001351451fae2081aa4878e1ccbe73b7453c023661d0b7983bf48c818e4b

Download Submit
\??\c:\users\admin\appdata\local\temp\7zipsfx.000\Files\nircmd\nircmd_x64.exe

Filesize
113KB

MD5
80cce4afc880cde9f75dc4e8b497da80

SHA1
466cf02efdd7c1e6086c95ab4b792cd444024da3

SHA256
14801ff8d189dcd12374101754d0212be499fcea3cd2b967d1ae21e8bd6201e0

SHA512
ffebaa94c54d1f029a7ca6193d1d6558a56e384f4e926917b3cec29fe540f3fb958ba3cce9dbe9a54b2b1128babac9ad933fe6100cdddc5ab6a81583b3dc425b

Download Submit
\Program Files\Common Files\System\symsrv.dll

Filesize
67KB

MD5
7574cf2c64f35161ab1292e2f532aabf

SHA1
14ba3fa927a06224dfe587014299e834def4644f

SHA256
de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085

SHA512
4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab

Download Submit
memory/2236-44-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2236-45-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2236-77-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2236-73-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2236-0-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2236-4-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2236-65-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2236-25-0x00000000003C0000-0x00000000003FD000-memory.dmp

Filesize
244KB

Download
memory/2236-50-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2236-52-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2236-55-0x00000000003C0000-0x00000000003FD000-memory.dmp

Filesize
244KB

Download
memory/2236-59-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2772-46-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2772-47-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2772-29-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2772-28-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download

Analysis

Sharing