c4351cd85df8b0a4a65ec8fe72dcbc38176f9ab8668635f74f48130dc36a6202

General

Target

a62e706774bb13312f2aae9931c02700_NeikiAnalytics.exe
Size

53KB
MD5

a62e706774bb13312f2aae9931c02700
SHA1

567b2bcecbfb6542d0e7986afeea818d686220d1
SHA256

c4351cd85df8b0a4a65ec8fe72dcbc38176f9ab8668635f74f48130dc36a6202
SHA512

6948261aa7b0e5856c5cd60d553fb337f4a868188c2a51a11862fba73bd74450944925110743a2dac81d7d4d5b792ab273aa56aebf73a2d9b5451ab43088864b
SSDEEP

1536:vNug8r8Q9FKu97Kp3StjEMjmLM3ztDJWZsXy4JzxPMk:UFKMJJjmLM3zRJWZsXy4JN

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

vtgub.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	vtgub.exe

Executes dropped EXE 1 IoCs

Processes:

vtgub.exe

pid process

2332 vtgub.exe
Loads dropped DLL 2 IoCs

Processes:

a62e706774bb13312f2aae9931c02700_NeikiAnalytics.exe

pid process

2436 a62e706774bb13312f2aae9931c02700_NeikiAnalytics.exe
2436 a62e706774bb13312f2aae9931c02700_NeikiAnalytics.exe

pid	process
2436	a62e706774bb13312f2aae9931c02700_NeikiAnalytics.exe
2436	a62e706774bb13312f2aae9931c02700_NeikiAnalytics.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

vtgub.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\vtgub = "C:\\Users\\Admin\\vtgub.exe"	vtgub.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

vtgub.exe

pid	process
2332	vtgub.exe
2332	vtgub.exe
2332	vtgub.exe
2332	vtgub.exe
2332	vtgub.exe
2332	vtgub.exe
2332	vtgub.exe
2332	vtgub.exe
2332	vtgub.exe
2332	vtgub.exe
2332	vtgub.exe
2332	vtgub.exe
2332	vtgub.exe
2332	vtgub.exe
2332	vtgub.exe
2332	vtgub.exe
2332	vtgub.exe
2332	vtgub.exe
2332	vtgub.exe
2332	vtgub.exe
2332	vtgub.exe
2332	vtgub.exe
2332	vtgub.exe
2332	vtgub.exe
2332	vtgub.exe
2332	vtgub.exe
2332	vtgub.exe
2332	vtgub.exe
2332	vtgub.exe
2332	vtgub.exe
2332	vtgub.exe
2332	vtgub.exe
2332	vtgub.exe
2332	vtgub.exe
2332	vtgub.exe
2332	vtgub.exe
2332	vtgub.exe
2332	vtgub.exe
2332	vtgub.exe
2332	vtgub.exe
2332	vtgub.exe
2332	vtgub.exe
2332	vtgub.exe
2332	vtgub.exe
2332	vtgub.exe
2332	vtgub.exe
2332	vtgub.exe
2332	vtgub.exe
2332	vtgub.exe
2332	vtgub.exe
2332	vtgub.exe
2332	vtgub.exe
2332	vtgub.exe
2332	vtgub.exe
2332	vtgub.exe
2332	vtgub.exe
2332	vtgub.exe
2332	vtgub.exe
2332	vtgub.exe
2332	vtgub.exe
2332	vtgub.exe
2332	vtgub.exe
2332	vtgub.exe
2332	vtgub.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

a62e706774bb13312f2aae9931c02700_NeikiAnalytics.exevtgub.exe

pid process

2436 a62e706774bb13312f2aae9931c02700_NeikiAnalytics.exe
2332 vtgub.exe

pid	process
2436	a62e706774bb13312f2aae9931c02700_NeikiAnalytics.exe
2332	vtgub.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

a62e706774bb13312f2aae9931c02700_NeikiAnalytics.exevtgub.exe

description	pid	process	target process
PID 2436 wrote to memory of 2332	2436	a62e706774bb13312f2aae9931c02700_NeikiAnalytics.exe	vtgub.exe
PID 2436 wrote to memory of 2332	2436	a62e706774bb13312f2aae9931c02700_NeikiAnalytics.exe	vtgub.exe
PID 2436 wrote to memory of 2332	2436	a62e706774bb13312f2aae9931c02700_NeikiAnalytics.exe	vtgub.exe
PID 2436 wrote to memory of 2332	2436	a62e706774bb13312f2aae9931c02700_NeikiAnalytics.exe	vtgub.exe
PID 2332 wrote to memory of 2436	2332	vtgub.exe	a62e706774bb13312f2aae9931c02700_NeikiAnalytics.exe
PID 2332 wrote to memory of 2436	2332	vtgub.exe	a62e706774bb13312f2aae9931c02700_NeikiAnalytics.exe
PID 2332 wrote to memory of 2436	2332	vtgub.exe	a62e706774bb13312f2aae9931c02700_NeikiAnalytics.exe
PID 2332 wrote to memory of 2436	2332	vtgub.exe	a62e706774bb13312f2aae9931c02700_NeikiAnalytics.exe
PID 2332 wrote to memory of 2436	2332	vtgub.exe	a62e706774bb13312f2aae9931c02700_NeikiAnalytics.exe
PID 2332 wrote to memory of 2436	2332	vtgub.exe	a62e706774bb13312f2aae9931c02700_NeikiAnalytics.exe
PID 2332 wrote to memory of 2436	2332	vtgub.exe	a62e706774bb13312f2aae9931c02700_NeikiAnalytics.exe
PID 2332 wrote to memory of 2436	2332	vtgub.exe	a62e706774bb13312f2aae9931c02700_NeikiAnalytics.exe
PID 2332 wrote to memory of 2436	2332	vtgub.exe	a62e706774bb13312f2aae9931c02700_NeikiAnalytics.exe
PID 2332 wrote to memory of 2436	2332	vtgub.exe	a62e706774bb13312f2aae9931c02700_NeikiAnalytics.exe
PID 2332 wrote to memory of 2436	2332	vtgub.exe	a62e706774bb13312f2aae9931c02700_NeikiAnalytics.exe
PID 2332 wrote to memory of 2436	2332	vtgub.exe	a62e706774bb13312f2aae9931c02700_NeikiAnalytics.exe
PID 2332 wrote to memory of 2436	2332	vtgub.exe	a62e706774bb13312f2aae9931c02700_NeikiAnalytics.exe
PID 2332 wrote to memory of 2436	2332	vtgub.exe	a62e706774bb13312f2aae9931c02700_NeikiAnalytics.exe
PID 2332 wrote to memory of 2436	2332	vtgub.exe	a62e706774bb13312f2aae9931c02700_NeikiAnalytics.exe
PID 2332 wrote to memory of 2436	2332	vtgub.exe	a62e706774bb13312f2aae9931c02700_NeikiAnalytics.exe
PID 2332 wrote to memory of 2436	2332	vtgub.exe	a62e706774bb13312f2aae9931c02700_NeikiAnalytics.exe
PID 2332 wrote to memory of 2436	2332	vtgub.exe	a62e706774bb13312f2aae9931c02700_NeikiAnalytics.exe
PID 2332 wrote to memory of 2436	2332	vtgub.exe	a62e706774bb13312f2aae9931c02700_NeikiAnalytics.exe
PID 2332 wrote to memory of 2436	2332	vtgub.exe	a62e706774bb13312f2aae9931c02700_NeikiAnalytics.exe
PID 2332 wrote to memory of 2436	2332	vtgub.exe	a62e706774bb13312f2aae9931c02700_NeikiAnalytics.exe
PID 2332 wrote to memory of 2436	2332	vtgub.exe	a62e706774bb13312f2aae9931c02700_NeikiAnalytics.exe
PID 2332 wrote to memory of 2436	2332	vtgub.exe	a62e706774bb13312f2aae9931c02700_NeikiAnalytics.exe
PID 2332 wrote to memory of 2436	2332	vtgub.exe	a62e706774bb13312f2aae9931c02700_NeikiAnalytics.exe
PID 2332 wrote to memory of 2436	2332	vtgub.exe	a62e706774bb13312f2aae9931c02700_NeikiAnalytics.exe
PID 2332 wrote to memory of 2436	2332	vtgub.exe	a62e706774bb13312f2aae9931c02700_NeikiAnalytics.exe
PID 2332 wrote to memory of 2436	2332	vtgub.exe	a62e706774bb13312f2aae9931c02700_NeikiAnalytics.exe
PID 2332 wrote to memory of 2436	2332	vtgub.exe	a62e706774bb13312f2aae9931c02700_NeikiAnalytics.exe
PID 2332 wrote to memory of 2436	2332	vtgub.exe	a62e706774bb13312f2aae9931c02700_NeikiAnalytics.exe
PID 2332 wrote to memory of 2436	2332	vtgub.exe	a62e706774bb13312f2aae9931c02700_NeikiAnalytics.exe
PID 2332 wrote to memory of 2436	2332	vtgub.exe	a62e706774bb13312f2aae9931c02700_NeikiAnalytics.exe
PID 2332 wrote to memory of 2436	2332	vtgub.exe	a62e706774bb13312f2aae9931c02700_NeikiAnalytics.exe
PID 2332 wrote to memory of 2436	2332	vtgub.exe	a62e706774bb13312f2aae9931c02700_NeikiAnalytics.exe
PID 2332 wrote to memory of 2436	2332	vtgub.exe	a62e706774bb13312f2aae9931c02700_NeikiAnalytics.exe
PID 2332 wrote to memory of 2436	2332	vtgub.exe	a62e706774bb13312f2aae9931c02700_NeikiAnalytics.exe
PID 2332 wrote to memory of 2436	2332	vtgub.exe	a62e706774bb13312f2aae9931c02700_NeikiAnalytics.exe
PID 2332 wrote to memory of 2436	2332	vtgub.exe	a62e706774bb13312f2aae9931c02700_NeikiAnalytics.exe
PID 2332 wrote to memory of 2436	2332	vtgub.exe	a62e706774bb13312f2aae9931c02700_NeikiAnalytics.exe
PID 2332 wrote to memory of 2436	2332	vtgub.exe	a62e706774bb13312f2aae9931c02700_NeikiAnalytics.exe
PID 2332 wrote to memory of 2436	2332	vtgub.exe	a62e706774bb13312f2aae9931c02700_NeikiAnalytics.exe
PID 2332 wrote to memory of 2436	2332	vtgub.exe	a62e706774bb13312f2aae9931c02700_NeikiAnalytics.exe
PID 2332 wrote to memory of 2436	2332	vtgub.exe	a62e706774bb13312f2aae9931c02700_NeikiAnalytics.exe
PID 2332 wrote to memory of 2436	2332	vtgub.exe	a62e706774bb13312f2aae9931c02700_NeikiAnalytics.exe
PID 2332 wrote to memory of 2436	2332	vtgub.exe	a62e706774bb13312f2aae9931c02700_NeikiAnalytics.exe
PID 2332 wrote to memory of 2436	2332	vtgub.exe	a62e706774bb13312f2aae9931c02700_NeikiAnalytics.exe
PID 2332 wrote to memory of 2436	2332	vtgub.exe	a62e706774bb13312f2aae9931c02700_NeikiAnalytics.exe
PID 2332 wrote to memory of 2436	2332	vtgub.exe	a62e706774bb13312f2aae9931c02700_NeikiAnalytics.exe
PID 2332 wrote to memory of 2436	2332	vtgub.exe	a62e706774bb13312f2aae9931c02700_NeikiAnalytics.exe
PID 2332 wrote to memory of 2436	2332	vtgub.exe	a62e706774bb13312f2aae9931c02700_NeikiAnalytics.exe
PID 2332 wrote to memory of 2436	2332	vtgub.exe	a62e706774bb13312f2aae9931c02700_NeikiAnalytics.exe
PID 2332 wrote to memory of 2436	2332	vtgub.exe	a62e706774bb13312f2aae9931c02700_NeikiAnalytics.exe
PID 2332 wrote to memory of 2436	2332	vtgub.exe	a62e706774bb13312f2aae9931c02700_NeikiAnalytics.exe
PID 2332 wrote to memory of 2436	2332	vtgub.exe	a62e706774bb13312f2aae9931c02700_NeikiAnalytics.exe
PID 2332 wrote to memory of 2436	2332	vtgub.exe	a62e706774bb13312f2aae9931c02700_NeikiAnalytics.exe
PID 2332 wrote to memory of 2436	2332	vtgub.exe	a62e706774bb13312f2aae9931c02700_NeikiAnalytics.exe
PID 2332 wrote to memory of 2436	2332	vtgub.exe	a62e706774bb13312f2aae9931c02700_NeikiAnalytics.exe
PID 2332 wrote to memory of 2436	2332	vtgub.exe	a62e706774bb13312f2aae9931c02700_NeikiAnalytics.exe
PID 2332 wrote to memory of 2436	2332	vtgub.exe	a62e706774bb13312f2aae9931c02700_NeikiAnalytics.exe
PID 2332 wrote to memory of 2436	2332	vtgub.exe	a62e706774bb13312f2aae9931c02700_NeikiAnalytics.exe
PID 2332 wrote to memory of 2436	2332	vtgub.exe	a62e706774bb13312f2aae9931c02700_NeikiAnalytics.exe

C:\Users\Admin\AppData\Local\Temp\a62e706774bb13312f2aae9931c02700_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\a62e706774bb13312f2aae9931c02700_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2436

C:\Users\Admin\vtgub.exe
"C:\Users\Admin\vtgub.exe"
2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2332

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Hide Artifacts

1

T1564

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\vtgub.exe
Filesize
53KB

MD5
e69bcb3beadc5ac212dabadb3fa7b9ca

SHA1
ca80e78687638d752657becf5c96ca1bdf567699

SHA256
31a5a0e93aa7f73dd7fc073df1700ad607a46463c937b4592695c33185b1d965

SHA512
b705e3708c2118026b907552d70f0b1da7a1143c3c4ae6271c8035abe04806608c0533e55e839097199336f3d48c68c49db2046e6667a604371ca3f05d04b4d3

Download Submit
memory/2332-19-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2436-0-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2436-8-0x00000000038C0000-0x00000000038D2000-memory.dmp

Filesize
72KB

Download
memory/2436-14-0x00000000038C0000-0x00000000038D2000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads