c4351cd85df8b0a4a65ec8fe72dcbc38176f9ab8668635f74f48130dc36a6202

General

Target

a62e706774bb13312f2aae9931c02700_NeikiAnalytics.exe
Size

53KB
MD5

a62e706774bb13312f2aae9931c02700
SHA1

567b2bcecbfb6542d0e7986afeea818d686220d1
SHA256

c4351cd85df8b0a4a65ec8fe72dcbc38176f9ab8668635f74f48130dc36a6202
SHA512

6948261aa7b0e5856c5cd60d553fb337f4a868188c2a51a11862fba73bd74450944925110743a2dac81d7d4d5b792ab273aa56aebf73a2d9b5451ab43088864b
SSDEEP

1536:vNug8r8Q9FKu97Kp3StjEMjmLM3ztDJWZsXy4JzxPMk:UFKMJJjmLM3zRJWZsXy4JN

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

rbweox.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	rbweox.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

a62e706774bb13312f2aae9931c02700_NeikiAnalytics.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	a62e706774bb13312f2aae9931c02700_NeikiAnalytics.exe

Executes dropped EXE 1 IoCs

Processes:

rbweox.exe

pid process

4376 rbweox.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

rbweox.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rbweox = "C:\\Users\\Admin\\rbweox.exe"	rbweox.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rbweox.exe

pid	process
4376	rbweox.exe
4376	rbweox.exe
4376	rbweox.exe
4376	rbweox.exe
4376	rbweox.exe
4376	rbweox.exe
4376	rbweox.exe
4376	rbweox.exe
4376	rbweox.exe
4376	rbweox.exe
4376	rbweox.exe
4376	rbweox.exe
4376	rbweox.exe
4376	rbweox.exe
4376	rbweox.exe
4376	rbweox.exe
4376	rbweox.exe
4376	rbweox.exe
4376	rbweox.exe
4376	rbweox.exe
4376	rbweox.exe
4376	rbweox.exe
4376	rbweox.exe
4376	rbweox.exe
4376	rbweox.exe
4376	rbweox.exe
4376	rbweox.exe
4376	rbweox.exe
4376	rbweox.exe
4376	rbweox.exe
4376	rbweox.exe
4376	rbweox.exe
4376	rbweox.exe
4376	rbweox.exe
4376	rbweox.exe
4376	rbweox.exe
4376	rbweox.exe
4376	rbweox.exe
4376	rbweox.exe
4376	rbweox.exe
4376	rbweox.exe
4376	rbweox.exe
4376	rbweox.exe
4376	rbweox.exe
4376	rbweox.exe
4376	rbweox.exe
4376	rbweox.exe
4376	rbweox.exe
4376	rbweox.exe
4376	rbweox.exe
4376	rbweox.exe
4376	rbweox.exe
4376	rbweox.exe
4376	rbweox.exe
4376	rbweox.exe
4376	rbweox.exe
4376	rbweox.exe
4376	rbweox.exe
4376	rbweox.exe
4376	rbweox.exe
4376	rbweox.exe
4376	rbweox.exe
4376	rbweox.exe
4376	rbweox.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

a62e706774bb13312f2aae9931c02700_NeikiAnalytics.exerbweox.exe

pid process

2552 a62e706774bb13312f2aae9931c02700_NeikiAnalytics.exe
4376 rbweox.exe

pid	process
2552	a62e706774bb13312f2aae9931c02700_NeikiAnalytics.exe
4376	rbweox.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

a62e706774bb13312f2aae9931c02700_NeikiAnalytics.exerbweox.exe

description	pid	process	target process
PID 2552 wrote to memory of 4376	2552	a62e706774bb13312f2aae9931c02700_NeikiAnalytics.exe	rbweox.exe
PID 2552 wrote to memory of 4376	2552	a62e706774bb13312f2aae9931c02700_NeikiAnalytics.exe	rbweox.exe
PID 2552 wrote to memory of 4376	2552	a62e706774bb13312f2aae9931c02700_NeikiAnalytics.exe	rbweox.exe
PID 4376 wrote to memory of 2552	4376	rbweox.exe	a62e706774bb13312f2aae9931c02700_NeikiAnalytics.exe
PID 4376 wrote to memory of 2552	4376	rbweox.exe	a62e706774bb13312f2aae9931c02700_NeikiAnalytics.exe
PID 4376 wrote to memory of 2552	4376	rbweox.exe	a62e706774bb13312f2aae9931c02700_NeikiAnalytics.exe
PID 4376 wrote to memory of 2552	4376	rbweox.exe	a62e706774bb13312f2aae9931c02700_NeikiAnalytics.exe
PID 4376 wrote to memory of 2552	4376	rbweox.exe	a62e706774bb13312f2aae9931c02700_NeikiAnalytics.exe
PID 4376 wrote to memory of 2552	4376	rbweox.exe	a62e706774bb13312f2aae9931c02700_NeikiAnalytics.exe
PID 4376 wrote to memory of 2552	4376	rbweox.exe	a62e706774bb13312f2aae9931c02700_NeikiAnalytics.exe
PID 4376 wrote to memory of 2552	4376	rbweox.exe	a62e706774bb13312f2aae9931c02700_NeikiAnalytics.exe
PID 4376 wrote to memory of 2552	4376	rbweox.exe	a62e706774bb13312f2aae9931c02700_NeikiAnalytics.exe
PID 4376 wrote to memory of 2552	4376	rbweox.exe	a62e706774bb13312f2aae9931c02700_NeikiAnalytics.exe
PID 4376 wrote to memory of 2552	4376	rbweox.exe	a62e706774bb13312f2aae9931c02700_NeikiAnalytics.exe
PID 4376 wrote to memory of 2552	4376	rbweox.exe	a62e706774bb13312f2aae9931c02700_NeikiAnalytics.exe
PID 4376 wrote to memory of 2552	4376	rbweox.exe	a62e706774bb13312f2aae9931c02700_NeikiAnalytics.exe
PID 4376 wrote to memory of 2552	4376	rbweox.exe	a62e706774bb13312f2aae9931c02700_NeikiAnalytics.exe
PID 4376 wrote to memory of 2552	4376	rbweox.exe	a62e706774bb13312f2aae9931c02700_NeikiAnalytics.exe
PID 4376 wrote to memory of 2552	4376	rbweox.exe	a62e706774bb13312f2aae9931c02700_NeikiAnalytics.exe
PID 4376 wrote to memory of 2552	4376	rbweox.exe	a62e706774bb13312f2aae9931c02700_NeikiAnalytics.exe
PID 4376 wrote to memory of 2552	4376	rbweox.exe	a62e706774bb13312f2aae9931c02700_NeikiAnalytics.exe
PID 4376 wrote to memory of 2552	4376	rbweox.exe	a62e706774bb13312f2aae9931c02700_NeikiAnalytics.exe
PID 4376 wrote to memory of 2552	4376	rbweox.exe	a62e706774bb13312f2aae9931c02700_NeikiAnalytics.exe
PID 4376 wrote to memory of 2552	4376	rbweox.exe	a62e706774bb13312f2aae9931c02700_NeikiAnalytics.exe
PID 4376 wrote to memory of 2552	4376	rbweox.exe	a62e706774bb13312f2aae9931c02700_NeikiAnalytics.exe
PID 4376 wrote to memory of 2552	4376	rbweox.exe	a62e706774bb13312f2aae9931c02700_NeikiAnalytics.exe
PID 4376 wrote to memory of 2552	4376	rbweox.exe	a62e706774bb13312f2aae9931c02700_NeikiAnalytics.exe
PID 4376 wrote to memory of 2552	4376	rbweox.exe	a62e706774bb13312f2aae9931c02700_NeikiAnalytics.exe
PID 4376 wrote to memory of 2552	4376	rbweox.exe	a62e706774bb13312f2aae9931c02700_NeikiAnalytics.exe
PID 4376 wrote to memory of 2552	4376	rbweox.exe	a62e706774bb13312f2aae9931c02700_NeikiAnalytics.exe
PID 4376 wrote to memory of 2552	4376	rbweox.exe	a62e706774bb13312f2aae9931c02700_NeikiAnalytics.exe
PID 4376 wrote to memory of 2552	4376	rbweox.exe	a62e706774bb13312f2aae9931c02700_NeikiAnalytics.exe
PID 4376 wrote to memory of 2552	4376	rbweox.exe	a62e706774bb13312f2aae9931c02700_NeikiAnalytics.exe
PID 4376 wrote to memory of 2552	4376	rbweox.exe	a62e706774bb13312f2aae9931c02700_NeikiAnalytics.exe
PID 4376 wrote to memory of 2552	4376	rbweox.exe	a62e706774bb13312f2aae9931c02700_NeikiAnalytics.exe
PID 4376 wrote to memory of 2552	4376	rbweox.exe	a62e706774bb13312f2aae9931c02700_NeikiAnalytics.exe
PID 4376 wrote to memory of 2552	4376	rbweox.exe	a62e706774bb13312f2aae9931c02700_NeikiAnalytics.exe
PID 4376 wrote to memory of 2552	4376	rbweox.exe	a62e706774bb13312f2aae9931c02700_NeikiAnalytics.exe
PID 4376 wrote to memory of 2552	4376	rbweox.exe	a62e706774bb13312f2aae9931c02700_NeikiAnalytics.exe
PID 4376 wrote to memory of 2552	4376	rbweox.exe	a62e706774bb13312f2aae9931c02700_NeikiAnalytics.exe
PID 4376 wrote to memory of 2552	4376	rbweox.exe	a62e706774bb13312f2aae9931c02700_NeikiAnalytics.exe
PID 4376 wrote to memory of 2552	4376	rbweox.exe	a62e706774bb13312f2aae9931c02700_NeikiAnalytics.exe
PID 4376 wrote to memory of 2552	4376	rbweox.exe	a62e706774bb13312f2aae9931c02700_NeikiAnalytics.exe
PID 4376 wrote to memory of 2552	4376	rbweox.exe	a62e706774bb13312f2aae9931c02700_NeikiAnalytics.exe
PID 4376 wrote to memory of 2552	4376	rbweox.exe	a62e706774bb13312f2aae9931c02700_NeikiAnalytics.exe
PID 4376 wrote to memory of 2552	4376	rbweox.exe	a62e706774bb13312f2aae9931c02700_NeikiAnalytics.exe
PID 4376 wrote to memory of 2552	4376	rbweox.exe	a62e706774bb13312f2aae9931c02700_NeikiAnalytics.exe
PID 4376 wrote to memory of 2552	4376	rbweox.exe	a62e706774bb13312f2aae9931c02700_NeikiAnalytics.exe
PID 4376 wrote to memory of 2552	4376	rbweox.exe	a62e706774bb13312f2aae9931c02700_NeikiAnalytics.exe
PID 4376 wrote to memory of 2552	4376	rbweox.exe	a62e706774bb13312f2aae9931c02700_NeikiAnalytics.exe
PID 4376 wrote to memory of 2552	4376	rbweox.exe	a62e706774bb13312f2aae9931c02700_NeikiAnalytics.exe
PID 4376 wrote to memory of 2552	4376	rbweox.exe	a62e706774bb13312f2aae9931c02700_NeikiAnalytics.exe
PID 4376 wrote to memory of 2552	4376	rbweox.exe	a62e706774bb13312f2aae9931c02700_NeikiAnalytics.exe
PID 4376 wrote to memory of 2552	4376	rbweox.exe	a62e706774bb13312f2aae9931c02700_NeikiAnalytics.exe
PID 4376 wrote to memory of 2552	4376	rbweox.exe	a62e706774bb13312f2aae9931c02700_NeikiAnalytics.exe
PID 4376 wrote to memory of 2552	4376	rbweox.exe	a62e706774bb13312f2aae9931c02700_NeikiAnalytics.exe
PID 4376 wrote to memory of 2552	4376	rbweox.exe	a62e706774bb13312f2aae9931c02700_NeikiAnalytics.exe
PID 4376 wrote to memory of 2552	4376	rbweox.exe	a62e706774bb13312f2aae9931c02700_NeikiAnalytics.exe
PID 4376 wrote to memory of 2552	4376	rbweox.exe	a62e706774bb13312f2aae9931c02700_NeikiAnalytics.exe
PID 4376 wrote to memory of 2552	4376	rbweox.exe	a62e706774bb13312f2aae9931c02700_NeikiAnalytics.exe
PID 4376 wrote to memory of 2552	4376	rbweox.exe	a62e706774bb13312f2aae9931c02700_NeikiAnalytics.exe
PID 4376 wrote to memory of 2552	4376	rbweox.exe	a62e706774bb13312f2aae9931c02700_NeikiAnalytics.exe
PID 4376 wrote to memory of 2552	4376	rbweox.exe	a62e706774bb13312f2aae9931c02700_NeikiAnalytics.exe
PID 4376 wrote to memory of 2552	4376	rbweox.exe	a62e706774bb13312f2aae9931c02700_NeikiAnalytics.exe

C:\Users\Admin\AppData\Local\Temp\a62e706774bb13312f2aae9931c02700_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\a62e706774bb13312f2aae9931c02700_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2552

C:\Users\Admin\rbweox.exe
"C:\Users\Admin\rbweox.exe"
2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4376

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Hide Artifacts

1

T1564

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\rbweox.exe
Filesize
53KB

MD5
f2cea000a96024320584dcac01cd8ac0

SHA1
8bfd7f13453d992be0393264fbecb585fb0937de

SHA256
fed87accc16b30369a1e57f4490a32d3f71b3d7b7de7fbd1defffac23ac5c1b6

SHA512
5c059dc27e968bb28b96a4997ac6e7107a43453b08f43fcd68da3083d242aa5823fa7d89b225f2bd2becfcaeae3132adb6e72bea5e439e77103a3cdf52941956

Download Submit
memory/2552-0-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4376-34-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads