d31e3b3941bb7517ec684f45babc3ecfb38ac0a14787b60f99d0bdf233261b01

Analysis

max time kernel
149s
max time network
125s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
24/05/2024, 14:27

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

6c8be8830966ad135041b6e5237224e0_NeikiAnalytics.exe
Size

172KB
MD5

6c8be8830966ad135041b6e5237224e0
SHA1

faa89240dfcb39211b096c74d1a8006da0906341
SHA256

d31e3b3941bb7517ec684f45babc3ecfb38ac0a14787b60f99d0bdf233261b01
SHA512

d5d507a9e97b09214c530b3a9da3ed93b3a3631a858ff1aabdecb442f7ad70a4354a31966d04a8715ce6f211fe280979df51a6c7194e3b6565e30e8b4051c3e9
SSDEEP

3072:fftffjmNtAHaqQzTh+Ej7EZnD3XpTeCZbZvk+46eyemcr3i:HVfjmNtihQzTwcYHdeC0qef7y

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1396	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2716	Logo1_.exe
2676	6c8be8830966ad135041b6e5237224e0_NeikiAnalytics.exe

Loads dropped DLL 1 IoCs

pid	Process
1396	cmd.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\DVD Maker\DVDMaker.exe	Logo1_.exe
File created	C:\Program Files\Java\jre7\lib\applet\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Hearts\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\1033\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\groove.net\ManagedObjects\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Portal\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Minesweeper\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\ja-JP\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Media Player\Skins\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Indiana\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\lg\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\1033\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VBA\VBA7\1033\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Acrobat\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\ENFR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Mozilla Firefox\gmp-clearkey\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\uz\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\wa\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\include\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\lib\fonts\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\More Games\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office64.WW\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CONCRETE\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Computers\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SoftBlue\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\NETWORK\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\wmpshare.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Defender\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\More Games\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\br\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\fr-FR\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Mail\wab.exe	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office.en-us\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsTemplates\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Help\1042\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BLUEPRNT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\it-IT\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Chess\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\ink\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\ink\de-DE\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	6c8be8830966ad135041b6e5237224e0_NeikiAnalytics.exe
File created	C:\Windows\Logo1_.exe	6c8be8830966ad135041b6e5237224e0_NeikiAnalytics.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\vDll.dll	Logo1_.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2716	Logo1_.exe
2716	Logo1_.exe
2716	Logo1_.exe
2716	Logo1_.exe
2716	Logo1_.exe
2716	Logo1_.exe
2716	Logo1_.exe
2716	Logo1_.exe
2716	Logo1_.exe
2716	Logo1_.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 1908 wrote to memory of 1396	1908	6c8be8830966ad135041b6e5237224e0_NeikiAnalytics.exe	28
PID 1908 wrote to memory of 1396	1908	6c8be8830966ad135041b6e5237224e0_NeikiAnalytics.exe	28
PID 1908 wrote to memory of 1396	1908	6c8be8830966ad135041b6e5237224e0_NeikiAnalytics.exe	28
PID 1908 wrote to memory of 1396	1908	6c8be8830966ad135041b6e5237224e0_NeikiAnalytics.exe	28
PID 1908 wrote to memory of 2716	1908	6c8be8830966ad135041b6e5237224e0_NeikiAnalytics.exe	30
PID 1908 wrote to memory of 2716	1908	6c8be8830966ad135041b6e5237224e0_NeikiAnalytics.exe	30
PID 1908 wrote to memory of 2716	1908	6c8be8830966ad135041b6e5237224e0_NeikiAnalytics.exe	30
PID 1908 wrote to memory of 2716	1908	6c8be8830966ad135041b6e5237224e0_NeikiAnalytics.exe	30
PID 2716 wrote to memory of 2612	2716	Logo1_.exe	31
PID 2716 wrote to memory of 2612	2716	Logo1_.exe	31
PID 2716 wrote to memory of 2612	2716	Logo1_.exe	31
PID 2716 wrote to memory of 2612	2716	Logo1_.exe	31
PID 1396 wrote to memory of 2676	1396	cmd.exe	32
PID 1396 wrote to memory of 2676	1396	cmd.exe	32
PID 1396 wrote to memory of 2676	1396	cmd.exe	32
PID 1396 wrote to memory of 2676	1396	cmd.exe	32
PID 2612 wrote to memory of 2400	2612	net.exe	34
PID 2612 wrote to memory of 2400	2612	net.exe	34
PID 2612 wrote to memory of 2400	2612	net.exe	34
PID 2612 wrote to memory of 2400	2612	net.exe	34
PID 2716 wrote to memory of 1192	2716	Logo1_.exe	21
PID 2716 wrote to memory of 1192	2716	Logo1_.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1192
- C:\Users\Admin\AppData\Local\Temp\6c8be8830966ad135041b6e5237224e0_NeikiAnalytics.exe
  "C:\Users\Admin\AppData\Local\Temp\6c8be8830966ad135041b6e5237224e0_NeikiAnalytics.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:1908
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$a9B94.bat
    3⤵
    - Deletes itself
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1396
  - - C:\Users\Admin\AppData\Local\Temp\6c8be8830966ad135041b6e5237224e0_NeikiAnalytics.exe
      "C:\Users\Admin\AppData\Local\Temp\6c8be8830966ad135041b6e5237224e0_NeikiAnalytics.exe"
      4⤵
      Executes dropped EXE
      PID:2676
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2716
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2612
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:2400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
251KB

MD5
640a7933af7ba39d654ad8be8b43269e

SHA1
a0788b12626cabbf2f4b4726af11b6ac9ac16a0f

SHA256
fdb71acbe94240590a3ff8f725613b389b8874bd68fea6159e2a1a80082f8353

SHA512
847f35685d3df6d04aa03b9e4fe48030ef3090c125545ff547c41de428c8f5d532ef8940f73a970007d9ef7c50fd08d49d7b19c2f2b1d306eb60ef1480a71909

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
471KB

MD5
4cfdb20b04aa239d6f9e83084d5d0a77

SHA1
f22863e04cc1fd4435f785993ede165bd8245ac6

SHA256
30ed17ca6ae530e8bf002bcef6048f94dba4b3b10252308147031f5c86ace1b9

SHA512
35b4c2f68a7caa45f2bb14b168947e06831f358e191478a6659b49f30ca6f538dc910fe6067448d5d8af4cb8558825d70f94d4bd67709aee414b2be37d49be86

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a9B94.bat

Filesize
620B

MD5
e20df8ed3f70bbb2b3873f9d9a05a073

SHA1
9a501d36f562b833adff31f074928213eb313752

SHA256
74ade2da0933b17799e0f767d4ff3a24270c61660e54ce9f19ede9209a644dbe

SHA512
3139b0295af6d807268b1520747f1d6e3f25bd82e6fb5fe341dc54d7f3fcd50fb911969cbc697661683ee5c704729a199bf2550ebf3e333b4bab92c82e9d8f52

Download Submit
C:\Users\Admin\AppData\Local\Temp\6c8be8830966ad135041b6e5237224e0_NeikiAnalytics.exe

Filesize
145KB

MD5
eed45384624068b3148b734ac7052841

SHA1
16845a02fd0f03d25b5efd681a5813d59583f924

SHA256
1896678fb890edac0c6a497fe615a57d0daa699241eadc2cf65c48128139979f

SHA512
b6bbb19d639bb487b651cfb554c6a7319b502900ad46acac8fd5c351b4c0590c39c89482895619f1309ed635841e9f8e0103988873bc4d844e35326574d04de6

Download Submit
C:\Windows\Logo1_.exe

Filesize
26KB

MD5
1a34f24f661fa1745e297f00c89dbb19

SHA1
262809877ac31e89ccb31c2fdba17c30e1aaef8f

SHA256
2ec086f3891231854ef46d63527d58b497437ad351f218a34a51b9aa2a4fd76f

SHA512
47b926076e501ac9ff880681d8e90c89a12cc2af3a99389ffe297de08358038de190c4e3aea4aad97e026b3bad7afe4d6257a841bf49ef9eaad3def314a87f26

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-330940541-141609230-1670313778-1000\_desktop.ini

Filesize
9B

MD5
304501c003da3bc5756aa53a757c30cc

SHA1
94dfcea0ef17f89b3a60a85a07edb4c00170cc1c

SHA256
9f4b03cbd52378f329bfc7088f8242bbc1a0a2754bc2f8a40e3b74e0dedecd6e

SHA512
78cd3c2cb4cb66e41d8947e1231256c2043d71c77f97e92915e938a6c1d9a8c003512027d98bc71bf582875d269e5fbe6e134f57b25f5f79fe16f9a412387dc8

Download Submit
memory/1192-30-0x0000000002270000-0x0000000002271000-memory.dmp

Filesize
4KB

Download
memory/1908-17-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1908-12-0x00000000001C0000-0x00000000001F4000-memory.dmp

Filesize
208KB

Download
memory/1908-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2716-32-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2716-45-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2716-91-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2716-97-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2716-222-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2716-1850-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2716-39-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2716-3310-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2716-19-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download