Analysis
max time kernel: 151s
max time network: 157s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24-05-2024 15:20
Static task: static1
Behavioral task: behavioral1
  Sample: 1abb16b7c5ee027bdbe4146ea7afe3a0_NeikiAnalytics.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 1abb16b7c5ee027bdbe4146ea7afe3a0_NeikiAnalytics.exe
  Resource: win10v2004-20240226-en
General
Target: 1abb16b7c5ee027bdbe4146ea7afe3a0_NeikiAnalytics.exe
Size: 336KB
MD5: 1abb16b7c5ee027bdbe4146ea7afe3a0
SHA1: 4d1cdf16ff56ebea28faf8c5b5adf9da03c98d48
SHA256: d24df945a8c781573c1a1172241ae9fc8fd8a8cca1e599754bac66b9a590ee0a
SHA512: 558ac04dcfb2f69a4ed7d61b6ea180f33c9b976569f2e51a79f866099376bcac41c9f6a7c7fccaa1607a5d5b7370e8f29f73aa3f5f7f7070614992b75237a4d0
SSDEEP: 6144:+FN336YMFYfVcT7/9ju3iuUtZhckmEAhzNKGQXHJxb780y2LFkN:q5n9W7/1tZhcIAhZKGQXHJxf8wLSN
Malware Config
Extracted from C:\PerfLogs\Recovery+asmal.txt:
- http://prest54538hnksjn4kjfwdbhwere.hotchunman.com/143076EF8371183B
- http://b4youfred5485jgsa3453f.italazudda.com/143076EF8371183B
- http://5rport45vcdef345adfkksawe.bematvocal.at/143076EF8371183B
- http://fwgrhsao3aoml7ej.onion/143076EF8371183B
- http://fwgrhsao3aoml7ej.ONION/143076EF8371183B
Signatures
- Deletes shadow copies (3 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Renames multiple (873) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes: 1abb16b7c5ee027bdbe4146ea7afe3a0_NeikiAnalytics.exe, fdrlbupjwprf.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | 1abb16b7c5ee027bdbe4146ea7afe3a0_NeikiAnalytics.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | fdrlbupjwprf.exe
- Drops startup file (6 IoCs)
  Processes: fdrlbupjwprf.exe
  description | ioc | process
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+asmal.png | fdrlbupjwprf.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+asmal.txt | fdrlbupjwprf.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery+asmal.html | fdrlbupjwprf.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Recovery+asmal.png | fdrlbupjwprf.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Recovery+asmal.txt | fdrlbupjwprf.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Recovery+asmal.html | fdrlbupjwprf.exe
- Executes dropped EXE (1 IoCs)
  Processes: fdrlbupjwprf.exe
  pid | process
  3912 | fdrlbupjwprf.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes: fdrlbupjwprf.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qubppadoanft = "C:\\Windows\\system32\\cmd.exe /c start \"\" \"C:\\Windows\\fdrlbupjwprf.exe\"" | fdrlbupjwprf.exe
- Drops file in Program Files directory (64 IoCs)
  Processes: fdrlbupjwprf.exe
  All 64 entries have description "File opened for modification" and process fdrlbupjwprf.exe; the ioc paths are:
  C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\System\Recovery+asmal.html
  C:\Program Files\WindowsApps\Microsoft.MicrosoftEdge.Stable_122.0.2365.52_neutral__8wekyb3d8bbwe\microsoft.system.package.metadata\Recovery+asmal.txt
  C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\OutlookMailMediumTile.scale-100.png
  C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Microsoft.Membership.MeControl\Assets\OfflinePages\Scripts\Me\MeControl\offline\Recovery+asmal.txt
  C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\hu-HU\View3d\Recovery+asmal.txt
  C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\en-us\styles\Recovery+asmal.txt
  C:\Program Files\WindowsApps\Microsoft.Services.Store.Engagement_10.0.18101.0_x86__8wekyb3d8bbwe\microsoft.system.package.metadata\Autogen\Recovery+asmal.txt
  C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\MarkAsReadToastQuickAction.scale-80.png
  C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\LiveTile\8px.png
  C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\MedTile.scale-100.png
  C:\Program Files\VideoLAN\VLC\locale\kk\LC_MESSAGES\Recovery+asmal.txt
  C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Images\Recovery+asmal.html
  C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Views\Recovery+asmal.html
  C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\LibrarySquare150x150Logo.scale-125_contrast-white.png
  C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\LiveTile\4px.png
  C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-30_altform-unplated_contrast-white.png
  C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\sr-Latn-RS\View3d\Recovery+asmal.html
  C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-black\AppList.scale-100_contrast-black.png
  C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\Recovery+asmal.png
  C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.18.0_neutral_split.scale-100_8wekyb3d8bbwe\microsoft.system.package.metadata\Recovery+asmal.txt
  C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\LinkedInboxWideTile.scale-125.png
  C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_2019.1111.2029.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\Recovery+asmal.html
  C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-white\LargeLogo.scale-100_contrast-white.png
  C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\210x173\Recovery+asmal.png
  C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Images\thumb_stats_render_smallest.png
  C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\images\StoreLogo.png
  C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\ExchangeBadge.scale-100.png
  C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\RunningLate.scale-64.png
  C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_48.49.31001.0_neutral_split.scale-200_8wekyb3d8bbwe\Recovery+asmal.html
  C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\pstn\Recovery+asmal.html
  C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.contrast-black_scale-140.png
  C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\GetStartedSplash.scale-200_contrast-white.png
  C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-white_targetsize-36_altform-unplated.png
  C:\Program Files\Microsoft Office\root\Office16\MSIPC\et\Recovery+asmal.txt
  C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_x64__8wekyb3d8bbwe\Assets\SmallTile.scale-200_contrast-white.png
  C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\GetStartedLargeTile.scale-200.png
  C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-32_contrast-black.png
  C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\GenericMailWideTile.scale-150.png
  C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxA-Generic-Dark.scale-100.png
  C:\Program Files\Common Files\System\es-ES\Recovery+asmal.html
  C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\InsiderHubSmallTile.scale-100.png
  C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\zh-CN\Recovery+asmal.png
  C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Recovery+asmal.txt
  C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\LTR\contrast-white\Recovery+asmal.txt
  C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\FileExtension.targetsize-129.png
  C:\Program Files\Java\jre-1.8\lib\jfr\Recovery+asmal.html
  C:\Program Files\VideoLAN\VLC\lua\intf\Recovery+asmal.png
  C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\MapsAppList.scale-125.png
  C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\ExchangeLargeTile.scale-200.png
  C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\Retail\NinjaCatOnDragon.scale-100.png
  C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\Recovery+asmal.txt
  C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxA-Google.scale-200.png
  C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-125_8wekyb3d8bbwe\microsoft.system.package.metadata\Recovery+asmal.txt
  C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarAppList.targetsize-36_altform-unplated.png
  C:\Program Files\Microsoft Office\root\vfs\System\Recovery+asmal.html
  C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\Weather_TileSmallSquare.scale-200.png
  C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\Win10\MicrosoftSolitaireMedTile.scale-100.jpg
  C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\LayersControl\ThumbRoad.png
  C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Viewpoints\Dark\MilitaryLeft.png
  C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\Tented\TentMobile_24x20.png
  C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\osf\moe_default_icon.png
  C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\fonts\Recovery+asmal.html
  C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\FirstRunCalendarBlurred.layoutdir-RTL.jpg
  C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxCalendarAppList.targetsize-36_altform-unplated.png
- Drops file in Windows directory (2 IoCs)
  Processes: 1abb16b7c5ee027bdbe4146ea7afe3a0_NeikiAnalytics.exe
  description | ioc | process
  File created | C:\Windows\fdrlbupjwprf.exe | 1abb16b7c5ee027bdbe4146ea7afe3a0_NeikiAnalytics.exe
  File opened for modification | C:\Windows\fdrlbupjwprf.exe | 1abb16b7c5ee027bdbe4146ea7afe3a0_NeikiAnalytics.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Modifies registry class (1 IoCs)
  Processes: fdrlbupjwprf.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings | fdrlbupjwprf.exe
- Opens file in notepad (likely ransom note) (1 IoCs)
  Processes: NOTEPAD.EXE
  pid | process
  4780 | NOTEPAD.EXE
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: fdrlbupjwprf.exe
  pid | process
  3912 | fdrlbupjwprf.exe (this same row is repeated 64 times)
- Suspicious use of AdjustPrivilegeToken (47 IoCs)
  Processes: 1abb16b7c5ee027bdbe4146ea7afe3a0_NeikiAnalytics.exe, fdrlbupjwprf.exe, WMIC.exe, vssvc.exe
  description | pid | process
  Token: SeDebugPrivilege | 2240 | 1abb16b7c5ee027bdbe4146ea7afe3a0_NeikiAnalytics.exe
  Token: SeDebugPrivilege | 3912 | fdrlbupjwprf.exe
  The following 21 rows for pid 4740 WMIC.exe appear twice each (42 rows):
  Token: SeIncreaseQuotaPrivilege | 4740 | WMIC.exe
  Token: SeSecurityPrivilege | 4740 | WMIC.exe
  Token: SeTakeOwnershipPrivilege | 4740 | WMIC.exe
  Token: SeLoadDriverPrivilege | 4740 | WMIC.exe
  Token: SeSystemProfilePrivilege | 4740 | WMIC.exe
  Token: SeSystemtimePrivilege | 4740 | WMIC.exe
  Token: SeProfSingleProcessPrivilege | 4740 | WMIC.exe
  Token: SeIncBasePriorityPrivilege | 4740 | WMIC.exe
  Token: SeCreatePagefilePrivilege | 4740 | WMIC.exe
  Token: SeBackupPrivilege | 4740 | WMIC.exe
  Token: SeRestorePrivilege | 4740 | WMIC.exe
  Token: SeShutdownPrivilege | 4740 | WMIC.exe
  Token: SeDebugPrivilege | 4740 | WMIC.exe
  Token: SeSystemEnvironmentPrivilege | 4740 | WMIC.exe
  Token: SeRemoteShutdownPrivilege | 4740 | WMIC.exe
  Token: SeUndockPrivilege | 4740 | WMIC.exe
  Token: SeManageVolumePrivilege | 4740 | WMIC.exe
  Token: 33 | 4740 | WMIC.exe
  Token: 34 | 4740 | WMIC.exe
  Token: 35 | 4740 | WMIC.exe
  Token: 36 | 4740 | WMIC.exe
  Token: SeBackupPrivilege | 3132 | vssvc.exe
  Token: SeRestorePrivilege | 3132 | vssvc.exe
  Token: SeAuditPrivilege | 3132 | vssvc.exe
- Suspicious use of WriteProcessMemory (16 IoCs)
  Processes: 1abb16b7c5ee027bdbe4146ea7afe3a0_NeikiAnalytics.exe, fdrlbupjwprf.exe
  description | pid | process | target process
  PID 2240 wrote to memory of 3912 | 2240 | 1abb16b7c5ee027bdbe4146ea7afe3a0_NeikiAnalytics.exe | fdrlbupjwprf.exe (3 rows)
  PID 3912 wrote to memory of 4740 | 3912 | fdrlbupjwprf.exe | WMIC.exe (2 rows)
  PID 2240 wrote to memory of 2352 | 2240 | 1abb16b7c5ee027bdbe4146ea7afe3a0_NeikiAnalytics.exe | cmd.exe (3 rows)
  PID 3912 wrote to memory of 4780 | 3912 | fdrlbupjwprf.exe | NOTEPAD.EXE (3 rows)
  PID 3912 wrote to memory of 2660 | 3912 | fdrlbupjwprf.exe | msedge.exe (2 rows)
  PID 3912 wrote to memory of 2144 | 3912 | fdrlbupjwprf.exe | cmd.exe (3 rows)
- System policy modification (1 TTPs, 2 IoCs)
  Processes: fdrlbupjwprf.exe
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | fdrlbupjwprf.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" | fdrlbupjwprf.exe
- Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Users\Admin\AppData\Local\Temp\1abb16b7c5ee027bdbe4146ea7afe3a0_NeikiAnalytics.exe (PID 2240)
  Command line: "C:\Users\Admin\AppData\Local\Temp\1abb16b7c5ee027bdbe4146ea7afe3a0_NeikiAnalytics.exe"
  - Checks computer location settings
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\fdrlbupjwprf.exe (PID 3912)
    Command line: C:\Windows\fdrlbupjwprf.exe
    - Checks computer location settings
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Program Files directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    - C:\Windows\System32\wbem\WMIC.exe (PID 4740)
      Command line: "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\NOTEPAD.EXE (PID 4780)
      Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
      - Opens file in notepad (likely ransom note)
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2660)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\RECOVERY.HTM
    - C:\Windows\SysWOW64\cmd.exe (PID 2144)
      Command line: "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\FDRLBU~1.EXE
  - C:\Windows\SysWOW64\cmd.exe (PID 2352)
    Command line: "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\1ABB16~1.EXE
- C:\Windows\system32\vssvc.exe (PID 3132)
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1596)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4076 --field-trial-handle=2280,i,11703952675008463361,17436195144517971517,262144 --variations-seed-version /prefetch:8
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2216)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --mojo-platform-channel-handle=3984 --field-trial-handle=2280,i,11703952675008463361,17436195144517971517,262144 --variations-seed-version /prefetch:1
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5108)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --mojo-platform-channel-handle=4676 --field-trial-handle=2280,i,11703952675008463361,17436195144517971517,262144 --variations-seed-version /prefetch:1
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2840)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4620 --field-trial-handle=2280,i,11703952675008463361,17436195144517971517,262144 --variations-seed-version /prefetch:8
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 416)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --mojo-platform-channel-handle=560 --field-trial-handle=2280,i,11703952675008463361,17436195144517971517,262144 --variations-seed-version /prefetch:1
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\PerfLogs\Recovery+asmal.html
  Filesize: 8KB
  MD5: e05ca72ef5164a35dd2258edfd30b5ff
  SHA1: 2c28c0582636fc7dc9126e07407a0deffbdb59b0
  SHA256: 4fc7a1caf4eedb5509c786af88a6537766556ceb3719fe2fb77c5d5408e6bc38
  SHA512: 0a7e820f5ea9f7616e3fea498f2bedf77d674b3e17d92c0540cb83a3216f4abb8b046b76d88ee2dc573afcb956d9a7429371fc6067c0d6672514180a798af0db
- C:\PerfLogs\Recovery+asmal.png
  Filesize: 68KB
  MD5: 4e75b9c90a9d8b0b0f62924f4dec4c20
  SHA1: 1645d5a1efe59e2919b2dd0d89bfb121edb5c3c4
  SHA256: 8153d65563a2e5de0f9094c908750c97f9ef1daf94e464eb6b68dac36464b24c
  SHA512: 1bccc69d82187bb2b8c2e51b60746aac4e628929912ea58f6277a3a79f8761729b09fffcf086d385573c3d6ab96b351d7f2bff6c4922b0276b6b89c0e7fe9e36
- C:\PerfLogs\Recovery+asmal.txt
  Filesize: 2KB
  MD5: d8dc197bbb316c2362f8efd466665d21
  SHA1: c4763ec6cc348c80d5fc52cd469d9a48210671a9
  SHA256: e5249c203a02f4513ca95d9166378f4767d0b87b8a2095dac0e2d15ade106cd4
  SHA512: 189c992d71e54289d1a8196de41f72aca5395e83bc8d2c9f83546ae77ca1c0ce22066e4a7212f37140dec6ffbc1a0129a345eaa8ff31b523f5ec4dc886b1fca5
- C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt
  Filesize: 560B
  MD5: 027313945ef2af7cde26c2fbd6ec6fdd
  SHA1: c9176de8908140ffb2573706be94271534e8911b
  SHA256: 3eca44c87442e7956347b0175b9e3d42505762eb06eddec25f2399ad8f831dda
  SHA512: 4c2f2d9d7ab7f48342cf61657170365d19ec5766ff1b1eb153a695a44b47c9ad2d8c311432533d57fe1bc73c1847182bcefbecf2c69124d6b9cbcbaa6033a73d
- C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME.txt
  Filesize: 560B
  MD5: fe989831b1af95f0b18c2ebef59b7213
  SHA1: 616c62e595d7d92d56013dc6c54f5a9d0a575ecc
  SHA256: ef5cce7962ef6b2ce8b6cc4037a92fa330ecf9c6bda5b2aab83471730937f203
  SHA512: f5e0623434a7c40e2fda5f29f6dc25628aa34aa7c9db733a6df8266a2bbe2c0636f51a44a92d907d75260e7480d88d80b733aef4a56168159f7843f24dcaa7ba
- C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub2019_eula.txt
  Filesize: 416B
  MD5: bde84bc2add9a08ccea3bbaf3ed9d8e6
  SHA1: c22b741c48db0b391f44d39c2d4a51d2c8d7c171
  SHA256: 0e65b16d74a1faa0ddfb9e84975cc71b542ce58c4a001673690a704408c393a8
  SHA512: 652acf7c0c0e1796b488eb347c095170a2fab8023d2afca73cdda7864b2596aeae18667b9b61dd82acc9646d0e324b93a88d94b31cdb31c09c20d21620e55e0c
- C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133534305838784240.txt
  Filesize: 77KB
  MD5: 1503226a45da9919707585c977ea4b7e
  SHA1: 308183adf2d9a84d02cbb0cb5944b9c041ed0291
  SHA256: d7339897014e9eb7bffec1e484a7d5ce30ca4c9b15a4ca1a42036f7824abd48a
  SHA512: e7376dcca4cd9d524149fa8dfbb82f32eba45ae56d3ed09f4b0c36147d3089221d8aafb548f8148274c4f669f78c5599be8795f5eee640181cd28bac5ebc37b2
- C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133534325129811261.txt
  Filesize: 74KB
  MD5: 731770ff3b019b625193fc25c260fd8d
  SHA1: 936eaf57c579c3f4626086f778433a9d4e1b2c32
  SHA256: 395f716dcfd608804d7bb6d63c19186716531b4ff8c4a3f796e97c89a1a736ab
  SHA512: c81143d5a41ef49d7b4632b9322083668e158dd7117654dd7b94e87db7118fadb8ed5cdd93db827f4623299d175e7bdbccba18495820d5519edb4e7ecd2c601b
- C:\Windows\fdrlbupjwprf.exe
  Filesize: 336KB
  MD5: 1abb16b7c5ee027bdbe4146ea7afe3a0
  SHA1: 4d1cdf16ff56ebea28faf8c5b5adf9da03c98d48
  SHA256: d24df945a8c781573c1a1172241ae9fc8fd8a8cca1e599754bac66b9a590ee0a
  SHA512: 558ac04dcfb2f69a4ed7d61b6ea180f33c9b976569f2e51a79f866099376bcac41c9f6a7c7fccaa1607a5d5b7370e8f29f73aa3f5f7f7070614992b75237a4d0
- Memory dumps (each Filesize: 532KB):
  memory/2240-1-0x0000000000400000-0x0000000000485000-memory.dmp
  memory/2240-14-0x0000000000400000-0x0000000000485000-memory.dmp
  memory/2240-15-0x0000000000B20000-0x0000000000BA5000-memory.dmp
  memory/2240-0-0x0000000000B20000-0x0000000000BA5000-memory.dmp
  memory/3912-2224-0x0000000000400000-0x0000000000485000-memory.dmp
  memory/3912-5796-0x0000000000400000-0x0000000000485000-memory.dmp
  memory/3912-1217-0x0000000000400000-0x0000000000485000-memory.dmp
  memory/3912-645-0x0000000000400000-0x0000000000485000-memory.dmp
  memory/3912-3228-0x0000000000400000-0x0000000000485000-memory.dmp
  memory/3912-3774-0x0000000000400000-0x0000000000485000-memory.dmp
  memory/3912-4667-0x0000000000400000-0x0000000000485000-memory.dmp
  memory/3912-785-0x0000000000A40000-0x0000000000AC5000-memory.dmp
  memory/3912-7089-0x0000000000400000-0x0000000000485000-memory.dmp
  memory/3912-599-0x0000000000400000-0x0000000000485000-memory.dmp
  memory/3912-9-0x0000000000A40000-0x0000000000AC5000-memory.dmp
  memory/3912-8270-0x0000000000400000-0x0000000000485000-memory.dmp
  memory/3912-9242-0x0000000000400000-0x0000000000485000-memory.dmp
  memory/3912-10369-0x0000000000400000-0x0000000000485000-memory.dmp
  memory/3912-10377-0x0000000000400000-0x0000000000485000-memory.dmp