Analysis
max time kernel: 146s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24-05-2024 17:50
Behavioral task: behavioral1
Sample: f1f0bc22079b5b2b33ec560b0a64c330_NeikiAnalytics.exe
Resource: win7-20240221-en
General
Target: f1f0bc22079b5b2b33ec560b0a64c330_NeikiAnalytics.exe
Size: 504KB
MD5: f1f0bc22079b5b2b33ec560b0a64c330
SHA1: 216fe91a2916660d82ce58357f40ef05992b5d1e
SHA256: ebb8f40ced7bc2272ef320188049ca5e08e33ef6d9847185d784a27b3846d70e
SHA512: 8c6b35a5292f79d234e873fb2514254ee881471058db4910cd51dd2696d2ab61f71110118cd2f192512ec06f25d58ac641418608212ed26f50e26ca1913b4e48
SSDEEP: 12288:tPmTkT0+nXTv1d5Jo/H4a6ZeUOHFVS9Qg:Vmo4IXhd81rS
Malware Config
Signatures
Executes dropped EXE 3 IoCs
Processes (pid, process):
- 3552 Explorrer.exe
- 4380 Explorrer.exe
- 2220 Explorrer.exe
Loads dropped DLL 2 IoCs
Processes (pid, process):
- 5080 regsvr32.exe
- 1996 regsvr32.exe
Processes (resource, yara_rule):
- behavioral2/memory/5040-0-0x0000000000400000-0x000000000049C000-memory.dmp: upx
- behavioral2/memory/5040-3-0x0000000000400000-0x000000000049C000-memory.dmp: upx
- behavioral2/memory/5040-14-0x0000000000400000-0x000000000049C000-memory.dmp: upx
- C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe: upx
- behavioral2/memory/3552-20-0x0000000000400000-0x000000000049C000-memory.dmp: upx
- behavioral2/memory/3552-26-0x0000000000400000-0x000000000049C000-memory.dmp: upx
- behavioral2/memory/3552-28-0x0000000000400000-0x000000000049C000-memory.dmp: upx
- behavioral2/memory/3552-42-0x0000000000400000-0x000000000049C000-memory.dmp: upx
Installs/modifies Browser Helper Object 2 TTPs 2 IoCs
BHOs are DLL modules which act as plugins for Internet Explorer.
Processes (description, ioc, process):
- Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DE274C2C-2133-4B4B-93B3-8F21486DABC0} (regsvr32.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DE274C2C-2133-4B4B-93B3-8F21486DABC0}\NoExplorer = "1" (regsvr32.exe)
Suspicious use of SetThreadContext 3 IoCs
Processes (description, pid, process, target process):
- PID 5040 set thread context of 2796: 5040 f1f0bc22079b5b2b33ec560b0a64c330_NeikiAnalytics.exe -> f1f0bc22079b5b2b33ec560b0a64c330_NeikiAnalytics.exe
- PID 3552 set thread context of 4380: 3552 Explorrer.exe -> Explorrer.exe
- PID 3552 set thread context of 2220: 3552 Explorrer.exe -> Explorrer.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Program crash 1 IoCs
Processes (pid, pid_target, process, target process):
- 4280 WerFault.exe (target: 3620 ipconfig.exe)
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.
Processes (pid, process):
- 3620 ipconfig.exe
Processes (description, ioc, process):
- Key created: \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Approved Extensions (Explorrer.exe)
- Set value (data): \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Approved Extensions\{3543619C-D563-43f7-95EA-4DA7E1CC396A} = 51667a6c4c1d3b1b003ad2d87fc9ac0780c431c2a3933e7f (Explorrer.exe)
Modifies registry class 5 IoCs
Processes (description, ioc, process):
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DE274C2C-2133-4B4B-93B3-8F21486DABC0} (regsvr32.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DE274C2C-2133-4B4B-93B3-8F21486DABC0}\ = "IE MANAGER" (regsvr32.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DE274C2C-2133-4B4B-93B3-8F21486DABC0}\InProcServer32 (regsvr32.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DE274C2C-2133-4B4B-93B3-8F21486DABC0}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\IE\\bho.dll" (regsvr32.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DE274C2C-2133-4B4B-93B3-8F21486DABC0}\InProcServer32\ThreadingModel = "Apartment" (regsvr32.exe)
Suspicious use of SetWindowsHookEx 4 IoCs
Processes (pid, process):
- 5040 f1f0bc22079b5b2b33ec560b0a64c330_NeikiAnalytics.exe
- 2796 f1f0bc22079b5b2b33ec560b0a64c330_NeikiAnalytics.exe
- 3552 Explorrer.exe
- 4380 Explorrer.exe
Suspicious use of WriteProcessMemory 43 IoCs
Processes (description, pid, process, target process; identical entries are grouped, with the number of times each was recorded):
- PID 5040 wrote to memory of 2796: 5040 f1f0bc22079b5b2b33ec560b0a64c330_NeikiAnalytics.exe -> f1f0bc22079b5b2b33ec560b0a64c330_NeikiAnalytics.exe (8 entries)
- PID 2796 wrote to memory of 3552: 2796 f1f0bc22079b5b2b33ec560b0a64c330_NeikiAnalytics.exe -> Explorrer.exe (3 entries)
- PID 3552 wrote to memory of 4380: 3552 Explorrer.exe -> Explorrer.exe (8 entries)
- PID 3552 wrote to memory of 2220: 3552 Explorrer.exe -> Explorrer.exe (13 entries)
- PID 4380 wrote to memory of 3620: 4380 Explorrer.exe -> ipconfig.exe (5 entries)
- PID 2220 wrote to memory of 5080: 2220 Explorrer.exe -> regsvr32.exe (3 entries)
- PID 2220 wrote to memory of 1996: 2220 Explorrer.exe -> regsvr32.exe (3 entries)
Processes (process tree; nesting shows parent/child, level is the depth reported by the sandbox)
C:\Users\Admin\AppData\Local\Temp\f1f0bc22079b5b2b33ec560b0a64c330_NeikiAnalytics.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\f1f0bc22079b5b2b33ec560b0a64c330_NeikiAnalytics.exe" (level 1)
  PID: 5040
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\f1f0bc22079b5b2b33ec560b0a64c330_NeikiAnalytics.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\f1f0bc22079b5b2b33ec560b0a64c330_NeikiAnalytics.exe" (level 2)
    PID: 2796
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe
      Command line: C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe -notray (level 3)
      PID: 3552
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe
        Command line: "C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe" (level 4)
        PID: 4380
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\ipconfig.exe
          Command line: "C:\Windows\system32\ipconfig.exe" (level 5)
          PID: 3620
          - Gathers network information
          C:\Windows\SysWOW64\WerFault.exe
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3620 -s 272 (level 6)
            PID: 4280
            - Program crash
      C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe
        Command line: "C:\Users\Admin\AppData\Roaming\AppsData\Explorrer.exe" (level 4)
        PID: 2220
        - Executes dropped EXE
        - Modifies Internet Explorer settings
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\regsvr32.exe
          Command line: regsvr32.exe /u /s "C:\Users\Admin\AppData\Roaming\IE\bho.dll" (level 5)
          PID: 5080
          - Loads dropped DLL
        C:\Windows\SysWOW64\regsvr32.exe
          Command line: regsvr32.exe /s "C:\Users\Admin\AppData\Roaming\IE\bho.dll" (level 5)
          PID: 1996
          - Loads dropped DLL
          - Installs/modifies Browser Helper Object
          - Modifies registry class
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1312 --field-trial-handle=2284,i,9807419199535700662,2319175108930815708,262144 --variations-seed-version /prefetch:8 (level 1)
  PID: 1864
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3620 -ip 3620 (level 1)
  PID: 4916
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 504KB
  MD5: 196d813dcd973d8c67226f6bc536269b
  SHA1: dcf076ee2b0222754d52b3457f856d365cb8ca02
  SHA256: a94fd1ea0cbf62f791ca06d5f76b7bf87bafcc03ae66aed3fff4a6c3e1428a6e
  SHA512: 682e283c267bb80a43e7816aef568927a811f890b677cbb56bf86139303abf5bb98b27aa997e561aa9287e982340e457194ca4b6bededfa52b0dd314e195290f
- Filesize: 87KB
  MD5: 49a92a33d1775b45b3bd45f8bec24585
  SHA1: ea404af50bbdad5cbc9f95f4068bdc30c9fceff6
  SHA256: 976540cf1b4d04d80be1f1af8ea0f050c3f03a0a8c4e339589b7bb9180fc07f5
  SHA512: 7d5c4ea5c6f950a41bff386289df88b3f6d78444d7eeaa8a426569ce7698c2dfa916ae02d321af2be839c20e53b2ba9b3bb6a1573cad3b578733b082f0dc292f