Analysis
max time kernel: 150s
max time network: 119s
platform: windows7_x64
resource: win7-20240215-en
resource tags: arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
submitted: 25/05/2024, 22:10
Static task: static1
Behavioral task: behavioral1
  Sample: 27f7cacd5988bfbc08cfdf11f9a30cd0_NeikiAnalytics.exe
  Resource: win7-20240215-en
Behavioral task: behavioral2
  Sample: 27f7cacd5988bfbc08cfdf11f9a30cd0_NeikiAnalytics.exe
  Resource: win10v2004-20240508-en
General
Target: 27f7cacd5988bfbc08cfdf11f9a30cd0_NeikiAnalytics.exe
Size: 53KB
MD5: 27f7cacd5988bfbc08cfdf11f9a30cd0
SHA1: bb50d8f49e88eeaf34db2aa15fcaa5e08866be6f
SHA256: 5664067697ffb038fb997f5dc88a4378eb1f5c7ec2c9329657529c0ed9801fb3
SHA512: c35c126c451af47404f9bf28426e7e29ec74ab4345976f2397f268ce2455a8461d044d3fc478e26137bd6f4d8c3d97dd22cd76706cfb33846d2d2e36a5634445
SSDEEP: 1536:vN+g8r8Q6VcLX17Kp3StjEMjmLM3ztDJWZsXy4JzxPME:TVcZJJjmLM3zRJWZsXy4Jt
Malware Config
Signatures
- Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoCs)
  description: Set value (int); ioc: \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"; Process: pinod.exe
- Executes dropped EXE (1 IoCs)
  pid 2636; Process: pinod.exe
- Loads dropped DLL (2 IoCs)
  pid 2980; Process: 27f7cacd5988bfbc08cfdf11f9a30cd0_NeikiAnalytics.exe (2 identical entries)
- Adds Run key to start application (2 TTPs, 1 IoCs)
  description: Set value (str); ioc: \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\pinod = "C:\\Users\\Admin\\pinod.exe"; Process: pinod.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid 2636; Process: pinod.exe (the same entry repeated 64 times)
- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid 2980; Process: 27f7cacd5988bfbc08cfdf11f9a30cd0_NeikiAnalytics.exe
  pid 2636; Process: pinod.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  description: PID 2980 wrote to memory of 2636; pid 2980; Process: 27f7cacd5988bfbc08cfdf11f9a30cd0_NeikiAnalytics.exe; procid_target 28 (4 entries)
  description: PID 2636 wrote to memory of 2980; pid 2636; Process: pinod.exe; procid_target 27 (60 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\27f7cacd5988bfbc08cfdf11f9a30cd0_NeikiAnalytics.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\27f7cacd5988bfbc08cfdf11f9a30cd0_NeikiAnalytics.exe"
  PID: 2980
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - Child process: C:\Users\Admin\pinod.exe
    Command line: "C:\Users\Admin\pinod.exe"
    PID: 2636
    - Modifies visibility of hidden/system files in Explorer
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 53KB
  MD5: e366214fe704794ba4783a07762796a6
  SHA1: b4650c25885862ade73353e9f7a314eaf9e4dd02
  SHA256: 763323aa1896ede0495db668f71f06e00b94350243c68111be6b9eed26c69429
  SHA512: e056122b280005bb7b71e4a6a1421a04e0b94661399dac5e6d08002f8bff3e53094bc600a6a4f2633a5c7d218a5abc38503fa1d3fd6f8484bd475829c64280ce