378f6ba5d80510262c3483bebe182add567464b0b2c15f9900cc107faddb2467

General

Target

bd977a9ea6447b09730a65d9934a0b70_NeikiAnalytics.exe
Size

1.3MB
MD5

bd977a9ea6447b09730a65d9934a0b70
SHA1

50c2294f8ebe51b922d038b947e8818b446c758a
SHA256

378f6ba5d80510262c3483bebe182add567464b0b2c15f9900cc107faddb2467
SHA512

b6699e8e11b624faaa2b67d759a9fdcf5730797ef7830f04a1c330cd5b673ae2fdd6d5003079755611a17424d5e7d26fd0bc415a6f6957772a5ed6151ba809a9
SSDEEP

24576:zDvxE0HTog5ujibtFGNF5Ux2evA8xE2rn3TR7iB:S2TogXZa5UvvpxE2b3TR7S

Score

8^/10

persistence upx

Malware Config

Signatures

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\i0NbRJkbNM\ImagePath = "\\??\\C:\\Windows\\O4cvpNC0zOJ.sys"	svchost.exe

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x0009000000023426-66.dat	acprotect

Executes dropped EXE 1 IoCs

pid	Process
2096	svchost.exe

Loads dropped DLL 3 IoCs

pid	Process
2096	svchost.exe
2096	svchost.exe
2096	svchost.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0009000000023426-66.dat	upx
behavioral2/memory/2096-72-0x0000000074630000-0x00000000746B7000-memory.dmp	upx

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\hNfyWMEq\svchost.exe	bd977a9ea6447b09730a65d9934a0b70_NeikiAnalytics.exe
File opened for modification	C:\Program Files (x86)\hNfyWMEq\svchost.exe	bd977a9ea6447b09730a65d9934a0b70_NeikiAnalytics.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\dcsYeKw.dll	svchost.exe
File created	C:\Windows\CmoKJuk\ipOHWCV.dll	svchost.exe
File opened for modification	C:\Windows\CmoKJuk\ipOHWCV.dll	svchost.exe
File opened for modification	C:\Windows\CmoKJuk\KOPopQLe.dll	svchost.exe
File created	C:\Windows\CmoKJuk\hVvMMWxff.tmp	svchost.exe
File created	C:\Windows\O4cvpNC0zOJ.sys	svchost.exe
File created	C:\Windows\eXycRHuc.dll	bd977a9ea6447b09730a65d9934a0b70_NeikiAnalytics.exe
File created	C:\Windows\CLOG.txt	bd977a9ea6447b09730a65d9934a0b70_NeikiAnalytics.exe
File created	C:\Windows\CmoKJuk\yBYPWJPgn.dll	svchost.exe
File created	C:\Windows\CmoKJuk\DWksPUkSD.dll	svchost.exe
File opened for modification	C:\Windows\CLOG.txt	svchost.exe
File created	C:\Windows\CmoKJuk\KOPopQLe.dll	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2096	svchost.exe
2096	svchost.exe
2096	svchost.exe
2096	svchost.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
2096	svchost.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2096	svchost.exe
Token: SeLoadDriverPrivilege	2096	svchost.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4540 wrote to memory of 2096	4540	bd977a9ea6447b09730a65d9934a0b70_NeikiAnalytics.exe	83
PID 4540 wrote to memory of 2096	4540	bd977a9ea6447b09730a65d9934a0b70_NeikiAnalytics.exe	83
PID 4540 wrote to memory of 2096	4540	bd977a9ea6447b09730a65d9934a0b70_NeikiAnalytics.exe	83

C:\Users\Admin\AppData\Local\Temp\bd977a9ea6447b09730a65d9934a0b70_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\bd977a9ea6447b09730a65d9934a0b70_NeikiAnalytics.exe"
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4540
- C:\Program Files (x86)\hNfyWMEq\svchost.exe
  "C:\Program Files (x86)\hNfyWMEq\svchost.exe" 2
  2⤵
  - Sets service image path in registry
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: LoadsDriver
  - Suspicious use of AdjustPrivilegeToken
  PID:2096

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\hNfyWMEq\svchost.exe

Filesize
1.3MB

MD5
6c3a8a13edadcb4716abfee078d8e969

SHA1
2e9c2fe9c55c7678764cbba95bc7feac874dbc2b

SHA256
70f809665132e64e7a0aaf0070cde89fff8244fd9d820a17310f08027b0f2b6b

SHA512
c1bd3a4c5c72712b618d1c48c4f2e698361ceb49bfd8b698b5cf3bbc709f1649d8208f83cfbe0e6cb9d4816a8786ccf0a2d5f337d96dd600722a61a71ab026e6

Download Submit
C:\Windows\CLOG.txt

Filesize
163B

MD5
c81ee2fcabbedf8310e0f1f59f06e601

SHA1
bf93783aca5fdef11318c3649114b9caf62a0b9b

SHA256
70b6015ed8a390f3616eeb401f1317b0980418359d1cc1e2a3004ee4a8ea5edd

SHA512
d7ecd8a5d768fbd5d14166d8f9a79f267a8826c7f5b67248ff8bd33c40bcfcf6fa2aeaa5fcd7d53654d6255f476fe447996becb29f177d464a67658f2dfb665e

Download Submit
C:\Windows\CLOG.txt

Filesize
1KB

MD5
26e5a7496e1456b112a5f902b164d0ac

SHA1
18ad3dcc192dafdca4ca9728d8a421c18f8fbcde

SHA256
f1b056c5d49f72ebfe29f71d417687c16a142cce35dba4d28b567ee6f7718761

SHA512
3b26dbbd90f5077f4f6eb3f26798829321bfe655fcf97fc29a32d814ad6a15ebe016d608540f155f7dd176a74ed467d90f4bef9b88eaa0f26af35c32854d1b29

Download Submit
C:\Windows\CmoKJuk\DWksPUkSD.dll

Filesize
471KB

MD5
262a96a6ad4c0122eee1a4d122a3fae0

SHA1
8a12cce0978e21857897289f834171ffab569f2e

SHA256
ab680c884c62b96d3f1fa0cf7e82d1f70d0850ed91a8575eabf2ff56eec35151

SHA512
10723ed98ee65dbb0a78eb4155f0778e59737b9344841b1f672aed4e4169034aadeb321ee4c33386c1e781352dd28196f7db7c9382fd5908adce78a8bc84af7d

Download Submit
C:\Windows\CmoKJuk\KOPopQLe.dll

Filesize
839KB

MD5
7e899378bb1dd7ce9056a4a7f6c5735f

SHA1
4d9f84105db11c47b96579eea321dcfec023be54

SHA256
8de14aa9d532fc9948afb17926f22d24da903b7f4420dca08a2805d41a2db56c

SHA512
af339c35457e14012690900e7ae33373ef68a2f0f19f1fed6cd7e83334d68aeaaf4d82acf4ab20a6d7aed1c4d28e661ff43fcf298a36f786d84308617f9e27bf

Download Submit
memory/2096-12-0x0000000000400000-0x0000000000532000-memory.dmp

Filesize
1.2MB

Download
memory/2096-15-0x0000000000400000-0x0000000000532000-memory.dmp

Filesize
1.2MB

Download
memory/2096-47-0x0000000002DD0000-0x0000000002F54000-memory.dmp

Filesize
1.5MB

Download
memory/2096-49-0x00000000025D0000-0x00000000025D3000-memory.dmp

Filesize
12KB

Download
memory/2096-54-0x0000000002DD0000-0x0000000002F54000-memory.dmp

Filesize
1.5MB

Download
memory/2096-71-0x00000000025D0000-0x00000000025D3000-memory.dmp

Filesize
12KB

Download
memory/2096-72-0x0000000074630000-0x00000000746B7000-memory.dmp

Filesize
540KB

Download
memory/4540-0-0x0000000000400000-0x0000000000532000-memory.dmp

Filesize
1.2MB

Download
memory/4540-9-0x0000000000400000-0x0000000000532000-memory.dmp

Filesize
1.2MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads