23c737d0795cc4b929720ba54e9906819301f33c9a8a00292a4c019d5928b0ab

General

Target

fe0354cca32b8dd29358acc6f94c4300_NeikiAnalytics.exe
Size

156KB
MD5

fe0354cca32b8dd29358acc6f94c4300
SHA1

a89fc308dcc6476abc2beca8616fc85171b3bcb3
SHA256

23c737d0795cc4b929720ba54e9906819301f33c9a8a00292a4c019d5928b0ab
SHA512

f5c50f46efe42783623c014fd259605889dfe352c5b44e053baf6296766e1364b54d6d2d01235a9b77e0bc9088eca8991bea91242e86b6246c3d5b6d7ae42f65
SSDEEP

3072:QJ8CRzqUp49aFi3h1zaqi3uO/hQJ7P2HN7/sU:9Cxq9U03hxNkuEhQJ7+x/s

Score

9^/10

cryptone packer persistence

Malware Config

Signatures

CryptOne packer 9 IoCs

Detects CryptOne packer defined in NCC blogpost.

cryptone packer

Processes:

resource	yara_rule
behavioral2/memory/3572-0-0x0000000000400000-0x0000000000429000-memory.dmp	cryptone
behavioral2/memory/868-2-0x0000000000EC0000-0x0000000000EE9000-memory.dmp	cryptone
behavioral2/memory/2476-8-0x0000000000880000-0x00000000008A9000-memory.dmp	cryptone
behavioral2/memory/868-7-0x0000000000EC0000-0x0000000000EE9000-memory.dmp	cryptone
behavioral2/memory/2476-10-0x0000000000880000-0x00000000008A9000-memory.dmp	cryptone
behavioral2/memory/2476-9-0x0000000000880000-0x00000000008A9000-memory.dmp	cryptone
behavioral2/memory/2476-11-0x0000000000880000-0x00000000008A9000-memory.dmp	cryptone
behavioral2/memory/868-14-0x0000000000EC0000-0x0000000000EE9000-memory.dmp	cryptone
behavioral2/memory/3572-18-0x0000000000400000-0x0000000000429000-memory.dmp	cryptone

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

svchost.exemspaint.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Adobe System Incorporated = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Adobe\\Reader_sl.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Kbpbpl = "C:\\Users\\Admin\\AppData\\Roaming\\Identities\\Kbpbpl.exe"	mspaint.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

svchost.exemspaint.exe

description	ioc	process
File opened (read-only)	\??\G:	svchost.exe
File opened (read-only)	\??\H:	svchost.exe
File opened (read-only)	\??\I:	svchost.exe
File opened (read-only)	\??\X:	svchost.exe
File opened (read-only)	\??\D:	mspaint.exe
File opened (read-only)	\??\R:	svchost.exe
File opened (read-only)	\??\U:	svchost.exe
File opened (read-only)	\??\V:	svchost.exe
File opened (read-only)	\??\E:	svchost.exe
File opened (read-only)	\??\K:	svchost.exe
File opened (read-only)	\??\M:	svchost.exe
File opened (read-only)	\??\N:	svchost.exe
File opened (read-only)	\??\Q:	svchost.exe
File opened (read-only)	\??\Z:	svchost.exe
File opened (read-only)	\??\B:	svchost.exe
File opened (read-only)	\??\L:	svchost.exe
File opened (read-only)	\??\S:	svchost.exe
File opened (read-only)	\??\T:	svchost.exe
File opened (read-only)	\??\W:	svchost.exe
File opened (read-only)	\??\J:	svchost.exe
File opened (read-only)	\??\O:	svchost.exe
File opened (read-only)	\??\P:	svchost.exe
File opened (read-only)	\??\Y:	svchost.exe
File opened (read-only)	\??\F:	mspaint.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

fe0354cca32b8dd29358acc6f94c4300_NeikiAnalytics.exe

description	pid	process	target process
PID 3572 set thread context of 4032	3572	fe0354cca32b8dd29358acc6f94c4300_NeikiAnalytics.exe	fe0354cca32b8dd29358acc6f94c4300_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

svchost.exefe0354cca32b8dd29358acc6f94c4300_NeikiAnalytics.exe

pid	process
868	svchost.exe
868	svchost.exe
4032	fe0354cca32b8dd29358acc6f94c4300_NeikiAnalytics.exe
4032	fe0354cca32b8dd29358acc6f94c4300_NeikiAnalytics.exe
4032	fe0354cca32b8dd29358acc6f94c4300_NeikiAnalytics.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

fe0354cca32b8dd29358acc6f94c4300_NeikiAnalytics.exe

pid process

3572 fe0354cca32b8dd29358acc6f94c4300_NeikiAnalytics.exe

pid	process
3572	fe0354cca32b8dd29358acc6f94c4300_NeikiAnalytics.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

fe0354cca32b8dd29358acc6f94c4300_NeikiAnalytics.execalc.exemspaint.exesvchost.exe

description	pid	process
Token: SeDebugPrivilege	4032	fe0354cca32b8dd29358acc6f94c4300_NeikiAnalytics.exe
Token: SeDebugPrivilege	3600	calc.exe
Token: SeDebugPrivilege	2476	mspaint.exe
Token: SeDebugPrivilege	868	svchost.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

fe0354cca32b8dd29358acc6f94c4300_NeikiAnalytics.exesvchost.exefe0354cca32b8dd29358acc6f94c4300_NeikiAnalytics.exe

description	pid	process	target process
PID 3572 wrote to memory of 868	3572	fe0354cca32b8dd29358acc6f94c4300_NeikiAnalytics.exe	svchost.exe
PID 3572 wrote to memory of 868	3572	fe0354cca32b8dd29358acc6f94c4300_NeikiAnalytics.exe	svchost.exe
PID 3572 wrote to memory of 868	3572	fe0354cca32b8dd29358acc6f94c4300_NeikiAnalytics.exe	svchost.exe
PID 3572 wrote to memory of 868	3572	fe0354cca32b8dd29358acc6f94c4300_NeikiAnalytics.exe	svchost.exe
PID 3572 wrote to memory of 3600	3572	fe0354cca32b8dd29358acc6f94c4300_NeikiAnalytics.exe	calc.exe
PID 3572 wrote to memory of 3600	3572	fe0354cca32b8dd29358acc6f94c4300_NeikiAnalytics.exe	calc.exe
PID 3572 wrote to memory of 3600	3572	fe0354cca32b8dd29358acc6f94c4300_NeikiAnalytics.exe	calc.exe
PID 3572 wrote to memory of 3600	3572	fe0354cca32b8dd29358acc6f94c4300_NeikiAnalytics.exe	calc.exe
PID 3572 wrote to memory of 3600	3572	fe0354cca32b8dd29358acc6f94c4300_NeikiAnalytics.exe	calc.exe
PID 868 wrote to memory of 2476	868	svchost.exe	mspaint.exe
PID 868 wrote to memory of 2476	868	svchost.exe	mspaint.exe
PID 868 wrote to memory of 2476	868	svchost.exe	mspaint.exe
PID 868 wrote to memory of 2476	868	svchost.exe	mspaint.exe
PID 3572 wrote to memory of 4032	3572	fe0354cca32b8dd29358acc6f94c4300_NeikiAnalytics.exe	fe0354cca32b8dd29358acc6f94c4300_NeikiAnalytics.exe
PID 3572 wrote to memory of 4032	3572	fe0354cca32b8dd29358acc6f94c4300_NeikiAnalytics.exe	fe0354cca32b8dd29358acc6f94c4300_NeikiAnalytics.exe
PID 3572 wrote to memory of 4032	3572	fe0354cca32b8dd29358acc6f94c4300_NeikiAnalytics.exe	fe0354cca32b8dd29358acc6f94c4300_NeikiAnalytics.exe
PID 3572 wrote to memory of 4032	3572	fe0354cca32b8dd29358acc6f94c4300_NeikiAnalytics.exe	fe0354cca32b8dd29358acc6f94c4300_NeikiAnalytics.exe
PID 3572 wrote to memory of 4032	3572	fe0354cca32b8dd29358acc6f94c4300_NeikiAnalytics.exe	fe0354cca32b8dd29358acc6f94c4300_NeikiAnalytics.exe
PID 3572 wrote to memory of 4032	3572	fe0354cca32b8dd29358acc6f94c4300_NeikiAnalytics.exe	fe0354cca32b8dd29358acc6f94c4300_NeikiAnalytics.exe
PID 3572 wrote to memory of 4032	3572	fe0354cca32b8dd29358acc6f94c4300_NeikiAnalytics.exe	fe0354cca32b8dd29358acc6f94c4300_NeikiAnalytics.exe
PID 3572 wrote to memory of 4032	3572	fe0354cca32b8dd29358acc6f94c4300_NeikiAnalytics.exe	fe0354cca32b8dd29358acc6f94c4300_NeikiAnalytics.exe
PID 3572 wrote to memory of 4032	3572	fe0354cca32b8dd29358acc6f94c4300_NeikiAnalytics.exe	fe0354cca32b8dd29358acc6f94c4300_NeikiAnalytics.exe
PID 4032 wrote to memory of 868	4032	fe0354cca32b8dd29358acc6f94c4300_NeikiAnalytics.exe	svchost.exe
PID 4032 wrote to memory of 868	4032	fe0354cca32b8dd29358acc6f94c4300_NeikiAnalytics.exe	svchost.exe
PID 4032 wrote to memory of 3600	4032	fe0354cca32b8dd29358acc6f94c4300_NeikiAnalytics.exe	calc.exe
PID 4032 wrote to memory of 3600	4032	fe0354cca32b8dd29358acc6f94c4300_NeikiAnalytics.exe	calc.exe
PID 4032 wrote to memory of 2476	4032	fe0354cca32b8dd29358acc6f94c4300_NeikiAnalytics.exe	mspaint.exe
PID 4032 wrote to memory of 2476	4032	fe0354cca32b8dd29358acc6f94c4300_NeikiAnalytics.exe	mspaint.exe

C:\Users\Admin\AppData\Local\Temp\fe0354cca32b8dd29358acc6f94c4300_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\fe0354cca32b8dd29358acc6f94c4300_NeikiAnalytics.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:3572

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\SysWOW64\svchost.exe"
2⤵
- Adds Run key to start application
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:868

C:\Windows\SysWOW64\mspaint.exe
"C:\Windows\SysWOW64\mspaint.exe"
3⤵
- Adds Run key to start application
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
PID:2476

C:\Windows\SysWOW64\calc.exe
"C:\Windows\SysWOW64\calc.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3600

C:\Users\Admin\AppData\Local\Temp\fe0354cca32b8dd29358acc6f94c4300_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\fe0354cca32b8dd29358acc6f94c4300_NeikiAnalytics.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4032

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/868-14-0x0000000000EC0000-0x0000000000EE9000-memory.dmp

Filesize
164KB

Download
memory/868-2-0x0000000000EC0000-0x0000000000EE9000-memory.dmp

Filesize
164KB

Download
memory/868-30-0x0000000000F00000-0x0000000000F4E000-memory.dmp

Filesize
312KB

Download
memory/868-20-0x0000000000F00000-0x0000000000F4E000-memory.dmp

Filesize
312KB

Download
memory/868-7-0x0000000000EC0000-0x0000000000EE9000-memory.dmp

Filesize
164KB

Download
memory/2476-33-0x00000000008C0000-0x000000000090E000-memory.dmp

Filesize
312KB

Download
memory/2476-10-0x0000000000880000-0x00000000008A9000-memory.dmp

Filesize
164KB

Download
memory/2476-13-0x0000000000880000-0x00000000008A9000-memory.dmp

Filesize
164KB

Download
memory/2476-9-0x0000000000880000-0x00000000008A9000-memory.dmp

Filesize
164KB

Download
memory/2476-11-0x0000000000880000-0x00000000008A9000-memory.dmp

Filesize
164KB

Download
memory/2476-12-0x0000000000880000-0x00000000008A9000-memory.dmp

Filesize
164KB

Download
memory/2476-39-0x0000000000880000-0x00000000008A9000-memory.dmp

Filesize
164KB

Download
memory/2476-31-0x00000000008C0000-0x000000000090E000-memory.dmp

Filesize
312KB

Download
memory/2476-38-0x00000000757E0000-0x0000000075871000-memory.dmp

Filesize
580KB

Download
memory/2476-37-0x0000000075836000-0x0000000075837000-memory.dmp

Filesize
4KB

Download
memory/2476-8-0x0000000000880000-0x00000000008A9000-memory.dmp

Filesize
164KB

Download
memory/2476-34-0x00000000008C0000-0x000000000090E000-memory.dmp

Filesize
312KB

Download
memory/2476-28-0x00000000008C0000-0x000000000090E000-memory.dmp

Filesize
312KB

Download
memory/2476-22-0x00000000008C0000-0x000000000090E000-memory.dmp

Filesize
312KB

Download
memory/3572-18-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3572-0-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3600-21-0x0000000000810000-0x000000000085E000-memory.dmp

Filesize
312KB

Download
memory/3600-3-0x0000000000350000-0x0000000000352000-memory.dmp

Filesize
8KB

Download
memory/3600-27-0x0000000000810000-0x000000000085E000-memory.dmp

Filesize
312KB

Download
memory/3600-41-0x0000000000350000-0x0000000000352000-memory.dmp

Filesize
8KB

Download
memory/4032-23-0x0000000002170000-0x00000000021BE000-memory.dmp

Filesize
312KB

Download
memory/4032-24-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/4032-19-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/4032-17-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/4032-15-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads