eb3fed4907ab931d7b7e767c050619f57796c595e4708193b7ea6d192df36d03

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
25/05/2024, 19:30

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

1149ba2f4ab7b17b8baee8f4c9a5cb50_NeikiAnalytics.exe
Size

102KB
MD5

1149ba2f4ab7b17b8baee8f4c9a5cb50
SHA1

b1b34e010dfaf2b5eae2ab15c48de1766ffa70c7
SHA256

eb3fed4907ab931d7b7e767c050619f57796c595e4708193b7ea6d192df36d03
SHA512

5115b2762fdeda7e045030af11079c6cc94e17d3f5af17ac48180bedd687d7def87cfbdd3acbab16243564c807360cabfba8601aa1c9f16ebdb6db01847d54fd
SSDEEP

3072:xFphTfm1UC7AdYzrV+Dljy/32ubwZZqJ:FhTfmuCkdYzrVolu/J0ZZ

Score

7^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2484	WindowsService.exe
2656	WindowsService.exe
2056	WindowsService.exe

Loads dropped DLL 5 IoCs

pid	Process
2588	1149ba2f4ab7b17b8baee8f4c9a5cb50_NeikiAnalytics.exe
2588	1149ba2f4ab7b17b8baee8f4c9a5cb50_NeikiAnalytics.exe
2588	1149ba2f4ab7b17b8baee8f4c9a5cb50_NeikiAnalytics.exe
2588	1149ba2f4ab7b17b8baee8f4c9a5cb50_NeikiAnalytics.exe
2588	1149ba2f4ab7b17b8baee8f4c9a5cb50_NeikiAnalytics.exe

UPX packed file 16 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2128-0-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/memory/2128-31-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/memory/2128-126-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/memory/2128-161-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/memory/2128-82-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/memory/2128-79-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/memory/2128-452-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/memory/2588-448-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/2128-447-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/files/0x0037000000015653-477.dat	upx
behavioral1/memory/2484-494-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/memory/2588-484-0x0000000003360000-0x000000000339B000-memory.dmp	upx
behavioral1/memory/2656-1041-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/2484-1045-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral1/memory/2588-1048-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/2656-1053-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\sidebar = "C:\\Users\\Admin\\AppData\\Roaming\\SystemWindows\\WindowsService.exe"	reg.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2128 set thread context of 2588	2128	1149ba2f4ab7b17b8baee8f4c9a5cb50_NeikiAnalytics.exe	28
PID 2484 set thread context of 2656	2484	WindowsService.exe	33
PID 2484 set thread context of 2056	2484	WindowsService.exe	34

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2656	WindowsService.exe
Token: SeDebugPrivilege	2656	WindowsService.exe
Token: SeDebugPrivilege	2656	WindowsService.exe
Token: SeDebugPrivilege	2656	WindowsService.exe
Token: SeDebugPrivilege	2656	WindowsService.exe
Token: SeDebugPrivilege	2656	WindowsService.exe
Token: SeDebugPrivilege	2656	WindowsService.exe
Token: SeDebugPrivilege	2656	WindowsService.exe
Token: SeDebugPrivilege	2656	WindowsService.exe
Token: SeDebugPrivilege	2656	WindowsService.exe
Token: SeDebugPrivilege	2656	WindowsService.exe
Token: SeDebugPrivilege	2656	WindowsService.exe
Token: SeDebugPrivilege	2656	WindowsService.exe
Token: SeDebugPrivilege	2656	WindowsService.exe
Token: SeDebugPrivilege	2656	WindowsService.exe
Token: SeDebugPrivilege	2656	WindowsService.exe
Token: SeDebugPrivilege	2656	WindowsService.exe
Token: SeDebugPrivilege	2656	WindowsService.exe
Token: SeDebugPrivilege	2656	WindowsService.exe
Token: SeDebugPrivilege	2656	WindowsService.exe
Token: SeDebugPrivilege	2656	WindowsService.exe
Token: SeDebugPrivilege	2656	WindowsService.exe
Token: SeDebugPrivilege	2656	WindowsService.exe
Token: SeDebugPrivilege	2656	WindowsService.exe
Token: SeDebugPrivilege	2656	WindowsService.exe
Token: SeDebugPrivilege	2656	WindowsService.exe
Token: SeDebugPrivilege	2656	WindowsService.exe
Token: SeDebugPrivilege	2656	WindowsService.exe
Token: SeDebugPrivilege	2656	WindowsService.exe
Token: SeDebugPrivilege	2656	WindowsService.exe
Token: SeDebugPrivilege	2656	WindowsService.exe
Token: SeDebugPrivilege	2656	WindowsService.exe
Token: SeDebugPrivilege	2656	WindowsService.exe
Token: SeDebugPrivilege	2656	WindowsService.exe
Token: SeDebugPrivilege	2656	WindowsService.exe
Token: SeDebugPrivilege	2656	WindowsService.exe
Token: SeDebugPrivilege	2656	WindowsService.exe
Token: SeDebugPrivilege	2656	WindowsService.exe
Token: SeDebugPrivilege	2656	WindowsService.exe
Token: SeDebugPrivilege	2656	WindowsService.exe
Token: SeDebugPrivilege	2656	WindowsService.exe
Token: SeDebugPrivilege	2656	WindowsService.exe
Token: SeDebugPrivilege	2656	WindowsService.exe
Token: SeDebugPrivilege	2656	WindowsService.exe
Token: SeDebugPrivilege	2656	WindowsService.exe
Token: SeDebugPrivilege	2656	WindowsService.exe
Token: SeDebugPrivilege	2656	WindowsService.exe
Token: SeDebugPrivilege	2656	WindowsService.exe
Token: SeDebugPrivilege	2656	WindowsService.exe
Token: SeDebugPrivilege	2656	WindowsService.exe
Token: SeDebugPrivilege	2656	WindowsService.exe
Token: SeDebugPrivilege	2656	WindowsService.exe
Token: SeDebugPrivilege	2656	WindowsService.exe
Token: SeDebugPrivilege	2656	WindowsService.exe
Token: SeDebugPrivilege	2656	WindowsService.exe
Token: SeDebugPrivilege	2656	WindowsService.exe
Token: SeDebugPrivilege	2656	WindowsService.exe
Token: SeDebugPrivilege	2656	WindowsService.exe
Token: SeDebugPrivilege	2656	WindowsService.exe
Token: SeDebugPrivilege	2656	WindowsService.exe
Token: SeDebugPrivilege	2656	WindowsService.exe
Token: SeDebugPrivilege	2656	WindowsService.exe
Token: SeDebugPrivilege	2656	WindowsService.exe
Token: SeDebugPrivilege	2656	WindowsService.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2128	1149ba2f4ab7b17b8baee8f4c9a5cb50_NeikiAnalytics.exe
2588	1149ba2f4ab7b17b8baee8f4c9a5cb50_NeikiAnalytics.exe
2484	WindowsService.exe
2656	WindowsService.exe

Suspicious use of WriteProcessMemory 41 IoCs

description	pid	Process	procid_target
PID 2128 wrote to memory of 2588	2128	1149ba2f4ab7b17b8baee8f4c9a5cb50_NeikiAnalytics.exe	28
PID 2128 wrote to memory of 2588	2128	1149ba2f4ab7b17b8baee8f4c9a5cb50_NeikiAnalytics.exe	28
PID 2128 wrote to memory of 2588	2128	1149ba2f4ab7b17b8baee8f4c9a5cb50_NeikiAnalytics.exe	28
PID 2128 wrote to memory of 2588	2128	1149ba2f4ab7b17b8baee8f4c9a5cb50_NeikiAnalytics.exe	28
PID 2128 wrote to memory of 2588	2128	1149ba2f4ab7b17b8baee8f4c9a5cb50_NeikiAnalytics.exe	28
PID 2128 wrote to memory of 2588	2128	1149ba2f4ab7b17b8baee8f4c9a5cb50_NeikiAnalytics.exe	28
PID 2128 wrote to memory of 2588	2128	1149ba2f4ab7b17b8baee8f4c9a5cb50_NeikiAnalytics.exe	28
PID 2128 wrote to memory of 2588	2128	1149ba2f4ab7b17b8baee8f4c9a5cb50_NeikiAnalytics.exe	28
PID 2588 wrote to memory of 2488	2588	1149ba2f4ab7b17b8baee8f4c9a5cb50_NeikiAnalytics.exe	29
PID 2588 wrote to memory of 2488	2588	1149ba2f4ab7b17b8baee8f4c9a5cb50_NeikiAnalytics.exe	29
PID 2588 wrote to memory of 2488	2588	1149ba2f4ab7b17b8baee8f4c9a5cb50_NeikiAnalytics.exe	29
PID 2588 wrote to memory of 2488	2588	1149ba2f4ab7b17b8baee8f4c9a5cb50_NeikiAnalytics.exe	29
PID 2488 wrote to memory of 2516	2488	cmd.exe	31
PID 2488 wrote to memory of 2516	2488	cmd.exe	31
PID 2488 wrote to memory of 2516	2488	cmd.exe	31
PID 2488 wrote to memory of 2516	2488	cmd.exe	31
PID 2588 wrote to memory of 2484	2588	1149ba2f4ab7b17b8baee8f4c9a5cb50_NeikiAnalytics.exe	32
PID 2588 wrote to memory of 2484	2588	1149ba2f4ab7b17b8baee8f4c9a5cb50_NeikiAnalytics.exe	32
PID 2588 wrote to memory of 2484	2588	1149ba2f4ab7b17b8baee8f4c9a5cb50_NeikiAnalytics.exe	32
PID 2588 wrote to memory of 2484	2588	1149ba2f4ab7b17b8baee8f4c9a5cb50_NeikiAnalytics.exe	32
PID 2484 wrote to memory of 2656	2484	WindowsService.exe	33
PID 2484 wrote to memory of 2656	2484	WindowsService.exe	33
PID 2484 wrote to memory of 2656	2484	WindowsService.exe	33
PID 2484 wrote to memory of 2656	2484	WindowsService.exe	33
PID 2484 wrote to memory of 2656	2484	WindowsService.exe	33
PID 2484 wrote to memory of 2656	2484	WindowsService.exe	33
PID 2484 wrote to memory of 2656	2484	WindowsService.exe	33
PID 2484 wrote to memory of 2656	2484	WindowsService.exe	33
PID 2484 wrote to memory of 2056	2484	WindowsService.exe	34
PID 2484 wrote to memory of 2056	2484	WindowsService.exe	34
PID 2484 wrote to memory of 2056	2484	WindowsService.exe	34
PID 2484 wrote to memory of 2056	2484	WindowsService.exe	34
PID 2484 wrote to memory of 2056	2484	WindowsService.exe	34
PID 2484 wrote to memory of 2056	2484	WindowsService.exe	34
PID 2484 wrote to memory of 2056	2484	WindowsService.exe	34
PID 2484 wrote to memory of 2056	2484	WindowsService.exe	34
PID 2484 wrote to memory of 2056	2484	WindowsService.exe	34
PID 2484 wrote to memory of 2056	2484	WindowsService.exe	34
PID 2484 wrote to memory of 2056	2484	WindowsService.exe	34
PID 2484 wrote to memory of 2056	2484	WindowsService.exe	34
PID 2484 wrote to memory of 2056	2484	WindowsService.exe	34

C:\Users\Admin\AppData\Local\Temp\1149ba2f4ab7b17b8baee8f4c9a5cb50_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\1149ba2f4ab7b17b8baee8f4c9a5cb50_NeikiAnalytics.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2128
- C:\Users\Admin\AppData\Local\Temp\1149ba2f4ab7b17b8baee8f4c9a5cb50_NeikiAnalytics.exe
  "C:\Users\Admin\AppData\Local\Temp\1149ba2f4ab7b17b8baee8f4c9a5cb50_NeikiAnalytics.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2588
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\BGVUI.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2488
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "sidebar" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe" /f
      4⤵
      Adds Run key to start application
      PID:2516
- - C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe
    "C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2484
  - - C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe
      "C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:2656
  - - C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe
      "C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe"
      4⤵
      Executes dropped EXE
      PID:2056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\BGVUI.bat

Filesize
157B

MD5
f6a90c20834f271a907a4e2bc28184c2

SHA1
36c9d1602b74f622346fbb22693597d7889df48d

SHA256
73f29cd953eee40cea4de67842556ffd96efe8094a6a9b70f33a35df2582febd

SHA512
39cabae19fe1faa37455e4bd242c868be60d6252b07f01224b3f7501c3cf734e503300b840d83381a452707cab6df2f95f920655884be56d4024676b26943804

Download Submit
\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe

Filesize
102KB

MD5
a122ac356ae49f2a385a6d233dfd6014

SHA1
0e006f642d2729f6edd1c325dd6fa0300e54eab1

SHA256
8ea8cb7b2c18891607b596e51fa18eba5370b3cf88f341fa14d92e077c55607d

SHA512
c1729e25670742f818cc9119551bc92d36f35e52a6be46715345863a81b4705e3f61727b6f55ea3a13cc0805c8a4835d650ba90f8c3466ea089afc4294c61978

Download Submit
memory/2128-447-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2128-446-0x0000000002AB0000-0x0000000002AEB000-memory.dmp

Filesize
236KB

Download
memory/2128-161-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2128-82-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2128-79-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2128-64-0x0000000000408000-0x0000000000409000-memory.dmp

Filesize
4KB

Download
memory/2128-452-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2128-3-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2128-0-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2128-126-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2128-31-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2484-494-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2484-1045-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2588-448-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2588-493-0x0000000003360000-0x000000000339B000-memory.dmp

Filesize
236KB

Download
memory/2588-484-0x0000000003360000-0x000000000339B000-memory.dmp

Filesize
236KB

Download
memory/2588-1048-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2656-1041-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2656-1053-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads