74c34db23b9043d62022ca9725e641c655e19f2dccbdfdcebb3c242ea6e13162

Analysis

max time kernel
142s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
26-05-2024 22:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0625209d9c999daa22861f91f5c6f810_NeikiAnalytics.exe
Size

383KB
MD5

0625209d9c999daa22861f91f5c6f810
SHA1

0439137d3dc9ad4f9f03fddac315ec5d69039e0a
SHA256

74c34db23b9043d62022ca9725e641c655e19f2dccbdfdcebb3c242ea6e13162
SHA512

c4cb56ad588cdfc06075ca21fbe470ae792f37a909fdb7b4c1ff2aac114a5e37398eb23272dbff6be014558e9c1b281fb3ee013d92ba84a9a26b48ebb0104a1c
SSDEEP

6144:Cd5afqlpDHA9NtTV3okaEXnMhr1gg5YdEV1l6RXMAcfBOWq3oXY/LBFV7UMXKb3w:Cd5acTP+n25J1sJWWLBF2MXKb5Ol7

Score

7^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2456	svchost.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2132-0-0x0000000000400000-0x000000000049D000-memory.dmp	upx
behavioral2/memory/2132-1-0x0000000000400000-0x000000000049D000-memory.dmp	upx
behavioral2/files/0x000b00000001ea83-11.dat	upx
behavioral2/memory/2456-12-0x0000000000400000-0x000000000049D000-memory.dmp	upx
behavioral2/memory/2132-14-0x0000000000400000-0x000000000049D000-memory.dmp	upx
behavioral2/memory/2456-22-0x0000000000400000-0x000000000049D000-memory.dmp	upx

Modifies WinLogon 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\26f99099 = "C:\\Windows\\apppatch\\svchost.exe"	0625209d9c999daa22861f91f5c6f810_NeikiAnalytics.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\apppatch\svchost.exe	0625209d9c999daa22861f91f5c6f810_NeikiAnalytics.exe
File opened for modification	C:\Windows\apppatch\svchost.exe	0625209d9c999daa22861f91f5c6f810_NeikiAnalytics.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1864	2456	WerFault.exe	91

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\MuiCache	svchost.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2456	svchost.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2132	0625209d9c999daa22861f91f5c6f810_NeikiAnalytics.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeSecurityPrivilege	2132	0625209d9c999daa22861f91f5c6f810_NeikiAnalytics.exe
Token: SeSecurityPrivilege	2132	0625209d9c999daa22861f91f5c6f810_NeikiAnalytics.exe
Token: SeSecurityPrivilege	2456	svchost.exe
Token: SeSecurityPrivilege	2456	svchost.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2132 wrote to memory of 2456	2132	0625209d9c999daa22861f91f5c6f810_NeikiAnalytics.exe	91
PID 2132 wrote to memory of 2456	2132	0625209d9c999daa22861f91f5c6f810_NeikiAnalytics.exe	91
PID 2132 wrote to memory of 2456	2132	0625209d9c999daa22861f91f5c6f810_NeikiAnalytics.exe	91

C:\Users\Admin\AppData\Local\Temp\0625209d9c999daa22861f91f5c6f810_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\0625209d9c999daa22861f91f5c6f810_NeikiAnalytics.exe"
1⤵
- Modifies WinLogon
- Drops file in Windows directory
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2132
- C:\Windows\apppatch\svchost.exe
  "C:\Windows\apppatch\svchost.exe"
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2456
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2456 -s 700
    3⤵
    - Program crash
    PID:1864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2456 -ip 2456
1⤵
PID:2192

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1412 --field-trial-handle=2676,i,447940133669489189,1353734109898858672,262144 --variations-seed-version /prefetch:8
1⤵
PID:1652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\apppatch\svchost.exe

Filesize
383KB

MD5
2a4907891782b293001123017b95592c

SHA1
326f04edfd0195d9150ea26e800e3ff8502e42b3

SHA256
7410d295758e79b064c4aefd7ea3bc34ecb10e3e4f973c6eb878b0154cc63d7c

SHA512
8770152583b5c82c28db93735eabccf28931f0a9164192ec623e6954c026fd174cffd29c6927a70a5d830f8f6ceb762c8e5c4cff49744b380108530968839a12

Download Submit
memory/2132-0-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/2132-1-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/2132-14-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/2456-12-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/2456-15-0x0000000002A00000-0x0000000002AAA000-memory.dmp

Filesize
680KB

Download
memory/2456-16-0x0000000002BB0000-0x0000000002C67000-memory.dmp

Filesize
732KB

Download
memory/2456-18-0x0000000002BB0000-0x0000000002C67000-memory.dmp

Filesize
732KB

Download
memory/2456-21-0x0000000002BB0000-0x0000000002C67000-memory.dmp

Filesize
732KB

Download
memory/2456-22-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/2456-29-0x0000000002BB0000-0x0000000002C67000-memory.dmp

Filesize
732KB

Download
memory/2456-31-0x0000000002BB0000-0x0000000002C67000-memory.dmp

Filesize
732KB

Download
memory/2456-76-0x0000000002BB0000-0x0000000002C67000-memory.dmp

Filesize
732KB

Download
memory/2456-77-0x0000000002BB0000-0x0000000002C67000-memory.dmp

Filesize
732KB

Download
memory/2456-75-0x0000000002BB0000-0x0000000002C67000-memory.dmp

Filesize
732KB

Download
memory/2456-74-0x0000000002BB0000-0x0000000002C67000-memory.dmp

Filesize
732KB

Download
memory/2456-72-0x0000000002BB0000-0x0000000002C67000-memory.dmp

Filesize
732KB

Download
memory/2456-156-0x0000000002BB0000-0x0000000002C67000-memory.dmp

Filesize
732KB

Download
memory/2456-71-0x0000000002BB0000-0x0000000002C67000-memory.dmp

Filesize
732KB

Download
memory/2456-70-0x0000000002BB0000-0x0000000002C67000-memory.dmp

Filesize
732KB

Download
memory/2456-69-0x0000000002BB0000-0x0000000002C67000-memory.dmp

Filesize
732KB

Download
memory/2456-68-0x0000000002BB0000-0x0000000002C67000-memory.dmp

Filesize
732KB

Download
memory/2456-66-0x0000000002BB0000-0x0000000002C67000-memory.dmp

Filesize
732KB

Download
memory/2456-65-0x0000000002BB0000-0x0000000002C67000-memory.dmp

Filesize
732KB

Download
memory/2456-64-0x0000000002BB0000-0x0000000002C67000-memory.dmp

Filesize
732KB

Download
memory/2456-63-0x0000000002BB0000-0x0000000002C67000-memory.dmp

Filesize
732KB

Download
memory/2456-62-0x0000000002BB0000-0x0000000002C67000-memory.dmp

Filesize
732KB

Download
memory/2456-73-0x0000000002BB0000-0x0000000002C67000-memory.dmp

Filesize
732KB

Download
memory/2456-67-0x0000000002BB0000-0x0000000002C67000-memory.dmp

Filesize
732KB

Download
memory/2456-60-0x0000000002BB0000-0x0000000002C67000-memory.dmp

Filesize
732KB

Download
memory/2456-59-0x0000000002BB0000-0x0000000002C67000-memory.dmp

Filesize
732KB

Download
memory/2456-57-0x0000000002BB0000-0x0000000002C67000-memory.dmp

Filesize
732KB

Download
memory/2456-56-0x0000000002BB0000-0x0000000002C67000-memory.dmp

Filesize
732KB

Download
memory/2456-55-0x0000000002BB0000-0x0000000002C67000-memory.dmp

Filesize
732KB

Download
memory/2456-53-0x0000000002BB0000-0x0000000002C67000-memory.dmp

Filesize
732KB

Download
memory/2456-52-0x0000000002BB0000-0x0000000002C67000-memory.dmp

Filesize
732KB

Download
memory/2456-51-0x0000000002BB0000-0x0000000002C67000-memory.dmp

Filesize
732KB

Download
memory/2456-49-0x0000000002BB0000-0x0000000002C67000-memory.dmp

Filesize
732KB

Download
memory/2456-48-0x0000000002BB0000-0x0000000002C67000-memory.dmp

Filesize
732KB

Download
memory/2456-47-0x0000000002BB0000-0x0000000002C67000-memory.dmp

Filesize
732KB

Download
memory/2456-46-0x0000000002BB0000-0x0000000002C67000-memory.dmp

Filesize
732KB

Download
memory/2456-45-0x0000000002BB0000-0x0000000002C67000-memory.dmp

Filesize
732KB

Download
memory/2456-44-0x0000000002BB0000-0x0000000002C67000-memory.dmp

Filesize
732KB

Download
memory/2456-43-0x0000000002BB0000-0x0000000002C67000-memory.dmp

Filesize
732KB

Download
memory/2456-42-0x0000000002BB0000-0x0000000002C67000-memory.dmp

Filesize
732KB

Download
memory/2456-41-0x0000000002BB0000-0x0000000002C67000-memory.dmp

Filesize
732KB

Download
memory/2456-40-0x0000000002BB0000-0x0000000002C67000-memory.dmp

Filesize
732KB

Download
memory/2456-39-0x0000000002BB0000-0x0000000002C67000-memory.dmp

Filesize
732KB

Download
memory/2456-38-0x0000000002BB0000-0x0000000002C67000-memory.dmp

Filesize
732KB

Download
memory/2456-37-0x0000000002BB0000-0x0000000002C67000-memory.dmp

Filesize
732KB

Download
memory/2456-36-0x0000000002BB0000-0x0000000002C67000-memory.dmp

Filesize
732KB

Download
memory/2456-35-0x0000000002BB0000-0x0000000002C67000-memory.dmp

Filesize
732KB

Download
memory/2456-34-0x0000000002BB0000-0x0000000002C67000-memory.dmp

Filesize
732KB

Download
memory/2456-33-0x0000000002BB0000-0x0000000002C67000-memory.dmp

Filesize
732KB

Download
memory/2456-32-0x0000000002BB0000-0x0000000002C67000-memory.dmp

Filesize
732KB

Download
memory/2456-30-0x0000000002BB0000-0x0000000002C67000-memory.dmp

Filesize
732KB

Download
memory/2456-28-0x0000000002BB0000-0x0000000002C67000-memory.dmp

Filesize
732KB

Download
memory/2456-27-0x0000000002BB0000-0x0000000002C67000-memory.dmp

Filesize
732KB

Download
memory/2456-26-0x0000000002BB0000-0x0000000002C67000-memory.dmp

Filesize
732KB

Download
memory/2456-61-0x0000000002BB0000-0x0000000002C67000-memory.dmp

Filesize
732KB

Download
memory/2456-58-0x0000000002BB0000-0x0000000002C67000-memory.dmp

Filesize
732KB

Download
memory/2456-54-0x0000000002BB0000-0x0000000002C67000-memory.dmp

Filesize
732KB

Download
memory/2456-25-0x0000000002BB0000-0x0000000002C67000-memory.dmp

Filesize
732KB

Download
memory/2456-50-0x0000000002BB0000-0x0000000002C67000-memory.dmp

Filesize
732KB

Download
memory/2456-24-0x0000000002BB0000-0x0000000002C67000-memory.dmp

Filesize
732KB

Download
memory/2456-23-0x0000000002BB0000-0x0000000002C67000-memory.dmp

Filesize
732KB

Download