Analysis
max time kernel: 150s
max time network: 124s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 26/05/2024, 03:41
Static task: static1
Behavioral task: behavioral1
  Sample: 5d990147db1016b8a08a535f962af420_NeikiAnalytics.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 5d990147db1016b8a08a535f962af420_NeikiAnalytics.exe
  Resource: win10v2004-20240508-en
General
Target: 5d990147db1016b8a08a535f962af420_NeikiAnalytics.exe
Size: 31KB
MD5: 5d990147db1016b8a08a535f962af420
SHA1: 8e78c6b679fb8bb8dea7e0764250e1a36e1296a3
SHA256: 85c5390c3ef6dba5814f298d4f35ca965c42da3962a6b33ef7ed9081a30bd38e
SHA512: 3135672228a524f45345ddfdb263b17993bbc28d8e812280e3ffe25b38fc6ce6836af5a23f10872492536e945a546d875ed7b0e06b85c4b52efbb4d4e1a71d64
SSDEEP: 768:XW5KLZ/vbDEj7RPm2kcW6wVmuHXJHdzTC/Wc8HEzHvc:XW5SZbDEj7R+2kh6wVBpGpRTvc
Malware Config
Signatures
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
  description      ioc                                                                                                                                          Process
  Set value (int)  \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"  5d990147db1016b8a08a535f962af420_NeikiAnalytics.exe
  Set value (int)  \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"  Admin.exe
Executes dropped EXE (1 IoC)
  pid   Process
  2228  Admin.exe
Loads dropped DLL (2 IoCs)
  pid   Process
  2024  5d990147db1016b8a08a535f962af420_NeikiAnalytics.exe
  2024  5d990147db1016b8a08a535f962af420_NeikiAnalytics.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
  description      ioc                                                                                                                                            Process
  Set value (str)  \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\Admin = "C:\\Users\\Admin\\Admin.exe"  5d990147db1016b8a08a535f962af420_NeikiAnalytics.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\Admin = "C:\\Users\\Admin\\Admin.exe"  Admin.exe
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Suspicious use of SetWindowsHookEx (2 IoCs)
  pid   Process
  2024  5d990147db1016b8a08a535f962af420_NeikiAnalytics.exe
  2228  Admin.exe
Suspicious use of WriteProcessMemory (4 IoCs)
  description                       pid   Process                                               procid_target
  PID 2024 wrote to memory of 2228  2024  5d990147db1016b8a08a535f962af420_NeikiAnalytics.exe  28
  PID 2024 wrote to memory of 2228  2024  5d990147db1016b8a08a535f962af420_NeikiAnalytics.exe  28
  PID 2024 wrote to memory of 2228  2024  5d990147db1016b8a08a535f962af420_NeikiAnalytics.exe  28
  PID 2024 wrote to memory of 2228  2024  5d990147db1016b8a08a535f962af420_NeikiAnalytics.exe  28
Processes
1. C:\Users\Admin\AppData\Local\Temp\5d990147db1016b8a08a535f962af420_NeikiAnalytics.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\5d990147db1016b8a08a535f962af420_NeikiAnalytics.exe"
   - Modifies visibility of hidden/system files in Explorer
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   PID: 2024
   2. C:\Users\Admin\Admin.exe
      command line: "C:\Users\Admin\Admin.exe"
      - Modifies visibility of hidden/system files in Explorer
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      PID: 2228
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 31KB
MD5: 61c55da4cd6574487977257e8b160d35
SHA1: 80b76f2c49df5695cde501125dc16e32534d4b00
SHA256: 7f7fba60865ae87525161b6f975f2b517703fe43fe4652b12767b80e4a3c1b90
SHA512: 6fdca15021f3c1a004f3d789c0e678019610cd76fb568f9a5478abe50f8ee76e8156b505133e2f9ace59084f1beb062797f4ac2ac9742362292511c23688fe77