d385e990e80adb62f3580d183db78829e95b9adc4a64fda799c835284ee32bcc

Analysis

max time kernel
150s
max time network
143s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
26/05/2024, 04:25

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

657557b9fa0e98499b4f5ec103102300_NeikiAnalytics.exe
Size

209KB
MD5

657557b9fa0e98499b4f5ec103102300
SHA1

bc8a79f628d137c7c36a46c41ed057e7d530be8d
SHA256

d385e990e80adb62f3580d183db78829e95b9adc4a64fda799c835284ee32bcc
SHA512

c4f448bae115a89c065e5179a7edc93b8a819163ede0e032a18dbb8df999cd3d7e0729703a4adee158dba3e4e712f7723e64b735ec8d6d6bfe4cd80a53b98b9e
SSDEEP

3072:IQcjk9tVRNIcjb4Ryfjijjx14hdeCXHKPJFo9zpE7Di0X0JuLL+o7BlpF9e:IQh9tVRm2kh34hdeCkcG7DEALLlnN

Score

10^/10

persistence upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\apppatch\\svchost.exe,"	svchost.exe

Executes dropped EXE 1 IoCs

pid	Process
2900	svchost.exe

Loads dropped DLL 2 IoCs

pid	Process
2208	657557b9fa0e98499b4f5ec103102300_NeikiAnalytics.exe
2208	657557b9fa0e98499b4f5ec103102300_NeikiAnalytics.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2208-1-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral1/memory/2208-17-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral1/memory/2900-31-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral1/memory/2900-19-0x0000000000400000-0x0000000000469000-memory.dmp	upx

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\3086e6a0 = "C:\\Windows\\apppatch\\svchost.exe"	657557b9fa0e98499b4f5ec103102300_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\3086e6a0 = "C:\\Windows\\apppatch\\svchost.exe"	svchost.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\apppatch\svchost.exe	657557b9fa0e98499b4f5ec103102300_NeikiAnalytics.exe
File opened for modification	C:\Windows\apppatch\svchost.exe	657557b9fa0e98499b4f5ec103102300_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2900	svchost.exe
2900	svchost.exe
2900	svchost.exe
2900	svchost.exe
2900	svchost.exe
2900	svchost.exe
2900	svchost.exe
2900	svchost.exe
2900	svchost.exe
2900	svchost.exe
2900	svchost.exe
2900	svchost.exe
2900	svchost.exe
2900	svchost.exe
2900	svchost.exe
2900	svchost.exe
2900	svchost.exe
2900	svchost.exe
2900	svchost.exe
2900	svchost.exe
2900	svchost.exe
2900	svchost.exe
2900	svchost.exe
2900	svchost.exe
2900	svchost.exe
2900	svchost.exe
2900	svchost.exe
2900	svchost.exe
2900	svchost.exe
2900	svchost.exe
2900	svchost.exe
2900	svchost.exe
2900	svchost.exe
2900	svchost.exe
2900	svchost.exe
2900	svchost.exe
2900	svchost.exe
2900	svchost.exe
2900	svchost.exe
2900	svchost.exe
2900	svchost.exe
2900	svchost.exe
2900	svchost.exe
2900	svchost.exe
2900	svchost.exe
2900	svchost.exe
2900	svchost.exe
2900	svchost.exe
2900	svchost.exe
2900	svchost.exe
2900	svchost.exe
2900	svchost.exe
2900	svchost.exe
2900	svchost.exe
2900	svchost.exe
2900	svchost.exe
2900	svchost.exe
2900	svchost.exe
2900	svchost.exe
2900	svchost.exe
2900	svchost.exe
2900	svchost.exe
2900	svchost.exe
2900	svchost.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2208	657557b9fa0e98499b4f5ec103102300_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2208 wrote to memory of 2900	2208	657557b9fa0e98499b4f5ec103102300_NeikiAnalytics.exe	28
PID 2208 wrote to memory of 2900	2208	657557b9fa0e98499b4f5ec103102300_NeikiAnalytics.exe	28
PID 2208 wrote to memory of 2900	2208	657557b9fa0e98499b4f5ec103102300_NeikiAnalytics.exe	28
PID 2208 wrote to memory of 2900	2208	657557b9fa0e98499b4f5ec103102300_NeikiAnalytics.exe	28

C:\Users\Admin\AppData\Local\Temp\657557b9fa0e98499b4f5ec103102300_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\657557b9fa0e98499b4f5ec103102300_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Modifies WinLogon
- Drops file in Windows directory
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2208
- C:\Windows\apppatch\svchost.exe
  "C:\Windows\apppatch\svchost.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Modifies WinLogon
  - Suspicious behavior: EnumeratesProcesses
  PID:2900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\AppPatch\svchost.exe

Filesize
209KB

MD5
bddcc0a1445ad4309b635c4b5ac57cb5

SHA1
19608028507e0b049b42f3b73da5449c05a879eb

SHA256
abe2048fa32f6d2282bc315d8f0bf204dde46c0ff207d53bd19d3d994bbea593

SHA512
2324ae8fb837c124ccb968a1917f044737b8fe968bc0eefc0f42a625cd294f684f7cf2360eb73f9e856f758c7a1c9cd5e3689ea7cc0c59bc2e3c9db2d521abc7

Download Submit
memory/2208-0-0x00000000002C0000-0x0000000000318000-memory.dmp

Filesize
352KB

Download
memory/2208-1-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2208-17-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2208-16-0x00000000002C0000-0x0000000000318000-memory.dmp

Filesize
352KB

Download
memory/2900-30-0x0000000002550000-0x00000000025DA000-memory.dmp

Filesize
552KB

Download
memory/2900-31-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2900-24-0x0000000002550000-0x00000000025DA000-memory.dmp

Filesize
552KB

Download
memory/2900-18-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2900-28-0x0000000002550000-0x00000000025DA000-memory.dmp

Filesize
552KB

Download
memory/2900-26-0x0000000002550000-0x00000000025DA000-memory.dmp

Filesize
552KB

Download
memory/2900-20-0x0000000002550000-0x00000000025DA000-memory.dmp

Filesize
552KB

Download
memory/2900-22-0x0000000002550000-0x00000000025DA000-memory.dmp

Filesize
552KB

Download
memory/2900-19-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2900-32-0x0000000002770000-0x0000000002809000-memory.dmp

Filesize
612KB

Download
memory/2900-34-0x0000000002770000-0x0000000002809000-memory.dmp

Filesize
612KB

Download
memory/2900-37-0x0000000002770000-0x0000000002809000-memory.dmp

Filesize
612KB

Download
memory/2900-36-0x0000000002770000-0x0000000002809000-memory.dmp

Filesize
612KB

Download
memory/2900-40-0x0000000002770000-0x0000000002809000-memory.dmp

Filesize
612KB

Download