Analysis
max time kernel: 148s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26/05/2024, 14:18
Static task: static1
Behavioral task: behavioral1
  Sample: 080d6cb9a1b7d17f5047d64a739a4670_NeikiAnalytics.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: 080d6cb9a1b7d17f5047d64a739a4670_NeikiAnalytics.exe
  Resource: win10v2004-20240508-en
General
Target: 080d6cb9a1b7d17f5047d64a739a4670_NeikiAnalytics.exe
Size: 25KB
MD5: 080d6cb9a1b7d17f5047d64a739a4670
SHA1: ec817d6a722ed59c550b16b7099f46174352982f
SHA256: 600b6df1fa279556cb7bfcbba34a3fc80c04e85f0b1923de0318b06b5f1ca955
SHA512: 614bedc411f76d5c6f472f9627c5dd525a144235949488214ba37975f8aa4f8c06814bc4684bd4d726834d26eabf2fabada12b1c110f2b1faac3c14b6cbf5121
SSDEEP: 768:UBFE+nTSdCrp9GcTkGggzc+CMw1MJt/D:A7nTSQwcTAgQrMw1MHD
Malware Config
Signatures
Executes dropped EXE (2 IoCs)
pid   Process
4040  wuaucldt.exe
4608  wuaucldt.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
description      ioc                                                                                                                                                  Process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wuaucldt = "c:\\windows\\system32\\wuaucldt.exe"                            wuaucldt.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wuaucldt = "c:\\users\\admin\\wuaucldt.exe"  wuaucldt.exe

Writes to the Master Boot Record (MBR) (1 TTPs, 1 IoCs)
Bootkits write to the MBR to gain persistence at a level below the operating system.
description                   ioc                  Process
File opened for modification  \??\PhysicalDrive0   svchost.exe

Drops file in System32 directory (2 IoCs)
description   ioc                                   Process
File created  \??\c:\windows\SysWOW64\wuaucldt.exe  080d6cb9a1b7d17f5047d64a739a4670_NeikiAnalytics.exe
File created  \??\c:\windows\SysWOW64\wuaucldt.exe  wuaucldt.exe

Suspicious use of SetThreadContext (1 IoCs)
description                            pid   Process       procid_target
PID 4608 set thread context of 2348    4608  wuaucldt.exe  84

Suspicious use of WriteProcessMemory (17 IoCs)
description                        pid   Process                                               procid_target
PID 4888 wrote to memory of 4040   4888  080d6cb9a1b7d17f5047d64a739a4670_NeikiAnalytics.exe  82
PID 4888 wrote to memory of 4040   4888  080d6cb9a1b7d17f5047d64a739a4670_NeikiAnalytics.exe  82
PID 4888 wrote to memory of 4040   4888  080d6cb9a1b7d17f5047d64a739a4670_NeikiAnalytics.exe  82
PID 4040 wrote to memory of 4608   4040  wuaucldt.exe                                          83
PID 4040 wrote to memory of 4608   4040  wuaucldt.exe                                          83
PID 4040 wrote to memory of 4608   4040  wuaucldt.exe                                          83
PID 4608 wrote to memory of 2348   4608  wuaucldt.exe                                          84
PID 4608 wrote to memory of 2348   4608  wuaucldt.exe                                          84
PID 4608 wrote to memory of 2348   4608  wuaucldt.exe                                          84
PID 4608 wrote to memory of 2348   4608  wuaucldt.exe                                          84
PID 4608 wrote to memory of 2348   4608  wuaucldt.exe                                          84
PID 4888 wrote to memory of 3588   4888  080d6cb9a1b7d17f5047d64a739a4670_NeikiAnalytics.exe  88
PID 4888 wrote to memory of 3588   4888  080d6cb9a1b7d17f5047d64a739a4670_NeikiAnalytics.exe  88
PID 4888 wrote to memory of 3588   4888  080d6cb9a1b7d17f5047d64a739a4670_NeikiAnalytics.exe  88
PID 4040 wrote to memory of 4416   4040  wuaucldt.exe                                          90
PID 4040 wrote to memory of 4416   4040  wuaucldt.exe                                          90
PID 4040 wrote to memory of 4416   4040  wuaucldt.exe                                          90
Processes
(depth 1) C:\Users\Admin\AppData\Local\Temp\080d6cb9a1b7d17f5047d64a739a4670_NeikiAnalytics.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\080d6cb9a1b7d17f5047d64a739a4670_NeikiAnalytics.exe"
  PID: 4888
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory

  (depth 2) \??\c:\windows\SysWOW64\wuaucldt.exe
    Command line: c:\windows\system32\wuaucldt.exe
    PID: 4040
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory

    (depth 3) \??\c:\users\admin\wuaucldt.exe
      Command line: c:\users\admin\wuaucldt.exe
      PID: 4608
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory

      (depth 4) C:\Windows\SysWOW64\svchost.exe
        Command line: C:\Windows\system32\svchost.exe
        PID: 2348
        - Writes to the Master Boot Record (MBR)

    (depth 3) C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c del c:\windows\syswow64\wuaucldt.exe
      PID: 4416

  (depth 2) C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c del c:\users\admin\appdata\local\temp\080D6C~1.EXE
    PID: 3588
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 25KB
MD5: 080d6cb9a1b7d17f5047d64a739a4670
SHA1: ec817d6a722ed59c550b16b7099f46174352982f
SHA256: 600b6df1fa279556cb7bfcbba34a3fc80c04e85f0b1923de0318b06b5f1ca955
SHA512: 614bedc411f76d5c6f472f9627c5dd525a144235949488214ba37975f8aa4f8c06814bc4684bd4d726834d26eabf2fabada12b1c110f2b1faac3c14b6cbf5121