9487d6e4ca1690ae94ba1bbd16418bfc8739acdb04bd6d6455b4a1d6df70c286

General

Target

14f0f3ec3bd115027d442d88ad6e9510_NeikiAnalytics.exe
Size

48KB
MD5

14f0f3ec3bd115027d442d88ad6e9510
SHA1

70a3e065d7c749f348593c61c471107912a2429a
SHA256

9487d6e4ca1690ae94ba1bbd16418bfc8739acdb04bd6d6455b4a1d6df70c286
SHA512

f0381bb947d9b5afdabf0365efd6db7db5732236d10d54fd5cfc4a873d5bdf9d1021d89bd308d583f0ea4f216441244b2cad5de6df3b106e36ec901fcc0bea9c
SSDEEP

1536:yoMuwospyudrnMjVhDIP4ka3q3oaQOF4nouy8Br:DMcsEknMLDIFEOKoutBr

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2728	services.exe
2588	services.exe

Loads dropped DLL 5 IoCs

pid	Process
1796	14f0f3ec3bd115027d442d88ad6e9510_NeikiAnalytics.exe
1796	14f0f3ec3bd115027d442d88ad6e9510_NeikiAnalytics.exe
1796	14f0f3ec3bd115027d442d88ad6e9510_NeikiAnalytics.exe
1796	14f0f3ec3bd115027d442d88ad6e9510_NeikiAnalytics.exe
1796	14f0f3ec3bd115027d442d88ad6e9510_NeikiAnalytics.exe

UPX packed file 27 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1796-0-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/files/0x0038000000013a6e-27.dat	upx
behavioral1/memory/1796-30-0x00000000024C0000-0x000000000250B000-memory.dmp	upx
behavioral1/memory/2728-46-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/1796-49-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/2588-54-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral1/memory/2588-51-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral1/memory/2728-56-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/2588-57-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral1/memory/2588-58-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral1/memory/2588-59-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral1/memory/2588-62-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral1/memory/2588-67-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral1/memory/2588-70-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral1/memory/2588-71-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral1/memory/2588-73-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral1/memory/2588-77-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral1/memory/2588-80-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral1/memory/2588-83-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral1/memory/2588-85-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral1/memory/2588-89-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral1/memory/2588-92-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral1/memory/2588-94-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral1/memory/2588-97-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral1/memory/2588-101-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral1/memory/2588-104-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral1/memory/2588-106-0x0000000000400000-0x0000000000416000-memory.dmp	upx

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Essentials = "C:\\Users\\Admin\\AppData\\Roaming\\services.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Essentials = "C:\\Users\\Admin\\AppData\\Roaming\\winlogon.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Essentials = "C:\\Users\\Admin\\AppData\\Roaming\\winlogon.exe"	services.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2728 set thread context of 2588	2728	services.exe	32

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1796	14f0f3ec3bd115027d442d88ad6e9510_NeikiAnalytics.exe
2728	services.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1796 wrote to memory of 2968	1796	14f0f3ec3bd115027d442d88ad6e9510_NeikiAnalytics.exe	28
PID 1796 wrote to memory of 2968	1796	14f0f3ec3bd115027d442d88ad6e9510_NeikiAnalytics.exe	28
PID 1796 wrote to memory of 2968	1796	14f0f3ec3bd115027d442d88ad6e9510_NeikiAnalytics.exe	28
PID 1796 wrote to memory of 2968	1796	14f0f3ec3bd115027d442d88ad6e9510_NeikiAnalytics.exe	28
PID 2968 wrote to memory of 2600	2968	cmd.exe	30
PID 2968 wrote to memory of 2600	2968	cmd.exe	30
PID 2968 wrote to memory of 2600	2968	cmd.exe	30
PID 2968 wrote to memory of 2600	2968	cmd.exe	30
PID 1796 wrote to memory of 2728	1796	14f0f3ec3bd115027d442d88ad6e9510_NeikiAnalytics.exe	31
PID 1796 wrote to memory of 2728	1796	14f0f3ec3bd115027d442d88ad6e9510_NeikiAnalytics.exe	31
PID 1796 wrote to memory of 2728	1796	14f0f3ec3bd115027d442d88ad6e9510_NeikiAnalytics.exe	31
PID 1796 wrote to memory of 2728	1796	14f0f3ec3bd115027d442d88ad6e9510_NeikiAnalytics.exe	31
PID 2728 wrote to memory of 2588	2728	services.exe	32
PID 2728 wrote to memory of 2588	2728	services.exe	32
PID 2728 wrote to memory of 2588	2728	services.exe	32
PID 2728 wrote to memory of 2588	2728	services.exe	32
PID 2728 wrote to memory of 2588	2728	services.exe	32
PID 2728 wrote to memory of 2588	2728	services.exe	32
PID 2728 wrote to memory of 2588	2728	services.exe	32
PID 2728 wrote to memory of 2588	2728	services.exe	32
PID 2728 wrote to memory of 2588	2728	services.exe	32

C:\Users\Admin\AppData\Local\Temp\14f0f3ec3bd115027d442d88ad6e9510_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\14f0f3ec3bd115027d442d88ad6e9510_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1796
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\OIdQJ.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2968
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Microsoft Essentials" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\services.exe" /f
    3⤵
    - Adds Run key to start application
    PID:2600
- C:\Users\Admin\AppData\Roaming\services.exe
  "C:\Users\Admin\AppData\Roaming\services.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2728
- - C:\Users\Admin\AppData\Roaming\services.exe
    C:\Users\Admin\AppData\Roaming\services.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    PID:2588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\OIdQJ.bat

Filesize
150B

MD5
30158d29e765707d6c1f38d4ea60f91b

SHA1
e02d5cc507e7f77c0a7f879e3596bd279ddf1f97

SHA256
c64a62b30b3ef9c2bb43438659cbbe1d57c1c762d4d58ebf9d188d409421e6f9

SHA512
2e72f9529063d74530cc29d04b92837496983d9417c91890ce8a616076889a13f0b1cd7954390b83a3e2e946696e4b7bbb4605b145ad5aa7904f051068ff5ff1

Download Submit
C:\Users\Admin\AppData\Roaming\services.exe

Filesize
48KB

MD5
3c34ce4e995f8f572ac28d6089feb390

SHA1
2721bf77bfc4ed1c22f50f12a01813dd50f2feaa

SHA256
786b099965cf5129ef9a9635a0c6885519ce23aa928d941c69d0e8cc00bf55fd

SHA512
495b05856169b7b6fb6ae6910483655a4c7e04da2b23d0d4fb0a971cba6a1485575b5ee82455521a22881e0c48bdf0c66470ed2541637644ec6b44f6bedda4e7

Download Submit
memory/1796-49-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1796-30-0x00000000024C0000-0x000000000250B000-memory.dmp

Filesize
300KB

Download
memory/1796-44-0x00000000024D0000-0x000000000251B000-memory.dmp

Filesize
300KB

Download
memory/1796-0-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2588-67-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2588-73-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2588-51-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2588-106-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2588-57-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2588-58-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2588-59-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2588-62-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2588-104-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2588-70-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2588-71-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2588-54-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2588-77-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2588-80-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2588-83-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2588-85-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2588-89-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2588-92-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2588-94-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2588-97-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2588-101-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2728-46-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2728-56-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads