efbb1646395087d8b9f5ae733d46b28dd3d52d924c83e43bad1a0687af8ee498

Analysis

max time kernel
150s
max time network
119s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
26/05/2024, 20:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4603037222e759fad531bc533fa715a0_NeikiAnalytics.exe
Size

169KB
MD5

4603037222e759fad531bc533fa715a0
SHA1

5ed0b37845d7b077262495d0b7d537f4e078fbcf
SHA256

efbb1646395087d8b9f5ae733d46b28dd3d52d924c83e43bad1a0687af8ee498
SHA512

cbf3a465bdc9ff37f382f92536b13f2b730fe6d6c8b0aab58d532c0ddf3d8a65b001ec3ad590472df427e30ee8c44fcb57948d9b9fa440c888da768fd892a658
SSDEEP

3072:J14mOxrKFNZYhrgtRFuV2DDbuiTf3hPsOraS87FYqjTZbn4TGh:JnYWYhrgtRo6DSiTf3hPswa1TZjxh

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\IntelPowerAgent5 = "rundll32.exe shell32.dll, ShellExec_RunDLL C:\\PROGRA~3\\DBDDJD~1.EXE"	icardagt.exe

Checks for any installed AV software in registry 1 TTPs 3 IoCs

Security Software Discovery

T1518.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Software\Wow6432Node\Avira	icardagt.exe
Key opened	\REGISTRY\MACHINE\Software\Wow6432Node\AVAST Software\Avast	icardagt.exe
Key opened	\REGISTRY\MACHINE\Software\Wow6432Node\Eset\Nod	icardagt.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2924 set thread context of 1036	2924	4603037222e759fad531bc533fa715a0_NeikiAnalytics.exe	28

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1036	icardagt.exe
1036	icardagt.exe
1036	icardagt.exe
1036	icardagt.exe
1036	icardagt.exe
1036	icardagt.exe
1036	icardagt.exe
1036	icardagt.exe
1036	icardagt.exe
1036	icardagt.exe
1036	icardagt.exe
1036	icardagt.exe
1036	icardagt.exe
1036	icardagt.exe
1036	icardagt.exe
1036	icardagt.exe
1036	icardagt.exe
1036	icardagt.exe
1036	icardagt.exe
1036	icardagt.exe
1036	icardagt.exe
1036	icardagt.exe
1036	icardagt.exe
1036	icardagt.exe
1036	icardagt.exe
1036	icardagt.exe
1036	icardagt.exe
1036	icardagt.exe
1036	icardagt.exe
1036	icardagt.exe
1036	icardagt.exe
1036	icardagt.exe
1036	icardagt.exe
1036	icardagt.exe
1036	icardagt.exe
1036	icardagt.exe
1036	icardagt.exe
1036	icardagt.exe
1036	icardagt.exe
1036	icardagt.exe
1036	icardagt.exe
1036	icardagt.exe
1036	icardagt.exe
1036	icardagt.exe
1036	icardagt.exe
1036	icardagt.exe
1036	icardagt.exe
1036	icardagt.exe
1036	icardagt.exe
1036	icardagt.exe
1036	icardagt.exe
1036	icardagt.exe
1036	icardagt.exe
1036	icardagt.exe
1036	icardagt.exe
1036	icardagt.exe
1036	icardagt.exe
1036	icardagt.exe
1036	icardagt.exe
1036	icardagt.exe
1036	icardagt.exe
1036	icardagt.exe
1036	icardagt.exe
1036	icardagt.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2924	4603037222e759fad531bc533fa715a0_NeikiAnalytics.exe
Token: SeBackupPrivilege	3016	vssvc.exe
Token: SeRestorePrivilege	3016	vssvc.exe
Token: SeAuditPrivilege	3016	vssvc.exe

Suspicious use of WriteProcessMemory 34 IoCs

description	pid	Process	procid_target
PID 2924 wrote to memory of 1036	2924	4603037222e759fad531bc533fa715a0_NeikiAnalytics.exe	28
PID 2924 wrote to memory of 1036	2924	4603037222e759fad531bc533fa715a0_NeikiAnalytics.exe	28
PID 2924 wrote to memory of 1036	2924	4603037222e759fad531bc533fa715a0_NeikiAnalytics.exe	28
PID 2924 wrote to memory of 1036	2924	4603037222e759fad531bc533fa715a0_NeikiAnalytics.exe	28
PID 2924 wrote to memory of 1036	2924	4603037222e759fad531bc533fa715a0_NeikiAnalytics.exe	28
PID 2924 wrote to memory of 1036	2924	4603037222e759fad531bc533fa715a0_NeikiAnalytics.exe	28
PID 2924 wrote to memory of 1036	2924	4603037222e759fad531bc533fa715a0_NeikiAnalytics.exe	28
PID 2924 wrote to memory of 1036	2924	4603037222e759fad531bc533fa715a0_NeikiAnalytics.exe	28
PID 2924 wrote to memory of 1036	2924	4603037222e759fad531bc533fa715a0_NeikiAnalytics.exe	28
PID 2924 wrote to memory of 1036	2924	4603037222e759fad531bc533fa715a0_NeikiAnalytics.exe	28
PID 2924 wrote to memory of 1036	2924	4603037222e759fad531bc533fa715a0_NeikiAnalytics.exe	28
PID 2924 wrote to memory of 1036	2924	4603037222e759fad531bc533fa715a0_NeikiAnalytics.exe	28
PID 2924 wrote to memory of 2812	2924	4603037222e759fad531bc533fa715a0_NeikiAnalytics.exe	29
PID 2924 wrote to memory of 2812	2924	4603037222e759fad531bc533fa715a0_NeikiAnalytics.exe	29
PID 2924 wrote to memory of 2812	2924	4603037222e759fad531bc533fa715a0_NeikiAnalytics.exe	29
PID 2924 wrote to memory of 2812	2924	4603037222e759fad531bc533fa715a0_NeikiAnalytics.exe	29
PID 2812 wrote to memory of 880	2812	cmd.exe	31
PID 2812 wrote to memory of 880	2812	cmd.exe	31
PID 2812 wrote to memory of 880	2812	cmd.exe	31
PID 2812 wrote to memory of 880	2812	cmd.exe	31
PID 1036 wrote to memory of 2812	1036	icardagt.exe	29
PID 1036 wrote to memory of 2812	1036	icardagt.exe	29
PID 1036 wrote to memory of 2812	1036	icardagt.exe	29
PID 1036 wrote to memory of 2812	1036	icardagt.exe	29
PID 1036 wrote to memory of 2812	1036	icardagt.exe	29
PID 1036 wrote to memory of 2812	1036	icardagt.exe	29
PID 1036 wrote to memory of 2812	1036	icardagt.exe	29
PID 1036 wrote to memory of 880	1036	icardagt.exe	31
PID 1036 wrote to memory of 880	1036	icardagt.exe	31
PID 1036 wrote to memory of 880	1036	icardagt.exe	31
PID 1036 wrote to memory of 880	1036	icardagt.exe	31
PID 1036 wrote to memory of 880	1036	icardagt.exe	31
PID 1036 wrote to memory of 880	1036	icardagt.exe	31
PID 1036 wrote to memory of 880	1036	icardagt.exe	31

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
880	attrib.exe

C:\Users\Admin\AppData\Local\Temp\4603037222e759fad531bc533fa715a0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\4603037222e759fad531bc533fa715a0_NeikiAnalytics.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2924
- C:\Windows\syswow64\icardagt.exe
  "icardagt.exe"
  2⤵
  - Adds Run key to start application
  - Checks for any installed AV software in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1036
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Roaming\ectE04C.tmp.bat" "C:\Users\Admin\AppData\Local\Temp\4603037222e759fad531bc533fa715a0_NeikiAnalytics.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2812
- - C:\Windows\SysWOW64\attrib.exe
    attrib -r -s -h "C:\Users\Admin\AppData\Local\Temp\4603037222e759fad531bc533fa715a0_NeikiAnalytics.exe"
    3⤵
    - Views/modifies file attributes
    PID:880

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Software Discovery

T1518

Security Software Discovery

T1518.001

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\dbddjdfd4j.exe

Filesize
169KB

MD5
cba5202fab7a41d389cabd50e501d5eb

SHA1
b084e2924e76597840444282b8f26b3e3690ef02

SHA256
c759f7456e9f1c7488c51638a825c5a35ade9053e5739791d4d8f9ef0805548e

SHA512
d6bc4d390f232c2361a19f964014a823733c9a992de194075e0724b0782a505fc18eae32ca879cb3d86200d3921b0526d2f9aa870ef3599baaad581cab482cd6

Download Submit
C:\Users\Admin\AppData\Local\Temp\d43514e66e9c0a80acb4

Filesize
29B

MD5
6ba563f9c7f63c2976607b114e5680f8

SHA1
ee72feddf8db3c3cdecba656a1f6a2b860d3914d

SHA256
3f18edc9aaf696bb06ffeae4d74dc8467cdbe723903def8a0b30434a8f8a708d

SHA512
66296672c3c379533c384f54123b9e69788906e8cefb0f0014daa0aeda646249b3fe5ac385c83ead06a4cdb9ec828e1633f41d2c3b16edd88c8e51f421b77423

Download Submit
C:\Users\Admin\AppData\Roaming\ectE04C.tmp.bat

Filesize
57B

MD5
6dd274c5a9c3eeeac667b72467def1ab

SHA1
e9af8525f18e086eda72043bedd54a1587457021

SHA256
5b8a5feebcfc47df2feb29d794ad727d1da036687460a8096490755ec3f70b4d

SHA512
54bff4a190521bfd280a897d82bb1f9f0153454dbb3af6437e791990031a04efd898674f2250e11bafabc65b91bfe430316d3f4826c15b755e36a05e56c87f09

Download Submit
memory/1036-324-0x00000000001B0000-0x0000000000227000-memory.dmp

Filesize
476KB

Download
memory/1036-316-0x0000000000530000-0x0000000000630000-memory.dmp

Filesize
1024KB

Download
memory/1036-297-0x00000000001B0000-0x0000000000227000-memory.dmp

Filesize
476KB

Download
memory/1036-23-0x00000000001B0000-0x0000000000227000-memory.dmp

Filesize
476KB

Download
memory/1036-21-0x00000000001B0000-0x0000000000227000-memory.dmp

Filesize
476KB

Download
memory/1036-19-0x00000000001B0000-0x0000000000227000-memory.dmp

Filesize
476KB

Download
memory/1036-17-0x00000000001B0000-0x0000000000227000-memory.dmp

Filesize
476KB

Download
memory/1036-15-0x00000000001B0000-0x0000000000227000-memory.dmp

Filesize
476KB

Download
memory/1036-314-0x00000000001B0000-0x0000000000227000-memory.dmp

Filesize
476KB

Download
memory/1036-320-0x00000000001B0000-0x0000000000227000-memory.dmp

Filesize
476KB

Download
memory/1036-322-0x00000000001B0000-0x0000000000227000-memory.dmp

Filesize
476KB

Download
memory/1036-13-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/1036-27-0x00000000001B0000-0x0000000000227000-memory.dmp

Filesize
476KB

Download
memory/1036-25-0x00000000001B0000-0x0000000000227000-memory.dmp

Filesize
476KB

Download
memory/1036-315-0x0000000000530000-0x0000000000630000-memory.dmp

Filesize
1024KB

Download
memory/1036-26-0x00000000001B0000-0x0000000000227000-memory.dmp

Filesize
476KB

Download
memory/1036-11-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/1036-338-0x00000000001B0000-0x0000000000227000-memory.dmp

Filesize
476KB

Download
memory/1036-343-0x00000000001B0000-0x0000000000227000-memory.dmp

Filesize
476KB

Download
memory/1036-361-0x00000000001B0000-0x0000000000227000-memory.dmp

Filesize
476KB

Download
memory/1036-714-0x0000000000530000-0x0000000000630000-memory.dmp

Filesize
1024KB

Download
memory/1036-713-0x0000000000530000-0x0000000000630000-memory.dmp

Filesize
1024KB

Download
memory/1036-700-0x00000000001B0000-0x0000000000227000-memory.dmp

Filesize
476KB

Download
memory/1036-699-0x00000000001B0000-0x0000000000227000-memory.dmp

Filesize
476KB

Download
memory/2812-683-0x00000000003E0000-0x0000000000457000-memory.dmp

Filesize
476KB

Download
memory/2812-681-0x00000000003E0000-0x0000000000457000-memory.dmp

Filesize
476KB

Download
memory/2812-674-0x00000000003E0000-0x0000000000457000-memory.dmp

Filesize
476KB

Download