Analysis
-
max time kernel
149s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
27/05/2024, 04:42
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
1f7487bdebd83d45e1430c6b48b31250_NeikiAnalytics.exe
Resource
win7-20240508-en
windows7-x64
11 signatures
150 seconds
Behavioral task
behavioral2
Sample
1f7487bdebd83d45e1430c6b48b31250_NeikiAnalytics.exe
Resource
win10v2004-20240426-en
windows10-2004-x64
10 signatures
150 seconds
General
-
Target
1f7487bdebd83d45e1430c6b48b31250_NeikiAnalytics.exe
-
Size
72KB
-
MD5
1f7487bdebd83d45e1430c6b48b31250
-
SHA1
b70e0271b69ea0a1647a6eea1c696f44d0a3d258
-
SHA256
ab874beb65d3b8e73738b800c00c8095bc1cc85f08697f08390632c27500f3dd
-
SHA512
c4393c5185e189221b8b23cecfa6e4f913d8a1f36a0f499c82dace29c95edbf9d972da936ce649915d0388a62458f1057d3fccce3d1de698fa7ad4e1ade7f57d
-
SSDEEP
768:x/nEuhThEUAvMgvvd9WhTOng8X6m2AYS1rg1YJZLIgwRdPxCdYLndQxzGp5hhJy+:xs0evMm+tgg1XS181xbGgdjhh9ZoPbK
Score
10/10
Malware Config
Signatures
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "25600" outkumoov.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600" outkumoov.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600" outkumoov.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600" outkumoov.exe -
Modifies Installed Components in the registry 2 TTPs 4 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{465A4258-4458-5541-465A-425844585541} outkumoov.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{465A4258-4458-5541-465A-425844585541}\01234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123 = "a" outkumoov.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{465A4258-4458-5541-465A-425844585541}\IsInstalled = "1" outkumoov.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{465A4258-4458-5541-465A-425844585541}\StubPath = "C:\\Windows\\system32\\inrooved.exe" outkumoov.exe -
Sets file execution options in registry 2 TTPs 3 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe outkumoov.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\0123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890 = "a" outkumoov.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger = "C:\\Windows\\system32\\eadgooxot-icum.exe" outkumoov.exe -
Executes dropped EXE 2 IoCs
pid Process 5116 outkumoov.exe 4652 outkumoov.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "25600" outkumoov.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600" outkumoov.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600" outkumoov.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600" outkumoov.exe -
Modifies WinLogon 2 TTPs 5 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B} outkumoov.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify outkumoov.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345 = "a" outkumoov.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\DLLName = "C:\\Windows\\system32\\otlixog.dll" outkumoov.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\Startup = "Startup" outkumoov.exe -
Drops file in System32 directory 9 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\otlixog.dll outkumoov.exe File created C:\Windows\SysWOW64\otlixog.dll outkumoov.exe File opened for modification C:\Windows\SysWOW64\outkumoov.exe 1f7487bdebd83d45e1430c6b48b31250_NeikiAnalytics.exe File created C:\Windows\SysWOW64\outkumoov.exe 1f7487bdebd83d45e1430c6b48b31250_NeikiAnalytics.exe File created C:\Windows\SysWOW64\eadgooxot-icum.exe outkumoov.exe File opened for modification C:\Windows\SysWOW64\outkumoov.exe outkumoov.exe File opened for modification C:\Windows\SysWOW64\eadgooxot-icum.exe outkumoov.exe File opened for modification C:\Windows\SysWOW64\inrooved.exe outkumoov.exe File created C:\Windows\SysWOW64\inrooved.exe outkumoov.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 5116 outkumoov.exe 5116 outkumoov.exe 5116 outkumoov.exe 5116 outkumoov.exe 5116 outkumoov.exe 5116 outkumoov.exe 5116 outkumoov.exe 5116 outkumoov.exe 4652 outkumoov.exe 4652 outkumoov.exe 5116 outkumoov.exe 5116 outkumoov.exe 5116 outkumoov.exe 5116 outkumoov.exe 5116 outkumoov.exe 5116 outkumoov.exe 5116 outkumoov.exe 5116 outkumoov.exe 5116 outkumoov.exe 5116 outkumoov.exe 5116 outkumoov.exe 5116 outkumoov.exe 5116 outkumoov.exe 5116 outkumoov.exe 5116 outkumoov.exe 5116 outkumoov.exe 5116 outkumoov.exe 5116 outkumoov.exe 5116 outkumoov.exe 5116 outkumoov.exe 5116 outkumoov.exe 5116 outkumoov.exe 5116 outkumoov.exe 5116 outkumoov.exe 5116 outkumoov.exe 5116 outkumoov.exe 5116 outkumoov.exe 5116 outkumoov.exe 5116 outkumoov.exe 5116 outkumoov.exe 5116 outkumoov.exe 5116 outkumoov.exe 5116 outkumoov.exe 5116 outkumoov.exe 5116 outkumoov.exe 5116 outkumoov.exe 5116 outkumoov.exe 5116 outkumoov.exe 5116 outkumoov.exe 5116 outkumoov.exe 5116 outkumoov.exe 5116 outkumoov.exe 5116 outkumoov.exe 5116 outkumoov.exe 5116 outkumoov.exe 5116 outkumoov.exe 5116 outkumoov.exe 5116 outkumoov.exe 5116 outkumoov.exe 5116 outkumoov.exe 5116 outkumoov.exe 5116 outkumoov.exe 5116 outkumoov.exe 5116 outkumoov.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 5116 outkumoov.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1496 wrote to memory of 5116 1496 1f7487bdebd83d45e1430c6b48b31250_NeikiAnalytics.exe 82 PID 1496 wrote to memory of 5116 1496 1f7487bdebd83d45e1430c6b48b31250_NeikiAnalytics.exe 82 PID 1496 wrote to memory of 5116 1496 1f7487bdebd83d45e1430c6b48b31250_NeikiAnalytics.exe 82 PID 5116 wrote to memory of 4652 5116 outkumoov.exe 83 PID 5116 wrote to memory of 4652 5116 outkumoov.exe 83 PID 5116 wrote to memory of 4652 5116 outkumoov.exe 83 PID 5116 wrote to memory of 612 5116 outkumoov.exe 5 PID 5116 wrote to memory of 3436 5116 outkumoov.exe 56 PID 5116 wrote to memory of 3436 5116 outkumoov.exe 56 PID 5116 wrote to memory of 3436 5116 outkumoov.exe 56 PID 5116 wrote to memory of 3436 5116 outkumoov.exe 56 PID 5116 wrote to memory of 3436 5116 outkumoov.exe 56 PID 5116 wrote to memory of 3436 5116 outkumoov.exe 56 PID 5116 wrote to memory of 3436 5116 outkumoov.exe 56 PID 5116 wrote to memory of 3436 5116 outkumoov.exe 56 PID 5116 wrote to memory of 3436 5116 outkumoov.exe 56 PID 5116 wrote to memory of 3436 5116 outkumoov.exe 56 PID 5116 wrote to memory of 3436 5116 outkumoov.exe 56 PID 5116 wrote to memory of 3436 5116 outkumoov.exe 56 PID 5116 wrote to memory of 3436 5116 outkumoov.exe 56 PID 5116 wrote to memory of 3436 5116 outkumoov.exe 56 PID 5116 wrote to memory of 3436 5116 outkumoov.exe 56 PID 5116 wrote to memory of 3436 5116 outkumoov.exe 56 PID 5116 wrote to memory of 3436 5116 outkumoov.exe 56 PID 5116 wrote to memory of 3436 5116 outkumoov.exe 56 PID 5116 wrote to memory of 3436 5116 outkumoov.exe 56 PID 5116 wrote to memory of 3436 5116 outkumoov.exe 56 PID 5116 wrote to memory of 3436 5116 outkumoov.exe 56 PID 5116 wrote to memory of 3436 5116 outkumoov.exe 56 PID 5116 wrote to memory of 3436 5116 outkumoov.exe 56 PID 5116 wrote to memory of 3436 5116 outkumoov.exe 56 PID 5116 wrote to memory of 3436 5116 outkumoov.exe 56 PID 5116 wrote to memory of 3436 5116 outkumoov.exe 56 PID 5116 wrote to memory of 3436 5116 outkumoov.exe 56 PID 5116 wrote to memory of 3436 5116 outkumoov.exe 56 PID 5116 wrote to memory of 3436 5116 outkumoov.exe 56 PID 5116 wrote to memory of 3436 5116 outkumoov.exe 56 PID 5116 wrote to memory of 3436 5116 outkumoov.exe 56 PID 5116 wrote to memory of 3436 5116 outkumoov.exe 56 PID 5116 wrote to memory of 3436 5116 outkumoov.exe 56 PID 5116 wrote to memory of 3436 5116 outkumoov.exe 56 PID 5116 wrote to memory of 3436 5116 outkumoov.exe 56 PID 5116 wrote to memory of 3436 5116 outkumoov.exe 56 PID 5116 wrote to memory of 3436 5116 outkumoov.exe 56 PID 5116 wrote to memory of 3436 5116 outkumoov.exe 56 PID 5116 wrote to memory of 3436 5116 outkumoov.exe 56 PID 5116 wrote to memory of 3436 5116 outkumoov.exe 56 PID 5116 wrote to memory of 3436 5116 outkumoov.exe 56 PID 5116 wrote to memory of 3436 5116 outkumoov.exe 56 PID 5116 wrote to memory of 3436 5116 outkumoov.exe 56 PID 5116 wrote to memory of 3436 5116 outkumoov.exe 56 PID 5116 wrote to memory of 3436 5116 outkumoov.exe 56 PID 5116 wrote to memory of 3436 5116 outkumoov.exe 56 PID 5116 wrote to memory of 3436 5116 outkumoov.exe 56 PID 5116 wrote to memory of 3436 5116 outkumoov.exe 56 PID 5116 wrote to memory of 3436 5116 outkumoov.exe 56 PID 5116 wrote to memory of 3436 5116 outkumoov.exe 56 PID 5116 wrote to memory of 3436 5116 outkumoov.exe 56 PID 5116 wrote to memory of 3436 5116 outkumoov.exe 56 PID 5116 wrote to memory of 3436 5116 outkumoov.exe 56 PID 5116 wrote to memory of 3436 5116 outkumoov.exe 56 PID 5116 wrote to memory of 3436 5116 outkumoov.exe 56 PID 5116 wrote to memory of 3436 5116 outkumoov.exe 56 PID 5116 wrote to memory of 3436 5116 outkumoov.exe 56
Processes
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵PID:612
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:3436
-
C:\Users\Admin\AppData\Local\Temp\1f7487bdebd83d45e1430c6b48b31250_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\1f7487bdebd83d45e1430c6b48b31250_NeikiAnalytics.exe"2⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1496 -
C:\Windows\SysWOW64\outkumoov.exe"C:\Windows\SysWOW64\outkumoov.exe"3⤵
- Windows security bypass
- Modifies Installed Components in the registry
- Sets file execution options in registry
- Executes dropped EXE
- Windows security modification
- Modifies WinLogon
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5116 -
C:\Windows\SysWOW64\outkumoov.exe--k33p4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4652
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
73KB
MD5df4d89b8ab92ff29741d6b14b2baf211
SHA16c51eede3d2c11df375ed0eb1af7f5b0f448087d
SHA2568f50504d07d289933d7043ca422f95d2b3d7f08b9396abbd8a1395934f1a00af
SHA512cb223499eaadcc4657cef5b3faacb1dc2a9c893beb5543a9b05886c8ecd40000ba88d18402e1bdded35c92cdea4cb729259be4ee4dc9d6be780c254cea5bc271
-
Filesize
72KB
MD5bbcac2edbfd207dbfb292b7aa32025d1
SHA123cbf4f18ed795a9bffce9dfa90b10c4f1ebd7b7
SHA256100117cd72a1b188bc1e7334397d2d91b5f8d87388a24f157e800262d53595c7
SHA5128e64e6f92b07398be0254f34c140f6935d5ff41d147699673d3ac5543db28cefb4796b11000e8c18b7ce30290766783516ebef84bbba4733709c14fa6b107d24
-
Filesize
5KB
MD5f37b21c00fd81bd93c89ce741a88f183
SHA1b2796500597c68e2f5638e1101b46eaf32676c1c
SHA25676cf016fd77cb5a06c6ed4674ddc2345e8390c010cf344491a6e742baf2c0fb0
SHA512252fe66dea9a4b9aebc5fd2f24434719cb25159ba51549d9de407f44b6a2f7bce6e071be02c4f2ad6aef588c77f12c00ed415eb54f96dec1b077326e101ce0f4
-
Filesize
70KB
MD5e3f06eadd61cb0a8dd94d4862c57524e
SHA19c90cefecf253d903084b088cc5f05e71c8b3c68
SHA2565dca1946cd4deee3537037520772fe3fb482ffdea11f50283c1d0b67806aaf2e
SHA5121860352518fb77922ca138655e3cfa0db8febf84a7b70de297e255f9a13f5fec46c83cb64c5f5c85403bf9674a7dc80430a1569fb005cece119996dd018c3fab