d95e270db4833f40d324312d8156fa9c4fc136f502bca517cc72d49575b0cd9f

Analysis

max time kernel
149s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
27-05-2024 09:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c1c6bb66f20a943050af9f7afd0955c0_NeikiAnalytics.exe
Size

29KB
MD5

c1c6bb66f20a943050af9f7afd0955c0
SHA1

f9a79b776f276f349db633a6d4a87a4d28dd0b4b
SHA256

d95e270db4833f40d324312d8156fa9c4fc136f502bca517cc72d49575b0cd9f
SHA512

e61752312324e5fdfe4fa67b06d2484cf2fcfddbe0aa2d5fa43cda68eb4051425cb0d3d04f3e93129ae83126899b63ce12620b06ca145bcd4616768d32ba0785
SSDEEP

768:plsh/EIjPBW7LmLq0bv7rox9vXy7xj7R7R7R7P:pr6P8uLq0bvuR+l

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
5096	rundll32.exe
1632	DMe.exe

Modifies system executable filetype association 2 TTPs 5 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command	c1c6bb66f20a943050af9f7afd0955c0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	c1c6bb66f20a943050af9f7afd0955c0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*"	c1c6bb66f20a943050af9f7afd0955c0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*"	rundll32.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\¢«.exe	c1c6bb66f20a943050af9f7afd0955c0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\¢«.exe	c1c6bb66f20a943050af9f7afd0955c0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\notepad¢¬.exe	c1c6bb66f20a943050af9f7afd0955c0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\notepad¢¬.exe	c1c6bb66f20a943050af9f7afd0955c0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\DMe.exe	c1c6bb66f20a943050af9f7afd0955c0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\DMe.exe	c1c6bb66f20a943050af9f7afd0955c0_NeikiAnalytics.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system\rundll32.exe	c1c6bb66f20a943050af9f7afd0955c0_NeikiAnalytics.exe
File opened for modification	C:\Windows\system\rundll32.exe	c1c6bb66f20a943050af9f7afd0955c0_NeikiAnalytics.exe

Modifies registry class 15 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad¢¬ %1"	rundll32.exe
Key created	\REGISTRY\MACHINE\Software\Classes\MSipv	c1c6bb66f20a943050af9f7afd0955c0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\Classes\txtfile\shell\open\command	c1c6bb66f20a943050af9f7afd0955c0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad.exe %1"	c1c6bb66f20a943050af9f7afd0955c0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\Classes\MSipv	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*"	c1c6bb66f20a943050af9f7afd0955c0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad¢¬ %1"	c1c6bb66f20a943050af9f7afd0955c0_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainSetup = "1716803386"	rundll32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainUp = "1716803386"	rundll32.exe
Key created	\REGISTRY\MACHINE\Software\Classes\txtfile\shell\open\command	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*"	rundll32.exe
Key created	\REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command	c1c6bb66f20a943050af9f7afd0955c0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	c1c6bb66f20a943050af9f7afd0955c0_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainVer = "510"	rundll32.exe
Key created	\REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command	rundll32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4732	c1c6bb66f20a943050af9f7afd0955c0_NeikiAnalytics.exe
4732	c1c6bb66f20a943050af9f7afd0955c0_NeikiAnalytics.exe
4732	c1c6bb66f20a943050af9f7afd0955c0_NeikiAnalytics.exe
4732	c1c6bb66f20a943050af9f7afd0955c0_NeikiAnalytics.exe
4732	c1c6bb66f20a943050af9f7afd0955c0_NeikiAnalytics.exe
4732	c1c6bb66f20a943050af9f7afd0955c0_NeikiAnalytics.exe
4732	c1c6bb66f20a943050af9f7afd0955c0_NeikiAnalytics.exe
4732	c1c6bb66f20a943050af9f7afd0955c0_NeikiAnalytics.exe
4732	c1c6bb66f20a943050af9f7afd0955c0_NeikiAnalytics.exe
4732	c1c6bb66f20a943050af9f7afd0955c0_NeikiAnalytics.exe
4732	c1c6bb66f20a943050af9f7afd0955c0_NeikiAnalytics.exe
4732	c1c6bb66f20a943050af9f7afd0955c0_NeikiAnalytics.exe
4732	c1c6bb66f20a943050af9f7afd0955c0_NeikiAnalytics.exe
4732	c1c6bb66f20a943050af9f7afd0955c0_NeikiAnalytics.exe
4732	c1c6bb66f20a943050af9f7afd0955c0_NeikiAnalytics.exe
4732	c1c6bb66f20a943050af9f7afd0955c0_NeikiAnalytics.exe
4732	c1c6bb66f20a943050af9f7afd0955c0_NeikiAnalytics.exe
4732	c1c6bb66f20a943050af9f7afd0955c0_NeikiAnalytics.exe
4732	c1c6bb66f20a943050af9f7afd0955c0_NeikiAnalytics.exe
4732	c1c6bb66f20a943050af9f7afd0955c0_NeikiAnalytics.exe
4732	c1c6bb66f20a943050af9f7afd0955c0_NeikiAnalytics.exe
4732	c1c6bb66f20a943050af9f7afd0955c0_NeikiAnalytics.exe
4732	c1c6bb66f20a943050af9f7afd0955c0_NeikiAnalytics.exe
4732	c1c6bb66f20a943050af9f7afd0955c0_NeikiAnalytics.exe
4732	c1c6bb66f20a943050af9f7afd0955c0_NeikiAnalytics.exe
4732	c1c6bb66f20a943050af9f7afd0955c0_NeikiAnalytics.exe
4732	c1c6bb66f20a943050af9f7afd0955c0_NeikiAnalytics.exe
4732	c1c6bb66f20a943050af9f7afd0955c0_NeikiAnalytics.exe
4732	c1c6bb66f20a943050af9f7afd0955c0_NeikiAnalytics.exe
4732	c1c6bb66f20a943050af9f7afd0955c0_NeikiAnalytics.exe
1632	DMe.exe
1632	DMe.exe
5096	rundll32.exe
5096	rundll32.exe
5096	rundll32.exe
5096	rundll32.exe
5096	rundll32.exe
5096	rundll32.exe
5096	rundll32.exe
5096	rundll32.exe
5096	rundll32.exe
5096	rundll32.exe
5096	rundll32.exe
5096	rundll32.exe
5096	rundll32.exe
5096	rundll32.exe
5096	rundll32.exe
5096	rundll32.exe
5096	rundll32.exe
5096	rundll32.exe
5096	rundll32.exe
5096	rundll32.exe
5096	rundll32.exe
5096	rundll32.exe
5096	rundll32.exe
5096	rundll32.exe
5096	rundll32.exe
5096	rundll32.exe
5096	rundll32.exe
5096	rundll32.exe
5096	rundll32.exe
5096	rundll32.exe
5096	rundll32.exe
5096	rundll32.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4732	c1c6bb66f20a943050af9f7afd0955c0_NeikiAnalytics.exe
5096	rundll32.exe
1632	DMe.exe
5096	rundll32.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4732 wrote to memory of 5096	4732	c1c6bb66f20a943050af9f7afd0955c0_NeikiAnalytics.exe	94
PID 4732 wrote to memory of 5096	4732	c1c6bb66f20a943050af9f7afd0955c0_NeikiAnalytics.exe	94
PID 4732 wrote to memory of 5096	4732	c1c6bb66f20a943050af9f7afd0955c0_NeikiAnalytics.exe	94
PID 4732 wrote to memory of 1632	4732	c1c6bb66f20a943050af9f7afd0955c0_NeikiAnalytics.exe	104
PID 4732 wrote to memory of 1632	4732	c1c6bb66f20a943050af9f7afd0955c0_NeikiAnalytics.exe	104
PID 4732 wrote to memory of 1632	4732	c1c6bb66f20a943050af9f7afd0955c0_NeikiAnalytics.exe	104

C:\Users\Admin\AppData\Local\Temp\c1c6bb66f20a943050af9f7afd0955c0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\c1c6bb66f20a943050af9f7afd0955c0_NeikiAnalytics.exe"
1⤵
- Modifies system executable filetype association
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4732
- C:\Windows\system\rundll32.exe
  C:\Windows\system\rundll32.exe
  2⤵
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:5096
- C:\Windows\SysWOW64\DMe.exe
  "C:\Windows\system32\DMe.exe" C:\Users\Admin\AppData\Local\Temp\c1c6bb66f20a943050af9f7afd0955c0_NeikiAnalytics.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1632

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=1392,i,1809100026287847100,9768898026582633513,262144 --variations-seed-version --mojo-platform-channel-handle=3964 /prefetch:8
1⤵
PID:3084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\DMe.exe

Filesize
29KB

MD5
c1c6bb66f20a943050af9f7afd0955c0

SHA1
f9a79b776f276f349db633a6d4a87a4d28dd0b4b

SHA256
d95e270db4833f40d324312d8156fa9c4fc136f502bca517cc72d49575b0cd9f

SHA512
e61752312324e5fdfe4fa67b06d2484cf2fcfddbe0aa2d5fa43cda68eb4051425cb0d3d04f3e93129ae83126899b63ce12620b06ca145bcd4616768d32ba0785

Download Submit
C:\Windows\SysWOW64\notepad¢¬.exe

Filesize
30KB

MD5
7943389257116165f279c2f58697756b

SHA1
9a51216e5fa06fd8d653d715bd540d18cd7a08b6

SHA256
7ca017175dab7265bb3c3fa0875158a392fd071b3aca9270bf7ccf80804e060c

SHA512
c97523c592efcff83489d596819a405f68bf9fb70f58087d12ec5d88e7effd231a059fde395c93df8406a279fb9adfeb52972a9304f847052e13e5badb6e1fe4

Download Submit
memory/1632-21-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/4732-0-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/4732-22-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/5096-26-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/5096-30-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/5096-25-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/5096-23-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/5096-27-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/5096-28-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/5096-29-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/5096-24-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/5096-31-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/5096-32-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/5096-33-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/5096-34-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/5096-35-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/5096-36-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download