0281c4a43b29746933cda1983e9c2cd891fe60d1b2f6f8c3566640e6a7c22922

Analysis

max time kernel
150s
max time network
125s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
27/05/2024, 17:47

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

05d48e45f5fb05caf4b2bdebe4f07e50_NeikiAnalytics.exe
Size

456KB
MD5

05d48e45f5fb05caf4b2bdebe4f07e50
SHA1

f2ee619ce1a6dfbc73f4689e3dd2fa68ef13a224
SHA256

0281c4a43b29746933cda1983e9c2cd891fe60d1b2f6f8c3566640e6a7c22922
SHA512

81a974392c6b82e58433d3d6c63b38d0875f1d012c071248453f2d0cc8bb059042b8768830ce1edc3fd0c14734444a69fc4c67a0aec6b18f0ac8ef0a65f56d9c
SSDEEP

12288:X6Wq4aaE6KwyF5L0Y2D1PqLb6Wq4aan6Wq4aaE6K+:1thEVaPqLBthFthEG

Score

10^/10

evasion upx

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	svhost.exe

Executes dropped EXE 1 IoCs

pid	Process
3016	svhost.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2136-0-0x0000000000400000-0x0000000000523000-memory.dmp	upx
behavioral1/files/0x000d0000000122b8-4.dat	upx
behavioral1/files/0x0009000000014b6d-65.dat	upx
behavioral1/memory/2136-682-0x0000000000400000-0x0000000000523000-memory.dmp	upx
behavioral1/memory/3016-2582-0x0000000000400000-0x0000000000523000-memory.dmp	upx

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\o:	svhost.exe
File opened (read-only)	\??\u:	svhost.exe
File opened (read-only)	\??\v:	svhost.exe
File opened (read-only)	\??\x:	svhost.exe
File opened (read-only)	\??\k:	svhost.exe
File opened (read-only)	\??\l:	svhost.exe
File opened (read-only)	\??\p:	svhost.exe
File opened (read-only)	\??\q:	svhost.exe
File opened (read-only)	\??\a:	svhost.exe
File opened (read-only)	\??\b:	svhost.exe
File opened (read-only)	\??\e:	svhost.exe
File opened (read-only)	\??\j:	svhost.exe
File opened (read-only)	\??\w:	svhost.exe
File opened (read-only)	\??\m:	svhost.exe
File opened (read-only)	\??\n:	svhost.exe
File opened (read-only)	\??\r:	svhost.exe
File opened (read-only)	\??\t:	svhost.exe
File opened (read-only)	\??\y:	svhost.exe
File opened (read-only)	\??\z:	svhost.exe
File opened (read-only)	\??\g:	svhost.exe
File opened (read-only)	\??\h:	svhost.exe
File opened (read-only)	\??\i:	svhost.exe
File opened (read-only)	\??\s:	svhost.exe

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/2136-682-0x0000000000400000-0x0000000000523000-memory.dmp	autoit_exe
behavioral1/memory/3016-2582-0x0000000000400000-0x0000000000523000-memory.dmp	autoit_exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\svhost.exe	05d48e45f5fb05caf4b2bdebe4f07e50_NeikiAnalytics.exe
File opened for modification	C:\Windows\Driver.db	svhost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2136	05d48e45f5fb05caf4b2bdebe4f07e50_NeikiAnalytics.exe
3016	svhost.exe
3016	svhost.exe
3016	svhost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3016	svhost.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2136	05d48e45f5fb05caf4b2bdebe4f07e50_NeikiAnalytics.exe
2136	05d48e45f5fb05caf4b2bdebe4f07e50_NeikiAnalytics.exe
3016	svhost.exe
3016	svhost.exe
2136	05d48e45f5fb05caf4b2bdebe4f07e50_NeikiAnalytics.exe
3016	svhost.exe
2136	05d48e45f5fb05caf4b2bdebe4f07e50_NeikiAnalytics.exe
3016	svhost.exe
2136	05d48e45f5fb05caf4b2bdebe4f07e50_NeikiAnalytics.exe
3016	svhost.exe
2136	05d48e45f5fb05caf4b2bdebe4f07e50_NeikiAnalytics.exe
3016	svhost.exe
2136	05d48e45f5fb05caf4b2bdebe4f07e50_NeikiAnalytics.exe
3016	svhost.exe
2136	05d48e45f5fb05caf4b2bdebe4f07e50_NeikiAnalytics.exe
3016	svhost.exe
2136	05d48e45f5fb05caf4b2bdebe4f07e50_NeikiAnalytics.exe
3016	svhost.exe
2136	05d48e45f5fb05caf4b2bdebe4f07e50_NeikiAnalytics.exe
2136	05d48e45f5fb05caf4b2bdebe4f07e50_NeikiAnalytics.exe
3016	svhost.exe
3016	svhost.exe
3016	svhost.exe
3016	svhost.exe
3016	svhost.exe
3016	svhost.exe
3016	svhost.exe
3016	svhost.exe
3016	svhost.exe
3016	svhost.exe
3016	svhost.exe
3016	svhost.exe
3016	svhost.exe
3016	svhost.exe
3016	svhost.exe
3016	svhost.exe
3016	svhost.exe
3016	svhost.exe
3016	svhost.exe
3016	svhost.exe
3016	svhost.exe
3016	svhost.exe
3016	svhost.exe
3016	svhost.exe
3016	svhost.exe
3016	svhost.exe
3016	svhost.exe
3016	svhost.exe
3016	svhost.exe
3016	svhost.exe
3016	svhost.exe
3016	svhost.exe
3016	svhost.exe
3016	svhost.exe
3016	svhost.exe
3016	svhost.exe
3016	svhost.exe
3016	svhost.exe
3016	svhost.exe
3016	svhost.exe
3016	svhost.exe
3016	svhost.exe
3016	svhost.exe
3016	svhost.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2136	05d48e45f5fb05caf4b2bdebe4f07e50_NeikiAnalytics.exe
2136	05d48e45f5fb05caf4b2bdebe4f07e50_NeikiAnalytics.exe
3016	svhost.exe
3016	svhost.exe
2136	05d48e45f5fb05caf4b2bdebe4f07e50_NeikiAnalytics.exe
3016	svhost.exe
2136	05d48e45f5fb05caf4b2bdebe4f07e50_NeikiAnalytics.exe
3016	svhost.exe
2136	05d48e45f5fb05caf4b2bdebe4f07e50_NeikiAnalytics.exe
3016	svhost.exe
2136	05d48e45f5fb05caf4b2bdebe4f07e50_NeikiAnalytics.exe
3016	svhost.exe
2136	05d48e45f5fb05caf4b2bdebe4f07e50_NeikiAnalytics.exe
3016	svhost.exe
2136	05d48e45f5fb05caf4b2bdebe4f07e50_NeikiAnalytics.exe
3016	svhost.exe
2136	05d48e45f5fb05caf4b2bdebe4f07e50_NeikiAnalytics.exe
3016	svhost.exe
2136	05d48e45f5fb05caf4b2bdebe4f07e50_NeikiAnalytics.exe
2136	05d48e45f5fb05caf4b2bdebe4f07e50_NeikiAnalytics.exe
3016	svhost.exe
3016	svhost.exe
3016	svhost.exe
3016	svhost.exe
3016	svhost.exe
3016	svhost.exe
3016	svhost.exe
3016	svhost.exe
3016	svhost.exe
3016	svhost.exe
3016	svhost.exe
3016	svhost.exe
3016	svhost.exe
3016	svhost.exe
3016	svhost.exe
3016	svhost.exe
3016	svhost.exe
3016	svhost.exe
3016	svhost.exe
3016	svhost.exe
3016	svhost.exe
3016	svhost.exe
3016	svhost.exe
3016	svhost.exe
3016	svhost.exe
3016	svhost.exe
3016	svhost.exe
3016	svhost.exe
3016	svhost.exe
3016	svhost.exe
3016	svhost.exe
3016	svhost.exe
3016	svhost.exe
3016	svhost.exe
3016	svhost.exe
3016	svhost.exe
3016	svhost.exe
3016	svhost.exe
3016	svhost.exe
3016	svhost.exe
3016	svhost.exe
3016	svhost.exe
3016	svhost.exe
3016	svhost.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2136 wrote to memory of 3016	2136	05d48e45f5fb05caf4b2bdebe4f07e50_NeikiAnalytics.exe	28
PID 2136 wrote to memory of 3016	2136	05d48e45f5fb05caf4b2bdebe4f07e50_NeikiAnalytics.exe	28
PID 2136 wrote to memory of 3016	2136	05d48e45f5fb05caf4b2bdebe4f07e50_NeikiAnalytics.exe	28
PID 2136 wrote to memory of 3016	2136	05d48e45f5fb05caf4b2bdebe4f07e50_NeikiAnalytics.exe	28

C:\Users\Admin\AppData\Local\Temp\05d48e45f5fb05caf4b2bdebe4f07e50_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\05d48e45f5fb05caf4b2bdebe4f07e50_NeikiAnalytics.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2136
- C:\Windows\svhost.exe
  C:\Windows\svhost.exe
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:3016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Documents and Settings.exe

Filesize
456KB

MD5
481361110db5d37146b048a8faae25b1

SHA1
9de7cd2283094d7ae3d5c59c97b7e543031423f2

SHA256
4cd036e6ada60b2a0dfd46f31983f7ed83d830a28f1609b9170ef59180b0cab6

SHA512
a38d313efdf2c853fde48c9229dc8602ea5e45d5702a10b8b6356965a0a9f98b647c484c194b7179a60fd3f8a6ab2b3ac8165c8d2875077eebb9b44ce8b004f5

Download Submit
C:\Windows\Driver.db

Filesize
82B

MD5
c2d2dc50dca8a2bfdc8e2d59dfa5796d

SHA1
7a6150fc53244e28d1bcea437c0c9d276c41ccad

SHA256
b2d38b3f122cfcf3cecabf0dfe2ab9c4182416d6961ae43f1eebee489cf3c960

SHA512
6cfdd08729de9ee9d1f5d8fcd859144d32ddc0a9e7074202a7d03d3795bdf0027a074a6aa54f451d4166024c134b27c55c7142170e64d979d86c13801f937ce4

Download Submit
C:\Windows\svhost.exe

Filesize
456KB

MD5
362f949187b0197268bde39f8a79358b

SHA1
16f3ac7091c49aeaa12c746e471c5a804e6f52ae

SHA256
305fbb3293e3e87c57342d0befd64a7128d607708444b253bb6230edf8da3f30

SHA512
f4c9c0ecc330dfdda2740f93de4989dcf56803fc9ab936e070711bad789b4fb42e6ee7deb6081ec7c7796f9e2aa701f7b01fd9632b52598570e1358d47f6c30f

Download Submit
memory/2136-0-0x0000000000400000-0x0000000000523000-memory.dmp

Filesize
1.1MB

Download
memory/2136-682-0x0000000000400000-0x0000000000523000-memory.dmp

Filesize
1.1MB

Download
memory/2136-687-0x0000000003AE0000-0x0000000003C03000-memory.dmp

Filesize
1.1MB

Download
memory/3016-2582-0x0000000000400000-0x0000000000523000-memory.dmp

Filesize
1.1MB

Download