Analysis
- max time kernel: 141s
- max time network: 126s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 27/05/2024, 19:10
Static task: static1
Behavioral task: behavioral1
- Sample: 0f6bf27f59e1d9644b197a4958b84840_NeikiAnalytics.exe
- Resource: win7-20240215-en
Behavioral task: behavioral2
- Sample: 0f6bf27f59e1d9644b197a4958b84840_NeikiAnalytics.exe
- Resource: win10v2004-20240508-en
General
- Target: 0f6bf27f59e1d9644b197a4958b84840_NeikiAnalytics.exe
- Size: 1.9MB
- MD5: 0f6bf27f59e1d9644b197a4958b84840
- SHA1: 465c7327357028ef070f7706a370af247db8a788
- SHA256: 2c19fce1d2f4251e8d1371b526ef96938ef99a51742b5d2ebb5125428b16b804
- SHA512: bb95bbd9ae104fc8196483ba8c2809113ee276125faef17360b00da312c7017ab73079f4680c9e3a2ccc9db4e2c966ee1fca92449b1ebb01382a721143d9289a
- SSDEEP: 24576:G0c5Uj7xttpUz6RLVEuLl4zQsquuP6Kc/4E7CFXNIfu4jPNMRgpLT4kWN3WK4si3:fcoltOc8Z6PjE5fu+NfxpWtWK1e
Malware Config
Signatures
- Downloads MZ/PE file
- Executes dropped EXE (2 IoCs)
    PID    Process
    3184   0f6bf27f59e1d9644b197a4958b84840_NeikiAnalytics.tmp
    1080   7za.exe
- Checks installed software on the system (1 TTP)
    Looks up Uninstall key entries in the registry to enumerate software on the system.
- Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTP, 1 IoC)
    Schtasks is often used by malware for persistence or to perform post-infection execution.
    PID    Process
    4488   schtasks.exe
- Kills process with taskkill (1 IoC)
    PID    Process
    3164   taskkill.exe
- Script User-Agent (1 IoC)
    Uses a user-agent string associated with a script host/environment.
    Description              Flow   IoC
    HTTP User-Agent header   22     Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
    PID    Process
    3184   0f6bf27f59e1d9644b197a4958b84840_NeikiAnalytics.tmp
    3184   0f6bf27f59e1d9644b197a4958b84840_NeikiAnalytics.tmp
- Suspicious use of FindShellTrayWindow (1 IoC)
    PID    Process
    3184   0f6bf27f59e1d9644b197a4958b84840_NeikiAnalytics.tmp
- Suspicious use of WriteProcessMemory (12 IoCs; each write below was recorded 3 times)
    Description                         PID    Process                                                procid_target
    PID 960 wrote to memory of 3184     960    0f6bf27f59e1d9644b197a4958b84840_NeikiAnalytics.exe    83
    PID 3184 wrote to memory of 3164    3184   0f6bf27f59e1d9644b197a4958b84840_NeikiAnalytics.tmp    87
    PID 3184 wrote to memory of 4488    3184   0f6bf27f59e1d9644b197a4958b84840_NeikiAnalytics.tmp    97
    PID 3184 wrote to memory of 1080    3184   0f6bf27f59e1d9644b197a4958b84840_NeikiAnalytics.tmp    100
Processes
- C:\Users\Admin\AppData\Local\Temp\0f6bf27f59e1d9644b197a4958b84840_NeikiAnalytics.exe (PID 960)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0f6bf27f59e1d9644b197a4958b84840_NeikiAnalytics.exe"
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\is-7NLPS.tmp\0f6bf27f59e1d9644b197a4958b84840_NeikiAnalytics.tmp (PID 3184)
    Command line: "C:\Users\Admin\AppData\Local\Temp\is-7NLPS.tmp\0f6bf27f59e1d9644b197a4958b84840_NeikiAnalytics.tmp" /SL5="$A0054,1106218,862720,C:\Users\Admin\AppData\Local\Temp\0f6bf27f59e1d9644b197a4958b84840_NeikiAnalytics.exe"
    Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of FindShellTrayWindow; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\taskkill.exe (PID 3164)
      Command line: "taskkill" https://setstat.ru/api/savePostback?chid=%s&guid=%s&type=vkdjbin.exe
      Signatures: Kills process with taskkill
    - C:\Windows\SysWOW64\schtasks.exe (PID 4488)
      Command line: "schtasks.exe" /Create /TN impressive-clever /SC ONLOGON /TR "C:\ProgramData\dormitory-extent\bin.exe /H" /F /DELAY 0001:00 /RL HIGHEST
      Signatures: Creates scheduled task(s)
    - C:\Users\Admin\AppData\Local\Temp\is-GG3M3.tmp\7za.exe (PID 1080)
      Command line: "C:\Users\Admin\AppData\Local\Temp\is-GG3M3.tmp\7za.exe" e "C:\Users\Admin\AppData\Local\Temp\is-GG3M3.tmp\5.14.zip" -pvkd -y -oC:\ProgramData\dormitory-extent
      Signatures: Executes dropped EXE
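The three child command lines above already carry the indicators an analyst would pull from this run: a logon-triggered scheduled task that runs with highest privileges, a password-protected archive extracted into C:\ProgramData, and a URL handed to taskkill. The parent `.tmp` under `is-7NLPS.tmp` started with `/SL5=` is the Inno Setup loader hand-off, so these children are spawned by the installer itself (PID 3184). The Python below is an added example, not part of the sandbox report or its vendor's tooling: it parses those command lines into structured IoCs and correlates the task's run target with the archive's output directory. The switch tables for schtasks.exe and 7-Zip cover the common switches only, and the correlation rule is this example's own assumption; the command lines are copied from the Processes section.

```python
"""Turn the child-process command lines from the report into structured IoCs.

Added example, not part of the sandbox report. The switch tables below are
this example's assumption about which schtasks/7-Zip switches matter.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Child command lines copied from the Processes section of the report.
CMDLINES = [
    r'"taskkill" https://setstat.ru/api/savePostback?chid=%s&guid=%s&type=vkdjbin.exe',
    r'"schtasks.exe" /Create /TN impressive-clever /SC ONLOGON /TR "C:\ProgramData\dormitory-extent\bin.exe /H" /F /DELAY 0001:00 /RL HIGHEST',
    r'"C:\Users\Admin\AppData\Local\Temp\is-GG3M3.tmp\7za.exe" e "C:\Users\Admin\AppData\Local\Temp\is-GG3M3.tmp\5.14.zip" -pvkd -y -oC:\ProgramData\dormitory-extent',
]

# schtasks switches that consume the following token as their value (common subset).
SCHTASKS_VALUE_SWITCHES = {"TN", "SC", "TR", "DELAY", "RL", "RU", "RP", "ST", "SD", "ED",
                           "ET", "DU", "MO", "D", "M", "I", "S", "U", "P", "XML", "RI"}
# Schedules that fire on boot/logon with no further user action: classic persistence.
AUTORUN_SCHEDULES = {"ONLOGON", "ONSTART"}
URL_RE = re.compile(r"""https?://[^\s"']+""")


def tokenize(cmdline: str) -> List[str]:
    """Split a Windows command line on whitespace, keeping "quoted spans" as one
    token and stripping the quotes. Backslashes are literal (no POSIX escaping).
    Limitation: a quote opened mid-token, e.g. -o"C:\\dir with space", is not handled."""
    return [t[1:-1] if len(t) >= 2 and t.startswith('"') and t.endswith('"') else t
            for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def _basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


@dataclass
class ScheduledTask:
    name: str
    schedule: Optional[str]
    run: Optional[str]
    run_level: Optional[str]
    delay: Optional[str]
    force: bool

    @property
    def is_autorun(self) -> bool:
        return (self.schedule or "").upper() in AUTORUN_SCHEDULES

    @property
    def is_elevated(self) -> bool:
        return (self.run_level or "").upper() == "HIGHEST"


def parse_schtasks(tokens: List[str]) -> Optional[ScheduledTask]:
    """Parse `schtasks /Create ...`; returns None for any other command line."""
    if len(tokens) < 2 or _basename(tokens[0]) not in ("schtasks", "schtasks.exe"):
        return None
    if tokens[1].upper() != "/CREATE":
        return None
    values: Dict[str, str] = {}
    flags = set()
    i = 2
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("/"):
            key = tok[1:].upper()
            if key in SCHTASKS_VALUE_SWITCHES and i + 1 < len(tokens):
                values[key] = tokens[i + 1]
                i += 2
                continue
            flags.add(key)          # value-less switch such as /F
        i += 1
    if "TN" not in values:
        return None
    return ScheduledTask(name=values["TN"], schedule=values.get("SC"), run=values.get("TR"),
                         run_level=values.get("RL"), delay=values.get("DELAY"), force="F" in flags)


@dataclass
class ArchiveExtract:
    tool: str
    archive: str
    password: Optional[str]   # value of -p<pwd>; "" means 7-Zip would prompt
    out_dir: Optional[str]    # value of -o<dir>
    assume_yes: bool          # -y: overwrite without asking


def parse_7z(tokens: List[str]) -> Optional[ArchiveExtract]:
    """Parse a 7-Zip `e`/`x` extraction: first non-switch argument is the archive."""
    if len(tokens) < 3 or _basename(tokens[0]) not in ("7z.exe", "7za.exe", "7zr.exe", "7z", "7za"):
        return None
    if tokens[1] not in ("e", "x"):
        return None
    archive = password = out_dir = None
    assume_yes = False
    for tok in tokens[2:]:
        if tok.startswith("-p"):
            password = tok[2:]
        elif tok.startswith("-o"):
            out_dir = tok[2:]
        elif tok == "-y":
            assume_yes = True
        elif not tok.startswith("-") and archive is None:
            archive = tok
    if archive is None:
        return None
    return ArchiveExtract(tokens[0], archive, password, out_dir, assume_yes)


def triage(cmdlines: List[str]) -> Dict[str, object]:
    """Collect tasks, extractions and URLs, then link a task whose target lives
    inside a directory an archive was extracted to (drop-then-persist chain)."""
    tasks, extracts, urls = [], [], []
    for cmd in cmdlines:
        toks = tokenize(cmd)
        urls.extend(URL_RE.findall(cmd))
        task = parse_schtasks(toks)
        if task:
            tasks.append(task)
        extract = parse_7z(toks)
        if extract:
            extracts.append(extract)
    chains = []
    for task in tasks:
        for ex in extracts:
            if task.run and ex.out_dir and \
                    task.run.lower().startswith(ex.out_dir.lower().rstrip("\\") + "\\"):
                chains.append((ex.archive, task.name, task.run))
    return {"tasks": tasks, "extracts": extracts, "urls": urls, "chains": chains}


if __name__ == "__main__":
    for key, items in triage(CMDLINES).items():
        for item in items:
            print(f"{key}: {item}")
```

Run stand-alone it prints the parsed task (autorun, elevated, forced), the extraction (archive, password `vkd`, output directory) and the URL, plus one chain tying `5.14.zip` to the `impressive-clever` task target. The same parsers can be fed command lines from EDR telemetry to hunt for the pattern rather than this one sample.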
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3.1MB
  MD5: 533d56b88cefdb286a63f159b10f6abd
  SHA1: fd1868d9edae70d66aedd51d6a8d1cb533396517
  SHA256: cd019578773ab276df704fb4246453c8474b245b2564dcf9c538bf53e9ca3f8d
  SHA512: b59e02c201a070fea1619dbd4094ea3c8076ffb1872899f6547c1168b702c4db9275709efb538f53732cafbaa33a7da8e72ded5d81913bf9d48181ea728ef712
- Filesize: 5.9MB
  MD5: 9910448ffeec9cc75efb5d13ea748eb4
  SHA1: 2a3725c95ea04dc64e168e5e2e4ca60ce8f43764
  SHA256: 405c1c78198ad42ca2be86b7ee973ec883f7c3a4a444896439631dbf67fc6210
  SHA512: dee942daa8d3403ee9168d8914d2f2c93b3d3b011b442cf1d2d34ee73ed40927df660780aaa5fb68ce6c4708eb147d1992b922e65f00cae3f3b70eb6818c93fb
- Filesize: 383KB
  MD5: 8ca801d609496516de022c754e117a5f
  SHA1: 1d5eebe279163dfd4635418f37ec2fd25dc373ff
  SHA256: bf85b5a3688ad5e308068802cf89b79a90235bc774541ded956517eb41aa50b8
  SHA512: 036e6d5d1fe630cefc0b273de379069a93eb2b4f989a78be63d2c1aa597fcd038c3a192e49ff013600d02a39a73bfd6de2958d041c25748bb981d4648812397e
- Filesize: 574KB
  MD5: 42badc1d2f03a8b1e4875740d3d49336
  SHA1: cee178da1fb05f99af7a3547093122893bd1eb46
  SHA256: c136b1467d669a725478a6110ebaaab3cb88a3d389dfa688e06173c066b76fcf
  SHA512: 6bc519a7368ee6bd8c8f69f2d634dd18799b4ca31fbc284d2580ba625f3a88b6a52d2bc17bea0e75e63ca11c10356c47ee00c2c500294abcb5141424fc5dc71c
- Filesize: 352KB
  MD5: aadf4352d33ff9095ca64c25389eb82b
  SHA1: 0b1f088ce1c6b341d85cd0bea4c26036da89b26d
  SHA256: 3ada90b21b96154a200878c39da717c397743b07b74e9ae84b591eaf87a29b69
  SHA512: 16ec302bbca191df3e9cf49db109757cd621253b9b1a18a0d9e91566d34c4daf28d3ab99bf925fb56821321a8d3bf49e353bcad04480fce131931a4135fb1d1d