Analysis

max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29/05/2024, 04:28
Static task: static1

Behavioral task: behavioral1
  Sample: 3e76863efc9b779e7d4ff799df65dfc0_NeikiAnalytics.exe
  Resource: win7-20240221-en

Behavioral task: behavioral2
  Sample: 3e76863efc9b779e7d4ff799df65dfc0_NeikiAnalytics.exe
  Resource: win10v2004-20240508-en
General

Target: 3e76863efc9b779e7d4ff799df65dfc0_NeikiAnalytics.exe
Size: 144KB
MD5: 3e76863efc9b779e7d4ff799df65dfc0
SHA1: 45dbf8b77811d1c366fe33860fa6e587e1f6b85f
SHA256: 11d1c8debe5780af021f2e446cc3723968ef92424bfe56bedda1067f5956f1fd
SHA512: f4b0ea61fe68b6927df14005aaa84184d97465eade929eecb70e0b511b4c3d21029f0d6c6f10b86da1cdde880d6176fd6baf751fe1343c3597a485fed9a62d59
SSDEEP: 3072:l5SVkkgUgXC7AdYzrV+Dljy/32ubwZ/qJ:SUFCkdYzrVolu/J0Z/
Malware Config

Signatures

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation
  Process: 3e76863efc9b779e7d4ff799df65dfc0_NeikiAnalytics.exe

Executes dropped EXE (3 IoCs)
  pid   Process
  3176  WindowsService.exe
  2272  WindowsService.exe
  4012  WindowsService.exe

YARA rule match: upx (7 memory regions; the signature title for this table did not survive extraction)
  resource                                                                    yara_rule
  behavioral2/memory/1464-2-0x0000000000400000-0x000000000040B000-memory.dmp   upx
  behavioral2/memory/1464-6-0x0000000000400000-0x000000000040B000-memory.dmp   upx
  behavioral2/memory/1464-7-0x0000000000400000-0x000000000040B000-memory.dmp   upx
  behavioral2/memory/1464-33-0x0000000000400000-0x000000000040B000-memory.dmp  upx
  behavioral2/memory/1464-51-0x0000000000400000-0x000000000040B000-memory.dmp  upx
  behavioral2/memory/2272-46-0x0000000000400000-0x000000000040B000-memory.dmp  upx
  behavioral2/memory/2272-52-0x0000000000400000-0x000000000040B000-memory.dmp  upx

Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sidebar = "C:\\Users\\Admin\\AppData\\Roaming\\SystemWindows\\WindowsService.exe"
  Process: reg.exe

Suspicious use of SetThreadContext (3 IoCs)
  description                          pid   Process                                              procid_target
  PID 4196 set thread context of 1464  4196  3e76863efc9b779e7d4ff799df65dfc0_NeikiAnalytics.exe  93
  PID 3176 set thread context of 2272  3176  WindowsService.exe                                   99
  PID 3176 set thread context of 4012  3176  WindowsService.exe                                   100

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of AdjustPrivilegeToken (64 IoCs)
  description              pid   Process             occurrences
  Token: SeDebugPrivilege  2272  WindowsService.exe  64 (all entries identical)

Suspicious use of SetWindowsHookEx (4 IoCs)
  pid   Process
  4196  3e76863efc9b779e7d4ff799df65dfc0_NeikiAnalytics.exe
  1464  3e76863efc9b779e7d4ff799df65dfc0_NeikiAnalytics.exe
  3176  WindowsService.exe
  2272  WindowsService.exe

Suspicious use of WriteProcessMemory (39 IoCs)
  description                        pid   Process                                              procid_target  occurrences
  PID 4196 wrote to memory of 1464   4196  3e76863efc9b779e7d4ff799df65dfc0_NeikiAnalytics.exe  93             8
  PID 1464 wrote to memory of 4948   1464  3e76863efc9b779e7d4ff799df65dfc0_NeikiAnalytics.exe  94             3
  PID 4948 wrote to memory of 336    4948  cmd.exe                                              97             3
  PID 1464 wrote to memory of 3176   1464  3e76863efc9b779e7d4ff799df65dfc0_NeikiAnalytics.exe  98             3
  PID 3176 wrote to memory of 2272   3176  WindowsService.exe                                   99             8
  PID 3176 wrote to memory of 4012   3176  WindowsService.exe                                   100            14
Processes

(depth 1) C:\Users\Admin\AppData\Local\Temp\3e76863efc9b779e7d4ff799df65dfc0_NeikiAnalytics.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\3e76863efc9b779e7d4ff799df65dfc0_NeikiAnalytics.exe"
  PID: 4196
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  (depth 2) C:\Users\Admin\AppData\Local\Temp\3e76863efc9b779e7d4ff799df65dfc0_NeikiAnalytics.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\3e76863efc9b779e7d4ff799df65dfc0_NeikiAnalytics.exe"
    PID: 1464
    - Checks computer location settings
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    (depth 3) C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WTHTE.bat" "
      PID: 4948
      - Suspicious use of WriteProcessMemory

      (depth 4) C:\Windows\SysWOW64\reg.exe
        Command line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "sidebar" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe" /f
        PID: 336
        - Adds Run key to start application

    (depth 3) C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe
      Command line: "C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe"
      PID: 3176
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      (depth 4) C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe
        Command line: "C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe"
        PID: 2272
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx

      (depth 4) C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe
        Command line: "C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe"
        PID: 4012
        - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads

Download 1 (no filename recorded)
  Filesize: 157B
  MD5: f6a90c20834f271a907a4e2bc28184c2
  SHA1: 36c9d1602b74f622346fbb22693597d7889df48d
  SHA256: 73f29cd953eee40cea4de67842556ffd96efe8094a6a9b70f33a35df2582febd
  SHA512: 39cabae19fe1faa37455e4bd242c868be60d6252b07f01224b3f7501c3cf734e503300b840d83381a452707cab6df2f95f920655884be56d4024676b26943804

Download 2 (no filename recorded)
  Filesize: 144KB
  MD5: d8c981ad6fd6d450e536960aefbc8b83
  SHA1: a0b5f04f84dfa95690510595968a83374a458304
  SHA256: 7c980e926d011cc83ee854c6447cd7eb6214beff4cd5baeebe0c0dc58dc62518
  SHA512: 143254016cba398ee799f67f93d8a363fcf2200623c418bb57968e562200f4b8a2399b0014f38337539904e3a6c167235adc3b4bf2fd79b94dd1333825c810a6