11d1c8debe5780af021f2e446cc3723968ef92424bfe56bedda1067f5956f1fd

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
29/05/2024, 04:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3e76863efc9b779e7d4ff799df65dfc0_NeikiAnalytics.exe
Size

144KB
MD5

3e76863efc9b779e7d4ff799df65dfc0
SHA1

45dbf8b77811d1c366fe33860fa6e587e1f6b85f
SHA256

11d1c8debe5780af021f2e446cc3723968ef92424bfe56bedda1067f5956f1fd
SHA512

f4b0ea61fe68b6927df14005aaa84184d97465eade929eecb70e0b511b4c3d21029f0d6c6f10b86da1cdde880d6176fd6baf751fe1343c3597a485fed9a62d59
SSDEEP

3072:l5SVkkgUgXC7AdYzrV+Dljy/32ubwZ/qJ:SUFCkdYzrVolu/J0Z/

Score

7^/10

persistence upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	3e76863efc9b779e7d4ff799df65dfc0_NeikiAnalytics.exe

Executes dropped EXE 3 IoCs

pid	Process
3176	WindowsService.exe
2272	WindowsService.exe
4012	WindowsService.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1464-2-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/1464-6-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/1464-7-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/1464-33-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/1464-51-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/2272-46-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/2272-52-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sidebar = "C:\\Users\\Admin\\AppData\\Roaming\\SystemWindows\\WindowsService.exe"	reg.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 4196 set thread context of 1464	4196	3e76863efc9b779e7d4ff799df65dfc0_NeikiAnalytics.exe	93
PID 3176 set thread context of 2272	3176	WindowsService.exe	99
PID 3176 set thread context of 4012	3176	WindowsService.exe	100

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2272	WindowsService.exe
Token: SeDebugPrivilege	2272	WindowsService.exe
Token: SeDebugPrivilege	2272	WindowsService.exe
Token: SeDebugPrivilege	2272	WindowsService.exe
Token: SeDebugPrivilege	2272	WindowsService.exe
Token: SeDebugPrivilege	2272	WindowsService.exe
Token: SeDebugPrivilege	2272	WindowsService.exe
Token: SeDebugPrivilege	2272	WindowsService.exe
Token: SeDebugPrivilege	2272	WindowsService.exe
Token: SeDebugPrivilege	2272	WindowsService.exe
Token: SeDebugPrivilege	2272	WindowsService.exe
Token: SeDebugPrivilege	2272	WindowsService.exe
Token: SeDebugPrivilege	2272	WindowsService.exe
Token: SeDebugPrivilege	2272	WindowsService.exe
Token: SeDebugPrivilege	2272	WindowsService.exe
Token: SeDebugPrivilege	2272	WindowsService.exe
Token: SeDebugPrivilege	2272	WindowsService.exe
Token: SeDebugPrivilege	2272	WindowsService.exe
Token: SeDebugPrivilege	2272	WindowsService.exe
Token: SeDebugPrivilege	2272	WindowsService.exe
Token: SeDebugPrivilege	2272	WindowsService.exe
Token: SeDebugPrivilege	2272	WindowsService.exe
Token: SeDebugPrivilege	2272	WindowsService.exe
Token: SeDebugPrivilege	2272	WindowsService.exe
Token: SeDebugPrivilege	2272	WindowsService.exe
Token: SeDebugPrivilege	2272	WindowsService.exe
Token: SeDebugPrivilege	2272	WindowsService.exe
Token: SeDebugPrivilege	2272	WindowsService.exe
Token: SeDebugPrivilege	2272	WindowsService.exe
Token: SeDebugPrivilege	2272	WindowsService.exe
Token: SeDebugPrivilege	2272	WindowsService.exe
Token: SeDebugPrivilege	2272	WindowsService.exe
Token: SeDebugPrivilege	2272	WindowsService.exe
Token: SeDebugPrivilege	2272	WindowsService.exe
Token: SeDebugPrivilege	2272	WindowsService.exe
Token: SeDebugPrivilege	2272	WindowsService.exe
Token: SeDebugPrivilege	2272	WindowsService.exe
Token: SeDebugPrivilege	2272	WindowsService.exe
Token: SeDebugPrivilege	2272	WindowsService.exe
Token: SeDebugPrivilege	2272	WindowsService.exe
Token: SeDebugPrivilege	2272	WindowsService.exe
Token: SeDebugPrivilege	2272	WindowsService.exe
Token: SeDebugPrivilege	2272	WindowsService.exe
Token: SeDebugPrivilege	2272	WindowsService.exe
Token: SeDebugPrivilege	2272	WindowsService.exe
Token: SeDebugPrivilege	2272	WindowsService.exe
Token: SeDebugPrivilege	2272	WindowsService.exe
Token: SeDebugPrivilege	2272	WindowsService.exe
Token: SeDebugPrivilege	2272	WindowsService.exe
Token: SeDebugPrivilege	2272	WindowsService.exe
Token: SeDebugPrivilege	2272	WindowsService.exe
Token: SeDebugPrivilege	2272	WindowsService.exe
Token: SeDebugPrivilege	2272	WindowsService.exe
Token: SeDebugPrivilege	2272	WindowsService.exe
Token: SeDebugPrivilege	2272	WindowsService.exe
Token: SeDebugPrivilege	2272	WindowsService.exe
Token: SeDebugPrivilege	2272	WindowsService.exe
Token: SeDebugPrivilege	2272	WindowsService.exe
Token: SeDebugPrivilege	2272	WindowsService.exe
Token: SeDebugPrivilege	2272	WindowsService.exe
Token: SeDebugPrivilege	2272	WindowsService.exe
Token: SeDebugPrivilege	2272	WindowsService.exe
Token: SeDebugPrivilege	2272	WindowsService.exe
Token: SeDebugPrivilege	2272	WindowsService.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4196	3e76863efc9b779e7d4ff799df65dfc0_NeikiAnalytics.exe
1464	3e76863efc9b779e7d4ff799df65dfc0_NeikiAnalytics.exe
3176	WindowsService.exe
2272	WindowsService.exe

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 4196 wrote to memory of 1464	4196	3e76863efc9b779e7d4ff799df65dfc0_NeikiAnalytics.exe	93
PID 4196 wrote to memory of 1464	4196	3e76863efc9b779e7d4ff799df65dfc0_NeikiAnalytics.exe	93
PID 4196 wrote to memory of 1464	4196	3e76863efc9b779e7d4ff799df65dfc0_NeikiAnalytics.exe	93
PID 4196 wrote to memory of 1464	4196	3e76863efc9b779e7d4ff799df65dfc0_NeikiAnalytics.exe	93
PID 4196 wrote to memory of 1464	4196	3e76863efc9b779e7d4ff799df65dfc0_NeikiAnalytics.exe	93
PID 4196 wrote to memory of 1464	4196	3e76863efc9b779e7d4ff799df65dfc0_NeikiAnalytics.exe	93
PID 4196 wrote to memory of 1464	4196	3e76863efc9b779e7d4ff799df65dfc0_NeikiAnalytics.exe	93
PID 4196 wrote to memory of 1464	4196	3e76863efc9b779e7d4ff799df65dfc0_NeikiAnalytics.exe	93
PID 1464 wrote to memory of 4948	1464	3e76863efc9b779e7d4ff799df65dfc0_NeikiAnalytics.exe	94
PID 1464 wrote to memory of 4948	1464	3e76863efc9b779e7d4ff799df65dfc0_NeikiAnalytics.exe	94
PID 1464 wrote to memory of 4948	1464	3e76863efc9b779e7d4ff799df65dfc0_NeikiAnalytics.exe	94
PID 4948 wrote to memory of 336	4948	cmd.exe	97
PID 4948 wrote to memory of 336	4948	cmd.exe	97
PID 4948 wrote to memory of 336	4948	cmd.exe	97
PID 1464 wrote to memory of 3176	1464	3e76863efc9b779e7d4ff799df65dfc0_NeikiAnalytics.exe	98
PID 1464 wrote to memory of 3176	1464	3e76863efc9b779e7d4ff799df65dfc0_NeikiAnalytics.exe	98
PID 1464 wrote to memory of 3176	1464	3e76863efc9b779e7d4ff799df65dfc0_NeikiAnalytics.exe	98
PID 3176 wrote to memory of 2272	3176	WindowsService.exe	99
PID 3176 wrote to memory of 2272	3176	WindowsService.exe	99
PID 3176 wrote to memory of 2272	3176	WindowsService.exe	99
PID 3176 wrote to memory of 2272	3176	WindowsService.exe	99
PID 3176 wrote to memory of 2272	3176	WindowsService.exe	99
PID 3176 wrote to memory of 2272	3176	WindowsService.exe	99
PID 3176 wrote to memory of 2272	3176	WindowsService.exe	99
PID 3176 wrote to memory of 2272	3176	WindowsService.exe	99
PID 3176 wrote to memory of 4012	3176	WindowsService.exe	100
PID 3176 wrote to memory of 4012	3176	WindowsService.exe	100
PID 3176 wrote to memory of 4012	3176	WindowsService.exe	100
PID 3176 wrote to memory of 4012	3176	WindowsService.exe	100
PID 3176 wrote to memory of 4012	3176	WindowsService.exe	100
PID 3176 wrote to memory of 4012	3176	WindowsService.exe	100
PID 3176 wrote to memory of 4012	3176	WindowsService.exe	100
PID 3176 wrote to memory of 4012	3176	WindowsService.exe	100
PID 3176 wrote to memory of 4012	3176	WindowsService.exe	100
PID 3176 wrote to memory of 4012	3176	WindowsService.exe	100
PID 3176 wrote to memory of 4012	3176	WindowsService.exe	100
PID 3176 wrote to memory of 4012	3176	WindowsService.exe	100
PID 3176 wrote to memory of 4012	3176	WindowsService.exe	100
PID 3176 wrote to memory of 4012	3176	WindowsService.exe	100

C:\Users\Admin\AppData\Local\Temp\3e76863efc9b779e7d4ff799df65dfc0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\3e76863efc9b779e7d4ff799df65dfc0_NeikiAnalytics.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4196
- C:\Users\Admin\AppData\Local\Temp\3e76863efc9b779e7d4ff799df65dfc0_NeikiAnalytics.exe
  "C:\Users\Admin\AppData\Local\Temp\3e76863efc9b779e7d4ff799df65dfc0_NeikiAnalytics.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1464
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WTHTE.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4948
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "sidebar" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe" /f
      4⤵
      Adds Run key to start application
      PID:336
- - C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe
    "C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3176
  - - C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe
      "C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:2272
  - - C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe
      "C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe"
      4⤵
      Executes dropped EXE
      PID:4012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\WTHTE.txt

Filesize
157B

MD5
f6a90c20834f271a907a4e2bc28184c2

SHA1
36c9d1602b74f622346fbb22693597d7889df48d

SHA256
73f29cd953eee40cea4de67842556ffd96efe8094a6a9b70f33a35df2582febd

SHA512
39cabae19fe1faa37455e4bd242c868be60d6252b07f01224b3f7501c3cf734e503300b840d83381a452707cab6df2f95f920655884be56d4024676b26943804

Download Submit
C:\Users\Admin\AppData\Roaming\SystemWindows\WindowsService.exe

Filesize
144KB

MD5
d8c981ad6fd6d450e536960aefbc8b83

SHA1
a0b5f04f84dfa95690510595968a83374a458304

SHA256
7c980e926d011cc83ee854c6447cd7eb6214beff4cd5baeebe0c0dc58dc62518

SHA512
143254016cba398ee799f67f93d8a363fcf2200623c418bb57968e562200f4b8a2399b0014f38337539904e3a6c167235adc3b4bf2fd79b94dd1333825c810a6

Download Submit
memory/1464-51-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1464-6-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1464-7-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1464-33-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1464-2-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2272-52-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2272-46-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/3176-37-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3176-48-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4012-39-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4012-47-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4012-42-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4012-45-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4012-53-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4196-5-0x0000000002AC0000-0x0000000002AC1000-memory.dmp

Filesize
4KB

Download
memory/4196-3-0x0000000002A80000-0x0000000002A81000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads