Analysis
Max time kernel: 149s
Max time network: 121s
Platform: windows7_x64
Resource: win7-20240221-en
Resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
Submitted: 29-05-2024 05:39

Static task: static1
Behavioral task: behavioral1
  Sample: 46f7eca5a758e66bfc05492efe2e11c0_NeikiAnalytics.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 46f7eca5a758e66bfc05492efe2e11c0_NeikiAnalytics.exe
  Resource: win10v2004-20240426-en

The signatures and process tree below are from the Windows 7 x64 run (behavioral1).
General
Target: 46f7eca5a758e66bfc05492efe2e11c0_NeikiAnalytics.exe
Size: 82KB
MD5: 46f7eca5a758e66bfc05492efe2e11c0
SHA1: ac83b0b7467b511f451e81feafa40af0a619579f
SHA256: c6e0b5361afd7c8f30ae507d6b93beae60b3db62cbf8a2b9fe1be5653461215e
SHA512: 6365013ba64566137d7da1c4112c1955226ffe1fcad8559cd28fb2f7caa9b5577df8cd4ade562640381e808c9846c91b0d502ebc7e6961e3023fc9264a48028e
SSDEEP: 1536:Z1Sbpfv5DOWknf7LAQkhB5EQr5+WkukyZVYdzw:6bpfhDOW7hBhrIqJ1
Malware Config
(no configuration extracted in this report)

Signatures
Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PDF Reader Launcher.exe
  Process: COM7.EXE
  Anything in the per-user Startup folder runs at every interactive logon of that account, so this is the persistence that is confirmed on disk by the report.

Executes dropped EXE (4 IoCs)
  PID 2768  ashcv.exe
  PID 2992  COM7.EXE
  PID 2664  ashcv.exe
  PID 2452  COM7.EXE

Loads dropped DLL (8 IoCs)
  PID 2940  46f7eca5a758e66bfc05492efe2e11c0_NeikiAnalytics.exe  (4 hits)
  PID 2992  COM7.EXE  (2 hits)
  PID 2768  ashcv.exe  (2 hits)

Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\COM_LOADER = "\\.\F:\Program Files\PDF_Reader\bin\COM7.EXE"
  Process: reg.exe
  The report prints the value data backslash-escaped; the data as written by the reg.exe command line (see the process tree) is \\.\F:\Program Files\PDF_Reader\bin\COM7.EXE. Two things stand out: the Win32 device-namespace prefix \\.\ in front of a drive letter, which legitimate Run entries almost never use, and a target on an F: volume that this report never shows being written to. On a host without that path the Run entry is dead, so when triaging an infected machine check whether F:\Program Files\PDF_Reader\bin\COM7.EXE actually exists (a removable drive is a likely candidate given the storage-enumeration signature below) rather than assuming the value is live.

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Modifies registry key (1 TTP, 1 IoC)
  PID 2748  reg.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Hits alternate mostly between PID 2940 (46f7eca5a758e66bfc05492efe2e11c0_NeikiAnalytics.exe) and PID 2992 (COM7.EXE); PID 2768 and PID 2664 (ashcv.exe) and PID 2452 (COM7.EXE) each appear once.

Suspicious use of SetWindowsHookEx (1 IoC)
  PID 2768  ashcv.exe

Suspicious use of WriteProcessMemory (20 IoCs)
  Each parent/child pair is logged four times; procid_target in parentheses.
  PID 2940 (46f7eca5a758e66bfc05492efe2e11c0_NeikiAnalytics.exe) wrote to memory of PID 2768 ashcv.exe (28)
  PID 2940 (46f7eca5a758e66bfc05492efe2e11c0_NeikiAnalytics.exe) wrote to memory of PID 2992 COM7.EXE (29)
  PID 2992 (COM7.EXE) wrote to memory of PID 2748 reg.exe (30)
  PID 2992 (COM7.EXE) wrote to memory of PID 2664 ashcv.exe (32)
  PID 2768 (ashcv.exe) wrote to memory of PID 2452 COM7.EXE (33)
  Every write targets a child the writer itself spawned (compare the process tree), which is consistent with ordinary process creation; on its own it is not evidence of injection into an unrelated process.
Processes
[1] C:\Users\Admin\AppData\Local\Temp\46f7eca5a758e66bfc05492efe2e11c0_NeikiAnalytics.exe (PID 2940)
    Command line: "C:\Users\Admin\AppData\Local\Temp\46f7eca5a758e66bfc05492efe2e11c0_NeikiAnalytics.exe"
    Signatures: Loads dropped DLL; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Local\Temp\Rar$EX7.sr77\ashcv.exe (PID 2768)
        Command line: \\.\C:\Users\Admin\AppData\Local\Temp\Rar$EX7.sr77\ashcv.exe
        Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
        [3] C:\Users\Admin\AppData\Local\Temp\Rar$EX7.sr77\COM7.EXE (PID 2452)
            Command line: \\.\C:\Users\Admin\AppData\Local\Temp\Rar$EX7.sr77\COM7.EXE
            Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses
    [2] C:\Users\Admin\AppData\Local\Temp\Rar$EX7.sr77\COM7.EXE (PID 2992)
        Command line: \\.\C:\Users\Admin\AppData\Local\Temp\Rar$EX7.sr77\COM7.EXE
        Signatures: Drops startup file; Executes dropped EXE; Loads dropped DLL; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
        [3] C:\Windows\SysWOW64\reg.exe (PID 2748)
            Command line: "C:\Windows\System32\reg.exe" ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /f /t REG_SZ /v COM_LOADER /d "\\.\F:\Program Files\PDF_Reader\bin\COM7.EXE"
            Signatures: Adds Run key to start application; Modifies registry key
        [3] C:\Users\Admin\AppData\Local\Temp\Rar$EX7.sr77\ashcv.exe (PID 2664)
            Command line: \\.\C:\Users\Admin\AppData\Local\Temp\Rar$EX7.sr77\ashcv.exe
            Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses

Notes on the tree:
  The Rar$EX7.sr77 directory under Temp is the naming pattern WinRAR's self-extracting stub uses for its extraction folder, so the 82KB sample is most likely an SFX archive that unpacks ashcv.exe and COM7.EXE and launches them from there.
  The reg.exe command line names C:\Windows\System32\reg.exe but the image that ran is C:\Windows\SysWOW64\reg.exe: WOW64 file-system redirection, which tells you COM7.EXE is a 32-bit process.
  Every dropped binary is launched through a \\.\ device-namespace path, the same prefix used in the Run value. Process command lines or Run values that begin with \\.\ followed by a drive letter are a cheap, high-signal hunt pivot for this family.
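The persistence chain above (a Run value written through reg.exe, a \\.\ device-namespace target on a non-system drive, and a drop into the per-user Startup folder) is exactly what a responder wants to pull out of process-creation, registry-write and file-create telemetry. The following triage helper is an added example, not part of the sandbox report or of the sample: it parses a reg.exe ADD command line, un-escapes the doubled backslashes a sandbox prints in registry data, and emits one finding per indicator. The event dictionary shapes, the SYSTEM_DRIVE constant and the benign control entry (Updater) are assumptions constructed for the example; the other sample events are lifted from the report.

```python
"""Triage helper: flag Run-key and Startup-folder persistence from constructed
process-creation, registry-write and file-create events (added example)."""
import re
from dataclasses import dataclass

# Autostart locations seen in the report.
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?$", re.I)
STARTUP_DIR_RE = re.compile(r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\", re.I)
# \\.\X: or \\?\X: is the Win32 device namespace; rare in legitimate Run values.
DEVICE_PREFIX_RE = re.compile(r"^\\\\[.?]\\(?=[A-Za-z]:)")
SYSTEM_DRIVE = "C:"  # assumption: the analysed host's Windows install drive


@dataclass(frozen=True)
class Finding:
    rule: str
    detail: str


def split_cmdline(cmdline: str) -> list[str]:
    """Quote-aware whitespace split that keeps backslashes verbatim."""
    toks, cur, in_quotes = [], [], False
    for ch in cmdline:
        if ch == '"':
            in_quotes = not in_quotes
        elif ch.isspace() and not in_quotes:
            if cur:
                toks.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        toks.append("".join(cur))
    return toks


def parse_reg_add(cmdline: str):
    """Return (key, value_name, data) for a `reg.exe ADD` command line, else None."""
    toks = split_cmdline(cmdline)
    if len(toks) < 3 or not toks[0].lower().endswith("reg.exe") or toks[1].upper() != "ADD":
        return None
    key, name, data = toks[2], "", ""
    i = 3
    while i < len(toks):
        flag = toks[i].lower()
        if flag in ("/v", "/d", "/t") and i + 1 < len(toks):  # flags that take a value
            if flag == "/v":
                name = toks[i + 1]
            elif flag == "/d":
                data = toks[i + 1]
            i += 2
        else:  # /f, /ve and anything unknown: no argument
            i += 1
    return key, name, data


def unescape_sandbox(s: str) -> str:
    """Sandbox reports print registry data with doubled backslashes; undo that."""
    return s.replace("\\\\", "\\")


def analyze_run_value(key: str, name: str, data: str) -> list[Finding]:
    """One finding for the Run write itself, plus one per suspicious trait of its target."""
    if not RUN_KEY_RE.search(key):
        return []
    findings = [Finding("run_key_persistence", f"{key}\\{name} = {data}")]
    m = DEVICE_PREFIX_RE.match(data)
    target = data[m.end():] if m else data
    if m:
        findings.append(Finding("device_namespace_prefix", data))
    drive = target[:2].upper()
    if re.fullmatch(r"[A-Z]:", drive) and drive != SYSTEM_DRIVE:
        findings.append(Finding("non_system_drive_target", target))
    return findings


def analyze_file_create(path: str) -> list[Finding]:
    return [Finding("startup_folder_drop", path)] if STARTUP_DIR_RE.search(path) else []


def triage(events: list[dict]) -> list[Finding]:
    """events: dicts with 'type' in {'process', 'reg_set', 'file_create'} (assumed shape)."""
    out: list[Finding] = []
    for ev in events:
        if ev["type"] == "process":
            parsed = parse_reg_add(ev["cmdline"])
            if parsed:
                out.extend(analyze_run_value(*parsed))
        elif ev["type"] == "reg_set":
            out.extend(analyze_run_value(ev["key"], ev["name"], unescape_sandbox(ev["data"])))
        elif ev["type"] == "file_create":
            out.extend(analyze_file_create(ev["path"]))
    return out


# Constructed sample events: three lifted from the report, one benign control.
SAMPLE_EVENTS = [
    {"type": "process",
     "cmdline": r'"C:\Windows\System32\reg.exe" ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run '
                r'/f /t REG_SZ /v COM_LOADER /d "\\.\F:\Program Files\PDF_Reader\bin\COM7.EXE"'},
    {"type": "reg_set",
     "key": r"\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run",
     "name": "COM_LOADER",
     "data": r"\\\\.\\F:\\Program Files\\PDF_Reader\\bin\\COM7.EXE"},
    {"type": "file_create",
     "path": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PDF Reader Launcher.exe"},
    {"type": "process",  # benign-looking control: system drive, no device prefix
     "cmdline": r'reg.exe ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Updater /d "C:\Program Files\Vendor\updater.exe" /f'},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f.rule:26} {f.detail}")
```

Feeding Sysmon Event ID 1 (command line), 13 (registry value set) and 11 (file create) fields into the same three event shapes turns this into a host-side hunt; the benign control shows that a plain Run write on the system drive yields a single low-confidence finding, while the report's entry yields three.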
Network
(no entries in this report)

MITRE ATT&CK Enterprise v15
(no technique IDs are rendered in this report; the Run-key and Startup-folder behaviours above correspond to T1547.001, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder)
Downloads
Two dropped files are offered for download; the report lists their hashes but not their names.

Download 1
  Filesize: 82KB
  MD5: 8bcaa4846dd3141f1b550ab077be6906
  SHA1: f06ff60e60dfc24bfad31b0fe70032b93bdcf358
  SHA256: d58a385300e16966a5452a68d7b3e947dcbd5ef40f0297cde5faf169e67be600
  SHA512: ebdaccc1d3d98c14200ef8b90ed1a567001abb754f53f6484010771c80441556d9c9f020311178303829410631336c97cd25eff777d2a76e2e1cd092c75dd832

Download 2
  Filesize: 82KB
  MD5: 65cf465c68dc75c010cb026378754d89
  SHA1: 04fd471da08a22226f6ddb935b5674bac287a304
  SHA256: 5a7d1817c6539be286adbdd94cfe7e6a204981147d86a253b919515ae46cb84a
  SHA512: 88b5dc31cb5af2930d4133747841e5f5fb171f176639ef35e2852acf34e9d969706d76f6b2486762a2cd26bc327a374c8545af37bb72e49f82dba6f6798ac06c