Analysis
- max time kernel: 150s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
- submitted: 29/05/2024, 06:41
Static task: static1
Behavioral task: behavioral1
- Sample: 4903da44715125341c8e6be31c26f790_NeikiAnalytics.exe
- Resource: win7-20240508-en
Behavioral task: behavioral2
- Sample: 4903da44715125341c8e6be31c26f790_NeikiAnalytics.exe
- Resource: win10v2004-20240508-en
General
- Target: 4903da44715125341c8e6be31c26f790_NeikiAnalytics.exe
- Size: 53KB
- MD5: 4903da44715125341c8e6be31c26f790
- SHA1: 8bc128586e5388c3d50deb0284c0f2e8ee7dcc89
- SHA256: 31d09fe960c020e90e67f1b035ed60731da93ce6f7fd120101058c6b379b11eb
- SHA512: e93e7e7917282da3a941072aa934964f43b16ed557c2f99578fdea809b2d535a667ccc058682909a802bcf4fb3e73784782c1f22df52a792647aad4837167902
- SSDEEP: 1536:vNng8r8QI678Ki7Kp3StjEMjmLM3ztDJWZsXy4JzxPME:e6785JJjmLM3zRJWZsXy4Jt
Malware Config
Signatures
-
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
- Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0", written by dfziam.exe
Executes dropped EXE (1 IoC)
- PID 1968 dfziam.exe
Loads dropped DLL (2 IoCs)
- PID 2132 4903da44715125341c8e6be31c26f790_NeikiAnalytics.exe (two loads)
Adds Run key to start application (2 TTPs, 1 IoC)
- Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\dfziam = "C:\\Users\\Admin\\dfziam.exe", written by dfziam.exe (the dropped file registers itself for autostart)
Enumerates physical storage devices (1 TTP)
- Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (64 IoCs)
- All 64 listed entries are PID 1968 dfziam.exe. Both this and the WriteProcessMemory list below stop at exactly 64 entries, which is likely the report's display cap rather than the true call count.
Suspicious use of SetWindowsHookEx (2 IoCs)
- PID 2132 4903da44715125341c8e6be31c26f790_NeikiAnalytics.exe
- PID 1968 dfziam.exe
Suspicious use of WriteProcessMemory (64 IoCs)
- PID 2132 (4903da44715125341c8e6be31c26f790_NeikiAnalytics.exe) wrote to memory of PID 1968 (dfziam.exe), procid_target 28: 4 entries
- PID 1968 (dfziam.exe) wrote to memory of PID 2132 (4903da44715125341c8e6be31c26f790_NeikiAnalytics.exe), procid_target 27: 60 entries
The cross-process writes run in both directions: the original sample writes into the dropped child, and the dropped child then writes repeatedly back into its parent.
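The two registry IoCs above (a Run value pointing at an executable in the profile root, and ShowSuperHidden zeroed by a non-Explorer process) together with the file hashes are what a host-side detection would key on. The following is an added example written for this page, not code from the sandbox or its signature engine. It runs a small rule set over constructed Sysmon-style events (Event ID 1 process create, Event ID 13 registry value set, using those events' field names) that mirror the report's process tree and registry writes, plus two benign look-alikes the rules must not flag. It assumes that the second SHA256 (the file listed under Downloads) is the dropped dfziam.exe; the SID and paths are taken from the report.

```python
"""Detection logic for this report's host IoCs over constructed Sysmon-style
events.  Added example for this page, not the sandbox's own code.  Assumes
Sysmon Event ID 1 / 13 field names and that DROPPED_SHA256 (the Downloads
entry) is the dropped dfziam.exe."""
import re
from dataclasses import dataclass

# SHA256 values copied from the report.
SAMPLE_SHA256 = "31d09fe960c020e90e67f1b035ed60731da93ce6f7fd120101058c6b379b11eb"
DROPPED_SHA256 = "2a96e822488b5d6f309b74571aaeb8fdf683333819ce39f5e34f56115f34a612"
KNOWN_SHA256 = {SAMPLE_SHA256, DROPPED_SHA256}

RUN_VALUE_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\(?P<name>[^\\]+)$", re.I)
SHOW_SUPER_HIDDEN_RE = re.compile(r"\\Explorer\\Advanced\\ShowSuperHidden$", re.I)
# An .exe directly in a profile root (C:\Users\<user>\x.exe), where dfziam.exe lands.
PROFILE_ROOT_EXE_RE = re.compile(r"^[A-Z]:\\Users\\[^\\]+\\[^\\]+\.exe$", re.I)
DWORD_RE = re.compile(r"DWORD \(0x([0-9A-Fa-f]{8})\)")
SHA256_FIELD_RE = re.compile(r"SHA256=([0-9A-Fa-f]{64})")


@dataclass(frozen=True)
class Finding:
    rule: str
    image: str
    detail: str


def parse_dword(details):
    """Sysmon renders DWORD values as 'DWORD (0x00000000)'; return the int or None."""
    m = DWORD_RE.search(details or "")
    return int(m.group(1), 16) if m else None


def normalize_path(p):
    return p.strip().strip('"').lower()


def check_event(ev):
    """Return the findings for one event; an empty list means nothing matched."""
    findings = []
    image = ev.get("Image", "")
    if ev.get("EventID") == 1:
        m = SHA256_FIELD_RE.search(ev.get("Hashes", ""))
        if m and m.group(1).lower() in KNOWN_SHA256:
            findings.append(Finding("known_sample_hash", image, m.group(1).lower()))
        if PROFILE_ROOT_EXE_RE.match(image):
            findings.append(Finding("exe_in_profile_root", image, ev.get("ParentImage", "")))
    elif ev.get("EventID") == 13:
        target = ev.get("TargetObject", "")
        details = str(ev.get("Details", ""))
        m = RUN_VALUE_RE.search(target)
        if m and PROFILE_ROOT_EXE_RE.match(normalize_path(details)):
            # The report's case: dfziam.exe writes Run\dfziam pointing at itself.
            self_persist = normalize_path(details) == normalize_path(image)
            rule = "run_key_self_persist" if self_persist else "run_key_profile_root_exe"
            findings.append(Finding(rule, image, f"{m.group('name')} = {details}"))
        if SHOW_SUPER_HIDDEN_RE.search(target) and parse_dword(details) == 0:
            # 0 is also the Windows default and what Folder Options writes through
            # Explorer, so only a non-Explorer writer is worth surfacing.
            if not normalize_path(image).endswith("\\windows\\explorer.exe"):
                findings.append(Finding("show_super_hidden_zeroed_by_non_explorer", image, details))
    return findings


def scan(events):
    return [f for ev in events for f in check_event(ev)]


def summarize(events):
    counts = {}
    for f in scan(events):
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


# Constructed events mirroring the report, plus two benign look-alikes.
SID = "S-1-5-21-2737914667-933161113-3798636211-1000"  # user SID from the report
USER_HIVE = "HKU\\" + SID
SAMPLE_EXE = r"C:\Users\Admin\AppData\Local\Temp\4903da44715125341c8e6be31c26f790_NeikiAnalytics.exe"
DROPPED_EXE = r"C:\Users\Admin\dfziam.exe"
ADVANCED_KEY = USER_HIVE + r"\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
RUN_KEY = USER_HIVE + r"\Software\Microsoft\Windows\CurrentVersion\Run"

SAMPLE_EVENTS = [
    {"EventID": 1, "Image": SAMPLE_EXE, "ParentImage": r"C:\Windows\explorer.exe",
     "Hashes": "SHA256=" + SAMPLE_SHA256},
    {"EventID": 1, "Image": DROPPED_EXE, "ParentImage": SAMPLE_EXE,
     "Hashes": "SHA256=" + DROPPED_SHA256},
    {"EventID": 13, "Image": DROPPED_EXE, "TargetObject": RUN_KEY + r"\dfziam",
     "Details": DROPPED_EXE},
    {"EventID": 13, "Image": DROPPED_EXE, "TargetObject": ADVANCED_KEY + r"\ShowSuperHidden",
     "Details": "DWORD (0x00000000)"},
    # Benign: the user unticks "Show protected operating system files" in Folder Options.
    {"EventID": 13, "Image": r"C:\Windows\explorer.exe",
     "TargetObject": ADVANCED_KEY + r"\ShowSuperHidden", "Details": "DWORD (0x00000000)"},
    # Benign: an installer registers an updater under Program Files.
    {"EventID": 13, "Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetObject": RUN_KEY + r"\VendorUpdater",
     "Details": r"C:\Program Files\Vendor\updater.exe"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

The ShowSuperHidden rule deliberately ignores writes from explorer.exe: the value is 0 on a stock install and is rewritten by Folder Options, so the signal in this report is the writer (a freshly dropped .exe in the profile root), not the value itself. The Run-key rule splits the self-persisting case seen here from the weaker "Run entry points at a profile-root executable" case so the two can be triaged at different severities.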
Processes
- C:\Users\Admin\AppData\Local\Temp\4903da44715125341c8e6be31c26f790_NeikiAnalytics.exe (PID 2132)
  Command line: "C:\Users\Admin\AppData\Local\Temp\4903da44715125341c8e6be31c26f790_NeikiAnalytics.exe"
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\dfziam.exe (PID 1968), child of PID 2132
    Command line: "C:\Users\Admin\dfziam.exe"
    - Modifies visibility of hidden/system files in Explorer
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 53KB
- MD5: 4836bab108fe66c7a8ca04082142e635
- SHA1: 7ba6598280badc001f021164b21af8c591f90900
- SHA256: 2a96e822488b5d6f309b74571aaeb8fdf683333819ce39f5e34f56115f34a612
- SHA512: 26f33d6c0699c54f6d3d9eb64740d76c429ebbee5f86b899cc57b45573a60989b824bbd03364bc94b453c1698ead0985fa2cbaeb72f269142601bcb383fd3e59
This file is the same size as the submitted sample (53KB) but carries a different hash set, so it is a distinct file rather than a byte-identical copy; when hunting, match on both hash sets rather than only the submitted sample's.