ab9f34b9265218221d26dfe9a378a486a60d236988c149c1e9f1b648029c24d4

Analysis

max time kernel
148s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
31/05/2024, 01:59

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

728a1d70454cf8943c085f5a8c02f5a0_NeikiAnalytics.exe
Size

282KB
MD5

728a1d70454cf8943c085f5a8c02f5a0
SHA1

e2bfa2f3d4c955e9ba1965261fcc784fb3a86121
SHA256

ab9f34b9265218221d26dfe9a378a486a60d236988c149c1e9f1b648029c24d4
SHA512

d73e0dc9c1217ce7d9bbd719e272159f3e9683f7de11dd3c7832bcd8d060a01baaaeb7d50f31c65b9919a446f488756809581f93a45e36fad72d45e125a192a8
SSDEEP

6144:1LCj4mVF0imsl6POfE1JPZNBlwkDF5N+oS4CJ4:1LquiZyBZN1J5N+oSe

Score

10^/10

evasion persistence upx

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 10 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\darkeye-nosttingspersistent.exe = "C:\\Users\\Admin\\AppData\\Roaming\\darkeye-nosttingspersistent.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\Firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Firefox.exe:*:Enabled:Windows Messanger"	reg.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation	728a1d70454cf8943c085f5a8c02f5a0_NeikiAnalytics.exe

Executes dropped EXE 3 IoCs

pid	Process
2920	Firefox.exe
900	Firefox.exe
4852	Firefox.exe

UPX packed file 16 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1668-0-0x0000000000400000-0x00000000005D9000-memory.dmp	upx
behavioral2/memory/1668-30-0x0000000000400000-0x00000000005D9000-memory.dmp	upx
behavioral2/memory/2920-28-0x0000000000400000-0x00000000005D9000-memory.dmp	upx
behavioral2/files/0x0007000000023414-27.dat	upx
behavioral2/memory/900-37-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral2/memory/900-36-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral2/memory/2920-52-0x0000000000400000-0x00000000005D9000-memory.dmp	upx
behavioral2/memory/4852-46-0x0000000000400000-0x0000000000409000-memory.dmp	upx
behavioral2/memory/4852-44-0x0000000000400000-0x0000000000409000-memory.dmp	upx
behavioral2/memory/4852-41-0x0000000000400000-0x0000000000409000-memory.dmp	upx
behavioral2/memory/900-33-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral2/memory/900-53-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral2/memory/4852-54-0x0000000000400000-0x0000000000409000-memory.dmp	upx
behavioral2/memory/900-55-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral2/memory/900-57-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral2/memory/900-77-0x0000000000400000-0x000000000045D000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Java Updater 3 = "C:\\Users\\Admin\\AppData\\Roaming\\Firefox.exe"	reg.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2920 set thread context of 900	2920	Firefox.exe	90
PID 2920 set thread context of 4852	2920	Firefox.exe	91

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
5008	reg.exe
4416	reg.exe
2228	reg.exe
1604	reg.exe

Suspicious use of AdjustPrivilegeToken 36 IoCs

description	pid	Process
Token: 1	900	Firefox.exe
Token: SeCreateTokenPrivilege	900	Firefox.exe
Token: SeAssignPrimaryTokenPrivilege	900	Firefox.exe
Token: SeLockMemoryPrivilege	900	Firefox.exe
Token: SeIncreaseQuotaPrivilege	900	Firefox.exe
Token: SeMachineAccountPrivilege	900	Firefox.exe
Token: SeTcbPrivilege	900	Firefox.exe
Token: SeSecurityPrivilege	900	Firefox.exe
Token: SeTakeOwnershipPrivilege	900	Firefox.exe
Token: SeLoadDriverPrivilege	900	Firefox.exe
Token: SeSystemProfilePrivilege	900	Firefox.exe
Token: SeSystemtimePrivilege	900	Firefox.exe
Token: SeProfSingleProcessPrivilege	900	Firefox.exe
Token: SeIncBasePriorityPrivilege	900	Firefox.exe
Token: SeCreatePagefilePrivilege	900	Firefox.exe
Token: SeCreatePermanentPrivilege	900	Firefox.exe
Token: SeBackupPrivilege	900	Firefox.exe
Token: SeRestorePrivilege	900	Firefox.exe
Token: SeShutdownPrivilege	900	Firefox.exe
Token: SeDebugPrivilege	900	Firefox.exe
Token: SeAuditPrivilege	900	Firefox.exe
Token: SeSystemEnvironmentPrivilege	900	Firefox.exe
Token: SeChangeNotifyPrivilege	900	Firefox.exe
Token: SeRemoteShutdownPrivilege	900	Firefox.exe
Token: SeUndockPrivilege	900	Firefox.exe
Token: SeSyncAgentPrivilege	900	Firefox.exe
Token: SeEnableDelegationPrivilege	900	Firefox.exe
Token: SeManageVolumePrivilege	900	Firefox.exe
Token: SeImpersonatePrivilege	900	Firefox.exe
Token: SeCreateGlobalPrivilege	900	Firefox.exe
Token: 31	900	Firefox.exe
Token: 32	900	Firefox.exe
Token: 33	900	Firefox.exe
Token: 34	900	Firefox.exe
Token: 35	900	Firefox.exe
Token: SeDebugPrivilege	4852	Firefox.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1668	728a1d70454cf8943c085f5a8c02f5a0_NeikiAnalytics.exe
2920	Firefox.exe
900	Firefox.exe
900	Firefox.exe
4852	Firefox.exe
900	Firefox.exe

Suspicious use of WriteProcessMemory 49 IoCs

description	pid	Process	procid_target
PID 1668 wrote to memory of 5084	1668	728a1d70454cf8943c085f5a8c02f5a0_NeikiAnalytics.exe	85
PID 1668 wrote to memory of 5084	1668	728a1d70454cf8943c085f5a8c02f5a0_NeikiAnalytics.exe	85
PID 1668 wrote to memory of 5084	1668	728a1d70454cf8943c085f5a8c02f5a0_NeikiAnalytics.exe	85
PID 5084 wrote to memory of 4956	5084	cmd.exe	88
PID 5084 wrote to memory of 4956	5084	cmd.exe	88
PID 5084 wrote to memory of 4956	5084	cmd.exe	88
PID 1668 wrote to memory of 2920	1668	728a1d70454cf8943c085f5a8c02f5a0_NeikiAnalytics.exe	89
PID 1668 wrote to memory of 2920	1668	728a1d70454cf8943c085f5a8c02f5a0_NeikiAnalytics.exe	89
PID 1668 wrote to memory of 2920	1668	728a1d70454cf8943c085f5a8c02f5a0_NeikiAnalytics.exe	89
PID 2920 wrote to memory of 900	2920	Firefox.exe	90
PID 2920 wrote to memory of 900	2920	Firefox.exe	90
PID 2920 wrote to memory of 900	2920	Firefox.exe	90
PID 2920 wrote to memory of 900	2920	Firefox.exe	90
PID 2920 wrote to memory of 900	2920	Firefox.exe	90
PID 2920 wrote to memory of 900	2920	Firefox.exe	90
PID 2920 wrote to memory of 900	2920	Firefox.exe	90
PID 2920 wrote to memory of 900	2920	Firefox.exe	90
PID 2920 wrote to memory of 4852	2920	Firefox.exe	91
PID 2920 wrote to memory of 4852	2920	Firefox.exe	91
PID 2920 wrote to memory of 4852	2920	Firefox.exe	91
PID 2920 wrote to memory of 4852	2920	Firefox.exe	91
PID 2920 wrote to memory of 4852	2920	Firefox.exe	91
PID 2920 wrote to memory of 4852	2920	Firefox.exe	91
PID 2920 wrote to memory of 4852	2920	Firefox.exe	91
PID 2920 wrote to memory of 4852	2920	Firefox.exe	91
PID 900 wrote to memory of 924	900	Firefox.exe	92
PID 900 wrote to memory of 924	900	Firefox.exe	92
PID 900 wrote to memory of 924	900	Firefox.exe	92
PID 900 wrote to memory of 4088	900	Firefox.exe	93
PID 900 wrote to memory of 4088	900	Firefox.exe	93
PID 900 wrote to memory of 4088	900	Firefox.exe	93
PID 900 wrote to memory of 5036	900	Firefox.exe	94
PID 900 wrote to memory of 5036	900	Firefox.exe	94
PID 900 wrote to memory of 5036	900	Firefox.exe	94
PID 900 wrote to memory of 1868	900	Firefox.exe	95
PID 900 wrote to memory of 1868	900	Firefox.exe	95
PID 900 wrote to memory of 1868	900	Firefox.exe	95
PID 924 wrote to memory of 2228	924	cmd.exe	100
PID 924 wrote to memory of 2228	924	cmd.exe	100
PID 924 wrote to memory of 2228	924	cmd.exe	100
PID 5036 wrote to memory of 4416	5036	cmd.exe	101
PID 5036 wrote to memory of 4416	5036	cmd.exe	101
PID 5036 wrote to memory of 4416	5036	cmd.exe	101
PID 4088 wrote to memory of 1604	4088	cmd.exe	102
PID 4088 wrote to memory of 1604	4088	cmd.exe	102
PID 4088 wrote to memory of 1604	4088	cmd.exe	102
PID 1868 wrote to memory of 5008	1868	cmd.exe	103
PID 1868 wrote to memory of 5008	1868	cmd.exe	103
PID 1868 wrote to memory of 5008	1868	cmd.exe	103

C:\Users\Admin\AppData\Local\Temp\728a1d70454cf8943c085f5a8c02f5a0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\728a1d70454cf8943c085f5a8c02f5a0_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1668
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eXGsQ.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5084
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Java Updater 3" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Firefox.exe" /f
    3⤵
    - Adds Run key to start application
    PID:4956
- C:\Users\Admin\AppData\Roaming\Firefox.exe
  "C:\Users\Admin\AppData\Roaming\Firefox.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2920
- - C:\Users\Admin\AppData\Roaming\Firefox.exe
    C:\Users\Admin\AppData\Roaming\Firefox.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:900
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      4⤵
      Suspicious use of WriteProcessMemory
      PID:924
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        5⤵
        Modifies firewall policy service
        Modifies registry key
        
        PID:2228
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Firefox.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Firefox.exe:*:Enabled:Windows Messanger" /f
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4088
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Firefox.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Firefox.exe:*:Enabled:Windows Messanger" /f
        5⤵
        Modifies firewall policy service
        Modifies registry key
        
        PID:1604
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      4⤵
      Suspicious use of WriteProcessMemory
      PID:5036
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        5⤵
        Modifies firewall policy service
        Modifies registry key
        
        PID:4416
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\darkeye-nosttingspersistent.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\darkeye-nosttingspersistent.exe:*:Enabled:Windows Messanger" /f
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1868
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\darkeye-nosttingspersistent.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\darkeye-nosttingspersistent.exe:*:Enabled:Windows Messanger" /f
        5⤵
        Modifies firewall policy service
        Modifies registry key
        
        PID:5008
- - C:\Users\Admin\AppData\Roaming\Firefox.exe
    C:\Users\Admin\AppData\Roaming\Firefox.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:4852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\eXGsQ.txt

Filesize
143B

MD5
962bc493b87f298696ad6e3eed7c7937

SHA1
985cc0c7e37e2465c4349abd528e120663ebd205

SHA256
c167e2faa5307ac291ff833b8a1f5f802eaa028d1aba8d1ad342ca84c07bdb01

SHA512
9dd2b755a404b74206b713ab17d2ddedacc48910e942dab71cf7e98d8d25322c24e32648f0881136e5425134aaccfbfd9bdc52ceb4519bd07e97c5564116f173

Download Submit
C:\Users\Admin\AppData\Roaming\Firefox.exe

Filesize
282KB

MD5
d53b7bc9f70587433e1552d906206862

SHA1
b188fe42daa15ffb018531bbd1d9ebc24ddfe9ea

SHA256
baacdf2383aec38a84e94f286bdc58cbf9eae55cb02064a8bf835134f9a9d69e

SHA512
0347b58e6b64c1e26e14407185d090c111fdcc1fca121ea294c5e3a2282d142b852c81d1f805dac9804e337189f043a27aeb76795dc1b75b83dc7b989c30d252

Download Submit
memory/900-53-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/900-33-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/900-77-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/900-37-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/900-36-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/900-57-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/900-55-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/1668-0-0x0000000000400000-0x00000000005D9000-memory.dmp

Filesize
1.8MB

Download
memory/1668-30-0x0000000000400000-0x00000000005D9000-memory.dmp

Filesize
1.8MB

Download
memory/2920-28-0x0000000000400000-0x00000000005D9000-memory.dmp

Filesize
1.8MB

Download
memory/2920-52-0x0000000000400000-0x00000000005D9000-memory.dmp

Filesize
1.8MB

Download
memory/4852-41-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4852-44-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4852-54-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4852-46-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads