aaf001a1e51a8f39e920cd96926c3d9c42561b4547a462a76c844dac852891b5

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
31-05-2024 05:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

79cce33937522a29a950fa6d84473070_NeikiAnalytics.exe
Size

844KB
MD5

79cce33937522a29a950fa6d84473070
SHA1

ba9713d2c11ebdf3542a1294c629a16d188915b6
SHA256

aaf001a1e51a8f39e920cd96926c3d9c42561b4547a462a76c844dac852891b5
SHA512

3f76d59c4b08cac0f29d7d3243c7e4fe98d6fe50c76925291bb6b77eec9d43722baee75f9c98c7b8472675649a1608ed9f3bd70bd3c6aa3d4b519acd1ad758d8
SSDEEP

24576:p/2zEYytjjqNSlhvpfQiIhKPtehfQwr9qySkbged:p/PtjtQiIhUyQy1SkFd

Score

10^/10

persistence upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe fsb.exe"	tmp259396247.exe

Executes dropped EXE 2 IoCs

pid	Process
2232	tmp259396247.exe
2576	tmp259396262.exe

Loads dropped DLL 3 IoCs

pid	Process
2216	79cce33937522a29a950fa6d84473070_NeikiAnalytics.exe
2216	79cce33937522a29a950fa6d84473070_NeikiAnalytics.exe
2216	79cce33937522a29a950fa6d84473070_NeikiAnalytics.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2216-7-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/2216-16-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/files/0x0002000000011c9b-27.dat	upx

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\fsb.stb	tmp259396247.exe
File created	C:\Windows\SysWOW64\fsb.tmp	tmp259396247.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp259396247.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe-	tmp259396247.exe
File created	C:\Program Files\VideoLAN\VLC\vlc.exe	tmp259396247.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe	tmp259396247.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe	tmp259396247.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Adobe PCD\pcd.db	tmp259396262.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe-	tmp259396247.exe
File created	C:\Program Files (x86)\Internet Explorer\iexplore.exe	tmp259396247.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe-	tmp259396247.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe-	tmp259396247.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\keytool.exe	tmp259396247.exe
File created	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe-	tmp259396247.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE	tmp259396247.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe	tmp259396247.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\java.exe-	tmp259396247.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe	tmp259396247.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe	tmp259396247.exe
File created	C:\Program Files (x86)\Internet Explorer\ieinstal.exe-	tmp259396247.exe
File created	C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	tmp259396247.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe-	tmp259396247.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe-	tmp259396247.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe-	tmp259396247.exe
File created	C:\Program Files\Java\jre7\bin\java-rmi.exe-	tmp259396247.exe
File created	C:\Program Files\Mozilla Firefox\uninstall\helper.exe-	tmp259396247.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE-	tmp259396247.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\ONENOTE.EXE	tmp259396247.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\SETLANG.EXE-	tmp259396247.exe
File created	C:\Program Files\Mozilla Firefox\plugin-container.exe-	tmp259396247.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE-	tmp259396247.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\GROOVEMN.EXE	tmp259396247.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ConvertInkStore.exe-	tmp259396247.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe	tmp259396247.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe	tmp259396247.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaw.exe-	tmp259396247.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLED.EXE-	tmp259396247.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe-	tmp259396247.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\MSTORE.EXE	tmp259396247.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\VPREVIEW.EXE-	tmp259396247.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	tmp259396247.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe	tmp259396247.exe
File created	C:\Program Files\Java\jre7\bin\rmiregistry.exe	tmp259396247.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe-	tmp259396247.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Wordconv.exe	tmp259396247.exe
File created	C:\Program Files\Java\jre7\bin\keytool.exe	tmp259396247.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\INFOPATH.EXE	tmp259396247.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe-	tmp259396247.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe	tmp259396247.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe-	tmp259396247.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe-	tmp259396247.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe	tmp259396247.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE	tmp259396247.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe-	tmp259396247.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\ONELEV.EXE-	tmp259396247.exe
File created	C:\Program Files\DVD Maker\DVDMaker.exe-	tmp259396247.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe	tmp259396247.exe
File created	C:\Program Files\Java\jre7\bin\javacpl.exe-	tmp259396247.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\bckgzm.exe-	tmp259396247.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Spades\shvlzm.exe	tmp259396247.exe
File created	C:\Program Files\VideoLAN\VLC\uninstall.exe	tmp259396247.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE-	tmp259396247.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe-	tmp259396247.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe	tmp259396247.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe-	tmp259396247.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\NAMECONTROLSERVER.EXE-	tmp259396247.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\FlickLearningWizard.exe	tmp259396247.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2216 wrote to memory of 2232	2216	79cce33937522a29a950fa6d84473070_NeikiAnalytics.exe	28
PID 2216 wrote to memory of 2232	2216	79cce33937522a29a950fa6d84473070_NeikiAnalytics.exe	28
PID 2216 wrote to memory of 2232	2216	79cce33937522a29a950fa6d84473070_NeikiAnalytics.exe	28
PID 2216 wrote to memory of 2232	2216	79cce33937522a29a950fa6d84473070_NeikiAnalytics.exe	28
PID 2216 wrote to memory of 2576	2216	79cce33937522a29a950fa6d84473070_NeikiAnalytics.exe	29
PID 2216 wrote to memory of 2576	2216	79cce33937522a29a950fa6d84473070_NeikiAnalytics.exe	29
PID 2216 wrote to memory of 2576	2216	79cce33937522a29a950fa6d84473070_NeikiAnalytics.exe	29
PID 2216 wrote to memory of 2576	2216	79cce33937522a29a950fa6d84473070_NeikiAnalytics.exe	29

C:\Users\Admin\AppData\Local\Temp\79cce33937522a29a950fa6d84473070_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\79cce33937522a29a950fa6d84473070_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2216
- C:\Users\Admin\AppData\Local\Temp\tmp259396247.exe
  C:\Users\Admin\AppData\Local\Temp\tmp259396247.exe
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Program Files directory
  PID:2232
- C:\Users\Admin\AppData\Local\Temp\tmp259396262.exe
  C:\Users\Admin\AppData\Local\Temp\tmp259396262.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:2576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\7z.exe

Filesize
607KB

MD5
d0c2c59a5b02444aaead0e16b5a288ad

SHA1
abb316e505814f510eb0f3f013fe8eae0b81667f

SHA256
405df7845d4f9899525cfe42e34a0c382e4526221aab120059407dbcae2b6c57

SHA512
c49dc48201a2972980fa0df688d3117de730965aaab3ab1b4e14b0d526ced9aee37ca98debb074f4432181b07d811e57398e424c7d85fa5c4135fad4a0a5fcb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp259396262.exe

Filesize
781KB

MD5
c9f853de1e78fc0dedfed88e35f127f8

SHA1
36da03865c8337aab2f4bfac4b2195554e84a0e4

SHA256
2ad0dedcda48a899960f06b90b0fb9d08c83fef416f616ce359340fce4886eb4

SHA512
c1ace7f8e72af4929d4e1804882889b4e6e8cc60b616680412695ef259bc2ccd61d6040d92ef31f3a8a214e55ca66c0468823074b330fd1dd32428e0a5eb71f9

Download Submit
\Users\Admin\AppData\Local\Temp\tmp259396247.exe

Filesize
53KB

MD5
435d370a1ae5da4f852b16c0c8578c4b

SHA1
2f9c070bd6a08f5205596a9d3c6df4cc3714288f

SHA256
d285baf7d537234a32f7e7253a0bb7444c1efb29337c44e6801ee90a6b0440fd

SHA512
62e1ec3c49c3a6ac6234c2855d6f8c41aeabba0796bee5c28a36c1bc96ea6d5d7042b2da9a96d2115afdede34a2ef5bbdb4702fed13031819d44e25a7978bbfa

Download Submit
memory/2216-7-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2216-16-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2232-1654-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2232-1653-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2232-1657-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2232-1659-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2232-1661-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2232-1663-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2232-1665-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2232-1666-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads