237348ca313f2d6fc8c8cb314a2723c39fd3c11cc02404a0972f2cfdaa374ed8

Analysis

max time kernel
150s
max time network
142s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
31/05/2024, 05:57

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

79e974dbc6672bdd5166fd0cdce372c0_NeikiAnalytics.exe
Size

237KB
MD5

79e974dbc6672bdd5166fd0cdce372c0
SHA1

b42851f07ec0d593a49355b15191339b88891460
SHA256

237348ca313f2d6fc8c8cb314a2723c39fd3c11cc02404a0972f2cfdaa374ed8
SHA512

1f34b77f0d5f8fadb6c464905c228dbcaf303379daeb60d67279c7b2eb4b80b873a92b49768e09d474bd363e22b023a1da9ba9f6f4d9e34f89b142989f94e3b8
SSDEEP

6144:4D8okEvTyoZVOgd2QZiw5NLclL5orfQH:KsjCF2QZiOU+4

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\apppatch\\svchost.exe,"	svchost.exe

Executes dropped EXE 1 IoCs

pid	Process
2012	svchost.exe

Loads dropped DLL 2 IoCs

pid	Process
1728	79e974dbc6672bdd5166fd0cdce372c0_NeikiAnalytics.exe
1728	79e974dbc6672bdd5166fd0cdce372c0_NeikiAnalytics.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\da02a59d = "C:\\Windows\\apppatch\\svchost.exe"	79e974dbc6672bdd5166fd0cdce372c0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\da02a59d = "C:\\Windows\\apppatch\\svchost.exe"	svchost.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\apppatch\svchost.exe	79e974dbc6672bdd5166fd0cdce372c0_NeikiAnalytics.exe
File opened for modification	C:\Windows\apppatch\svchost.exe	79e974dbc6672bdd5166fd0cdce372c0_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2012	svchost.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1728	79e974dbc6672bdd5166fd0cdce372c0_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1728 wrote to memory of 2012	1728	79e974dbc6672bdd5166fd0cdce372c0_NeikiAnalytics.exe	28
PID 1728 wrote to memory of 2012	1728	79e974dbc6672bdd5166fd0cdce372c0_NeikiAnalytics.exe	28
PID 1728 wrote to memory of 2012	1728	79e974dbc6672bdd5166fd0cdce372c0_NeikiAnalytics.exe	28
PID 1728 wrote to memory of 2012	1728	79e974dbc6672bdd5166fd0cdce372c0_NeikiAnalytics.exe	28

C:\Users\Admin\AppData\Local\Temp\79e974dbc6672bdd5166fd0cdce372c0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\79e974dbc6672bdd5166fd0cdce372c0_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Modifies WinLogon
- Drops file in Windows directory
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:1728
- C:\Windows\apppatch\svchost.exe
  "C:\Windows\apppatch\svchost.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Modifies WinLogon
  - Suspicious behavior: EnumeratesProcesses
  PID:2012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\AppPatch\svchost.exe

Filesize
237KB

MD5
24c559deb4dcaae5922d9ccaf1327599

SHA1
89681206d1973e0b06e5bb81490cbf6308e9ebd6

SHA256
9a88720cc533c67ffb1156f0539ac951d86b294ab75555440f1d5f44c6c0c9b1

SHA512
f93ac21272b8c10a56063ee95cf4f7ab64e3809248c2b1cc4b8b95c0e430846f0638916abf75303b36cb0bc24582ab449833e85ae76368a74e598282c68f9e2a

Download Submit
memory/1728-0-0x0000000000290000-0x00000000002F5000-memory.dmp

Filesize
404KB

Download
memory/1728-1-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1728-17-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1728-16-0x0000000000290000-0x00000000002F5000-memory.dmp

Filesize
404KB

Download
memory/2012-78-0x0000000003790000-0x0000000003791000-memory.dmp

Filesize
4KB

Download
memory/2012-71-0x0000000003610000-0x0000000003611000-memory.dmp

Filesize
4KB

Download
memory/2012-25-0x00000000022C0000-0x000000000234C000-memory.dmp

Filesize
560KB

Download
memory/2012-30-0x00000000022C0000-0x000000000234C000-memory.dmp

Filesize
560KB

Download
memory/2012-28-0x00000000022C0000-0x000000000234C000-memory.dmp

Filesize
560KB

Download
memory/2012-26-0x00000000022C0000-0x000000000234C000-memory.dmp

Filesize
560KB

Download
memory/2012-22-0x00000000022C0000-0x000000000234C000-memory.dmp

Filesize
560KB

Download
memory/2012-20-0x00000000022C0000-0x000000000234C000-memory.dmp

Filesize
560KB

Download
memory/2012-31-0x0000000002690000-0x000000000272B000-memory.dmp

Filesize
620KB

Download
memory/2012-33-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2012-36-0x0000000002690000-0x000000000272B000-memory.dmp

Filesize
620KB

Download
memory/2012-34-0x0000000002690000-0x000000000272B000-memory.dmp

Filesize
620KB

Download
memory/2012-82-0x00000000037B0000-0x00000000037B1000-memory.dmp

Filesize
4KB

Download
memory/2012-81-0x00000000037A0000-0x00000000037A1000-memory.dmp

Filesize
4KB

Download
memory/2012-79-0x0000000003780000-0x0000000003781000-memory.dmp

Filesize
4KB

Download
memory/2012-18-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2012-75-0x0000000003780000-0x0000000003781000-memory.dmp

Filesize
4KB

Download
memory/2012-74-0x0000000003620000-0x0000000003621000-memory.dmp

Filesize
4KB

Download
memory/2012-72-0x0000000003600000-0x0000000003601000-memory.dmp

Filesize
4KB

Download
memory/2012-19-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2012-68-0x0000000003600000-0x0000000003601000-memory.dmp

Filesize
4KB

Download
memory/2012-67-0x0000000003320000-0x0000000003321000-memory.dmp

Filesize
4KB

Download
memory/2012-65-0x0000000002C40000-0x0000000002C41000-memory.dmp

Filesize
4KB

Download
memory/2012-64-0x0000000003310000-0x0000000003311000-memory.dmp

Filesize
4KB

Download
memory/2012-60-0x0000000002C30000-0x0000000002C31000-memory.dmp

Filesize
4KB

Download
memory/2012-58-0x0000000002AD0000-0x0000000002AD1000-memory.dmp

Filesize
4KB

Download
memory/2012-57-0x0000000002C20000-0x0000000002C21000-memory.dmp

Filesize
4KB

Download
memory/2012-54-0x0000000002AD0000-0x0000000002AD1000-memory.dmp

Filesize
4KB

Download
memory/2012-53-0x0000000002AC0000-0x0000000002AC1000-memory.dmp

Filesize
4KB

Download
memory/2012-51-0x0000000002370000-0x0000000002371000-memory.dmp

Filesize
4KB

Download
memory/2012-50-0x0000000002AB0000-0x0000000002AB1000-memory.dmp

Filesize
4KB

Download
memory/2012-47-0x0000000002370000-0x0000000002371000-memory.dmp

Filesize
4KB

Download
memory/2012-46-0x0000000002360000-0x0000000002361000-memory.dmp

Filesize
4KB

Download
memory/2012-44-0x00000000005C0000-0x00000000005C1000-memory.dmp

Filesize
4KB

Download
memory/2012-43-0x0000000002350000-0x0000000002351000-memory.dmp

Filesize
4KB

Download
memory/2012-42-0x0000000002350000-0x0000000002351000-memory.dmp

Filesize
4KB

Download
memory/2012-40-0x00000000005C0000-0x00000000005C1000-memory.dmp

Filesize
4KB

Download