Analysis
- max time kernel: 149s
- max time network: 148s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- submitted: 31-05-2024 16:20
Behavioral task: behavioral1
- Sample: 54f6b2f397c096924ff59d0677845110_NeikiAnalytics.exe
- Resource: win7-20231129-en
Behavioral task: behavioral2
- Sample: 54f6b2f397c096924ff59d0677845110_NeikiAnalytics.exe
- Resource: win10v2004-20240426-en
General
- Target: 54f6b2f397c096924ff59d0677845110_NeikiAnalytics.exe
- Size: 45KB
- MD5: 54f6b2f397c096924ff59d0677845110
- SHA1: 5d4c37f137efcc519add6e1c476f14c260ee6fac
- SHA256: ee44d58b968af90d3640cc802ef1084b2d4c5b4da2edcb37243e05fa36ff4f01
- SHA512: 5d7ecd8cd1a79ef0ee2c340b0f002196aa6516e895ec598cec9d90c0399c2682d4e1a4c324d1080be95d5581f9dc2449035de430b4c5925bb652a6308cda548b
- SSDEEP: 768:nhP0kDE9N5dCA8J7VHXdrIniQaBTT+QQ+r1n4K8+C9TtIuCjaqUODvJVQ2f:hsWE9N5dFu53dsniQaB/xZ14n7zIF+qr
Malware Config
Signatures
- Processes:
  resource: behavioral1/memory/1884-0-0x0000000000400000-0x000000000041D000-memory.dmp | yara_rule: upx
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: winver.exe
  description: Set value (str) | ioc: \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\73EE1716 = "C:\\Users\\Admin\\AppData\\Roaming\\73EE1716\\bin.exe" | process: winver.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: winver.exe
  pid 2744 winver.exe (the same pid/process entry is listed for all 64 IoCs)
- Suspicious use of FindShellTrayWindow (3 IoCs)
  Processes: winver.exe, Explorer.EXE
  pid 2744 winver.exe | pid 1400 Explorer.EXE | pid 1400 Explorer.EXE
- Suspicious use of SendNotifyMessage (2 IoCs)
  Processes: Explorer.EXE
  pid 1400 Explorer.EXE | pid 1400 Explorer.EXE
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes: 54f6b2f397c096924ff59d0677845110_NeikiAnalytics.exe, winver.exe
  description | pid | process | target process
  PID 1884 wrote to memory of 2744 | 1884 | 54f6b2f397c096924ff59d0677845110_NeikiAnalytics.exe | winver.exe
  PID 1884 wrote to memory of 2744 | 1884 | 54f6b2f397c096924ff59d0677845110_NeikiAnalytics.exe | winver.exe
  PID 1884 wrote to memory of 2744 | 1884 | 54f6b2f397c096924ff59d0677845110_NeikiAnalytics.exe | winver.exe
  PID 1884 wrote to memory of 2744 | 1884 | 54f6b2f397c096924ff59d0677845110_NeikiAnalytics.exe | winver.exe
  PID 1884 wrote to memory of 2744 | 1884 | 54f6b2f397c096924ff59d0677845110_NeikiAnalytics.exe | winver.exe
  PID 2744 wrote to memory of 1400 | 2744 | winver.exe | Explorer.EXE
  PID 2744 wrote to memory of 1296 | 2744 | winver.exe | taskhost.exe
  PID 2744 wrote to memory of 1356 | 2744 | winver.exe | Dwm.exe
  PID 2744 wrote to memory of 1400 | 2744 | winver.exe | Explorer.EXE
Processes (path | command line | tree depth)
- C:\Windows\system32\taskhost.exe | "taskhost.exe" | 1
- C:\Windows\system32\Dwm.exe | "C:\Windows\system32\Dwm.exe" | 1
- C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | 1
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - C:\Users\Admin\AppData\Local\Temp\54f6b2f397c096924ff59d0677845110_NeikiAnalytics.exe | "C:\Users\Admin\AppData\Local\Temp\54f6b2f397c096924ff59d0677845110_NeikiAnalytics.exe" | 2
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\winver.exe | winver | 3
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads (memory dump | Filesize)
- memory/1296-24-0x00000000770C1000-0x00000000770C2000-memory.dmp | 4KB
- memory/1296-23-0x0000000000210000-0x0000000000216000-memory.dmp | 24KB
- memory/1356-20-0x00000000001B0000-0x00000000001B6000-memory.dmp | 24KB
- memory/1356-26-0x00000000001B0000-0x00000000001B6000-memory.dmp | 24KB
- memory/1400-4-0x0000000002E80000-0x0000000002E86000-memory.dmp | 24KB
- memory/1400-3-0x0000000002E80000-0x0000000002E86000-memory.dmp | 24KB
- memory/1400-2-0x0000000002E80000-0x0000000002E86000-memory.dmp | 24KB
- memory/1400-25-0x0000000002E30000-0x0000000002E36000-memory.dmp | 24KB
- memory/1400-10-0x00000000770C1000-0x00000000770C2000-memory.dmp | 4KB
- memory/1400-22-0x0000000002E30000-0x0000000002E36000-memory.dmp | 24KB
- memory/1884-5-0x0000000001DB0000-0x00000000027B0000-memory.dmp | 10.0MB
- memory/1884-12-0x0000000000400000-0x000000000041D000-memory.dmp | 116KB
- memory/1884-13-0x0000000001DB0000-0x00000000027B0000-memory.dmp | 10.0MB
- memory/1884-0-0x0000000000400000-0x000000000041D000-memory.dmp | 116KB
- memory/1884-1-0x0000000000020000-0x0000000000021000-memory.dmp | 4KB
- memory/2744-6-0x0000000000160000-0x0000000000166000-memory.dmp | 24KB
- memory/2744-7-0x0000000077270000-0x0000000077271000-memory.dmp | 4KB
- memory/2744-8-0x000000007726F000-0x0000000077270000-memory.dmp | 4KB
- memory/2744-9-0x000000007726F000-0x0000000077271000-memory.dmp | 8KB
- memory/2744-11-0x0000000077070000-0x0000000077219000-memory.dmp | 1.7MB
- memory/2744-30-0x0000000000160000-0x0000000000166000-memory.dmp | 24KB