Analysis
- max time kernel: 150s
- max time network: 154s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 31/05/2024, 18:48
Static task: static1
Behavioral task: behavioral1
- Sample: cb11a4d0db6796f25267934bdbcc3240_NeikiAnalytics.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: cb11a4d0db6796f25267934bdbcc3240_NeikiAnalytics.exe
- Resource: win10v2004-20240508-en
General
- Target: cb11a4d0db6796f25267934bdbcc3240_NeikiAnalytics.exe
- Size: 125KB
- MD5: cb11a4d0db6796f25267934bdbcc3240
- SHA1: d924e8d174c1c11da0c797e394f4974a72c094f8
- SHA256: 74510ddc5d4998064b68e55ea2e3099466171612f110b3ff701dcb738954bfcd
- SHA512: 2a31366f9e9342adbb538b70949dfb4b9e9d5916c125341a79eaa729f69608ccb1ed09fc9d868b82b2822b7ee91df7c9c84302dbaa3c5fdd6026b45c0e942b22
- SSDEEP: 3072:2EboFVlGAvwsgbpvYfMTc72L10fPsout:FBzsgbpvnTcyOPsoS
Malware Config
Signatures
- Deletes itself (1 IoC)
  pid / Process: 2536 svchost.exe
- Executes dropped EXE (1 IoC)
  pid / Process: 532 KVEIF.jpg
- Loads dropped DLL (4 IoCs)
  pid / Process: 2944 cb11a4d0db6796f25267934bdbcc3240_NeikiAnalytics.exe; 2536 svchost.exe; 532 KVEIF.jpg; 5108 svchost.exe
- resource yara_rule: upx (memory dumps of PID 2944 and PID 2536)
- Drops file in System32 directory (2 IoCs)
  File created: C:\Windows\SysWOW64\kernel64.dll (cb11a4d0db6796f25267934bdbcc3240_NeikiAnalytics.exe)
  File opened for modification: C:\Windows\SysWOW64\kernel64.dll (cb11a4d0db6796f25267934bdbcc3240_NeikiAnalytics.exe)
- Suspicious use of SetThreadContext (2 IoCs)
  PID 2944 set thread context of 2536 (cb11a4d0db6796f25267934bdbcc3240_NeikiAnalytics.exe, procid_target 84)
  PID 532 set thread context of 5108 (KVEIF.jpg, procid_target 89)
- Drops file in Program Files directory (23 IoCs)
  File opened for modification: C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1D\KVEIF.jpg (svchost.exe)
  File opened for modification: C:\Program Files\Common Files\Microsoft\1D11D1D\KVEIF.jpg (svchost.exe)
  File opened for modification: C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1D\KVEIFs5.ini (svchost.exe)
  File opened for modification: C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1D\KVEIF.jpg (cb11a4d0db6796f25267934bdbcc3240_NeikiAnalytics.exe)
  File opened for modification: C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1D\1D11D1D123.IMD (KVEIF.jpg)
  File created: C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1D\KVEIFs1.ini (svchost.exe)
  File opened for modification: C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1D\KVEIF.jpg (svchost.exe)
  File opened for modification: C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1D\FKC.WYA (svchost.exe)
  File opened for modification: C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1D\KVEIFs5.ini (KVEIF.jpg)
  File created: C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1D\ok.txt (cb11a4d0db6796f25267934bdbcc3240_NeikiAnalytics.exe)
  File created: C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1D\KVEIFss1.ini (cb11a4d0db6796f25267934bdbcc3240_NeikiAnalytics.exe)
  File created: C:\Program Files\Common Files\Microsoft\1D11D1D\KVEIF.jpg (svchost.exe)
  File opened for modification: C:\Program Files\Common Files\Microsoft\1D11D1D\KVEIF.jpg (svchost.exe)
  File created: C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1D\FKC.WYA (cb11a4d0db6796f25267934bdbcc3240_NeikiAnalytics.exe)
  File created: C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1D\$$.tmp (svchost.exe)
  File opened for modification: C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1D\KVEIFmain.ini (cb11a4d0db6796f25267934bdbcc3240_NeikiAnalytics.exe)
  File opened for modification: C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1D\FKC.WYA (svchost.exe)
  File created: C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1D\1D11D1D123.IMD (svchost.exe)
  File opened for modification: C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1D\1D11D1D123.IMD (svchost.exe)
  File opened for modification: C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1D\FKC.WYA (KVEIF.jpg)
  File created: C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1D\KVEIFs5.ini (svchost.exe)
  File created: C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1D\KVEIF.jpg (cb11a4d0db6796f25267934bdbcc3240_NeikiAnalytics.exe)
  File created: C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1D\KVEIFmain.ini (cb11a4d0db6796f25267934bdbcc3240_NeikiAnalytics.exe)
- Drops file in Windows directory (2 IoCs)
  File created: C:\Windows\web\606C646364636479.tmp (cb11a4d0db6796f25267934bdbcc3240_NeikiAnalytics.exe)
  File opened for modification: C:\Windows\web\606C646364636479.tmp (cb11a4d0db6796f25267934bdbcc3240_NeikiAnalytics.exe)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid / Process (distinct entries): 2944 cb11a4d0db6796f25267934bdbcc3240_NeikiAnalytics.exe; 2536 svchost.exe; 532 KVEIF.jpg
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid / Process: 2536 svchost.exe
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Token: SeDebugPrivilege (distinct entries): 2944 cb11a4d0db6796f25267934bdbcc3240_NeikiAnalytics.exe; 2536 svchost.exe; 532 KVEIF.jpg; 5108 svchost.exe
- Suspicious use of WriteProcessMemory (13 IoCs)
  Distinct entries:
  PID 2944 wrote to memory of 2536 (cb11a4d0db6796f25267934bdbcc3240_NeikiAnalytics.exe, procid_target 84)
  PID 2628 wrote to memory of 532 (cmd.exe, procid_target 88)
  PID 532 wrote to memory of 5108 (KVEIF.jpg, procid_target 89)
Processes
1. C:\Users\Admin\AppData\Local\Temp\cb11a4d0db6796f25267934bdbcc3240_NeikiAnalytics.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\cb11a4d0db6796f25267934bdbcc3240_NeikiAnalytics.exe"
   - Loads dropped DLL
   - Drops file in System32 directory
   - Suspicious use of SetThreadContext
   - Drops file in Program Files directory
   - Drops file in Windows directory
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   PID: 2944
   2. C:\Windows\SysWOW64\svchost.exe
      Command line: C:\Windows\System32\svchost.exe -EMBEDDING 423B5D51736E6673606C2147686D64725D426E6C6C6E6F2147686D64725D4C6862736E726E6775215269607364655D4C52486F676E5D304530304530455D474A422F565840 0
      - Deletes itself
      - Loads dropped DLL
      - Drops file in Program Files directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      PID: 2536
1. C:\Windows\system32\cmd.exe
   Command line: cmd.exe /c call "C:\Program Files\Common Files\Microsoft\1D11D1D\KVEIF.jpg" -3 423B5D51736E6673606C2147686D64725D426E6C6C6E6F2147686D64725D4C6862736E726E6775215269607364655D4C52486F676E5D304530304530455D474A422F565840
   - Suspicious use of WriteProcessMemory
   PID: 2628
   2. C:\Program Files\Common Files\Microsoft\1D11D1D\KVEIF.jpg
      Command line: "C:\Program Files\Common Files\Microsoft\1D11D1D\KVEIF.jpg" -3 423B5D51736E6673606C2147686D64725D426E6C6C6E6F2147686D64725D4C6862736E726E6775215269607364655D4C52486F676E5D304530304530455D474A422F565840
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Drops file in Program Files directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 532
      3. C:\Windows\SysWOW64\svchost.exe
         Command line: C:\Windows\System32\svchost.exe -sys 423B5D51736E6673606C2147686D64725D426E6C6C6E6F2147686D64725D4C6862736E726E6775215269607364655D4C52486F676E5D304530304530455D474A422F565840 0
         - Loads dropped DLL
         - Drops file in Program Files directory
         - Suspicious use of AdjustPrivilegeToken
         PID: 5108
Downloads