Analysis
max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240508-en locale:en-us os:windows10-2004-x64 system
submitted: 01/06/2024, 02:34
Static task: static1
Behavioral task: behavioral1
  Sample: 8a300ad8ad1175b7e601cbaf6264ff30_NeikiAnalytics.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: 8a300ad8ad1175b7e601cbaf6264ff30_NeikiAnalytics.exe
  Resource: win10v2004-20240508-en
General
Target: 8a300ad8ad1175b7e601cbaf6264ff30_NeikiAnalytics.exe
Size: 133KB
MD5: 8a300ad8ad1175b7e601cbaf6264ff30
SHA1: bb9ac3a2d989cf596b927c654030f3d27bb2150a
SHA256: c49aa53a966c73fcae68739539a1c64af55a495599aab4786dcda9d4254b4217
SHA512: d0ffb5528bab85a60d00a5d629f4a71a9d2f751fcd6e4a26e300fb68cea6eb9d6c23c4635173ac49e20c0a8fe6583894fb9055b995eda1e453a8c63ac1f18a8f
SSDEEP: 3072:1EboFVlGAvwsgbpvYfMTc72L10fPsout6nnn:qBzsgbpvnTcyOPsoS6nnn
Malware Config
Signatures
Deletes itself (1 IoC)
  pid | Process
  756 | svchost.exe
Executes dropped EXE (1 IoC)
  pid | Process
  4884 | KVEIF.jpg
Loads dropped DLL (4 IoCs)
  pid | Process
  4444 | 8a300ad8ad1175b7e601cbaf6264ff30_NeikiAnalytics.exe
  756 | svchost.exe
  4884 | KVEIF.jpg
  2108 | svchost.exe
Drops file in System32 directory (2 IoCs)
  description | ioc | Process
  File created | C:\Windows\SysWOW64\kernel64.dll | 8a300ad8ad1175b7e601cbaf6264ff30_NeikiAnalytics.exe
  File opened for modification | C:\Windows\SysWOW64\kernel64.dll | 8a300ad8ad1175b7e601cbaf6264ff30_NeikiAnalytics.exe
Suspicious use of SetThreadContext (2 IoCs)
  description | pid | Process | procid_target
  PID 4444 set thread context of 756 | 4444 | 8a300ad8ad1175b7e601cbaf6264ff30_NeikiAnalytics.exe | 84
  PID 4884 set thread context of 2108 | 4884 | KVEIF.jpg | 91
Drops file in Program Files directory (23 IoCs)
  description | ioc | Process
  File opened for modification | C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1D\KVEIF.jpg | svchost.exe
  File opened for modification | C:\Program Files\Common Files\Microsoft\1D11D1D\KVEIF.jpg | svchost.exe
  File opened for modification | C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1D\KVEIFs5.ini | svchost.exe
  File opened for modification | C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1D\KVEIFs5.ini | KVEIF.jpg
  File created | C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1D\KVEIF.jpg | 8a300ad8ad1175b7e601cbaf6264ff30_NeikiAnalytics.exe
  File opened for modification | C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1D\KVEIFmain.ini | 8a300ad8ad1175b7e601cbaf6264ff30_NeikiAnalytics.exe
  File opened for modification | C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1D\FKC.WYA | svchost.exe
  File created | C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1D\$$.tmp | svchost.exe
  File opened for modification | C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1D\FKC.WYA | svchost.exe
  File created | C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1D\KVEIFmain.ini | 8a300ad8ad1175b7e601cbaf6264ff30_NeikiAnalytics.exe
  File created | C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1D\FKC.WYA | 8a300ad8ad1175b7e601cbaf6264ff30_NeikiAnalytics.exe
  File created | C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1D\1D11D1D123.IMD | svchost.exe
  File opened for modification | C:\Program Files\Common Files\Microsoft\1D11D1D\KVEIF.jpg | svchost.exe
  File opened for modification | C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1D\FKC.WYA | KVEIF.jpg
  File opened for modification | C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1D\1D11D1D123.IMD | KVEIF.jpg
  File created | C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1D\KVEIFs5.ini | svchost.exe
  File created | C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1D\ok.txt | 8a300ad8ad1175b7e601cbaf6264ff30_NeikiAnalytics.exe
  File opened for modification | C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1D\1D11D1D123.IMD | svchost.exe
  File created | C:\Program Files\Common Files\Microsoft\1D11D1D\KVEIF.jpg | svchost.exe
  File opened for modification | C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1D\KVEIF.jpg | svchost.exe
  File created | C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1D\KVEIFss1.ini | 8a300ad8ad1175b7e601cbaf6264ff30_NeikiAnalytics.exe
  File opened for modification | C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1D\KVEIF.jpg | 8a300ad8ad1175b7e601cbaf6264ff30_NeikiAnalytics.exe
  File created | C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1D\KVEIFs1.ini | svchost.exe
Drops file in Windows directory (2 IoCs)
  description | ioc | Process
  File created | C:\Windows\web\606C646364636479.tmp | 8a300ad8ad1175b7e601cbaf6264ff30_NeikiAnalytics.exe
  File opened for modification | C:\Windows\web\606C646364636479.tmp | 8a300ad8ad1175b7e601cbaf6264ff30_NeikiAnalytics.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs, duplicate rows collapsed)
  pid | Process | occurrences
  4444 | 8a300ad8ad1175b7e601cbaf6264ff30_NeikiAnalytics.exe | 8
  756 | svchost.exe | 50
  4884 | KVEIF.jpg | 6
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid | Process
  756 | svchost.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs, duplicate rows collapsed)
  description | pid | Process | occurrences
  Token: SeDebugPrivilege | 4444 | 8a300ad8ad1175b7e601cbaf6264ff30_NeikiAnalytics.exe | 4
  Token: SeDebugPrivilege | 756 | svchost.exe | 29
  Token: SeDebugPrivilege | 4884 | KVEIF.jpg | 4
  Token: SeDebugPrivilege | 2108 | svchost.exe | 27
Suspicious use of WriteProcessMemory (13 IoCs, duplicate rows collapsed)
  description | pid | Process | procid_target | occurrences
  PID 4444 wrote to memory of 756 | 4444 | 8a300ad8ad1175b7e601cbaf6264ff30_NeikiAnalytics.exe | 84 | 5
  PID 3828 wrote to memory of 4884 | 3828 | cmd.exe | 88 | 3
  PID 4884 wrote to memory of 2108 | 4884 | KVEIF.jpg | 91 | 5
Processes
C:\Users\Admin\AppData\Local\Temp\8a300ad8ad1175b7e601cbaf6264ff30_NeikiAnalytics.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\8a300ad8ad1175b7e601cbaf6264ff30_NeikiAnalytics.exe"
  PID: 4444
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child: C:\Windows\SysWOW64\svchost.exe
    Command line: C:\Windows\System32\svchost.exe -EMBEDDING 423B5D51736E6673606C2147686D64725D426E6C6C6E6F2147686D64725D4C6862736E726E6775215269607364655D4C52486F676E5D304530304530455D474A422F565840 0
    PID: 756
    - Deletes itself
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
C:\Windows\system32\cmd.exe
  Command line: cmd.exe /c call "C:\Program Files\Common Files\Microsoft\1D11D1D\KVEIF.jpg" -3 423B5D51736E6673606C2147686D64725D426E6C6C6E6F2147686D64725D4C6862736E726E6775215269607364655D4C52486F676E5D304530304530455D474A422F565840
  PID: 3828
  - Suspicious use of WriteProcessMemory
  Child: C:\Program Files\Common Files\Microsoft\1D11D1D\KVEIF.jpg
    Command line: "C:\Program Files\Common Files\Microsoft\1D11D1D\KVEIF.jpg" -3 423B5D51736E6673606C2147686D64725D426E6C6C6E6F2147686D64725D4C6862736E726E6775215269607364655D4C52486F676E5D304530304530455D474A422F565840
    PID: 4884
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    Child: C:\Windows\SysWOW64\svchost.exe
      Command line: C:\Windows\System32\svchost.exe -sys 423B5D51736E6673606C2147686D64725D426E6C6C6E6F2147686D64725D4C6862736E726E6775215269607364655D4C52486F676E5D304530304530455D474A422F565840 0
      PID: 2108
      - Loads dropped DLL
      - Drops file in Program Files directory
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads