Analysis
-
max time kernel
149s -
max time network
147s -
platform
windows7_x64 -
resource
win7-20240220-en -
resource tags
arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system -
submitted
01-06-2024 02:35
Static task
static1
Behavioral task
behavioral1
Sample
8a3c907c04a3d997dd7a5a20e8884ba0_NeikiAnalytics.exe
Resource
win7-20240220-en
Behavioral task
behavioral2
Sample
8a3c907c04a3d997dd7a5a20e8884ba0_NeikiAnalytics.exe
Resource
win10v2004-20240508-en
General
-
Target
8a3c907c04a3d997dd7a5a20e8884ba0_NeikiAnalytics.exe
-
Size
100KB
-
MD5
8a3c907c04a3d997dd7a5a20e8884ba0
-
SHA1
2a88e939370caa09bafbc8f9a3f8f563e5cfad12
-
SHA256
034128a5ed4fae9549e86f7263a90e046e50e8b4a28a877042d23d3d0bf52649
-
SHA512
97f9d6777f882e583bcd674718996f41556399d8de208b73923c536255aafc682e7adc7d8455cd8ad2d7e6c27280f1e68a9666ec47d257bc167491ef81307308
-
SSDEEP
1536:jE9QaVQ8v9/ui73aOtH0nrFgUhRwqjhurmKFctV:xaV1/uMKacdhTjAqGctV
Malware Config
Signatures
-
Adds Run key to start application (2 TTPs, 1 IoC)
Processes: winver.exe
  process:     winver.exe
  description: Set value (str)
  ioc:         \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\08CB9C5F = "C:\\Users\\Admin\\AppData\\Roaming\\08CB9C5F\\bin.exe"
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: winver.exe
  pid   process
  2144  winver.exe   (all 64 IoCs are from this one process)
Suspicious use of FindShellTrayWindow (3 IoCs)
Processes: winver.exe, Explorer.EXE
  pid   process
  2144  winver.exe
  1072  Explorer.EXE
  1072  Explorer.EXE
Suspicious use of SendNotifyMessage (2 IoCs)
Processes: Explorer.EXE
  pid   process
  1072  Explorer.EXE
  1072  Explorer.EXE
Suspicious use of WriteProcessMemory (9 IoCs)
Processes: 8a3c907c04a3d997dd7a5a20e8884ba0_NeikiAnalytics.exe, winver.exe
  description                        pid   process                                              target process
  PID 1728 wrote to memory of 2144   1728  8a3c907c04a3d997dd7a5a20e8884ba0_NeikiAnalytics.exe  winver.exe
  PID 1728 wrote to memory of 2144   1728  8a3c907c04a3d997dd7a5a20e8884ba0_NeikiAnalytics.exe  winver.exe
  PID 1728 wrote to memory of 2144   1728  8a3c907c04a3d997dd7a5a20e8884ba0_NeikiAnalytics.exe  winver.exe
  PID 1728 wrote to memory of 2144   1728  8a3c907c04a3d997dd7a5a20e8884ba0_NeikiAnalytics.exe  winver.exe
  PID 1728 wrote to memory of 2144   1728  8a3c907c04a3d997dd7a5a20e8884ba0_NeikiAnalytics.exe  winver.exe
  PID 2144 wrote to memory of 1072   2144  winver.exe                                           Explorer.EXE
  PID 2144 wrote to memory of 1044   2144  winver.exe                                           Dwm.exe
  PID 2144 wrote to memory of 1072   2144  winver.exe                                           Explorer.EXE
  PID 2144 wrote to memory of 1100   2144  winver.exe                                           taskhost.exe
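The two signature tables above (the Run-key write and the nine WriteProcessMemory rows) as machine-readable records, with the checks a responder would apply to them. This is an added example, not part of the sandbox report or the sandbox's own tooling; the input strings are copied from the report's IoC tables, and the SHELL_PROCESSES watch-list is an assumption of this example.

```python
"""Parse the flattened IoC rows of a sandbox report into structured events and
flag two behaviours: cross-process memory writes into long-lived shell
processes, and Run-key persistence pointing into the user profile.

Added example; not part of the sandbox report or its tooling.
"""
import re
from collections import Counter

# Rows of the "Suspicious use of WriteProcessMemory" table, one per line, in the
# column order the report uses: description, pid, process, target process.
WPM_ROWS = """\
PID 1728 wrote to memory of 2144 1728 8a3c907c04a3d997dd7a5a20e8884ba0_NeikiAnalytics.exe winver.exe
PID 1728 wrote to memory of 2144 1728 8a3c907c04a3d997dd7a5a20e8884ba0_NeikiAnalytics.exe winver.exe
PID 1728 wrote to memory of 2144 1728 8a3c907c04a3d997dd7a5a20e8884ba0_NeikiAnalytics.exe winver.exe
PID 1728 wrote to memory of 2144 1728 8a3c907c04a3d997dd7a5a20e8884ba0_NeikiAnalytics.exe winver.exe
PID 1728 wrote to memory of 2144 1728 8a3c907c04a3d997dd7a5a20e8884ba0_NeikiAnalytics.exe winver.exe
PID 2144 wrote to memory of 1072 2144 winver.exe Explorer.EXE
PID 2144 wrote to memory of 1044 2144 winver.exe Dwm.exe
PID 2144 wrote to memory of 1072 2144 winver.exe Explorer.EXE
PID 2144 wrote to memory of 1100 2144 winver.exe taskhost.exe
"""

# The single row of the "Adds Run key to start application" table.
RUN_KEY_ROW = (
    r'Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000'
    r'\Software\Microsoft\Windows\CurrentVersion\Run\08CB9C5F'
    r' = "C:\\Users\\Admin\\AppData\\Roaming\\08CB9C5F\\bin.exe"'
)

WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\S+)$")

# Long-lived desktop processes that a freshly dropped binary has no business
# writing into. Assumed watch-list for this example.
SHELL_PROCESSES = {"explorer.exe", "dwm.exe", "taskhost.exe"}


def parse_wpm(rows: str) -> Counter:
    """Collapse repeated WriteProcessMemory rows into
    (src_pid, src_image, dst_pid, dst_image) -> count. Rows that do not match
    the report's layout, or whose description and pid columns disagree, are skipped."""
    edges = Counter()
    for line in rows.splitlines():
        m = WPM_RE.match(line.strip())
        if not m:
            continue
        src, dst, pid, src_img, dst_img = m.groups()
        if src != pid:
            continue
        edges[(int(src), src_img, int(dst), dst_img)] += 1
    return edges


def injection_findings(edges: Counter) -> list:
    """One finding per writer -> shell-process edge, highest write count first."""
    hits = [(n, src, src_img, dst, dst_img)
            for (src, src_img, dst, dst_img), n in edges.items()
            if dst_img.lower() in SHELL_PROCESSES]
    hits.sort(reverse=True)
    return [f"{src_img} (pid {src}) wrote to {dst_img} (pid {dst}) x{n}"
            for n, src, src_img, dst, dst_img in hits]


def parse_run_key(row: str):
    """Split a 'Set value (<type>) <key>\\<name> = "<data>"' row into its parts.
    Returns None for rows that are not writes under ...\\CurrentVersion\\Run or RunOnce."""
    m = re.match(r'Set value \((\w+)\) (\S+) = "(.*)"$', row)
    if not m:
        return None
    vtype, key_path, data = m.groups()
    key, _, name = key_path.rpartition("\\")
    if not re.search(r"\\CurrentVersion\\Run(Once)?$", key, re.IGNORECASE):
        return None
    target = data.replace("\\\\", "\\")  # the report doubles backslashes in the data column
    return {
        "hive": "HKU" if key.upper().startswith("\\REGISTRY\\USER\\") else "HKLM",
        "key": key,
        "value": name,
        "type": vtype,
        "target": target,
        # Autorun data pointing into the user's own profile is the usual dropper pattern.
        "in_user_profile": "\\appdata\\" in target.lower(),
    }


if __name__ == "__main__":
    for finding in injection_findings(parse_wpm(WPM_ROWS)):
        print(finding)
    print(parse_run_key(RUN_KEY_ROW))
```

Collapsing the rows shows the shape of the activity at a glance: the sample writes five times into its own child winver.exe, and winver.exe then writes into Explorer.EXE (twice), Dwm.exe and taskhost.exe; those three edges, from a process that is not a debugger or an installer, are the ones worth a hunting rule. The Run-key record gives the value name and the dropped path under the user's roaming profile to sweep other hosts for.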
Processes (nesting follows the report's depth markers; PIDs taken from the IoC tables above)
- C:\Windows\system32\Dwm.exe (PID 1044)
    command line: "C:\Windows\system32\Dwm.exe"
- C:\Windows\Explorer.EXE (PID 1072)
    command line: C:\Windows\Explorer.EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - C:\Users\Admin\AppData\Local\Temp\8a3c907c04a3d997dd7a5a20e8884ba0_NeikiAnalytics.exe (PID 1728)
        command line: "C:\Users\Admin\AppData\Local\Temp\8a3c907c04a3d997dd7a5a20e8884ba0_NeikiAnalytics.exe"
        - Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\winver.exe (PID 2144)
            command line: winver
            - Adds Run key to start application
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of WriteProcessMemory
- C:\Windows\system32\taskhost.exe (PID 1100)
    command line: "taskhost.exe"
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads (memory dumps, grouped by PID)
  PID 1044 (Dwm.exe)
    memory/1044-24-0x00000000001C0000-0x00000000001C6000-memory.dmp    24KB
    memory/1044-25-0x0000000077351000-0x0000000077352000-memory.dmp    4KB
  PID 1072 (Explorer.EXE)
    memory/1072-2-0x0000000002DC0000-0x0000000002DC6000-memory.dmp     24KB
    memory/1072-3-0x0000000002DC0000-0x0000000002DC6000-memory.dmp     24KB
    memory/1072-4-0x0000000002DC0000-0x0000000002DC6000-memory.dmp     24KB
    memory/1072-10-0x0000000077351000-0x0000000077352000-memory.dmp    4KB
    memory/1072-20-0x0000000002D70000-0x0000000002D76000-memory.dmp    24KB
    memory/1072-27-0x0000000002D70000-0x0000000002D76000-memory.dmp    24KB
  PID 1100 (taskhost.exe)
    memory/1100-23-0x0000000000190000-0x0000000000196000-memory.dmp    24KB
    memory/1100-26-0x0000000000190000-0x0000000000196000-memory.dmp    24KB
  PID 1728 (8a3c907c04a3d997dd7a5a20e8884ba0_NeikiAnalytics.exe)
    memory/1728-0-0x0000000000400000-0x000000000041B000-memory.dmp     108KB
    memory/1728-1-0x0000000000020000-0x0000000000021000-memory.dmp     4KB
    memory/1728-5-0x0000000001C20000-0x0000000002620000-memory.dmp     10.0MB
    memory/1728-12-0x0000000000400000-0x000000000041B000-memory.dmp    108KB
    memory/1728-13-0x0000000001C20000-0x0000000002620000-memory.dmp    10.0MB
  PID 2144 (winver.exe)
    memory/2144-6-0x00000000001A0000-0x00000000001A6000-memory.dmp     24KB
    memory/2144-7-0x0000000077500000-0x0000000077501000-memory.dmp     4KB
    memory/2144-8-0x00000000774FF000-0x0000000077500000-memory.dmp     4KB
    memory/2144-9-0x00000000774FF000-0x0000000077501000-memory.dmp     8KB
    memory/2144-11-0x0000000077300000-0x00000000774A9000-memory.dmp    1.7MB
    memory/2144-31-0x00000000001F0000-0x00000000001F1000-memory.dmp    4KB
    memory/2144-32-0x00000000001A0000-0x00000000001A6000-memory.dmp    24KB

Each of the three processes that winver.exe wrote to (Dwm.exe, Explorer.EXE, taskhost.exe) has a 0x6000-byte (24KB) region dumped, the same size as winver.exe's own region at 0x1A0000; when looking for the injected code, those 24KB dumps are the ones to compare first.