3b7c8c7761d7470e3030a83893acbf0aa5461919ef8422e590ac6f1cd99b602b

Analysis

max time kernel
150s
max time network
146s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
01-06-2024 05:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8f15d7c2b1018580fbaa2ab0c8709b40_NeikiAnalytics.exe
Size

73KB
MD5

8f15d7c2b1018580fbaa2ab0c8709b40
SHA1

a224a3ba3618e7f5bc71b49c03e9507d2002ac58
SHA256

3b7c8c7761d7470e3030a83893acbf0aa5461919ef8422e590ac6f1cd99b602b
SHA512

2cc8636879e3a53ae2290a2f6edd5112ebe421a81a3e2a1f54aae6346c20b37ca546f94f2b62e0fc2c0a1967c9d4ae3aa2aa0a773e918ea612d366f5809920ab
SSDEEP

1536:xJrcZa4V5fH01ZJdlUOIV3js6/XyMgjm6Ul0sYnLwDAc:j6RRH0IVweitm7lXYnEDAc

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Windows security bypass 2 TTPs 4 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "25600"	anputen.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600"	anputen.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600"	anputen.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600"	anputen.exe

Modifies Installed Components in the registry 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4B584950-5043-4b46-4B58-495050434b46}	anputen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4B584950-5043-4b46-4B58-495050434b46}\01234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123 = "a"	anputen.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4B584950-5043-4b46-4B58-495050434b46}\IsInstalled = "1"	anputen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4B584950-5043-4b46-4B58-495050434b46}\StubPath = "C:\\Windows\\system32\\umboaroad-ucid.exe"	anputen.exe

Sets file execution options in registry 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\0123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890 = "a"	anputen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger = "C:\\Windows\\system32\\udvugom-exum.exe"	anputen.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe	anputen.exe

Executes dropped EXE 2 IoCs

pid	Process
1624	anputen.exe
2884	anputen.exe

Loads dropped DLL 3 IoCs

pid	Process
2460	8f15d7c2b1018580fbaa2ab0c8709b40_NeikiAnalytics.exe
2460	8f15d7c2b1018580fbaa2ab0c8709b40_NeikiAnalytics.exe
1624	anputen.exe

Windows security modification 2 TTPs 4 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "25600"	anputen.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "25600"	anputen.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "25600"	anputen.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "25600"	anputen.exe

Modifies WinLogon 2 TTPs 5 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}	anputen.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify	anputen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345 = "a"	anputen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\DLLName = "C:\\Windows\\system32\\eacmoacop-atum.dll"	anputen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\Startup = "Startup"	anputen.exe

Drops file in System32 directory 9 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\umboaroad-ucid.exe	anputen.exe
File created	C:\Windows\SysWOW64\eacmoacop-atum.dll	anputen.exe
File opened for modification	C:\Windows\SysWOW64\anputen.exe	anputen.exe
File opened for modification	C:\Windows\SysWOW64\umboaroad-ucid.exe	anputen.exe
File created	C:\Windows\SysWOW64\anputen.exe	8f15d7c2b1018580fbaa2ab0c8709b40_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\udvugom-exum.exe	anputen.exe
File created	C:\Windows\SysWOW64\udvugom-exum.exe	anputen.exe
File opened for modification	C:\Windows\SysWOW64\eacmoacop-atum.dll	anputen.exe
File opened for modification	C:\Windows\SysWOW64\anputen.exe	8f15d7c2b1018580fbaa2ab0c8709b40_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1624	anputen.exe
1624	anputen.exe
1624	anputen.exe
1624	anputen.exe
2884	anputen.exe
1624	anputen.exe
1624	anputen.exe
1624	anputen.exe
1624	anputen.exe
1624	anputen.exe
1624	anputen.exe
1624	anputen.exe
1624	anputen.exe
1624	anputen.exe
1624	anputen.exe
1624	anputen.exe
1624	anputen.exe
1624	anputen.exe
1624	anputen.exe
1624	anputen.exe
1624	anputen.exe
1624	anputen.exe
1624	anputen.exe
1624	anputen.exe
1624	anputen.exe
1624	anputen.exe
1624	anputen.exe
1624	anputen.exe
1624	anputen.exe
1624	anputen.exe
1624	anputen.exe
1624	anputen.exe
1624	anputen.exe
1624	anputen.exe
1624	anputen.exe
1624	anputen.exe
1624	anputen.exe
1624	anputen.exe
1624	anputen.exe
1624	anputen.exe
1624	anputen.exe
1624	anputen.exe
1624	anputen.exe
1624	anputen.exe
1624	anputen.exe
1624	anputen.exe
1624	anputen.exe
1624	anputen.exe
1624	anputen.exe
1624	anputen.exe
1624	anputen.exe
1624	anputen.exe
1624	anputen.exe
1624	anputen.exe
1624	anputen.exe
1624	anputen.exe
1624	anputen.exe
1624	anputen.exe
1624	anputen.exe
1624	anputen.exe
1624	anputen.exe
1624	anputen.exe
1624	anputen.exe
1624	anputen.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1624	anputen.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2460 wrote to memory of 1624	2460	8f15d7c2b1018580fbaa2ab0c8709b40_NeikiAnalytics.exe	28
PID 2460 wrote to memory of 1624	2460	8f15d7c2b1018580fbaa2ab0c8709b40_NeikiAnalytics.exe	28
PID 2460 wrote to memory of 1624	2460	8f15d7c2b1018580fbaa2ab0c8709b40_NeikiAnalytics.exe	28
PID 2460 wrote to memory of 1624	2460	8f15d7c2b1018580fbaa2ab0c8709b40_NeikiAnalytics.exe	28
PID 1624 wrote to memory of 424	1624	anputen.exe	5
PID 1624 wrote to memory of 1204	1624	anputen.exe	21
PID 1624 wrote to memory of 1204	1624	anputen.exe	21
PID 1624 wrote to memory of 2884	1624	anputen.exe	29
PID 1624 wrote to memory of 2884	1624	anputen.exe	29
PID 1624 wrote to memory of 2884	1624	anputen.exe	29
PID 1624 wrote to memory of 2884	1624	anputen.exe	29
PID 1624 wrote to memory of 1204	1624	anputen.exe	21
PID 1624 wrote to memory of 1204	1624	anputen.exe	21
PID 1624 wrote to memory of 1204	1624	anputen.exe	21
PID 1624 wrote to memory of 1204	1624	anputen.exe	21
PID 1624 wrote to memory of 1204	1624	anputen.exe	21
PID 1624 wrote to memory of 1204	1624	anputen.exe	21
PID 1624 wrote to memory of 1204	1624	anputen.exe	21
PID 1624 wrote to memory of 1204	1624	anputen.exe	21
PID 1624 wrote to memory of 1204	1624	anputen.exe	21
PID 1624 wrote to memory of 1204	1624	anputen.exe	21
PID 1624 wrote to memory of 1204	1624	anputen.exe	21
PID 1624 wrote to memory of 1204	1624	anputen.exe	21
PID 1624 wrote to memory of 1204	1624	anputen.exe	21
PID 1624 wrote to memory of 1204	1624	anputen.exe	21
PID 1624 wrote to memory of 1204	1624	anputen.exe	21
PID 1624 wrote to memory of 1204	1624	anputen.exe	21
PID 1624 wrote to memory of 1204	1624	anputen.exe	21
PID 1624 wrote to memory of 1204	1624	anputen.exe	21
PID 1624 wrote to memory of 1204	1624	anputen.exe	21
PID 1624 wrote to memory of 1204	1624	anputen.exe	21
PID 1624 wrote to memory of 1204	1624	anputen.exe	21
PID 1624 wrote to memory of 1204	1624	anputen.exe	21
PID 1624 wrote to memory of 1204	1624	anputen.exe	21
PID 1624 wrote to memory of 1204	1624	anputen.exe	21
PID 1624 wrote to memory of 1204	1624	anputen.exe	21
PID 1624 wrote to memory of 1204	1624	anputen.exe	21
PID 1624 wrote to memory of 1204	1624	anputen.exe	21
PID 1624 wrote to memory of 1204	1624	anputen.exe	21
PID 1624 wrote to memory of 1204	1624	anputen.exe	21
PID 1624 wrote to memory of 1204	1624	anputen.exe	21
PID 1624 wrote to memory of 1204	1624	anputen.exe	21
PID 1624 wrote to memory of 1204	1624	anputen.exe	21
PID 1624 wrote to memory of 1204	1624	anputen.exe	21
PID 1624 wrote to memory of 1204	1624	anputen.exe	21
PID 1624 wrote to memory of 1204	1624	anputen.exe	21
PID 1624 wrote to memory of 1204	1624	anputen.exe	21
PID 1624 wrote to memory of 1204	1624	anputen.exe	21
PID 1624 wrote to memory of 1204	1624	anputen.exe	21
PID 1624 wrote to memory of 1204	1624	anputen.exe	21
PID 1624 wrote to memory of 1204	1624	anputen.exe	21
PID 1624 wrote to memory of 1204	1624	anputen.exe	21
PID 1624 wrote to memory of 1204	1624	anputen.exe	21
PID 1624 wrote to memory of 1204	1624	anputen.exe	21
PID 1624 wrote to memory of 1204	1624	anputen.exe	21
PID 1624 wrote to memory of 1204	1624	anputen.exe	21
PID 1624 wrote to memory of 1204	1624	anputen.exe	21
PID 1624 wrote to memory of 1204	1624	anputen.exe	21
PID 1624 wrote to memory of 1204	1624	anputen.exe	21
PID 1624 wrote to memory of 1204	1624	anputen.exe	21
PID 1624 wrote to memory of 1204	1624	anputen.exe	21
PID 1624 wrote to memory of 1204	1624	anputen.exe	21
PID 1624 wrote to memory of 1204	1624	anputen.exe	21
PID 1624 wrote to memory of 1204	1624	anputen.exe	21

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:424

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1204
- C:\Users\Admin\AppData\Local\Temp\8f15d7c2b1018580fbaa2ab0c8709b40_NeikiAnalytics.exe
  "C:\Users\Admin\AppData\Local\Temp\8f15d7c2b1018580fbaa2ab0c8709b40_NeikiAnalytics.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2460
- - C:\Windows\SysWOW64\anputen.exe
    "C:\Windows\SysWOW64\anputen.exe"
    3⤵
    - Windows security bypass
    - Modifies Installed Components in the registry
    - Sets file execution options in registry
    - Executes dropped EXE
    - Loads dropped DLL
    - Windows security modification
    - Modifies WinLogon
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1624
  - - C:\Windows\SysWOW64\anputen.exe
      --k33p
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:2884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\eacmoacop-atum.dll

Filesize
5KB

MD5
f37b21c00fd81bd93c89ce741a88f183

SHA1
b2796500597c68e2f5638e1101b46eaf32676c1c

SHA256
76cf016fd77cb5a06c6ed4674ddc2345e8390c010cf344491a6e742baf2c0fb0

SHA512
252fe66dea9a4b9aebc5fd2f24434719cb25159ba51549d9de407f44b6a2f7bce6e071be02c4f2ad6aef588c77f12c00ed415eb54f96dec1b077326e101ce0f4

Download Submit
C:\Windows\SysWOW64\udvugom-exum.exe

Filesize
74KB

MD5
ea6d84ba6eae349ebc41df04f02fe2c5

SHA1
2f24a394fa2b6a4eb9f779d6c786f91461b22e6e

SHA256
12a9be01c2877097b0a59af4c16bf7460742c9e8ec6ca0e63ce27077e8bff4d7

SHA512
3c92aa54ecc0be55b09864e2d001ef5d83e8f6a9f2e7ef3420dcea70d60bb83272bd025257a8e6f7a0975d3eb23358c2bc76358297bdd445e52bd07577c3f665

Download Submit
C:\Windows\SysWOW64\umboaroad-ucid.exe

Filesize
73KB

MD5
0b6d8a913f84108e1ff8cfd8519c9420

SHA1
deff9a8f20f6aaa9b54d7ac190c26528df45ba54

SHA256
30657c4e343740837854dc9037ef3ad64aff0e736a1c45ba249aba53886d91ac

SHA512
4789ed816ef2b081afb31cee2b3dcbe86ba6742223a45b368111b33d999cb2e6dac38832f1ff3287653099f50a36af78e434b150f730b6c44e30c28f4c0d5bf0

Download Submit
\Windows\SysWOW64\anputen.exe

Filesize
71KB

MD5
4e169fcb14b60351212df9543ab836dc

SHA1
d9119f58cda7417f202939cbf70d240ce45e32a1

SHA256
94eb9f7713ac8b75da73e4d3692314c70463116073fa4a247f9dc8aee1ca6373

SHA512
b27c4067866aaadcba7329417cee3b1762074b765a85b359f43490cf38e61bb315b5eb43e5f9d22e877d08b53bdcc90a8ef2dba9026310d319987bf79b694895

Download Submit
memory/1624-50-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2460-7-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/2884-51-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download