057b297a06c6d51388359f7b78f504e839d90d296a66188a698869e801ddde20

General

Target

8126db868be6fab264e7de95f27eb4e0_NeikiAnalytics.exe
Size

1.1MB
MD5

8126db868be6fab264e7de95f27eb4e0
SHA1

1cad6c9456970c8b4e5a237d936ae212cecd9284
SHA256

057b297a06c6d51388359f7b78f504e839d90d296a66188a698869e801ddde20
SHA512

5933644b79d94447727f3938898f374168a9825a4d06dd5ada90ddd5e71f37cdf27c36cb8038854a9315600e57713245e9b00c31d8ef76622b92cea9c0fadad5
SSDEEP

24576:pAHnh+eWsN3skA4RV1Hom2KXMmHaE6FzdQ1DiblY25:wh+ZkldoPK8YaE65dQ1DiblJ

Score

5^/10

Malware Config

Signatures

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2440 set thread context of 1884	2440	8126db868be6fab264e7de95f27eb4e0_NeikiAnalytics.exe	28
PID 1884 set thread context of 1144	1884	svchost.exe	20
PID 1884 set thread context of 2404	1884	svchost.exe	31
PID 2404 set thread context of 1144	2404	convert.exe	20

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	convert.exe

Suspicious behavior: EnumeratesProcesses 29 IoCs

pid	Process
1884	svchost.exe
1884	svchost.exe
1884	svchost.exe
1884	svchost.exe
1884	svchost.exe
1884	svchost.exe
1884	svchost.exe
1884	svchost.exe
2404	convert.exe
2404	convert.exe
2404	convert.exe
2404	convert.exe
2404	convert.exe
2404	convert.exe
2404	convert.exe
2404	convert.exe
2404	convert.exe
2404	convert.exe
2404	convert.exe
2404	convert.exe
2404	convert.exe
2404	convert.exe
2404	convert.exe
2404	convert.exe
2404	convert.exe
2404	convert.exe
2404	convert.exe
2404	convert.exe
2404	convert.exe

Suspicious behavior: MapViewOfSection 6 IoCs

pid	Process
2440	8126db868be6fab264e7de95f27eb4e0_NeikiAnalytics.exe
1884	svchost.exe
1144	Explorer.EXE
1144	Explorer.EXE
2404	convert.exe
2404	convert.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2440	8126db868be6fab264e7de95f27eb4e0_NeikiAnalytics.exe
2440	8126db868be6fab264e7de95f27eb4e0_NeikiAnalytics.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2440	8126db868be6fab264e7de95f27eb4e0_NeikiAnalytics.exe
2440	8126db868be6fab264e7de95f27eb4e0_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2440 wrote to memory of 1884	2440	8126db868be6fab264e7de95f27eb4e0_NeikiAnalytics.exe	28
PID 2440 wrote to memory of 1884	2440	8126db868be6fab264e7de95f27eb4e0_NeikiAnalytics.exe	28
PID 2440 wrote to memory of 1884	2440	8126db868be6fab264e7de95f27eb4e0_NeikiAnalytics.exe	28
PID 2440 wrote to memory of 1884	2440	8126db868be6fab264e7de95f27eb4e0_NeikiAnalytics.exe	28
PID 2440 wrote to memory of 1884	2440	8126db868be6fab264e7de95f27eb4e0_NeikiAnalytics.exe	28
PID 1144 wrote to memory of 2404	1144	Explorer.EXE	31
PID 1144 wrote to memory of 2404	1144	Explorer.EXE	31
PID 1144 wrote to memory of 2404	1144	Explorer.EXE	31
PID 1144 wrote to memory of 2404	1144	Explorer.EXE	31

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1144
- C:\Users\Admin\AppData\Local\Temp\8126db868be6fab264e7de95f27eb4e0_NeikiAnalytics.exe
  "C:\Users\Admin\AppData\Local\Temp\8126db868be6fab264e7de95f27eb4e0_NeikiAnalytics.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2440
- - C:\Windows\SysWOW64\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\8126db868be6fab264e7de95f27eb4e0_NeikiAnalytics.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    PID:1884
- C:\Windows\SysWOW64\convert.exe
  "C:\Windows\SysWOW64\convert.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:2404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\parachronistic

Filesize
265KB

MD5
444d369d29385c219ed7475a8f60ca33

SHA1
93795f912d94c7e200a2a3803051a6990912fd7d

SHA256
e879d486b4aa7deb786797fe1d9f9d88c8a42fc598c4d6438fb441739831a1d0

SHA512
8be6780969e826bf8e59bf71d1acb36ebfce9bc1faa69b2be3b45ff4fbd79624923ba53e4dc3283b8add817b96c6d006dd3bf05fb90f386da3a34fae00108b15

Download Submit
memory/1144-28-0x0000000008D70000-0x00000000095BD000-memory.dmp

Filesize
8.3MB

Download
memory/1144-20-0x0000000008D70000-0x00000000095BD000-memory.dmp

Filesize
8.3MB

Download
memory/1144-18-0x0000000002FA0000-0x00000000030A0000-memory.dmp

Filesize
1024KB

Download
memory/1884-15-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1884-24-0x00000000001B0000-0x00000000001D2000-memory.dmp

Filesize
136KB

Download
memory/1884-16-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1884-17-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1884-19-0x00000000001B0000-0x00000000001D2000-memory.dmp

Filesize
136KB

Download
memory/1884-13-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1884-12-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1884-14-0x0000000000A70000-0x0000000000D73000-memory.dmp

Filesize
3.0MB

Download
memory/1884-23-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2404-22-0x0000000000080000-0x00000000000BF000-memory.dmp

Filesize
252KB

Download
memory/2404-21-0x0000000000080000-0x00000000000BF000-memory.dmp

Filesize
252KB

Download
memory/2404-25-0x00000000024A0000-0x00000000027A3000-memory.dmp

Filesize
3.0MB

Download
memory/2404-26-0x0000000000080000-0x00000000000BF000-memory.dmp

Filesize
252KB

Download
memory/2404-27-0x00000000021D0000-0x0000000002271000-memory.dmp

Filesize
644KB

Download
memory/2404-29-0x0000000000080000-0x00000000000BF000-memory.dmp

Filesize
252KB

Download
memory/2440-11-0x00000000000B0000-0x00000000000B4000-memory.dmp

Filesize
16KB

Download

Analysis

Sharing