Analysis
max time kernel: 149s
max time network: 139s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02/06/2024, 00:52
Static task: static1
Behavioral task: behavioral1
Sample: 16f33103486a44e3fbc984bb2e24d560_NeikiAnalytics.exe
Resource: win7-20231129-en
Behavioral task: behavioral2
Sample: 16f33103486a44e3fbc984bb2e24d560_NeikiAnalytics.exe
Resource: win10v2004-20240426-en
The results below are from behavioral2: the platform and resource fields above (windows10-2004_x64, win10v2004-20240426-en) match that task, not the win7 one.
General
Target: 16f33103486a44e3fbc984bb2e24d560_NeikiAnalytics.exe
Size: 160KB
MD5: 16f33103486a44e3fbc984bb2e24d560
SHA1: b0bebc288b6d5f5fb18f1e1c3b1d0f89449bbd7b
SHA256: 99343d229dd14c2bd040955c6984373fa4b8738233cc90e1d3a4ddf378257af7
SHA512: 820375e42a684a3c416dbc7310c72fec55e1e08431c8c95ace80554c306eaa6237bb82dc7dc4a40610e05396348c585dfebadd070c543c610dbb865e4d8bf6c1
SSDEEP: 3072:fKy5hExmTzwhr1/a84HesWgsIAzRvwa7vUlX1p6SS4uBoA/LVzxISnAOFZDwFU0I:fJ5hEgTzaA+sWgsIORRIlX1p6SSoKVua
Malware Config
Signatures

Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | 16f33103486a44e3fbc984bb2e24d560_NeikiAnalytics.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | puiloe.exe
ShowSuperHidden = 0 is the per-user "hide protected operating system files" setting, so files carrying the hidden+system attributes stay out of Explorer listings. Both the dropper and the dropped copy set it.

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation | 16f33103486a44e3fbc984bb2e24d560_NeikiAnalytics.exe
Executes dropped EXE (1 IoCs)
pid | Process
4908 | puiloe.exe
Adds Run key to start application (2 TTPs, 52 IoCs)
description | ioc | Process
All 52 entries set the same value under the same key; they differ only in the single-letter switch appended to the command line and in which process performed the write:
Set value (str) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\puiloe = "C:\\Users\\Admin\\puiloe.exe /<switch>" | see below
Written once by 16f33103486a44e3fbc984bb2e24d560_NeikiAnalytics.exe, with switch /j.
Written 51 times by puiloe.exe, with the switches (in recorded order, case as recorded): /B /N /C /a /e /t /w /q /W /H /L /I /i /A /p /z /d /R /b /j /g /V /s /T /Q /F /m /l /E /h /Y /v /c /D /o /X /r /Z /k /f /S /n /x /G /U /O /P /J /M /y /K
Because every write targets the same value name, only the last one survives on disk: a post-infection registry image shows one of these strings, not 52. Hunt on the constant parts (value name puiloe under HKCU\...\CurrentVersion\Run, target path C:\Users\Admin\puiloe.exe), not on an exact match of the value data, which the switch churn defeats.
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
4532 | 16f33103486a44e3fbc984bb2e24d560_NeikiAnalytics.exe (2 entries)
4908 | puiloe.exe (remaining 62 entries)
Suspicious use of SetWindowsHookEx (2 IoCs)
pid | Process
4532 | 16f33103486a44e3fbc984bb2e24d560_NeikiAnalytics.exe
4908 | puiloe.exe

Suspicious use of WriteProcessMemory (3 IoCs)
description | pid | Process | procid_target
PID 4532 wrote to memory of 4908 | 4532 | 16f33103486a44e3fbc984bb2e24d560_NeikiAnalytics.exe | 87
(the same entry is recorded three times)
The only target is the child that PID 4532 had just spawned, which is consistent with ordinary process creation (the parent writes the new process's startup parameters into the child). On its own this signature is not evidence of code injection into an unrelated process.
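The registry signatures above are easiest to act on once they are structured. The following Python is an added example, not part of the sandbox report and not code from the sample or from the sandbox vendor: it parses rows written in the report's "Set value (type) key\name = "data" process" shape and applies three checks drawn from this report, a Run value whose target lives in a user profile, the same Run value rewritten with churning switches, and ShowSuperHidden forced to 0. The sample rows are constructed to mirror entries shown above plus one constructed benign control (a hypothetical updater in Program Files); the rule names, the list of user-profile roots and the churn threshold are this example's own assumptions.

```python
"""Parse sandbox registry IoC rows and flag the persistence and defence-evasion
patterns seen in this report. Rule names and thresholds are example assumptions."""
import re
from collections import defaultdict

# Constructed sample rows in the report's own row format. The first four mirror
# entries shown in the report; the last is a constructed benign control entry.
SAMPLE_IOCS = [
    r'Set value (int) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" puiloe.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\puiloe = "C:\\Users\\Admin\\puiloe.exe /j" 16f33103486a44e3fbc984bb2e24d560_NeikiAnalytics.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\puiloe = "C:\\Users\\Admin\\puiloe.exe /B" puiloe.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\puiloe = "C:\\Users\\Admin\\puiloe.exe /N" puiloe.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ExampleUpdater = "C:\\Program Files\\Example\\updater.exe" updater.exe',
]

# Row shape: Set value (<type>) <key>\<name> = "<data>" <process>
ROW_RE = re.compile(
    r'^Set value \((?P<type>\w+)\) (?P<key>\\REGISTRY\\.+?)\\(?P<name>[^\\]+?) = "(?P<data>.*)" (?P<proc>\S+)$'
)
RUN_KEYS = ("\\currentversion\\run", "\\currentversion\\runonce")
USER_PROFILE_ROOTS = ("c:\\users\\",)  # assumption: user-writable roots worth flagging
CHURN_THRESHOLD = 3                      # assumption: distinct rewrites of one value before alerting


def parse_rows(lines):
    """Parse 'Set value' rows; rows of other shapes (e.g. 'Key value queried') are skipped."""
    rows = []
    for line in lines:
        m = ROW_RE.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows


def to_hive_path(sandbox_key):
    """Map the sandbox's \\REGISTRY\\USER\\... and \\REGISTRY\\MACHINE\\... spelling to HKU/HKLM."""
    path = re.sub(r'^\\REGISTRY\\USER\\', 'HKU\\\\', sandbox_key, flags=re.I)
    return re.sub(r'^\\REGISTRY\\MACHINE\\', 'HKLM\\\\', path, flags=re.I)


def exe_path(data):
    """Extract the executable from Run value data: undo the doubled backslashes the
    report prints, then cut at the first ' /' switch."""
    unescaped = data.replace("\\\\", "\\")
    return re.split(r'\s+/', unescaped, maxsplit=1)[0].strip('"')


def analyze(lines):
    """Return a list of findings, one dict per rule hit."""
    findings = []
    rewrites = defaultdict(set)  # (key, value name) -> distinct data strings written
    for r in parse_rows(lines):
        key_l = r["key"].lower()
        if key_l.endswith(RUN_KEYS):
            exe = exe_path(r["data"])
            rewrites[(key_l, r["name"].lower())].add(r["data"])
            if exe.lower().startswith(USER_PROFILE_ROOTS):
                findings.append({"rule": "run_key_user_profile", "value": r["name"], "exe": exe,
                                 "writer": r["proc"], "key": to_hive_path(r["key"])})
        if r["name"].lower() == "showsuperhidden" and r["data"] == "0":
            findings.append({"rule": "show_super_hidden_off", "writer": r["proc"],
                             "key": to_hive_path(r["key"])})
    for (key_l, name), variants in rewrites.items():
        if len(variants) >= CHURN_THRESHOLD:
            findings.append({"rule": "run_value_churn", "value": name, "variants": len(variants)})
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_IOCS):
        print(finding)
```

Run against the constructed rows, the three puiloe Run writes are flagged as user-profile persistence, the churn rule fires once for the puiloe value, ShowSuperHidden fires once, and the Program Files control entry produces nothing. To use it on a real report, paste the IoC rows of the "Adds Run key" and "Modifies visibility" tables into the list; the churn rule is what distinguishes this sample's 52 rewrites from a single legitimate Run entry.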
Processes
C:\Users\Admin\AppData\Local\Temp\16f33103486a44e3fbc984bb2e24d560_NeikiAnalytics.exe (PID 4532)
  command line: "C:\Users\Admin\AppData\Local\Temp\16f33103486a44e3fbc984bb2e24d560_NeikiAnalytics.exe"
  - Modifies visibility of hidden/system files in Explorer
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\puiloe.exe (PID 4908), child of PID 4532
      command line: "C:\Users\Admin\puiloe.exe"
      - Modifies visibility of hidden/system files in Explorer
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
The submitted sample ran from the user's Temp directory; the copy it dropped and launched lives directly in the profile root, C:\Users\Admin\puiloe.exe, which is also the path the Run value points at.
Network

MITRE ATT&CK Enterprise v15
Downloads
Filesize: 160KB
MD5: 222f730582b03df9649f8e8635e19266
SHA1: 87a26237cd014d7c80c920b7a4df6b49570cefd7
SHA256: 2052e6cef634d8711eef0158a15220daf38a83697232c8b7806fceb65635e5fd
SHA512: cb75a9719a7409a1798cb252e905011a953150254a491889da49994b10d304a25167d9c15eaaf21ebee10be9a35441c50b9df2df4872bd876ab6ab11630e53d9
This file has the same 160KB size as the submitted sample but different hashes, so it is not a byte-identical copy of it; both hash sets are worth blocking.