c27f198a3d300e84efb511e412d7c5454bd4747f8fd064d1cc6d04e287fd6294

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
02-06-2024 05:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3f4dad24bd40827af8ad5f35585cd990_NeikiAnalytics.exe
Size

29KB
MD5

3f4dad24bd40827af8ad5f35585cd990
SHA1

a1ec306d8be4540fe23686edc651bcb9059ce42a
SHA256

c27f198a3d300e84efb511e412d7c5454bd4747f8fd064d1cc6d04e287fd6294
SHA512

de3eaf235cc970bee5aac59efd896273ed74795213297515560ac6ee9c8e9e2e48f3acf99d4dd8c58c59fb219de9b53e2e040bd881b1c703aff895174d035044
SSDEEP

768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9/7x:AEwVs+0jNDY1qi/qd

Score

7^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1828	services.exe

UPX packed file 26 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3000-0-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/files/0x0037000000015c9b-6.dat	upx
behavioral1/memory/1828-11-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/3000-17-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/1828-18-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1828-23-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1828-30-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/3000-31-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/1828-32-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1828-37-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/files/0x0008000000015cf5-47.dat	upx
behavioral1/memory/3000-57-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/1828-58-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/3000-59-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/1828-60-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/3000-64-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/1828-65-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1828-70-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/3000-71-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/1828-72-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1828-77-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1828-433-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/3000-432-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/3000-463-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral1/memory/1828-464-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral1/memory/1828-468-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	3f4dad24bd40827af8ad5f35585cd990_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\services.exe	3f4dad24bd40827af8ad5f35585cd990_NeikiAnalytics.exe
File opened for modification	C:\Windows\java.exe	3f4dad24bd40827af8ad5f35585cd990_NeikiAnalytics.exe
File created	C:\Windows\java.exe	3f4dad24bd40827af8ad5f35585cd990_NeikiAnalytics.exe

Modifies system certificate store 2 TTPs 9 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	3f4dad24bd40827af8ad5f35585cd990_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	3f4dad24bd40827af8ad5f35585cd990_NeikiAnalytics.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	3f4dad24bd40827af8ad5f35585cd990_NeikiAnalytics.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	3f4dad24bd40827af8ad5f35585cd990_NeikiAnalytics.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	3f4dad24bd40827af8ad5f35585cd990_NeikiAnalytics.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	3f4dad24bd40827af8ad5f35585cd990_NeikiAnalytics.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	3f4dad24bd40827af8ad5f35585cd990_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	3f4dad24bd40827af8ad5f35585cd990_NeikiAnalytics.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	3f4dad24bd40827af8ad5f35585cd990_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3000 wrote to memory of 1828	3000	3f4dad24bd40827af8ad5f35585cd990_NeikiAnalytics.exe	28
PID 3000 wrote to memory of 1828	3000	3f4dad24bd40827af8ad5f35585cd990_NeikiAnalytics.exe	28
PID 3000 wrote to memory of 1828	3000	3f4dad24bd40827af8ad5f35585cd990_NeikiAnalytics.exe	28
PID 3000 wrote to memory of 1828	3000	3f4dad24bd40827af8ad5f35585cd990_NeikiAnalytics.exe	28

C:\Users\Admin\AppData\Local\Temp\3f4dad24bd40827af8ad5f35585cd990_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\3f4dad24bd40827af8ad5f35585cd990_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:3000
- C:\Windows\services.exe
  "C:\Windows\services.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:1828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7c5e9dfccfd9686ebc1b24f81e77a3d4

SHA1
e2b2f62d639d32e164e76df080818abf968db442

SHA256
7ebf7cb45aadc297d5fd8f028744fcacca6067045f2ed987fdc391c011c01fef

SHA512
aba0d3fde7bffcb568268513252eb2fa31d70fba7da9ce187582dc241ce91695961792eec2b07501d0cc9904e5bf04cf1fd9e57297d767842274d92edb5d3a7e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bcb3df24ca0e6d780ff449b608aadfc6

SHA1
3ab35c48d03f99fa088b57edb2fcb28bdf79aef5

SHA256
8594b8c5bb80f986e2a17b8901157ac1c9e993afed120894b8056c171656d258

SHA512
570f46f752c65996922b758aa2bc8a151bcb177f2e6005d2bf85df47a12d8013e069953b59da780aecefba1cb4bf3b8cf8a8b6d321d1bea2923e37f95d307b59

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
130204afb4fe308a34a2fd4a90168119

SHA1
fbfc0033e4e44e86dae36ad8728f12f5ee5a4525

SHA256
10ba4f470849b3c6780511bc0b47695451b893868b7cbfef78da735cbb195cbd

SHA512
2c74daaa066d8fd661fcf9c0c26486054fd33497b0f844d5262adea600a886c98ef61e153a1a9f1a8a030ed98ca6bd07a8e0d4eaa604da6c8f7837a7fef35b51

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a404f6e1f90882b94804c46a680be26d

SHA1
c51420d8bcda1d5fff730f06141dad25ed26a3ed

SHA256
888b11d0bf72173086f7aea5b73cd267824eac09549179d16e4272e366d48b89

SHA512
afe028491746c9f44165142dc43bcb13aac678b8bb1b042f2e6103823518dcb2b9bb62ac3f87dc8be220d3887f5bb28f9c61b4f0f85726458277eca4e035bd35

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabEB04.tmp

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabEBB1.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarEBE5.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpECF0.tmp

Filesize
29KB

MD5
4213b8568c19f9a1e519941e083aa883

SHA1
ba0e9c8880759e9bb4d59c7f3a1693b7614ebd5c

SHA256
5fe2c7b56e86d46f93511d69d65c34847c9eb8571cdbd466e48fe3651adf1eb7

SHA512
6cb694b75ff69ad05ef16093e80879b3251844e998e257940df813a25888265bf4ebcaad9d8c91ac84b0c4d018033f721d649eabf6057132ce92d2be1829aecb

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
352B

MD5
b6e05922968206c81be1ba3d19061d1c

SHA1
baf8912fc690de5a3ff9620e0dedcba95e6e95d0

SHA256
6db9a426b0ac2eaf13764584ad3dd2a36417e6d98dd04060afaff9f26f725aad

SHA512
f8acbc65be8bbdcd7beb684caf6c0a3dcb34ece5940e912c1ac9c05a5a7faab2bb37f508115459c637a9e617bbf8ded6b3a20a12db95bfaa7243d272487cf408

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
352B

MD5
2a51ba79c2d0e81df30433479e4cf2d8

SHA1
83e6cf91483c4024145c7642bb7dd4ae5ee7d0ed

SHA256
671f27c5361444deb8b7048ae450af92a3bc5480b859ef5a238fd69f50a0ad5b

SHA512
d2b326388bb2f660cfdd9e1de801482734c9e73296badf0945540d93815712b2df612cfe2d1eb474824055d0a7495a3cc20d29dfbc8442a91a5bd880742e2709

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
352B

MD5
98d224f6391b79f60f0f29301cd83265

SHA1
bc888ea6187bd9198fe0a159ae72c614da5ded59

SHA256
f7a860e5455eb0b95f1d2e71ec6ba3bbca82fb6887ac10524bb30fbda8c6d673

SHA512
e01e1e346f6c3a1c6c06e7692aae46ab4d9ecf90d39a3bc2ea55f9bd4ed1699edcbe9536c6a05a434f54344d5c275a807d114bba8b63929ab473e1bcabe5d00d

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
352B

MD5
3dc7444ae63e615dc99237384e6c8fa3

SHA1
61080818d1e7d4cb035ab39d50c1c07e66c22fac

SHA256
18634334219469c006c38b1288ee6169f57d3c173291a4c0c447cec64c9974d3

SHA512
29b2ce88470bef1ac102290265f7519383ad0265bdf702ab082646f27a5d7c2650ae1d4a5afacdcb31a6360783e14b98a884f9ee0d3cf57ffe91219484784a79

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/1828-60-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1828-11-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1828-32-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1828-468-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1828-58-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1828-464-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1828-433-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1828-23-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1828-65-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1828-70-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1828-18-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1828-72-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1828-77-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1828-37-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1828-30-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3000-31-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/3000-25-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3000-24-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3000-71-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/3000-17-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/3000-8-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3000-64-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/3000-0-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/3000-432-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/3000-463-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/3000-59-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/3000-57-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/3000-9-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads