Analysis

- Max time kernel: 123s
- Max time network: 119s
- Platform: windows7_x64
- Resource: win7-20240221-en
- Resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- Submitted: 03/06/2024, 21:34

Tasks

- Static task static1
- Behavioral task behavioral1: sample 05421a3a7d61ef0172dfebaced7ae130_NeikiAnalytics.exe, resource win7-20240221-en
- Behavioral task behavioral2: sample 05421a3a7d61ef0172dfebaced7ae130_NeikiAnalytics.exe, resource win10v2004-20240508-en
General

- Target: 05421a3a7d61ef0172dfebaced7ae130_NeikiAnalytics.exe
- Size: 9.5MB
- MD5: 05421a3a7d61ef0172dfebaced7ae130
- SHA1: 2e770a098d720781e409379f118f26665b228312
- SHA256: 478ce9d713b94900e8deef871499cac0bda4c7c75e31bae22186bed1a61dbc2b
- SHA512: 34014d1b1688646392daf930c864bf3e4a45c974753a4cf1b0e29470402da3b9af8610789dd7add0358ea37420a96fdd47dc020684555a6d360a7e16549ebfa2
- SSDEEP: 196608:gMmD2mDe2mDMmD2mDc2mDMmD2mDe2mDMmD2mDc2mDMmD2mD4c2mDMmD2mDe2mDMO:3
Malware Config
Signatures
Modifies visibility of file extensions in Explorer (2 TTPs, 3 IoCs)

| Description | IoC | Process |
|---|---|---|
| Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | 05421a3a7d61ef0172dfebaced7ae130_NeikiAnalytics.exe |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | avscan.exe |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | hosts.exe |
Modifies visibility of hidden/system files in Explorer (2 TTPs, 3 IoCs)

| Description | IoC | Process |
|---|---|---|
| Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | 05421a3a7d61ef0172dfebaced7ae130_NeikiAnalytics.exe |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | avscan.exe |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | hosts.exe |
Adds policy Run key to start application (2 TTPs, 6 IoCs)

| Description | IoC | Process |
|---|---|---|
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | WScript.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\IZKCKOTP = "W_X_C.bat" | WScript.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | WScript.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\IZKCKOTP = "W_X_C.bat" | WScript.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | WScript.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\IZKCKOTP = "W_X_C.bat" | WScript.exe |
Executes dropped EXE (6 IoCs)

| PID | Process |
|---|---|
| 2708 | avscan.exe |
| 2720 | avscan.exe |
| 2408 | hosts.exe |
| 2420 | hosts.exe |
| 2960 | avscan.exe |
| 2940 | hosts.exe |
Loads dropped DLL (5 IoCs)

| PID | Process |
|---|---|
| 2588 | 05421a3a7d61ef0172dfebaced7ae130_NeikiAnalytics.exe |
| 2588 | 05421a3a7d61ef0172dfebaced7ae130_NeikiAnalytics.exe |
| 2708 | avscan.exe |
| 2408 | hosts.exe |
| 2408 | hosts.exe |
Adds Run key to start application (2 TTPs, 3 IoCs)

| Description | IoC | Process |
|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe" | 05421a3a7d61ef0172dfebaced7ae130_NeikiAnalytics.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe" | avscan.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe" | hosts.exe |
Drops file in Windows directory (5 IoCs)

| Description | IoC | Process |
|---|---|---|
| File created | C:\windows\W_X_C.vbs | 05421a3a7d61ef0172dfebaced7ae130_NeikiAnalytics.exe |
| File created | \??\c:\windows\W_X_C.bat | 05421a3a7d61ef0172dfebaced7ae130_NeikiAnalytics.exe |
| File opened for modification | C:\Windows\hosts.exe | 05421a3a7d61ef0172dfebaced7ae130_NeikiAnalytics.exe |
| File opened for modification | C:\Windows\hosts.exe | avscan.exe |
| File opened for modification | C:\Windows\hosts.exe | hosts.exe |
Enumerates physical storage devices (1 TTPs)

Attempts to interact with connected storage/optical drive(s).
Modifies registry key (1 TTPs, 9 IoCs)

| PID | Process |
|---|---|
| 2100 | REG.exe |
| 1188 | REG.exe |
| 1752 | REG.exe |
| 1268 | REG.exe |
| 980 | REG.exe |
| 2028 | REG.exe |
| 1568 | REG.exe |
| 108 | REG.exe |
| 1172 | REG.exe |
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)

| PID | Process |
|---|---|
| 2708 | avscan.exe |
| 2408 | hosts.exe |
Suspicious use of SetWindowsHookEx (7 IoCs)

| PID | Process |
|---|---|
| 2588 | 05421a3a7d61ef0172dfebaced7ae130_NeikiAnalytics.exe |
| 2708 | avscan.exe |
| 2720 | avscan.exe |
| 2408 | hosts.exe |
| 2960 | avscan.exe |
| 2420 | hosts.exe |
| 2940 | hosts.exe |
Suspicious use of WriteProcessMemory (64 IoCs)

The report records each distinct write event four times (64 IoCs in total); the identical repeats are collapsed into the Count column.

| Description | PID | Process | procid_target | Count |
|---|---|---|---|---|
| PID 2588 wrote to memory of 2100 | 2588 | 05421a3a7d61ef0172dfebaced7ae130_NeikiAnalytics.exe | 28 | 4 |
| PID 2588 wrote to memory of 2708 | 2588 | 05421a3a7d61ef0172dfebaced7ae130_NeikiAnalytics.exe | 30 | 4 |
| PID 2708 wrote to memory of 2720 | 2708 | avscan.exe | 31 | 4 |
| PID 2708 wrote to memory of 2428 | 2708 | avscan.exe | 32 | 4 |
| PID 2588 wrote to memory of 2576 | 2588 | 05421a3a7d61ef0172dfebaced7ae130_NeikiAnalytics.exe | 34 | 4 |
| PID 2576 wrote to memory of 2420 | 2576 | cmd.exe | 37 | 4 |
| PID 2428 wrote to memory of 2408 | 2428 | cmd.exe | 36 | 4 |
| PID 2408 wrote to memory of 2960 | 2408 | hosts.exe | 38 | 4 |
| PID 2408 wrote to memory of 2260 | 2408 | hosts.exe | 39 | 4 |
| PID 2260 wrote to memory of 2940 | 2260 | cmd.exe | 41 | 4 |
| PID 2576 wrote to memory of 2684 | 2576 | cmd.exe | 43 | 4 |
| PID 2260 wrote to memory of 2748 | 2260 | cmd.exe | 44 | 4 |
| PID 2428 wrote to memory of 2764 | 2428 | cmd.exe | 42 | 4 |
| PID 2708 wrote to memory of 1188 | 2708 | avscan.exe | 45 | 4 |
| PID 2408 wrote to memory of 1568 | 2408 | hosts.exe | 47 | 4 |
| PID 2708 wrote to memory of 1752 | 2708 | avscan.exe | 51 | 4 |
Processes

Process tree (nesting shows parent/child relationships; each entry gives image path, PID, command line and matched signatures):

- C:\Users\Admin\AppData\Local\Temp\05421a3a7d61ef0172dfebaced7ae130_NeikiAnalytics.exe (PID 2588)
  Command line: "C:\Users\Admin\AppData\Local\Temp\05421a3a7d61ef0172dfebaced7ae130_NeikiAnalytics.exe"
  Signatures: Modifies visibility of file extensions in Explorer; Modifies visibility of hidden/system files in Explorer; Loads dropped DLL; Adds Run key to start application; Drops file in Windows directory; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\REG.exe (PID 2100)
    Command line: REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    Signatures: Modifies registry key
  - C:\Users\Admin\AppData\Local\Temp\avscan.exe (PID 2708)
    Command line: C:\Users\Admin\AppData\Local\Temp\avscan.exe
    Signatures: Modifies visibility of file extensions in Explorer; Modifies visibility of hidden/system files in Explorer; Executes dropped EXE; Loads dropped DLL; Adds Run key to start application; Drops file in Windows directory; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\avscan.exe (PID 2720)
      Command line: C:\Users\Admin\AppData\Local\Temp\avscan.exe
      Signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
    - C:\Windows\SysWOW64\cmd.exe (PID 2428)
      Command line: cmd /c c:\windows\W_X_C.bat
      Signatures: Suspicious use of WriteProcessMemory
      - C:\windows\hosts.exe (PID 2408)
        Command line: C:\windows\hosts.exe
        Signatures: Modifies visibility of file extensions in Explorer; Modifies visibility of hidden/system files in Explorer; Executes dropped EXE; Loads dropped DLL; Adds Run key to start application; Drops file in Windows directory; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
        - C:\Users\Admin\AppData\Local\Temp\avscan.exe (PID 2960)
          Command line: C:\Users\Admin\AppData\Local\Temp\avscan.exe
          Signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
        - C:\Windows\SysWOW64\cmd.exe (PID 2260)
          Command line: cmd /c c:\windows\W_X_C.bat
          Signatures: Suspicious use of WriteProcessMemory
          - C:\windows\hosts.exe (PID 2940)
            Command line: C:\windows\hosts.exe
            Signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
          - C:\Windows\SysWOW64\WScript.exe (PID 2748)
            Command line: "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
            Signatures: Adds policy Run key to start application
        - C:\Windows\SysWOW64\REG.exe (PID 1568)
          Command line: REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
          Signatures: Modifies registry key
        - C:\Windows\SysWOW64\REG.exe (PID 108)
          Command line: REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
          Signatures: Modifies registry key
        - C:\Windows\SysWOW64\REG.exe (PID 980)
          Command line: REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
          Signatures: Modifies registry key
        - C:\Windows\SysWOW64\REG.exe (PID 1172)
          Command line: REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
          Signatures: Modifies registry key
      - C:\Windows\SysWOW64\WScript.exe (PID 2764)
        Command line: "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
        Signatures: Adds policy Run key to start application
    - C:\Windows\SysWOW64\REG.exe (PID 1188)
      Command line: REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
      Signatures: Modifies registry key
    - C:\Windows\SysWOW64\REG.exe (PID 1752)
      Command line: REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
      Signatures: Modifies registry key
    - C:\Windows\SysWOW64\REG.exe (PID 1268)
      Command line: REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
      Signatures: Modifies registry key
    - C:\Windows\SysWOW64\REG.exe (PID 2028)
      Command line: REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
      Signatures: Modifies registry key
  - C:\Windows\SysWOW64\cmd.exe (PID 2576)
    Command line: cmd /c c:\windows\W_X_C.bat
    Signatures: Suspicious use of WriteProcessMemory
    - C:\windows\hosts.exe (PID 2420)
      Command line: C:\windows\hosts.exe
      Signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
    - C:\Windows\SysWOW64\WScript.exe (PID 2684)
      Command line: "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
      Signatures: Adds policy Run key to start application
Network
MITRE ATT&CK Enterprise v15
Downloads