478ce9d713b94900e8deef871499cac0bda4c7c75e31bae22186bed1a61dbc2b

Analysis

max time kernel
123s
max time network
119s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
03/06/2024, 21:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

05421a3a7d61ef0172dfebaced7ae130_NeikiAnalytics.exe
Size

9.5MB
MD5

05421a3a7d61ef0172dfebaced7ae130
SHA1

2e770a098d720781e409379f118f26665b228312
SHA256

478ce9d713b94900e8deef871499cac0bda4c7c75e31bae22186bed1a61dbc2b
SHA512

34014d1b1688646392daf930c864bf3e4a45c974753a4cf1b0e29470402da3b9af8610789dd7add0358ea37420a96fdd47dc020684555a6d360a7e16549ebfa2
SSDEEP

196608:gMmD2mDe2mDMmD2mDc2mDMmD2mDe2mDMmD2mDc2mDMmD2mD4c2mDMmD2mDe2mDMO:3

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	05421a3a7d61ef0172dfebaced7ae130_NeikiAnalytics.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	avscan.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	hosts.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	05421a3a7d61ef0172dfebaced7ae130_NeikiAnalytics.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	avscan.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	hosts.exe

Adds policy Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\IZKCKOTP = "W_X_C.bat"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\IZKCKOTP = "W_X_C.bat"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\IZKCKOTP = "W_X_C.bat"	WScript.exe

Executes dropped EXE 6 IoCs

pid	Process
2708	avscan.exe
2720	avscan.exe
2408	hosts.exe
2420	hosts.exe
2960	avscan.exe
2940	hosts.exe

Loads dropped DLL 5 IoCs

pid	Process
2588	05421a3a7d61ef0172dfebaced7ae130_NeikiAnalytics.exe
2588	05421a3a7d61ef0172dfebaced7ae130_NeikiAnalytics.exe
2708	avscan.exe
2408	hosts.exe
2408	hosts.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	05421a3a7d61ef0172dfebaced7ae130_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	avscan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	hosts.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\windows\W_X_C.vbs	05421a3a7d61ef0172dfebaced7ae130_NeikiAnalytics.exe
File created	\??\c:\windows\W_X_C.bat	05421a3a7d61ef0172dfebaced7ae130_NeikiAnalytics.exe
File opened for modification	C:\Windows\hosts.exe	05421a3a7d61ef0172dfebaced7ae130_NeikiAnalytics.exe
File opened for modification	C:\Windows\hosts.exe	avscan.exe
File opened for modification	C:\Windows\hosts.exe	hosts.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 9 IoCs

Modify Registry

T1112

pid	Process
2100	REG.exe
1188	REG.exe
1752	REG.exe
1268	REG.exe
980	REG.exe
2028	REG.exe
1568	REG.exe
108	REG.exe
1172	REG.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2708	avscan.exe
2408	hosts.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
2588	05421a3a7d61ef0172dfebaced7ae130_NeikiAnalytics.exe
2708	avscan.exe
2720	avscan.exe
2408	hosts.exe
2960	avscan.exe
2420	hosts.exe
2940	hosts.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2588 wrote to memory of 2100	2588	05421a3a7d61ef0172dfebaced7ae130_NeikiAnalytics.exe	28
PID 2588 wrote to memory of 2100	2588	05421a3a7d61ef0172dfebaced7ae130_NeikiAnalytics.exe	28
PID 2588 wrote to memory of 2100	2588	05421a3a7d61ef0172dfebaced7ae130_NeikiAnalytics.exe	28
PID 2588 wrote to memory of 2100	2588	05421a3a7d61ef0172dfebaced7ae130_NeikiAnalytics.exe	28
PID 2588 wrote to memory of 2708	2588	05421a3a7d61ef0172dfebaced7ae130_NeikiAnalytics.exe	30
PID 2588 wrote to memory of 2708	2588	05421a3a7d61ef0172dfebaced7ae130_NeikiAnalytics.exe	30
PID 2588 wrote to memory of 2708	2588	05421a3a7d61ef0172dfebaced7ae130_NeikiAnalytics.exe	30
PID 2588 wrote to memory of 2708	2588	05421a3a7d61ef0172dfebaced7ae130_NeikiAnalytics.exe	30
PID 2708 wrote to memory of 2720	2708	avscan.exe	31
PID 2708 wrote to memory of 2720	2708	avscan.exe	31
PID 2708 wrote to memory of 2720	2708	avscan.exe	31
PID 2708 wrote to memory of 2720	2708	avscan.exe	31
PID 2708 wrote to memory of 2428	2708	avscan.exe	32
PID 2708 wrote to memory of 2428	2708	avscan.exe	32
PID 2708 wrote to memory of 2428	2708	avscan.exe	32
PID 2708 wrote to memory of 2428	2708	avscan.exe	32
PID 2588 wrote to memory of 2576	2588	05421a3a7d61ef0172dfebaced7ae130_NeikiAnalytics.exe	34
PID 2588 wrote to memory of 2576	2588	05421a3a7d61ef0172dfebaced7ae130_NeikiAnalytics.exe	34
PID 2588 wrote to memory of 2576	2588	05421a3a7d61ef0172dfebaced7ae130_NeikiAnalytics.exe	34
PID 2588 wrote to memory of 2576	2588	05421a3a7d61ef0172dfebaced7ae130_NeikiAnalytics.exe	34
PID 2576 wrote to memory of 2420	2576	cmd.exe	37
PID 2576 wrote to memory of 2420	2576	cmd.exe	37
PID 2576 wrote to memory of 2420	2576	cmd.exe	37
PID 2576 wrote to memory of 2420	2576	cmd.exe	37
PID 2428 wrote to memory of 2408	2428	cmd.exe	36
PID 2428 wrote to memory of 2408	2428	cmd.exe	36
PID 2428 wrote to memory of 2408	2428	cmd.exe	36
PID 2428 wrote to memory of 2408	2428	cmd.exe	36
PID 2408 wrote to memory of 2960	2408	hosts.exe	38
PID 2408 wrote to memory of 2960	2408	hosts.exe	38
PID 2408 wrote to memory of 2960	2408	hosts.exe	38
PID 2408 wrote to memory of 2960	2408	hosts.exe	38
PID 2408 wrote to memory of 2260	2408	hosts.exe	39
PID 2408 wrote to memory of 2260	2408	hosts.exe	39
PID 2408 wrote to memory of 2260	2408	hosts.exe	39
PID 2408 wrote to memory of 2260	2408	hosts.exe	39
PID 2260 wrote to memory of 2940	2260	cmd.exe	41
PID 2260 wrote to memory of 2940	2260	cmd.exe	41
PID 2260 wrote to memory of 2940	2260	cmd.exe	41
PID 2260 wrote to memory of 2940	2260	cmd.exe	41
PID 2576 wrote to memory of 2684	2576	cmd.exe	43
PID 2576 wrote to memory of 2684	2576	cmd.exe	43
PID 2576 wrote to memory of 2684	2576	cmd.exe	43
PID 2576 wrote to memory of 2684	2576	cmd.exe	43
PID 2260 wrote to memory of 2748	2260	cmd.exe	44
PID 2260 wrote to memory of 2748	2260	cmd.exe	44
PID 2260 wrote to memory of 2748	2260	cmd.exe	44
PID 2260 wrote to memory of 2748	2260	cmd.exe	44
PID 2428 wrote to memory of 2764	2428	cmd.exe	42
PID 2428 wrote to memory of 2764	2428	cmd.exe	42
PID 2428 wrote to memory of 2764	2428	cmd.exe	42
PID 2428 wrote to memory of 2764	2428	cmd.exe	42
PID 2708 wrote to memory of 1188	2708	avscan.exe	45
PID 2708 wrote to memory of 1188	2708	avscan.exe	45
PID 2708 wrote to memory of 1188	2708	avscan.exe	45
PID 2708 wrote to memory of 1188	2708	avscan.exe	45
PID 2408 wrote to memory of 1568	2408	hosts.exe	47
PID 2408 wrote to memory of 1568	2408	hosts.exe	47
PID 2408 wrote to memory of 1568	2408	hosts.exe	47
PID 2408 wrote to memory of 1568	2408	hosts.exe	47
PID 2708 wrote to memory of 1752	2708	avscan.exe	51
PID 2708 wrote to memory of 1752	2708	avscan.exe	51
PID 2708 wrote to memory of 1752	2708	avscan.exe	51
PID 2708 wrote to memory of 1752	2708	avscan.exe	51

C:\Users\Admin\AppData\Local\Temp\05421a3a7d61ef0172dfebaced7ae130_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\05421a3a7d61ef0172dfebaced7ae130_NeikiAnalytics.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2588
- C:\Windows\SysWOW64\REG.exe
  REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
  2⤵
  - Modifies registry key
  PID:2100
- C:\Users\Admin\AppData\Local\Temp\avscan.exe
  C:\Users\Admin\AppData\Local\Temp\avscan.exe
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2708
- - C:\Users\Admin\AppData\Local\Temp\avscan.exe
    C:\Users\Admin\AppData\Local\Temp\avscan.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2720
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c c:\windows\W_X_C.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2428
  - - C:\windows\hosts.exe
      C:\windows\hosts.exe
      4⤵
      Modifies visibility of file extensions in Explorer
      Modifies visiblity of hidden/system files in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Drops file in Windows directory
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2408
    - - C:\Users\Admin\AppData\Local\Temp\avscan.exe
        
        C:\Users\Admin\AppData\Local\Temp\avscan.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2960
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\windows\W_X_C.bat
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2260
      - C:\windows\hosts.exe
        
        C:\windows\hosts.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2940
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
        6⤵
        Adds policy Run key to start application
        
        PID:2748
    - - C:\Windows\SysWOW64\REG.exe
        
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        5⤵
        Modifies registry key
        
        PID:1568
    - - C:\Windows\SysWOW64\REG.exe
        
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        5⤵
        Modifies registry key
        
        PID:108
    - - C:\Windows\SysWOW64\REG.exe
        
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        5⤵
        Modifies registry key
        
        PID:980
    - - C:\Windows\SysWOW64\REG.exe
        
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        5⤵
        Modifies registry key
        
        PID:1172
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
      4⤵
      Adds policy Run key to start application
      PID:2764
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:1188
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:1752
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:1268
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:2028
- C:\Windows\SysWOW64\cmd.exe
  cmd /c c:\windows\W_X_C.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2576
- - C:\windows\hosts.exe
    C:\windows\hosts.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2420
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
    3⤵
    - Adds policy Run key to start application
    PID:2684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
19.0MB

MD5
38bcb4ceeec1323df46204c4b745bf47

SHA1
db5eeab2cfa504d53c91bf2ef4f48c3babf1dee7

SHA256
28e0fee6b24dc983251a81032656ef9b13ccddd75d620c5651aab5602bb39cf4

SHA512
3672e7d08e92bc4da6f4a63b4ee972bc6e82d5e09cc28736123bba06ea73ec7288962226e70d777135aa708c338aa6b1b1b3ce10531227d9819954f366873d77

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
38.0MB

MD5
444dfcfd1e517e15d4241961b46f154b

SHA1
cb5981e858cce76342505d00c2fb42f5daa880bc

SHA256
953f3dc1c0c2701fdad1b9c747743640309aa433cd4587b1383aeacb396c8dcf

SHA512
14009b9872d615f436128033e9638be02d664284f8e8fcce4d81eb08ac73a8787d6629a29e5d4b9504b78fab0b52e2b8f6d30e45c65b3ef54b3ed075bee7e97e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
56.9MB

MD5
9e7ab4f21c8f20d21bd502ba98662c7f

SHA1
750e5ccc30057c8988f696faa5a6dc08811b3d5a

SHA256
bbe036fe2ba43f2bc1cbd67b1ff58ed5b6eb7e9ce64e6c1f466980a29b6edb61

SHA512
371cb8f1b5b0c8c349fcfede26a0cee9d80f4cba81c912561553a3af8f099fb03587b32a6e40b2a3bdcc5619541a39de476bdbe0b23d8a3555773c45eda150a4

Download Submit
C:\Windows\W_X_C.vbs

Filesize
195B

MD5
953cf5c915c9c58501354c4826dea466

SHA1
2934232a159f5c3738212aa3ece4cdd45ba8cfe4

SHA256
bbdb3fb588b1aca990fbc6355f577bdd40c60e69d9951142da5e8dc84e0b33ed

SHA512
77472ee7f75bee37380d22c14e698b07240c0177b1b4850b72b5ee05136cf17ac3e391b26c6876bfed15049326cd0e2717d0f1de8c4fffba4cd83446218c3147

Download Submit
C:\Windows\hosts.exe

Filesize
9.5MB

MD5
7011ebab29a1d71a492d66506baa02bb

SHA1
c25577c58457e9ec0e852eea66fb59a474e48f24

SHA256
5b90d0d4f8e27e20c88558db68e9e1b72dbf2f68a076a171a3f7ef1577e480b3

SHA512
63cf6c94731382236b344fa40bc5951d62e91db24e976369dd7bc004ddee975a8ab19b9815093176c585e1ff8c2df57f53c0a337d336c46f4f5d52855426fba4

Download Submit
\??\c:\windows\W_X_C.bat

Filesize
336B

MD5
4db9f8b6175722b62ececeeeba1ce307

SHA1
3b3ba8414706e72a6fa19e884a97b87609e11e47

SHA256
d2150b9e5a4ce55e140f0ca91c4e300715d42095c8fddf58c77037cdd2cfaf78

SHA512
1d6dc274cf7a3dd704f840e6a5ad57ab4c4e35d5f09489aeff520bb797e1c825bac53fc335156fe41e767a46520d031855fe42fe7b175409ebe5e9e986fb9b8b

Download Submit
\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
9.5MB

MD5
f8cebd0206b86cc7a431be05ae4f24c1

SHA1
c9338d5fda22d75645cb4d5c2c4db3f3d078ac97

SHA256
b62f8abff7b5004f872ba97cea7c145536ff3c710650f53d2b4e8bfbf5077ef3

SHA512
281607fe8a5a37eeabd345ce743e52070f5ad7ce4ea10464484e4592c00a450cab52603da30ad2d1db95c5c7cd9ca19539c1bd5394b5516c953dbeee64ac11cc

Download Submit
memory/2420-37-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/2420-36-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/2940-74-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/2940-73-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads