478ce9d713b94900e8deef871499cac0bda4c7c75e31bae22186bed1a61dbc2b

Analysis

max time kernel
138s
max time network
108s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
03-06-2024 21:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

05421a3a7d61ef0172dfebaced7ae130_NeikiAnalytics.exe
Size

9.5MB
MD5

05421a3a7d61ef0172dfebaced7ae130
SHA1

2e770a098d720781e409379f118f26665b228312
SHA256

478ce9d713b94900e8deef871499cac0bda4c7c75e31bae22186bed1a61dbc2b
SHA512

34014d1b1688646392daf930c864bf3e4a45c974753a4cf1b0e29470402da3b9af8610789dd7add0358ea37420a96fdd47dc020684555a6d360a7e16549ebfa2
SSDEEP

196608:gMmD2mDe2mDMmD2mDc2mDMmD2mDe2mDMmD2mDc2mDMmD2mD4c2mDMmD2mDe2mDMO:3

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	05421a3a7d61ef0172dfebaced7ae130_NeikiAnalytics.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	avscan.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	hosts.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	hosts.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	05421a3a7d61ef0172dfebaced7ae130_NeikiAnalytics.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	avscan.exe

Adds policy Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\OBJIYUIE = "W_X_C.bat"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\OBJIYUIE = "W_X_C.bat"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\OBJIYUIE = "W_X_C.bat"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WScript.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	cmd.exe

Executes dropped EXE 6 IoCs

pid	Process
1168	avscan.exe
4236	avscan.exe
2232	hosts.exe
3224	hosts.exe
4500	avscan.exe
5108	hosts.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	hosts.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	05421a3a7d61ef0172dfebaced7ae130_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\avscan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avscan.exe"	avscan.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\windows\W_X_C.vbs	05421a3a7d61ef0172dfebaced7ae130_NeikiAnalytics.exe
File created	\??\c:\windows\W_X_C.bat	05421a3a7d61ef0172dfebaced7ae130_NeikiAnalytics.exe
File opened for modification	C:\Windows\hosts.exe	05421a3a7d61ef0172dfebaced7ae130_NeikiAnalytics.exe
File opened for modification	C:\Windows\hosts.exe	avscan.exe
File opened for modification	C:\Windows\hosts.exe	hosts.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	05421a3a7d61ef0172dfebaced7ae130_NeikiAnalytics.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	cmd.exe

Modifies registry key 1 TTPs 9 IoCs

Modify Registry

T1112

pid	Process
964	REG.exe
2272	REG.exe
3732	REG.exe
4352	REG.exe
1772	REG.exe
4592	REG.exe
4312	REG.exe
2760	REG.exe
3420	REG.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1168	avscan.exe
3224	hosts.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
4840	05421a3a7d61ef0172dfebaced7ae130_NeikiAnalytics.exe
1168	avscan.exe
4236	avscan.exe
2232	hosts.exe
3224	hosts.exe
4500	avscan.exe
5108	hosts.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 4840 wrote to memory of 1772	4840	05421a3a7d61ef0172dfebaced7ae130_NeikiAnalytics.exe	83
PID 4840 wrote to memory of 1772	4840	05421a3a7d61ef0172dfebaced7ae130_NeikiAnalytics.exe	83
PID 4840 wrote to memory of 1772	4840	05421a3a7d61ef0172dfebaced7ae130_NeikiAnalytics.exe	83
PID 4840 wrote to memory of 1168	4840	05421a3a7d61ef0172dfebaced7ae130_NeikiAnalytics.exe	85
PID 4840 wrote to memory of 1168	4840	05421a3a7d61ef0172dfebaced7ae130_NeikiAnalytics.exe	85
PID 4840 wrote to memory of 1168	4840	05421a3a7d61ef0172dfebaced7ae130_NeikiAnalytics.exe	85
PID 1168 wrote to memory of 4236	1168	avscan.exe	87
PID 1168 wrote to memory of 4236	1168	avscan.exe	87
PID 1168 wrote to memory of 4236	1168	avscan.exe	87
PID 1168 wrote to memory of 2464	1168	avscan.exe	89
PID 1168 wrote to memory of 2464	1168	avscan.exe	89
PID 1168 wrote to memory of 2464	1168	avscan.exe	89
PID 4840 wrote to memory of 464	4840	05421a3a7d61ef0172dfebaced7ae130_NeikiAnalytics.exe	90
PID 4840 wrote to memory of 464	4840	05421a3a7d61ef0172dfebaced7ae130_NeikiAnalytics.exe	90
PID 4840 wrote to memory of 464	4840	05421a3a7d61ef0172dfebaced7ae130_NeikiAnalytics.exe	90
PID 2464 wrote to memory of 3224	2464	cmd.exe	94
PID 2464 wrote to memory of 3224	2464	cmd.exe	94
PID 2464 wrote to memory of 3224	2464	cmd.exe	94
PID 464 wrote to memory of 2232	464	cmd.exe	93
PID 464 wrote to memory of 2232	464	cmd.exe	93
PID 464 wrote to memory of 2232	464	cmd.exe	93
PID 3224 wrote to memory of 4500	3224	hosts.exe	96
PID 3224 wrote to memory of 4500	3224	hosts.exe	96
PID 3224 wrote to memory of 4500	3224	hosts.exe	96
PID 2464 wrote to memory of 3188	2464	cmd.exe	97
PID 2464 wrote to memory of 3188	2464	cmd.exe	97
PID 2464 wrote to memory of 3188	2464	cmd.exe	97
PID 464 wrote to memory of 4548	464	cmd.exe	98
PID 464 wrote to memory of 4548	464	cmd.exe	98
PID 464 wrote to memory of 4548	464	cmd.exe	98
PID 3224 wrote to memory of 2332	3224	hosts.exe	99
PID 3224 wrote to memory of 2332	3224	hosts.exe	99
PID 3224 wrote to memory of 2332	3224	hosts.exe	99
PID 2332 wrote to memory of 5108	2332	cmd.exe	101
PID 2332 wrote to memory of 5108	2332	cmd.exe	101
PID 2332 wrote to memory of 5108	2332	cmd.exe	101
PID 2332 wrote to memory of 3264	2332	cmd.exe	104
PID 2332 wrote to memory of 3264	2332	cmd.exe	104
PID 2332 wrote to memory of 3264	2332	cmd.exe	104
PID 1168 wrote to memory of 964	1168	avscan.exe	116
PID 1168 wrote to memory of 964	1168	avscan.exe	116
PID 1168 wrote to memory of 964	1168	avscan.exe	116
PID 3224 wrote to memory of 2272	3224	hosts.exe	118
PID 3224 wrote to memory of 2272	3224	hosts.exe	118
PID 3224 wrote to memory of 2272	3224	hosts.exe	118
PID 1168 wrote to memory of 3420	1168	avscan.exe	121
PID 1168 wrote to memory of 3420	1168	avscan.exe	121
PID 1168 wrote to memory of 3420	1168	avscan.exe	121
PID 3224 wrote to memory of 3732	3224	hosts.exe	123
PID 3224 wrote to memory of 3732	3224	hosts.exe	123
PID 3224 wrote to memory of 3732	3224	hosts.exe	123
PID 1168 wrote to memory of 4592	1168	avscan.exe	126
PID 1168 wrote to memory of 4592	1168	avscan.exe	126
PID 1168 wrote to memory of 4592	1168	avscan.exe	126
PID 3224 wrote to memory of 4312	3224	hosts.exe	128
PID 3224 wrote to memory of 4312	3224	hosts.exe	128
PID 3224 wrote to memory of 4312	3224	hosts.exe	128
PID 1168 wrote to memory of 4352	1168	avscan.exe	132
PID 1168 wrote to memory of 4352	1168	avscan.exe	132
PID 1168 wrote to memory of 4352	1168	avscan.exe	132
PID 3224 wrote to memory of 2760	3224	hosts.exe	134
PID 3224 wrote to memory of 2760	3224	hosts.exe	134
PID 3224 wrote to memory of 2760	3224	hosts.exe	134

C:\Users\Admin\AppData\Local\Temp\05421a3a7d61ef0172dfebaced7ae130_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\05421a3a7d61ef0172dfebaced7ae130_NeikiAnalytics.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Adds Run key to start application
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4840
- C:\Windows\SysWOW64\REG.exe
  REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
  2⤵
  - Modifies registry key
  PID:1772
- C:\Users\Admin\AppData\Local\Temp\avscan.exe
  C:\Users\Admin\AppData\Local\Temp\avscan.exe
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1168
- - C:\Users\Admin\AppData\Local\Temp\avscan.exe
    C:\Users\Admin\AppData\Local\Temp\avscan.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4236
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c c:\windows\W_X_C.bat
    3⤵
    - Checks computer location settings
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2464
  - - C:\windows\hosts.exe
      C:\windows\hosts.exe
      4⤵
      Modifies visibility of file extensions in Explorer
      Modifies visiblity of hidden/system files in Explorer
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Windows directory
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3224
    - - C:\Users\Admin\AppData\Local\Temp\avscan.exe
        
        C:\Users\Admin\AppData\Local\Temp\avscan.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4500
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\windows\W_X_C.bat
        5⤵
        Checks computer location settings
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2332
      - C:\windows\hosts.exe
        
        C:\windows\hosts.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5108
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
        6⤵
        Adds policy Run key to start application
        
        PID:3264
    - - C:\Windows\SysWOW64\REG.exe
        
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        5⤵
        Modifies registry key
        
        PID:2272
    - - C:\Windows\SysWOW64\REG.exe
        
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        5⤵
        Modifies registry key
        
        PID:3732
    - - C:\Windows\SysWOW64\REG.exe
        
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        5⤵
        Modifies registry key
        
        PID:4312
    - - C:\Windows\SysWOW64\REG.exe
        
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        5⤵
        Modifies registry key
        
        PID:2760
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
      4⤵
      Adds policy Run key to start application
      PID:3188
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:964
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:3420
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:4592
- - C:\Windows\SysWOW64\REG.exe
    REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
    3⤵
    - Modifies registry key
    PID:4352
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c c:\windows\W_X_C.bat
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:464
- - C:\windows\hosts.exe
    C:\windows\hosts.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2232
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
    3⤵
    - Adds policy Run key to start application
    PID:4548

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\avscan.exe

Filesize
9.5MB

MD5
f8cebd0206b86cc7a431be05ae4f24c1

SHA1
c9338d5fda22d75645cb4d5c2c4db3f3d078ac97

SHA256
b62f8abff7b5004f872ba97cea7c145536ff3c710650f53d2b4e8bfbf5077ef3

SHA512
281607fe8a5a37eeabd345ce743e52070f5ad7ce4ea10464484e4592c00a450cab52603da30ad2d1db95c5c7cd9ca19539c1bd5394b5516c953dbeee64ac11cc

Download Submit
C:\Windows\W_X_C.vbs

Filesize
195B

MD5
1b97fc0bf80f44c04514817b1c7449e7

SHA1
1b32070bd87946ce42e7c3e49a47e282b2622852

SHA256
e756c1e489a198dd4dd1536efb045f4a14054e7902931f6af0cf13343f60cb4c

SHA512
be89f25cf5ba8635dda55c20c249233c68a488d9a76f73f4a259dc994c26938b58a57b67f16d6ce477213b27f19bdc3ca6e43443925fa218f58418e128eb7fc2

Download Submit
C:\Windows\hosts.exe

Filesize
9.5MB

MD5
7011ebab29a1d71a492d66506baa02bb

SHA1
c25577c58457e9ec0e852eea66fb59a474e48f24

SHA256
5b90d0d4f8e27e20c88558db68e9e1b72dbf2f68a076a171a3f7ef1577e480b3

SHA512
63cf6c94731382236b344fa40bc5951d62e91db24e976369dd7bc004ddee975a8ab19b9815093176c585e1ff8c2df57f53c0a337d336c46f4f5d52855426fba4

Download Submit
\??\c:\windows\W_X_C.bat

Filesize
336B

MD5
4db9f8b6175722b62ececeeeba1ce307

SHA1
3b3ba8414706e72a6fa19e884a97b87609e11e47

SHA256
d2150b9e5a4ce55e140f0ca91c4e300715d42095c8fddf58c77037cdd2cfaf78

SHA512
1d6dc274cf7a3dd704f840e6a5ad57ab4c4e35d5f09489aeff520bb797e1c825bac53fc335156fe41e767a46520d031855fe42fe7b175409ebe5e9e986fb9b8b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads