Analysis

max time kernel: 149s
max time network: 143s
platform: windows7_x64
resource: win7-20240419-en
resource tags: arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
submitted: 03-06-2024 03:40
Static task: static1

Behavioral task: behavioral1
  Sample: 9a3c9b72592eec04d0f74d14c29fbef0_NeikiAnalytics.exe
  Resource: win7-20240419-en

Behavioral task: behavioral2
  Sample: 9a3c9b72592eec04d0f74d14c29fbef0_NeikiAnalytics.exe
  Resource: win10v2004-20240426-en
General

Target: 9a3c9b72592eec04d0f74d14c29fbef0_NeikiAnalytics.exe
Size: 240KB
MD5: 9a3c9b72592eec04d0f74d14c29fbef0
SHA1: b90a996b7d03a8c9d8e35be2cb45423cdf241313
SHA256: 847c93928b04278ad947d437135d511e7704aa9c04aac31c6cfba832206a4715
SHA512: 9826570b05b3cddf263ec1cba374173612a5174cafd2a399ee287bb9de9f4edd4302677229c54b25abe488ee15540448a2e3e988a94b13a88d7cab7210a6b961
SSDEEP: 6144:Kon5UtO7RQjX7XN1kd9JbSDviiopNDa/N08iY/k:M4xNUk
Malware Config
Signatures

Modifies visibility of hidden/system files in Explorer  (2 TTPs, 2 IoCs)
  Set value (int)  \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"  (process: 9a3c9b72592eec04d0f74d14c29fbef0_NeikiAnalytics.exe)
  Set value (int)  \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"  (process: zoewui.exe)
  ShowSuperHidden = 0 is Explorer's "Hide protected operating system files" setting: files carrying both the hidden and system attributes stay invisible to the user. Both the submitted sample and the dropped zoewui.exe force it on in the logged-on user's hive.
Executes dropped EXE  (1 IoC)
  PID 2196  zoewui.exe

Loads dropped DLL  (2 IoCs)
  PID 1008  9a3c9b72592eec04d0f74d14c29fbef0_NeikiAnalytics.exe
  PID 1008  9a3c9b72592eec04d0f74d14c29fbef0_NeikiAnalytics.exe
Adds Run key to start application  (2 TTPs, 52 IoCs)
  All 52 IoCs are "Set value (str)" writes to one value in the logged-on user's hive:
    \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\zoewui
  Every write stores the same image path, "C:\\Users\\Admin\\zoewui.exe", followed by a single switch that changes from write to write. In report order:
    /T /e /Q /n /y /R /m /Y /C /O* /H /q /L /G /h /Z /c /V /w /W /S /P /z /r /l /p /F /B /x /b /f /M /u /J /o /O /I /k /a /t /X /i /j /E /U /v /g /K /d /s /A /N
  (every lowercase letter once, every uppercase letter except D, and /O twice)
  Writing process: zoewui.exe for 51 of the writes; the write marked * (/O) came from 9a3c9b72592eec04d0f74d14c29fbef0_NeikiAnalytics.exe.
  Because the value name never changes, only the last write survives in the registry. The switch letter is noise; the indicator to hunt for is a Run value named zoewui pointing at C:\Users\Admin\zoewui.exe.
Enumerates physical storage devices  (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses  (64 IoCs)
  PID 1008  9a3c9b72592eec04d0f74d14c29fbef0_NeikiAnalytics.exe  (1 record)
  PID 2196  zoewui.exe  (the other 63 records)

Suspicious use of SetWindowsHookEx  (2 IoCs)
  PID 1008  9a3c9b72592eec04d0f74d14c29fbef0_NeikiAnalytics.exe
  PID 2196  zoewui.exe

Suspicious use of WriteProcessMemory  (4 IoCs)
  description                        pid   process                                              procid_target
  PID 1008 wrote to memory of 2196   1008  9a3c9b72592eec04d0f74d14c29fbef0_NeikiAnalytics.exe  28
  (the same record is logged four times; procid_target is the sandbox-internal id of the target process)
  Four writes from a parent into a child it has just created are consistent with an ordinary CreateProcess launch, so this record on its own is weak evidence of injection. The dropped EXE, the Run value and the ShowSuperHidden change are the stronger indicators in this report.
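The registry records above are flattened into single lines, which makes the 52 Run-key writes hard to reason about by eye. The following is an added example, not part of the sandbox report or its tooling: a small parser for the report's `Set value (type) <key> = "<data>" <process>` record layout that pulls out the persistence location, the image path, the set of switches it was written with and the ShowSuperHidden change, and rewrites the native `\REGISTRY\USER\...` key into the `HKU\...` form that `reg query` accepts on a suspect host. `REPORT_EXCERPT` is a constructed subset of the records above; the function and type names are my own.

```python
"""Triage helper for the flattened "Set value" registry records in the report.

Added example for this page, not the sandbox's own code. It parses the one-line
records, then answers the first two analyst questions: where does the sample
persist, and which Explorer setting does it tamper with. REPORT_EXCERPT is a
constructed subset of the report's records so the module runs offline.
"""
import re
from collections import defaultdict
from typing import Dict, FrozenSet, List, NamedTuple

# Constructed excerpt: both ShowSuperHidden writes and three of the 52 Run-key
# writes from the report, in the report's own one-line layout.
REPORT_EXCERPT = (
    r'Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000'
    r'\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" '
    r'9a3c9b72592eec04d0f74d14c29fbef0_NeikiAnalytics.exe '
    r'Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000'
    r'\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" zoewui.exe '
    r'Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000'
    r'\Software\Microsoft\Windows\CurrentVersion\Run\zoewui = "C:\\Users\\Admin\\zoewui.exe /T" zoewui.exe '
    r'Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000'
    r'\Software\Microsoft\Windows\CurrentVersion\Run\zoewui = "C:\\Users\\Admin\\zoewui.exe /O" '
    r'9a3c9b72592eec04d0f74d14c29fbef0_NeikiAnalytics.exe '
    r'Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000'
    r'\Software\Microsoft\Windows\CurrentVersion\Run\zoewui = "C:\\Users\\Admin\\zoewui.exe /q" zoewui.exe'
)

# One record: type, key path, value name, quoted data, image name of the writer.
# The key contains no whitespace and the value name contains no backslash, so
# the lazy key match stops exactly at the last path separator.
_RECORD = re.compile(
    r'Set value \((?P<kind>int|str)\) '
    r'(?P<key>\\REGISTRY\\\S+?)\\(?P<name>[^\\\s]+) = "(?P<data>[^"]*)" (?P<proc>\S+)'
)
# "image.exe [switches...]" as stored in a Run value.
_CMD = re.compile(r'^(?P<image>.+?\.exe)(?:\s+(?P<args>.*))?$', re.IGNORECASE)
RUN_KEY_SUFFIX = r'\Software\Microsoft\Windows\CurrentVersion\Run'


class RegSet(NamedTuple):
    kind: str      # "int" or "str", as the sandbox labels it
    key: str       # native key path as logged, e.g. \REGISTRY\USER\<SID>\...\Run
    name: str      # value name, e.g. "zoewui" or "ShowSuperHidden"
    data: str      # value data with the report's doubled backslashes collapsed
    process: str   # image name of the writing process


class Persistence(NamedTuple):
    images: FrozenSet[str]    # image paths the Run value pointed at
    switches: FrozenSet[str]  # every switch seen across the rewrites
    writers: FrozenSet[str]   # processes that wrote the value


def parse_set_value_records(text: str) -> List[RegSet]:
    """Split the flattened record run into structured RegSet entries."""
    return [RegSet(m['kind'], m['key'], m['name'], m['data'].replace('\\\\', '\\'), m['proc'])
            for m in _RECORD.finditer(text)]


def run_key_persistence(records: List[RegSet]) -> Dict[str, Persistence]:
    """Group Run-key writes by value name. The sample rewrites one value with a
    different one-letter switch each time; the image path is the indicator."""
    images, switches, writers = defaultdict(set), defaultdict(set), defaultdict(set)
    for r in records:
        if r.kind != 'str' or not r.key.lower().endswith(RUN_KEY_SUFFIX.lower()):
            continue
        m = _CMD.match(r.data.strip())
        if not m:
            continue
        images[r.name].add(m['image'])
        if m['args']:
            switches[r.name].update(m['args'].split())
        writers[r.name].add(r.process)
    return {n: Persistence(frozenset(images[n]), frozenset(switches[n]), frozenset(writers[n]))
            for n in images}


def hidden_file_tampering(records: List[RegSet]) -> List[str]:
    """Processes that set Explorer's ShowSuperHidden to 0, i.e. re-enabled
    "Hide protected operating system files" so hidden+system files stay unseen."""
    return sorted({r.process for r in records
                   if r.name == 'ShowSuperHidden' and r.data == '0'
                   and r.key.lower().endswith(r'\explorer\advanced')})


def to_reg_path(native_key: str) -> str:
    """Translate the kernel-style key path the sandbox logs into the HKU/HKLM
    form that reg.exe and PowerShell's Registry provider accept."""
    for prefix, hive in ((r'\REGISTRY\USER', 'HKU'), (r'\REGISTRY\MACHINE', 'HKLM')):
        if native_key.upper().startswith(prefix.upper()):
            return hive + native_key[len(prefix):]
    return native_key


def triage(text: str) -> dict:
    records = parse_set_value_records(text)
    return {
        'records': len(records),
        'persistence': run_key_persistence(records),
        'hidden_file_tampering': hidden_file_tampering(records),
        'user_sids': sorted({r.key.split('\\')[3] for r in records
                             if r.key.upper().startswith('\\REGISTRY\\USER\\')}),
        'reg_paths': sorted({to_reg_path(r.key) for r in records}),
    }


if __name__ == '__main__':
    result = triage(REPORT_EXCERPT)
    print(f"{result['records']} registry writes; user SIDs: {result['user_sids']}")
    for name, p in result['persistence'].items():
        print(f"Run value {name!r}: images={sorted(p.images)} switches={sorted(p.switches)} "
              f"writers={sorted(p.writers)}")
    print('ShowSuperHidden=0 set by:', result['hidden_file_tampering'])
    for path in result['reg_paths']:
        print(f'check on a host: reg query "{path}"')
```

Run it on the full signature text of this report to get the complete switch set; the `reg_paths` output gives the exact keys to query on a suspect machine (`HKU\<SID>\...\Run` for the logged-on user rather than `HKCU`, which only resolves to the user running the query).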
Processes

C:\Users\Admin\AppData\Local\Temp\9a3c9b72592eec04d0f74d14c29fbef0_NeikiAnalytics.exe  (PID 1008, depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\9a3c9b72592eec04d0f74d14c29fbef0_NeikiAnalytics.exe"
  - Modifies visibility of hidden/system files in Explorer
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\zoewui.exe  (PID 2196, depth 2; child of PID 1008)
    command line: "C:\Users\Admin\zoewui.exe"
    - Modifies visibility of hidden/system files in Explorer
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
-
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 240KB
MD5: d363558c81a16c7bd025220c63f748c0
SHA1: 917249ad74f49200052d5d0d19fc2c8a0ee4cb98
SHA256: 913c94a2c08ae0d2b303352d7e85158e45a75d69d7ecd4a18885c5a2466be19b
SHA512: df3d7d8885372e8588630f98b0e19040a1cc149542edc9d4f001423eac2bbb76dee2f704bcd4cd2fbf9c961868247736ac268e5f574b6cd9962db0b464ac9b03

This artifact is not named in the report. It has the same size as the submitted sample (240KB) but different hashes, so it is not a byte-identical copy of it.