Analysis Overview
SHA256
968f8af87654c5613001ae3ffaccfcd9f03842e451090374ccd30a886a405226
Threat Level: Known bad
The file 9ab8a20efc529edc4e7c786c2278ee30_NeikiAnalytics.exe was found to be: Known bad.
Malicious Activity Summary
UAC bypass
Downloads MZ/PE file
Executes dropped EXE
Loads dropped DLL
Deletes itself
Checks whether UAC is enabled
Enumerates physical storage devices
Unsigned PE
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
System policy modification
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-03 03:55
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-03 03:55
Reported
2024-06-03 03:58
Platform
win7-20240221-en
Max time kernel
117s
Max time network
124s
Command Line
Signatures
UAC bypass
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\9ab8a20efc529edc4e7c786c2278ee30_NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\9ab8a20efc529edc4e7c786c2278ee30_NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\9ab8a20efc529edc4e7c786c2278ee30_NeikiAnalytics.exe | N/A |
Downloads MZ/PE file
Deletes itself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\ProgramData\rr.exe | N/A |
| N/A | N/A | C:\ProgramData\playtomenu.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9ab8a20efc529edc4e7c786c2278ee30_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9ab8a20efc529edc4e7c786c2278ee30_NeikiAnalytics.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\9ab8a20efc529edc4e7c786c2278ee30_NeikiAnalytics.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9ab8a20efc529edc4e7c786c2278ee30_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\ProgramData\playtomenu.exe | N/A |
| N/A | N/A | C:\ProgramData\playtomenu.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\9ab8a20efc529edc4e7c786c2278ee30_NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\9ab8a20efc529edc4e7c786c2278ee30_NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\9ab8a20efc529edc4e7c786c2278ee30_NeikiAnalytics.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\9ab8a20efc529edc4e7c786c2278ee30_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\9ab8a20efc529edc4e7c786c2278ee30_NeikiAnalytics.exe"
C:\ProgramData\rr.exe
C:\ProgramData\rr.exe -y x -pFASJKLVFDAJKLCDSA434JKLFDS "C:\ProgramData\playtomenu.jpg" "C:\ProgramData\"
C:\ProgramData\playtomenu.exe
C:\ProgramData\playtomenu.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c delself.cmd
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | d_1.largesder.com | udp |
| SG | 8.222.228.10:8888 | d_1.largesder.com | tcp |
| US | 8.8.8.8:53 | r.largesder.com | udp |
| SG | 8.222.228.10:8888 | r.largesder.com | tcp |
| US | 8.8.8.8:53 | playtomenu.largesder.com | udp |
| SG | 8.222.228.10:8888 | playtomenu.largesder.com | tcp |
| US | 8.8.8.8:53 | d3.largesder.com | udp |
| SG | 8.222.228.10:8888 | d3.largesder.com | tcp |
| SG | 8.222.228.10:8888 | d3.largesder.com | tcp |
Files
\ProgramData\rr.exe
| MD5 | f2ae502d448cfb81a5f40a9368d99b1a |
| SHA1 | f849be86e9e7ced0acd51a68f92992b8090d08a5 |
| SHA256 | 07ad4b984f288304003b080dd013784685181de4353a0b70a0247f96e535bd56 |
| SHA512 | 9f3aea471684e22bf9fc045ca0e47a8429fa0b13c188f9c7a51937efa8afcec976761b0c4c95aed7735096fcc2278bbd86b0ab581261a6aff6c694d7bb65e9be |
C:\ProgramData\playtomenu.jpg
| MD5 | c2348c7e8ac7e2812f7967c126918b90 |
| SHA1 | 626bb46101ccf131d6981f338cd4b4edcf76ca31 |
| SHA256 | 40eeb9683bfd6ce4bf7e3bd836ff9beb2838a6afbd1ab9a149d9ec9c5f5d9a8f |
| SHA512 | 74270cda47170f3f92fc1688c3fbc2c8f6ecc1b2b2c45016f00e56989d0f256eab6b354fea253e2045b56952ef665805ab51611d54a53e3bd61ac8d558eede11 |
C:\ProgramData\playtomenu.exe
| MD5 | 684fdaae316e5f59baa6f69f5bc2526a |
| SHA1 | 958061cff425622da5bf931f7ffdd22a1f784763 |
| SHA256 | 17f875b64eedb6ed608cca84e3d9804c947e7200c294b3ff5f91568e35a0d2e8 |
| SHA512 | 7eca3352b7d4195c3f793db86ad9a98cdcbd2aff55e94cc1dccc754a8e84bf2eb9d13e991c672d08a162dbc01f9a9d7bcb873f1446147e77dbbdcecafcbd51c1 |
C:\Users\Admin\AppData\Local\Temp\delself.cmd
| MD5 | cf766626a5051d9485061fa254b45c76 |
| SHA1 | 7b854c5e4ce890e7b403056bee9ac2dc017b076f |
| SHA256 | a45dc47c56a943836dc828d40a14fb136cbc7883fd92da7f183c0b7ac06139d7 |
| SHA512 | ddee1ecb11819d76dd1bd263493ab954988b5e7e082607eb66086c0651817a1acfb99b7016a31db4094da55b6a40d3860808bfd47edb5bbca97295b899414547 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-03 03:55
Reported
2024-06-03 03:58
Platform
win10v2004-20240426-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
UAC bypass
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\9ab8a20efc529edc4e7c786c2278ee30_NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\9ab8a20efc529edc4e7c786c2278ee30_NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\9ab8a20efc529edc4e7c786c2278ee30_NeikiAnalytics.exe | N/A |
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\ProgramData\rr.exe | N/A |
| N/A | N/A | C:\ProgramData\playtomenu.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\9ab8a20efc529edc4e7c786c2278ee30_NeikiAnalytics.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9ab8a20efc529edc4e7c786c2278ee30_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\ProgramData\playtomenu.exe | N/A |
| N/A | N/A | C:\ProgramData\playtomenu.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\9ab8a20efc529edc4e7c786c2278ee30_NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\9ab8a20efc529edc4e7c786c2278ee30_NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\9ab8a20efc529edc4e7c786c2278ee30_NeikiAnalytics.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\9ab8a20efc529edc4e7c786c2278ee30_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\9ab8a20efc529edc4e7c786c2278ee30_NeikiAnalytics.exe"
C:\ProgramData\rr.exe
C:\ProgramData\rr.exe -y x -pFASJKLVFDAJKLCDSA434JKLFDS "C:\ProgramData\playtomenu.jpg" "C:\ProgramData\"
C:\ProgramData\playtomenu.exe
C:\ProgramData\playtomenu.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c delself.cmd
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | d_1.largesder.com | udp |
| SG | 8.222.228.10:8888 | d_1.largesder.com | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | r.largesder.com | udp |
| SG | 8.222.228.10:8888 | r.largesder.com | tcp |
| US | 8.8.8.8:53 | 10.228.222.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | playtomenu.largesder.com | udp |
| SG | 8.222.228.10:8888 | playtomenu.largesder.com | tcp |
| US | 8.8.8.8:53 | d3.largesder.com | udp |
| SG | 8.222.228.10:8888 | d3.largesder.com | tcp |
| SG | 8.222.228.10:8888 | d3.largesder.com | tcp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 123.10.44.20.in-addr.arpa | udp |
Files
C:\ProgramData\rr.exe
| MD5 | f2ae502d448cfb81a5f40a9368d99b1a |
| SHA1 | f849be86e9e7ced0acd51a68f92992b8090d08a5 |
| SHA256 | 07ad4b984f288304003b080dd013784685181de4353a0b70a0247f96e535bd56 |
| SHA512 | 9f3aea471684e22bf9fc045ca0e47a8429fa0b13c188f9c7a51937efa8afcec976761b0c4c95aed7735096fcc2278bbd86b0ab581261a6aff6c694d7bb65e9be |
C:\ProgramData\playtomenu.jpg
| MD5 | c2348c7e8ac7e2812f7967c126918b90 |
| SHA1 | 626bb46101ccf131d6981f338cd4b4edcf76ca31 |
| SHA256 | 40eeb9683bfd6ce4bf7e3bd836ff9beb2838a6afbd1ab9a149d9ec9c5f5d9a8f |
| SHA512 | 74270cda47170f3f92fc1688c3fbc2c8f6ecc1b2b2c45016f00e56989d0f256eab6b354fea253e2045b56952ef665805ab51611d54a53e3bd61ac8d558eede11 |
C:\ProgramData\playtomenu.exe
| MD5 | 684fdaae316e5f59baa6f69f5bc2526a |
| SHA1 | 958061cff425622da5bf931f7ffdd22a1f784763 |
| SHA256 | 17f875b64eedb6ed608cca84e3d9804c947e7200c294b3ff5f91568e35a0d2e8 |
| SHA512 | 7eca3352b7d4195c3f793db86ad9a98cdcbd2aff55e94cc1dccc754a8e84bf2eb9d13e991c672d08a162dbc01f9a9d7bcb873f1446147e77dbbdcecafcbd51c1 |
C:\Users\Admin\AppData\Local\Temp\delself.cmd
| MD5 | cf766626a5051d9485061fa254b45c76 |
| SHA1 | 7b854c5e4ce890e7b403056bee9ac2dc017b076f |
| SHA256 | a45dc47c56a943836dc828d40a14fb136cbc7883fd92da7f183c0b7ac06139d7 |
| SHA512 | ddee1ecb11819d76dd1bd263493ab954988b5e7e082607eb66086c0651817a1acfb99b7016a31db4094da55b6a40d3860808bfd47edb5bbca97295b899414547 |