Analysis
max time kernel: 150s
max time network: 149s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 03-06-2024 12:03
Static task: static1
Behavioral task: behavioral1
  Sample: a2bd0c02b2adf071bfb1d44096a35b30_NeikiAnalytics.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: a2bd0c02b2adf071bfb1d44096a35b30_NeikiAnalytics.exe
  Resource: win10v2004-20240426-en
General
Target: a2bd0c02b2adf071bfb1d44096a35b30_NeikiAnalytics.exe
Size: 126KB
MD5: a2bd0c02b2adf071bfb1d44096a35b30
SHA1: 47cf82820061a38b613340807a442b88d9238ef2
SHA256: df6469992e7a082ab74f8eae1c235f25aac9fbee1ef549a30d0939a63c5ef80a
SHA512: 634483948d71eecdba60406bee12294a0acf4cf2689c351ed6bac58e5b11ce45d27eb11f678f9a06250c67c6cf1ddec3e839d46cbe136eddbec5d8ad538e7b2f
SSDEEP: 3072:NEboFVlGAvwsgbpvYfMTc72L10fPsout6S:SBzsgbpvnTcyOPsoS6S
Malware Config
Signatures
-
Deletes itself 1 IoCs
pid | Process
2692 | wininit.exe
Executes dropped EXE 1 IoCs
pid | Process
1012 | KVEIF.jpg
Loads dropped DLL 4 IoCs
pid | Process
2124 | a2bd0c02b2adf071bfb1d44096a35b30_NeikiAnalytics.exe
2692 | wininit.exe
1012 | KVEIF.jpg
1628 | svchost.exe
Drops file in System32 directory 2 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\kernel64.dll | a2bd0c02b2adf071bfb1d44096a35b30_NeikiAnalytics.exe
File opened for modification | C:\Windows\SysWOW64\kernel64.dll | a2bd0c02b2adf071bfb1d44096a35b30_NeikiAnalytics.exe
Suspicious use of SetThreadContext 2 IoCs
description | pid | Process | procid_target
PID 2124 set thread context of 2692 | 2124 | a2bd0c02b2adf071bfb1d44096a35b30_NeikiAnalytics.exe | 28
PID 1012 set thread context of 1628 | 1012 | KVEIF.jpg | 31
Drops file in Program Files directory 24 IoCs
description | ioc | Process
File created | C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1C\KVEIFss1.ini | a2bd0c02b2adf071bfb1d44096a35b30_NeikiAnalytics.exe
File created | C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1C\KVEIF.jpg | a2bd0c02b2adf071bfb1d44096a35b30_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1C\KVEIFmain.ini | a2bd0c02b2adf071bfb1d44096a35b30_NeikiAnalytics.exe
File created | C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1C\1D11D1C123.IMD | wininit.exe
File opened for modification | C:\Program Files\Common Files\Microsoft\1D11D1C\KVEIF.jpg | wininit.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1C\KVEIFs5.ini | wininit.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1C\KVEIF.jpg | svchost.exe
File opened for modification | C:\Program Files\Common Files\Microsoft\1D11D1C\KVEIF.jpg | svchost.exe
File created | C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1C\ok.txt | a2bd0c02b2adf071bfb1d44096a35b30_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1C\KVEIF.jpg | a2bd0c02b2adf071bfb1d44096a35b30_NeikiAnalytics.exe
File created | C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1C\FKC.WYA | a2bd0c02b2adf071bfb1d44096a35b30_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1C\FKC.WYA | wininit.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1C\KVEIF.jpg | wininit.exe
File created | C:\Program Files\Common Files\Microsoft\1D11D1C\KVEIF.jpg | wininit.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1C\KVEIFs5.ini | KVEIF.jpg
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1C\$$.tmp | wininit.exe
File created | C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1C\KVEIFs5.ini | svchost.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1C\KVEIFs1.ini | svchost.exe
File created | C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1C\KVEIFmain.ini | a2bd0c02b2adf071bfb1d44096a35b30_NeikiAnalytics.exe
File created | C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1C\KVEIFs1.ini | wininit.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1C\1D11D1C123.IMD | wininit.exe
File created | C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1C\$$.tmp | wininit.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1C\FKC.WYA | KVEIF.jpg
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1C\FKC.WYA | svchost.exe
Drops file in Windows directory 2 IoCs
description | ioc | Process
File created | C:\Windows\web\606C646364636479.tmp | a2bd0c02b2adf071bfb1d44096a35b30_NeikiAnalytics.exe
File opened for modification | C:\Windows\web\606C646364636479.tmp | a2bd0c02b2adf071bfb1d44096a35b30_NeikiAnalytics.exe
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
pid | Process
1012 | KVEIF.jpg
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2124 a2bd0c02b2adf071bfb1d44096a35b30_NeikiAnalytics.exe 2124 a2bd0c02b2adf071bfb1d44096a35b30_NeikiAnalytics.exe 2124 a2bd0c02b2adf071bfb1d44096a35b30_NeikiAnalytics.exe 2124 a2bd0c02b2adf071bfb1d44096a35b30_NeikiAnalytics.exe 2692 wininit.exe 2692 wininit.exe 2692 wininit.exe 2692 wininit.exe 2692 wininit.exe 2692 wininit.exe 2692 wininit.exe 2692 wininit.exe 2692 wininit.exe 2692 wininit.exe 2692 wininit.exe 2692 wininit.exe 2692 wininit.exe 2692 wininit.exe 2692 wininit.exe 2692 wininit.exe 2692 wininit.exe 2692 wininit.exe 2692 wininit.exe 2692 wininit.exe 2692 wininit.exe 2692 wininit.exe 2692 wininit.exe 2692 wininit.exe 2692 wininit.exe 1012 KVEIF.jpg 1012 KVEIF.jpg 1012 KVEIF.jpg 1628 svchost.exe 1628 svchost.exe 1628 svchost.exe 1628 svchost.exe 1628 svchost.exe 1628 svchost.exe 1628 svchost.exe 2692 wininit.exe 1628 svchost.exe 2692 wininit.exe 1628 svchost.exe 2692 wininit.exe 2692 wininit.exe 2692 wininit.exe 2692 wininit.exe 2692 wininit.exe 1628 svchost.exe 1628 svchost.exe 1628 svchost.exe 2692 wininit.exe 1628 svchost.exe 2692 wininit.exe 1628 svchost.exe 2692 wininit.exe 2692 wininit.exe 2692 wininit.exe 2692 wininit.exe 2692 wininit.exe 1628 svchost.exe 1628 svchost.exe 1628 svchost.exe 2692 wininit.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid | Process
2692 | wininit.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 2124 a2bd0c02b2adf071bfb1d44096a35b30_NeikiAnalytics.exe Token: SeDebugPrivilege 2124 a2bd0c02b2adf071bfb1d44096a35b30_NeikiAnalytics.exe Token: SeDebugPrivilege 2124 a2bd0c02b2adf071bfb1d44096a35b30_NeikiAnalytics.exe Token: SeDebugPrivilege 2124 a2bd0c02b2adf071bfb1d44096a35b30_NeikiAnalytics.exe Token: SeDebugPrivilege 2692 wininit.exe Token: SeDebugPrivilege 2692 wininit.exe Token: SeDebugPrivilege 2692 wininit.exe Token: SeDebugPrivilege 2692 wininit.exe Token: SeDebugPrivilege 2692 wininit.exe Token: SeDebugPrivilege 2692 wininit.exe Token: SeDebugPrivilege 2692 wininit.exe Token: SeDebugPrivilege 1012 KVEIF.jpg Token: SeDebugPrivilege 1012 KVEIF.jpg Token: SeDebugPrivilege 1012 KVEIF.jpg Token: SeDebugPrivilege 1628 svchost.exe Token: SeDebugPrivilege 1628 svchost.exe Token: SeDebugPrivilege 1628 svchost.exe Token: SeDebugPrivilege 1628 svchost.exe Token: SeDebugPrivilege 1628 svchost.exe Token: SeDebugPrivilege 2692 wininit.exe Token: SeDebugPrivilege 2692 wininit.exe Token: SeDebugPrivilege 1628 svchost.exe Token: SeDebugPrivilege 1628 svchost.exe Token: SeDebugPrivilege 2692 wininit.exe Token: SeDebugPrivilege 2692 wininit.exe Token: SeDebugPrivilege 1628 svchost.exe Token: SeDebugPrivilege 1628 svchost.exe Token: SeDebugPrivilege 2692 wininit.exe Token: SeDebugPrivilege 2692 wininit.exe Token: SeDebugPrivilege 1628 svchost.exe Token: SeDebugPrivilege 1628 svchost.exe Token: SeDebugPrivilege 2692 wininit.exe Token: SeDebugPrivilege 2692 wininit.exe Token: SeDebugPrivilege 1628 svchost.exe Token: SeDebugPrivilege 1628 svchost.exe Token: SeDebugPrivilege 2692 wininit.exe Token: SeDebugPrivilege 2692 wininit.exe Token: SeDebugPrivilege 1628 svchost.exe Token: SeDebugPrivilege 1628 svchost.exe Token: SeDebugPrivilege 2692 wininit.exe Token: SeDebugPrivilege 2692 wininit.exe Token: SeDebugPrivilege 1628 svchost.exe Token: SeDebugPrivilege 1628 svchost.exe Token: SeDebugPrivilege 2692 wininit.exe Token: 
SeDebugPrivilege 2692 wininit.exe Token: SeDebugPrivilege 1628 svchost.exe Token: SeDebugPrivilege 1628 svchost.exe Token: SeDebugPrivilege 2692 wininit.exe Token: SeDebugPrivilege 2692 wininit.exe Token: SeDebugPrivilege 1628 svchost.exe Token: SeDebugPrivilege 1628 svchost.exe Token: SeDebugPrivilege 2692 wininit.exe Token: SeDebugPrivilege 2692 wininit.exe Token: SeDebugPrivilege 1628 svchost.exe Token: SeDebugPrivilege 1628 svchost.exe Token: SeDebugPrivilege 2692 wininit.exe Token: SeDebugPrivilege 2692 wininit.exe Token: SeDebugPrivilege 1628 svchost.exe Token: SeDebugPrivilege 1628 svchost.exe Token: SeDebugPrivilege 2692 wininit.exe Token: SeDebugPrivilege 2692 wininit.exe Token: SeDebugPrivilege 1628 svchost.exe Token: SeDebugPrivilege 1628 svchost.exe Token: SeDebugPrivilege 2692 wininit.exe -
Suspicious use of WriteProcessMemory 16 IoCs
description | pid | Process | procid_target
PID 2124 wrote to memory of 2692 | 2124 | a2bd0c02b2adf071bfb1d44096a35b30_NeikiAnalytics.exe | 28
PID 2124 wrote to memory of 2692 | 2124 | a2bd0c02b2adf071bfb1d44096a35b30_NeikiAnalytics.exe | 28
PID 2124 wrote to memory of 2692 | 2124 | a2bd0c02b2adf071bfb1d44096a35b30_NeikiAnalytics.exe | 28
PID 2124 wrote to memory of 2692 | 2124 | a2bd0c02b2adf071bfb1d44096a35b30_NeikiAnalytics.exe | 28
PID 2124 wrote to memory of 2692 | 2124 | a2bd0c02b2adf071bfb1d44096a35b30_NeikiAnalytics.exe | 28
PID 2124 wrote to memory of 2692 | 2124 | a2bd0c02b2adf071bfb1d44096a35b30_NeikiAnalytics.exe | 28
PID 2140 wrote to memory of 1012 | 2140 | cmd.exe | 30
PID 2140 wrote to memory of 1012 | 2140 | cmd.exe | 30
PID 2140 wrote to memory of 1012 | 2140 | cmd.exe | 30
PID 2140 wrote to memory of 1012 | 2140 | cmd.exe | 30
PID 1012 wrote to memory of 1628 | 1012 | KVEIF.jpg | 31
PID 1012 wrote to memory of 1628 | 1012 | KVEIF.jpg | 31
PID 1012 wrote to memory of 1628 | 1012 | KVEIF.jpg | 31
PID 1012 wrote to memory of 1628 | 1012 | KVEIF.jpg | 31
PID 1012 wrote to memory of 1628 | 1012 | KVEIF.jpg | 31
PID 1012 wrote to memory of 1628 | 1012 | KVEIF.jpg | 31
Processes
C:\Users\Admin\AppData\Local\Temp\a2bd0c02b2adf071bfb1d44096a35b30_NeikiAnalytics.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a2bd0c02b2adf071bfb1d44096a35b30_NeikiAnalytics.exe"
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2124
  C:\Windows\SysWOW64\wininit.exe
    Command line: C:\Windows\System32\wininit.exe -EMBEDDING 423B5D51736E6673606C2147686D64725D426E6C6C6E6F2147686D64725D4C6862736E726E6775215269607364655D4C52486F676E5D304530304530425D474A422F565840 0
    - Deletes itself
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID: 2692
C:\Windows\system32\cmd.exe
  Command line: cmd.exe /c call "C:\Program Files\Common Files\Microsoft\1D11D1C\KVEIF.jpg" -3 423B5D51736E6673606C2147686D64725D426E6C6C6E6F2147686D64725D4C6862736E726E6775215269607364655D4C52486F676E5D304530304530425D474A422F565840
  - Suspicious use of WriteProcessMemory
  PID: 2140
  C:\Program Files\Common Files\Microsoft\1D11D1C\KVEIF.jpg
    Command line: "C:\Program Files\Common Files\Microsoft\1D11D1C\KVEIF.jpg" -3 423B5D51736E6673606C2147686D64725D426E6C6C6E6F2147686D64725D4C6862736E726E6775215269607364655D4C52486F676E5D304530304530425D474A422F565840
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Drops file in Program Files directory
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 1012
    C:\Windows\SysWOW64\svchost.exe
      Command line: C:\Windows\System32\svchost.exe -sys 423B5D51736E6673606C2147686D64725D426E6C6C6E6F2147686D64725D4C6862736E726E6775215269607364655D4C52486F676E5D304530304530425D474A422F565840 0
      - Loads dropped DLL
      - Drops file in Program Files directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 1628
Network
MITRE ATT&CK Matrix
Downloads