Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 03-06-2024 12:03
Static task: static1
Behavioral task: behavioral1
- Sample: a2bd0c02b2adf071bfb1d44096a35b30_NeikiAnalytics.exe
- Resource: win7-20240508-en
Behavioral task: behavioral2
- Sample: a2bd0c02b2adf071bfb1d44096a35b30_NeikiAnalytics.exe
- Resource: win10v2004-20240426-en
General
- Target: a2bd0c02b2adf071bfb1d44096a35b30_NeikiAnalytics.exe
- Size: 126KB
- MD5: a2bd0c02b2adf071bfb1d44096a35b30
- SHA1: 47cf82820061a38b613340807a442b88d9238ef2
- SHA256: df6469992e7a082ab74f8eae1c235f25aac9fbee1ef549a30d0939a63c5ef80a
- SHA512: 634483948d71eecdba60406bee12294a0acf4cf2689c351ed6bac58e5b11ce45d27eb11f678f9a06250c67c6cf1ddec3e839d46cbe136eddbec5d8ad538e7b2f
- SSDEEP: 3072:NEboFVlGAvwsgbpvYfMTc72L10fPsout6S:SBzsgbpvnTcyOPsoS6S
Malware Config
Signatures
- Deletes itself (1 IoC)
  - PID 4940 svchost.exe
- Executes dropped EXE (1 IoC)
  - PID 1956 KVEIF.jpg
- Loads dropped DLL (4 IoCs)
  - PID 644 a2bd0c02b2adf071bfb1d44096a35b30_NeikiAnalytics.exe
  - PID 4940 svchost.exe
  - PID 1956 KVEIF.jpg
  - PID 2472 svchost.exe
- Drops file in System32 directory (2 IoCs)
  - File created: C:\Windows\SysWOW64\kernel64.dll by a2bd0c02b2adf071bfb1d44096a35b30_NeikiAnalytics.exe
  - File opened for modification: C:\Windows\SysWOW64\kernel64.dll by a2bd0c02b2adf071bfb1d44096a35b30_NeikiAnalytics.exe
- Suspicious use of SetThreadContext (2 IoCs)
  - PID 644 a2bd0c02b2adf071bfb1d44096a35b30_NeikiAnalytics.exe set thread context of PID 4940 (procid_target 83)
  - PID 1956 KVEIF.jpg set thread context of PID 2472 (procid_target 88)
- Drops file in Program Files directory (23 IoCs)
  - File opened for modification: C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1C\KVEIF.jpg by a2bd0c02b2adf071bfb1d44096a35b30_NeikiAnalytics.exe
  - File created: C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1C\KVEIFs1.ini by svchost.exe
  - File opened for modification: C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1C\1D11D1C123.IMD by svchost.exe
  - File created: C:\Program Files\Common Files\Microsoft\1D11D1C\KVEIF.jpg by svchost.exe
  - File opened for modification: C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1C\FKC.WYA by KVEIF.jpg
  - File opened for modification: C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1C\1D11D1C123.IMD by KVEIF.jpg
  - File opened for modification: C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1C\FKC.WYA by svchost.exe
  - File opened for modification: C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1C\KVEIF.jpg by svchost.exe
  - File opened for modification: C:\Program Files\Common Files\Microsoft\1D11D1C\KVEIF.jpg by svchost.exe
  - File opened for modification: C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1C\KVEIFs5.ini by svchost.exe
  - File created: C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1C\KVEIFss1.ini by a2bd0c02b2adf071bfb1d44096a35b30_NeikiAnalytics.exe
  - File created: C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1C\KVEIFmain.ini by a2bd0c02b2adf071bfb1d44096a35b30_NeikiAnalytics.exe
  - File opened for modification: C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1C\KVEIFmain.ini by a2bd0c02b2adf071bfb1d44096a35b30_NeikiAnalytics.exe
  - File opened for modification: C:\Program Files\Common Files\Microsoft\1D11D1C\KVEIF.jpg by svchost.exe
  - File opened for modification: C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1C\FKC.WYA by svchost.exe
  - File created: C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1C\1D11D1C123.IMD by svchost.exe
  - File created: C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1C\$$.tmp by svchost.exe
  - File created: C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1C\KVEIFs5.ini by svchost.exe
  - File created: C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1C\ok.txt by a2bd0c02b2adf071bfb1d44096a35b30_NeikiAnalytics.exe
  - File created: C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1C\KVEIF.jpg by a2bd0c02b2adf071bfb1d44096a35b30_NeikiAnalytics.exe
  - File created: C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1C\FKC.WYA by a2bd0c02b2adf071bfb1d44096a35b30_NeikiAnalytics.exe
  - File opened for modification: C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1C\KVEIF.jpg by svchost.exe
  - File opened for modification: C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1C\KVEIFs5.ini by KVEIF.jpg
- Drops file in Windows directory (2 IoCs)
  - File created: C:\Windows\web\606C646364636479.tmp by a2bd0c02b2adf071bfb1d44096a35b30_NeikiAnalytics.exe
  - File opened for modification: C:\Windows\web\606C646364636479.tmp by a2bd0c02b2adf071bfb1d44096a35b30_NeikiAnalytics.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  - PID 644 a2bd0c02b2adf071bfb1d44096a35b30_NeikiAnalytics.exe (8 occurrences)
  - PID 4940 svchost.exe (50 occurrences)
  - PID 1956 KVEIF.jpg (6 occurrences)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  - PID 4940 svchost.exe
- Suspicious use of AdjustPrivilegeToken (64 IoCs), all Token: SeDebugPrivilege
  - PID 644 a2bd0c02b2adf071bfb1d44096a35b30_NeikiAnalytics.exe (4 occurrences)
  - PID 4940 svchost.exe (30 occurrences)
  - PID 1956 KVEIF.jpg (3 occurrences)
  - PID 2472 svchost.exe (27 occurrences)
- Suspicious use of WriteProcessMemory (13 IoCs)
  - PID 644 a2bd0c02b2adf071bfb1d44096a35b30_NeikiAnalytics.exe wrote to memory of PID 4940 (procid_target 83), 5 occurrences
  - PID 3476 cmd.exe wrote to memory of PID 1956 (procid_target 87), 3 occurrences
  - PID 1956 KVEIF.jpg wrote to memory of PID 2472 (procid_target 88), 5 occurrences
Processes
- C:\Users\Admin\AppData\Local\Temp\a2bd0c02b2adf071bfb1d44096a35b30_NeikiAnalytics.exe (PID 644)
  Command line: "C:\Users\Admin\AppData\Local\Temp\a2bd0c02b2adf071bfb1d44096a35b30_NeikiAnalytics.exe"
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\svchost.exe (PID 4940, child of PID 644)
    Command line: C:\Windows\System32\svchost.exe -EMBEDDING 423B5D51736E6673606C2147686D64725D426E6C6C6E6F2147686D64725D4C6862736E726E6775215269607364655D4C52486F676E5D304530304530425D474A422F565840 0
    - Deletes itself
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\cmd.exe (PID 3476)
  Command line: cmd.exe /c call "C:\Program Files\Common Files\Microsoft\1D11D1C\KVEIF.jpg" -3 423B5D51736E6673606C2147686D64725D426E6C6C6E6F2147686D64725D4C6862736E726E6775215269607364655D4C52486F676E5D304530304530425D474A422F565840
  - Suspicious use of WriteProcessMemory
  - C:\Program Files\Common Files\Microsoft\1D11D1C\KVEIF.jpg (PID 1956, child of PID 3476)
    Command line: "C:\Program Files\Common Files\Microsoft\1D11D1C\KVEIF.jpg" -3 423B5D51736E6673606C2147686D64725D426E6C6C6E6F2147686D64725D4C6862736E726E6775215269607364655D4C52486F676E5D304530304530425D474A422F565840
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\svchost.exe (PID 2472, child of PID 1956)
      Command line: C:\Windows\System32\svchost.exe -sys 423B5D51736E6673606C2147686D64725D426E6C6C6E6F2147686D64725D4C6862736E726E6775215269607364655D4C52486F676E5D304530304530425D474A422F565840 0
      - Loads dropped DLL
      - Drops file in Program Files directory
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads