Analysis
max time kernel: 140s
max time network: 123s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system
submitted: 03-06-2024 19:26
Static task: static1
Behavioral task: behavioral1
  Sample: 4de8076561c810fa155b9c8754d71780_NeikiAnalytics.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 4de8076561c810fa155b9c8754d71780_NeikiAnalytics.exe
  Resource: win10v2004-20240508-en
General
Target: 4de8076561c810fa155b9c8754d71780_NeikiAnalytics.exe
Size: 5.7MB
MD5: 4de8076561c810fa155b9c8754d71780
SHA1: 7f29d44366a762952fe3a190d701b3344ab9328c
SHA256: 18825efdfdac5f2523c0a2624e002299dacfaa2faabd3c5e0f491d49ee3e4e63
SHA512: 4f60462cb3f2fc7a17e0c6d9fe84f4134c390a9acf7ca0e5443fb82d70df758fc9afba68a4b3ec48d3ff76884cd5ca65b92794df4e28870c02d81c228592fef1
SSDEEP: 98304:rMDtIXLr06AdfEThF35PzuifwiBzE1gZpueVpdrdNXiy7BZ3KPR0PBGW7ubQkGjK:NrmEdF3no11qppVppbiylZaPR+BCMK
Malware Config
Signatures
- Deletes itself 1 IoCs
  Processes:
  pid   Process
  2644  cmd.exe
- Executes dropped EXE 1 IoCs
  Processes:
  pid   Process
  2576  4de8076561c810fa155b9c8754d71780_NeikiAnalytics.exe
- Loads dropped DLL 3 IoCs
  Processes:
  pid   Process
  2644  cmd.exe
  2576  4de8076561c810fa155b9c8754d71780_NeikiAnalytics.exe
  2576  4de8076561c810fa155b9c8754d71780_NeikiAnalytics.exe
- Processes:
  resource                                                                      yara_rule
  behavioral1/files/0x0007000000015f65-21.dat                                   upx
  behavioral1/memory/2576-28-0x0000000000400000-0x0000000000423000-memory.dmp  upx
  behavioral1/memory/2576-44-0x0000000000400000-0x0000000000423000-memory.dmp  upx
- Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) 1 TTPs 1 IoCs
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Delays execution with timeout.exe 1 IoCs
  Processes:
  pid   Process
  2812  timeout.exe
- Modifies Internet Explorer settings 1 IoCs
  Processes:
  description  ioc                                                                                                                    Process
  Key created  \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main  4de8076561c810fa155b9c8754d71780_NeikiAnalytics.exe
- Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  Processes:
  pid   Process
  2576  4de8076561c810fa155b9c8754d71780_NeikiAnalytics.exe
- Suspicious use of SetWindowsHookEx 2 IoCs
  Processes:
  pid   Process
  2576  4de8076561c810fa155b9c8754d71780_NeikiAnalytics.exe
  2576  4de8076561c810fa155b9c8754d71780_NeikiAnalytics.exe
- Suspicious use of WriteProcessMemory 49 IoCs
  Processes (each distinct row below was logged 7 times, for 49 entries in total):
  description      pid   Process                                               procid_target
  PID 2244 wrote to memory of 3040  2244  4de8076561c810fa155b9c8754d71780_NeikiAnalytics.exe  28
  PID 2244 wrote to memory of 2644  2244  4de8076561c810fa155b9c8754d71780_NeikiAnalytics.exe  30
  PID 3040 wrote to memory of 2700  3040  cmd.exe                                               32
  PID 2644 wrote to memory of 2640  2644  cmd.exe                                               33
  PID 3040 wrote to memory of 2572  3040  cmd.exe                                               34
  PID 2644 wrote to memory of 2576  2644  cmd.exe                                               35
  PID 2644 wrote to memory of 2812  2644  cmd.exe                                               36
Processes
C:\Users\Admin\AppData\Local\Temp\4de8076561c810fa155b9c8754d71780_NeikiAnalytics.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\4de8076561c810fa155b9c8754d71780_NeikiAnalytics.exe"
  PID: 2244
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\zbe202463192627402.bat" "
    PID: 3040
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\schtasks.exe
      Command line: Schtasks.EXE /delete /tn "Maintenance" /f
      PID: 2700

    C:\Windows\SysWOW64\schtasks.exe
      Command line: Schtasks.EXE /create /tn "Maintenance" /xml "C:\Users\Admin\AppData\Local\Temp\zx202463192627402.xml"
      PID: 2572
      - Creates scheduled task(s)

  C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\zb202463192627402.bat" "
    PID: 2644
    - Deletes itself
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\chcp.com
      Command line: chcp 1251
      PID: 2640

    C:\Users\Admin\AppData\Local\Temp\4de8076561c810fa155b9c8754d71780_NeikiAnalytics.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\4de8076561c810fa155b9c8754d71780_NeikiAnalytics.exe"
      PID: 2576
      - Executes dropped EXE
      - Loads dropped DLL
      - Modifies Internet Explorer settings
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx

    C:\Windows\SysWOW64\timeout.exe
      Command line: timeout /t 3 /nobreak
      PID: 2812
      - Delays execution with timeout.exe
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 688B
  MD5:    bbac5d6b1746afc65c363881b89845a7
  SHA1:   374d987d2bc96ca3f415c5b8eb131a3216626aa7
  SHA256: 89feaaa8f203e41905a2cab10f47c26ce67a943999d489df0959c6da4e38dd32
  SHA512: d73197bbb64380afacb035fdf4c9636c30f8656411ca2f65482404654bb51a99ee9002e53de810b2c57894c0f7acf7094b6a54ea40907e099b12379e84c9d974
- Filesize: 199B
  MD5:    05f085a568e0b53b6a482f7b953d1e9b
  SHA1:   cd0f04e48fbe473ba31b1e5793b78c997a775652
  SHA256: 415164b9013d30231030a80d8e2f9cab310d2ea2408accd32614cc3245202fb7
  SHA512: 60f5a00bbd74d9b4383c98b7514c9cf7bf8d00feb51571af6ab9533164e5fff861362b491f56fd68dc1a26ab037d4bec7710a41f6d0add4fd2615257fbb8bade
- Filesize: 5.7MB
  MD5:    6cfbde390717f6aafadb84d4f644fc84
  SHA1:   428cc8e16e7920c34bb7ad296674737fd58916b3
  SHA256: 83f471e1c7f6c16da15e896aa181380ec849014c370042c028cea2b1b401d329
  SHA512: 6302b5cf9b5b9c8654431ed5d7a9b71b37adb63ff659c5a05d4ea2b58566d59b06ff5a7b3c47ffbddd568c0b76adb698a78de68fe64c2c7a06719ba2c13dfcc5
- Filesize: 1KB
  MD5:    9f9b3932bf6f25db20b9f5144c22c1a8
  SHA1:   fc0c9956b4effa3d0374493558144ca583e67651
  SHA256: c8e9414cc95d2420c797059a1ec9761e596cda0a8b1924fefa2a758e2940386e
  SHA512: ac3d3f5e00ed13c668f2c82210ec3585fcc1f4223be6e6ad4d5d1c9a56e1c3e4205601f57cd5dcf9812a238e214d7e9f55be6ac112b41153a71295b5985bcf1a