Analysis
- max time kernel: 147s
- max time network: 136s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- submitted: 04-06-2024 05:06
Behavioral task behavioral1
- Sample: 30830893416e1641dd96dc8f25b3bf00_NeikiAnalytics.exe
- Resource: win7-20231129-en
Behavioral task behavioral2
- Sample: 30830893416e1641dd96dc8f25b3bf00_NeikiAnalytics.exe
- Resource: win10v2004-20240508-en
General
- Target: 30830893416e1641dd96dc8f25b3bf00_NeikiAnalytics.exe
- Size: 484KB
- MD5: 30830893416e1641dd96dc8f25b3bf00
- SHA1: f6fe7fd17c145973dffcdec39c4183ff8211b106
- SHA256: d095c5af558806269fd965df0e8f4c6e87ce71c6dc5d8519611e3d804fbd0572
- SHA512: 684f52387dce6f01bb6fe1b4bdbdd432e9e8fe69e74c16ec91d0fb223ec45008ed6e440583f111cbb9465a6c3cfd19e30ea7c01fa9cc87d9ad4e8f0a0d5eeaee
- SSDEEP: 6144:g5u5eG44AeJ2ssftlVN+zBfGrSWm+omDAgQsSygGG2IszBA3:Cu5eG4bsilNoGSJ+omDAdsWGLTVW
Malware Config
Signatures
- Deletes itself (1 IoC)
  pid   Process
  3036  shwyw.exe
- Executes dropped EXE (2 IoCs)
  pid   Process
  3036  shwyw.exe
  2160  etgydspe.exe
- Loads dropped DLL (7 IoCs)
  pid   Process
  2052  cmd.exe
  2052  cmd.exe
  3036  shwyw.exe
  2160  etgydspe.exe
  2160  etgydspe.exe
  2160  etgydspe.exe
  2160  etgydspe.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- YARA rule match
  resource                                    yara_rule
  behavioral1/files/0x0009000000016a29-2.dat  upx
- Adds Run key to start application (2 TTPs, 1 IoC)
  description      ioc  Process
  Set value (str)  \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\wfl = "c:\\Program Files\\fmnng\\etgydspe.exe \"c:\\Program Files\\fmnng\\etgydspe.dll\",WriteErrorLog"  etgydspe.exe
- Enumerates connected drives (3 TTPs, 23 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  description              ioc     Process
  File opened (read-only)  \??\t:  etgydspe.exe
  File opened (read-only)  \??\w:  etgydspe.exe
  File opened (read-only)  \??\x:  etgydspe.exe
  File opened (read-only)  \??\k:  etgydspe.exe
  File opened (read-only)  \??\m:  etgydspe.exe
  File opened (read-only)  \??\n:  etgydspe.exe
  File opened (read-only)  \??\l:  etgydspe.exe
  File opened (read-only)  \??\q:  etgydspe.exe
  File opened (read-only)  \??\r:  etgydspe.exe
  File opened (read-only)  \??\s:  etgydspe.exe
  File opened (read-only)  \??\u:  etgydspe.exe
  File opened (read-only)  \??\a:  etgydspe.exe
  File opened (read-only)  \??\e:  etgydspe.exe
  File opened (read-only)  \??\h:  etgydspe.exe
  File opened (read-only)  \??\v:  etgydspe.exe
  File opened (read-only)  \??\z:  etgydspe.exe
  File opened (read-only)  \??\g:  etgydspe.exe
  File opened (read-only)  \??\o:  etgydspe.exe
  File opened (read-only)  \??\y:  etgydspe.exe
  File opened (read-only)  \??\p:  etgydspe.exe
  File opened (read-only)  \??\b:  etgydspe.exe
  File opened (read-only)  \??\i:  etgydspe.exe
  File opened (read-only)  \??\j:  etgydspe.exe
- Writes to the Master Boot Record (MBR) (1 TTP, 1 IoC)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  description                   ioc                 Process
  File opened for modification  \??\PHYSICALDRIVE0  etgydspe.exe
- Drops file in Program Files directory (4 IoCs)
  description                   ioc                                      Process
  File opened for modification  \??\c:\Program Files\fmnng               shwyw.exe
  File created                  \??\c:\Program Files\fmnng\etgydspe.dll  shwyw.exe
  File created                  \??\c:\Program Files\fmnng\etgydspe.exe  shwyw.exe
  File opened for modification  \??\c:\Program Files\fmnng\etgydspe.exe  shwyw.exe
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description        ioc                                                                            Process
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                      etgydspe.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  etgydspe.exe
- Runs ping.exe (1 TTP, 1 IoC)
  pid   Process
  3016  PING.EXE
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid   Process
  2160  etgydspe.exe
  2160  etgydspe.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description              pid   Process
  Token: SeDebugPrivilege  2160  etgydspe.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid   Process
  1752  30830893416e1641dd96dc8f25b3bf00_NeikiAnalytics.exe
  3036  shwyw.exe
- Suspicious use of WriteProcessMemory (16 IoCs)
  description                       pid   Process                                               procid_target
  PID 1752 wrote to memory of 2052  1752  30830893416e1641dd96dc8f25b3bf00_NeikiAnalytics.exe  28
  PID 1752 wrote to memory of 2052  1752  30830893416e1641dd96dc8f25b3bf00_NeikiAnalytics.exe  28
  PID 1752 wrote to memory of 2052  1752  30830893416e1641dd96dc8f25b3bf00_NeikiAnalytics.exe  28
  PID 1752 wrote to memory of 2052  1752  30830893416e1641dd96dc8f25b3bf00_NeikiAnalytics.exe  28
  PID 2052 wrote to memory of 3016  2052  cmd.exe                                               30
  PID 2052 wrote to memory of 3016  2052  cmd.exe                                               30
  PID 2052 wrote to memory of 3016  2052  cmd.exe                                               30
  PID 2052 wrote to memory of 3016  2052  cmd.exe                                               30
  PID 2052 wrote to memory of 3036  2052  cmd.exe                                               31
  PID 2052 wrote to memory of 3036  2052  cmd.exe                                               31
  PID 2052 wrote to memory of 3036  2052  cmd.exe                                               31
  PID 2052 wrote to memory of 3036  2052  cmd.exe                                               31
  PID 3036 wrote to memory of 2160  3036  shwyw.exe                                             32
  PID 3036 wrote to memory of 2160  3036  shwyw.exe                                             32
  PID 3036 wrote to memory of 2160  3036  shwyw.exe                                             32
  PID 3036 wrote to memory of 2160  3036  shwyw.exe                                             32
Processes
- (level 1) C:\Users\Admin\AppData\Local\Temp\30830893416e1641dd96dc8f25b3bf00_NeikiAnalytics.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\30830893416e1641dd96dc8f25b3bf00_NeikiAnalytics.exe"
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 1752
  - (level 2) C:\Windows\SysWOW64\cmd.exe
    Command line: cmd.exe /c ping 127.0.0.1 -n 2&C:\Users\Admin\AppData\Local\Temp\\shwyw.exe "C:\Users\Admin\AppData\Local\Temp\30830893416e1641dd96dc8f25b3bf00_NeikiAnalytics.exe"
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID: 2052
    - (level 3) C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1 -n 2
      - Runs ping.exe
      PID: 3016
    - (level 3) C:\Users\Admin\AppData\Local\Temp\shwyw.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\\shwyw.exe "C:\Users\Admin\AppData\Local\Temp\30830893416e1641dd96dc8f25b3bf00_NeikiAnalytics.exe"
      - Deletes itself
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in Program Files directory
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      PID: 3036
      - (level 4) \??\c:\Program Files\fmnng\etgydspe.exe
        Command line: "c:\Program Files\fmnng\etgydspe.exe" "c:\Program Files\fmnng\etgydspe.dll",WriteErrorLog C:\Users\Admin\AppData\Local\Temp\shwyw.exe
        - Executes dropped EXE
        - Loads dropped DLL
        - Adds Run key to start application
        - Enumerates connected drives
        - Writes to the Master Boot Record (MBR)
        - Checks processor information in registry
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID: 2160
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Pre-OS Boot (1)
  - Bootkit (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
Downloads
- Filesize: 484KB
  MD5: 63d33665a3bbf1e2a1a231d5574d69d8
  SHA1: 5092a4aeb8cbd5eb112560f69ad93bcb731bd0cb
  SHA256: 6bfd094b815c370c63ee93af4f90a1b673947f7c75af9c5f9881f164a081315f
  SHA512: 3b7f550b2d2b48614a9cf82fd8489c54a96c0185b0eb289e18eaa60da4b3d0fd6532d6f0e711566e761289d66d62fe7c7a7a6c8e543c76f6a97725c70a93d643
- Filesize: 43KB
  MD5: 51138beea3e2c21ec44d0932c71762a8
  SHA1: 8939cf35447b22dd2c6e6f443446acc1bf986d58
  SHA256: 5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124
  SHA512: 794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d
- Filesize: 181KB
  MD5: 09d1b0fb0962df8ff8e20fa2912a6702
  SHA1: d0aebab2e0e502367013df50c05657892a478bc6
  SHA256: 21dbab9d1a07c41a034a6eec8237cf45e220eed4367328996eb7206c651a12a1
  SHA512: 5735c42425fd4053acd98ae4df216ce1604fb11b7060b40abdb7b8e7397d60cf793da8a9138386f80cd9e0522dbbc17bfb58d2baf5722ae29b8be157f91e6256