Analysis
  Max time kernel:  143s
  Max time network: 149s
  Platform:         windows10-2004_x64
  Resource:         win10v2004-20240508-en
  Resource tags:    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  Submitted:        04-06-2024 05:06
Behavioral tasks
  Task         Sample                                               Resource
  behavioral1  30830893416e1641dd96dc8f25b3bf00_NeikiAnalytics.exe  win7-20231129-en
  behavioral2  30830893416e1641dd96dc8f25b3bf00_NeikiAnalytics.exe  win10v2004-20240508-en
General
  Target: 30830893416e1641dd96dc8f25b3bf00_NeikiAnalytics.exe
  Size:   484KB
  MD5:    30830893416e1641dd96dc8f25b3bf00
  SHA1:   f6fe7fd17c145973dffcdec39c4183ff8211b106
  SHA256: d095c5af558806269fd965df0e8f4c6e87ce71c6dc5d8519611e3d804fbd0572
  SHA512: 684f52387dce6f01bb6fe1b4bdbdd432e9e8fe69e74c16ec91d0fb223ec45008ed6e440583f111cbb9465a6c3cfd19e30ea7c01fa9cc87d9ad4e8f0a0d5eeaee
  SSDEEP: 6144:g5u5eG44AeJ2ssftlVN+zBfGrSWm+omDAgQsSygGG2IszBA3:Cu5eG4bsilNoGSJ+omDAdsWGLTVW
Malware Config
Signatures

Deletes itself (1 IoC)
  PID   Process
  556   zboiz.exe

Executes dropped EXE (2 IoCs)
  PID   Process
  556   zboiz.exe
  4368  biinuhja.exe

Loads dropped DLL (1 IoC)
  PID   Process
  4368  biinuhja.exe

Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

YARA match
  Resource                                    YARA rule
  behavioral2/files/0x00090000000233fa-2.dat  upx

Adds Run key to start application (2 TTPs, 1 IoC)
  Description: Set value (str)
  Process:     biinuhja.exe
  IoC:         \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wfl = "c:\\Program Files\\eodgmhqzb\\biinuhja.exe \"c:\\Program Files\\eodgmhqzb\\biinuhja.dll\",WriteErrorLog"

Enumerates connected drives (3 TTPs, 23 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  File opened (read-only) by biinuhja.exe, in the order observed:
    \??\s: \??\t: \??\u: \??\b: \??\g: \??\h: \??\j: \??\o: \??\x: \??\a: \??\i: \??\n:
    \??\r: \??\z: \??\y: \??\l: \??\m: \??\p: \??\q: \??\v: \??\e: \??\k: \??\w:

Writes to the Master Boot Record (MBR) (1 TTP, 1 IoC)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  Description                   IoC                  Process
  File opened for modification  \??\PHYSICALDRIVE0   biinuhja.exe

Drops file in Program Files directory (4 IoCs)
  Description                   IoC                                           Process
  File opened for modification  \??\c:\Program Files\eodgmhqzb                zboiz.exe
  File created                  \??\c:\Program Files\eodgmhqzb\biinuhja.dll   zboiz.exe
  File created                  \??\c:\Program Files\eodgmhqzb\biinuhja.exe   zboiz.exe
  File opened for modification  \??\c:\Program Files\eodgmhqzb\biinuhja.exe   zboiz.exe

Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Description        IoC                                                                                   Process
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                      biinuhja.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  biinuhja.exe

Runs ping.exe (1 TTP, 1 IoC)
  PID   Process
  888   PING.EXE

Suspicious behavior: EnumeratesProcesses (4 IoCs)
  PID   Process
  4368  biinuhja.exe
  4368  biinuhja.exe
  4368  biinuhja.exe
  4368  biinuhja.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
  Description              PID   Process
  Token: SeDebugPrivilege  4368  biinuhja.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
  PID   Process
  1336  30830893416e1641dd96dc8f25b3bf00_NeikiAnalytics.exe
  556   zboiz.exe

Suspicious use of WriteProcessMemory (12 IoCs)
  Description                       PID   Process                                               Target PID
  PID 1336 wrote to memory of 4208  1336  30830893416e1641dd96dc8f25b3bf00_NeikiAnalytics.exe   85
  PID 1336 wrote to memory of 4208  1336  30830893416e1641dd96dc8f25b3bf00_NeikiAnalytics.exe   85
  PID 1336 wrote to memory of 4208  1336  30830893416e1641dd96dc8f25b3bf00_NeikiAnalytics.exe   85
  PID 4208 wrote to memory of 888   4208  cmd.exe                                               87
  PID 4208 wrote to memory of 888   4208  cmd.exe                                               87
  PID 4208 wrote to memory of 888   4208  cmd.exe                                               87
  PID 4208 wrote to memory of 556   4208  cmd.exe                                               89
  PID 4208 wrote to memory of 556   4208  cmd.exe                                               89
  PID 4208 wrote to memory of 556   4208  cmd.exe                                               89
  PID 556 wrote to memory of 4368   556   zboiz.exe                                             90
  PID 556 wrote to memory of 4368   556   zboiz.exe                                             90
  PID 556 wrote to memory of 4368   556   zboiz.exe                                             90
Processes (tree; depth shown by numbering)

1. C:\Users\Admin\AppData\Local\Temp\30830893416e1641dd96dc8f25b3bf00_NeikiAnalytics.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\30830893416e1641dd96dc8f25b3bf00_NeikiAnalytics.exe"
   PID: 1336
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\cmd.exe
      Command line: cmd.exe /c ping 127.0.0.1 -n 2&C:\Users\Admin\AppData\Local\Temp\\zboiz.exe "C:\Users\Admin\AppData\Local\Temp\30830893416e1641dd96dc8f25b3bf00_NeikiAnalytics.exe"
      PID: 4208
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\PING.EXE
         Command line: ping 127.0.0.1 -n 2
         PID: 888
         - Runs ping.exe

      3. C:\Users\Admin\AppData\Local\Temp\zboiz.exe
         Command line: C:\Users\Admin\AppData\Local\Temp\\zboiz.exe "C:\Users\Admin\AppData\Local\Temp\30830893416e1641dd96dc8f25b3bf00_NeikiAnalytics.exe"
         PID: 556
         - Deletes itself
         - Executes dropped EXE
         - Drops file in Program Files directory
         - Suspicious use of SetWindowsHookEx
         - Suspicious use of WriteProcessMemory

         4. \??\c:\Program Files\eodgmhqzb\biinuhja.exe
            Command line: "c:\Program Files\eodgmhqzb\biinuhja.exe" "c:\Program Files\eodgmhqzb\biinuhja.dll",WriteErrorLog
            Parent: C:\Users\Admin\AppData\Local\Temp\zboiz.exe
            PID: 4368
            - Executes dropped EXE
            - Loads dropped DLL
            - Adds Run key to start application
            - Enumerates connected drives
            - Writes to the Master Boot Record (MBR)
            - Checks processor information in registry
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
  Persistence
    Boot or Logon Autostart Execution (1)
      Registry Run Keys / Startup Folder (1)
    Pre-OS Boot (1)
      Bootkit (1)
  Privilege Escalation
    Boot or Logon Autostart Execution (1)
      Registry Run Keys / Startup Folder (1)
Downloads