Analysis
max time kernel: 150s
max time network: 124s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04-06-2024 05:58
Static task: static1
Behavioral task: behavioral1
  Sample: 35233a314deba2c4b9d932047fb909f0_NeikiAnalytics.exe
  Resource: win7-20240215-en
Behavioral task: behavioral2 (the run shown on this page; see platform/resource above)
  Sample: 35233a314deba2c4b9d932047fb909f0_NeikiAnalytics.exe
  Resource: win10v2004-20240508-en
General
Target: 35233a314deba2c4b9d932047fb909f0_NeikiAnalytics.exe
Size: 760KB
MD5: 35233a314deba2c4b9d932047fb909f0
SHA1: 1afbb6871100ee6fc762db17a7a087139dd8b0c7
SHA256: 3ae58e138e5053dcb25014f025d2eb9f94c0b9119f6e967ee7de6a974d846052
SHA512: ea8b7eac0c3a49e6c8d76f117ea6cd5553135a4430df690f75e51856d477eeea4d9483a97ac2daa5661d8e5dc4197f2abd4e6bfcdcc79a2b26807d3510df1a61
SSDEEP: 12288:1/J/m71432pBsHMZ3tJnojSl27rLzqN8OUEeMT1TkcCDx4ZMr4Q0:1/A6GTVnojg2yNRXTkcCCZM8b
Malware Config
Signatures
Executes dropped EXE (2 IoCs)
  pid   Process
  2400  Logo1_.exe
  692   35233a314deba2c4b9d932047fb909f0_NeikiAnalytics.exe
Enumerates connected drives (3 TTPs, 21 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
  description: File opened (read-only)   Process: Logo1_.exe
  ioc (21 drive roots, every letter from E: to Z: except F:):
  \??\E: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z:
Drops file in Program Files directory (64 IoCs)
All 64 entries are "File opened for modification" by Logo1_.exe, and every target is an existing .exe under C:\Program Files or C:\Program Files (x86) (browsers, Java, 7-Zip, VLC, Adobe Reader, Store apps, updaters), in the order the sandbox recorded them:
  C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
  C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.187.37\MicrosoftEdgeUpdateBroker.exe
  C:\Program Files\Mozilla Firefox\firefox.exe
  C:\Program Files\Mozilla Firefox\crashreporter.exe
  C:\Program Files\Java\jdk-1.8\bin\idlj.exe
  C:\Program Files (x86)\Internet Explorer\ieinstal.exe
  C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteshare.exe
  C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe
  C:\Program Files\Java\jre-1.8\bin\javaws.exe
  C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\WindowsCamera.exe
  C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe
  C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe
  C:\Program Files\Java\jdk-1.8\bin\keytool.exe
  C:\Program Files\Java\jdk-1.8\bin\javaws.exe
  C:\Program Files\Java\jre-1.8\bin\unpack200.exe
  C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\fmui\fmui.exe
  C:\Program Files\WindowsApps\Microsoft.Wallet_2.4.18324.0_x64__8wekyb3d8bbwe\Microsoft.Wallet.exe
  C:\Program Files\7-Zip\7zG.exe
  C:\Program Files\Mozilla Firefox\minidump-analyzer.exe
  C:\Program Files\VideoLAN\VLC\vlc.exe
  C:\Program Files\WindowsApps\Microsoft.XboxSpeechToTextOverlay_1.17.29001.0_x64__8wekyb3d8bbwe\SpeechToTextOverlay64-Retail.exe
  C:\Program Files\Java\jre-1.8\bin\servertool.exe
  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe
  C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_99718\javaws.exe
  C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe
  C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\BHO\ie_to_edge_stub.exe
  C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe
  C:\Program Files\Java\jre-1.8\bin\tnameserv.exe
  C:\Program Files\Windows Security\BrowserCore\BrowserCore.exe
  C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe
  C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\YourPhone.exe
  C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe
  C:\Program Files\Java\jdk-1.8\bin\javac.exe
  C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe
  C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe
  C:\Program Files\Java\jre-1.8\bin\jabswitch.exe
  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe
  C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
  C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
  C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
  C:\Program Files\WindowsApps\Microsoft.Xbox.TCUI_1.23.28002.0_x64__8wekyb3d8bbwe\TCUI-App.exe
  C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\msinfo32.exe
  C:\Program Files\7-Zip\Uninstall.exe
  C:\Program Files\Java\jdk-1.8\bin\jar.exe
  C:\Program Files\Java\jdk-1.8\bin\jcmd.exe
  C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe
  C:\Program Files\Java\jre-1.8\bin\jjs.exe
  C:\Program Files\Mozilla Firefox\updater.exe
  C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_99718\java.exe
  C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
  C:\Program Files\Java\jdk-1.8\bin\javaw.exe
  C:\Program Files\Java\jdk-1.8\bin\servertool.exe
  C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\SkypeBackgroundHost.exe
  C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe
  C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
  C:\Program Files (x86)\Windows Media Player\wmprph.exe
  C:\Program Files\Mozilla Firefox\default-browser-agent.exe
  C:\Program Files\Mozilla Firefox\private_browsing.exe
  C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Maps.exe
  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe
  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe
  C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\MicrosoftEdgeUpdate.exe
  C:\Program Files\Java\jdk-1.8\bin\orbd.exe
  C:\Program Files\Java\jdk-1.8\bin\jps.exe
Drops file in Windows directory (2 IoCs)
  description   ioc                    Process
  File created  C:\Windows\vDll.dll    Logo1_.exe
  File created  C:\Windows\Logo1_.exe  35233a314deba2c4b9d932047fb909f0_NeikiAnalytics.exe
Runs net.exe
  Command (from the process tree below): net stop "Kingsoft AntiVirus Service", spawned by the dropped C:\Windows\Logo1_.exe (PID 2400)
Suspicious behavior: EnumeratesProcesses (16 IoCs)
  pid   Process
  2400  Logo1_.exe  (16 identical entries)
Suspicious use of WriteProcessMemory (15 IoCs; each row was recorded three times)
  description                       pid   Process                                              procid_target
  PID 3492 wrote to memory of 2296  3492  35233a314deba2c4b9d932047fb909f0_NeikiAnalytics.exe  83
  PID 3492 wrote to memory of 2400  3492  35233a314deba2c4b9d932047fb909f0_NeikiAnalytics.exe  84
  PID 2400 wrote to memory of 1900  2400  Logo1_.exe                                           86
  PID 1900 wrote to memory of 3620  1900  net.exe                                              88
  PID 2296 wrote to memory of 692   2296  cmd.exe                                              89
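Taken together, the "Enumerates connected drives" and "Drops file in Program Files directory" signatures above are the trace a file infector leaves in a sandbox: one process opens existing executables from many unrelated vendors for writing, and probes every other volume for more targets. The Python below is an added example, not part of the sandbox report or any vendor tooling. It runs a triage heuristic over IoC lines in the report's own format; the embedded lines are a subset copied from the signatures above, and the thresholds, the "vendor directory" notion and the function names are assumptions chosen for illustration.

```python
"""Triage heuristic over sandbox file IoC lines (added example, not report code)."""
import re
from collections import defaultdict

# Subset of the IoC lines from the report above (Logo1_.exe and the original sample).
IOC_LINES = r"""
File opened (read-only) \??\E: Logo1_.exe
File opened (read-only) \??\G: Logo1_.exe
File opened (read-only) \??\H: Logo1_.exe
File opened (read-only) \??\I: Logo1_.exe
File opened (read-only) \??\J: Logo1_.exe
File opened (read-only) \??\K: Logo1_.exe
File opened (read-only) \??\L: Logo1_.exe
File opened (read-only) \??\M: Logo1_.exe
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe Logo1_.exe
File opened for modification C:\Program Files\Mozilla Firefox\firefox.exe Logo1_.exe
File opened for modification C:\Program Files\Mozilla Firefox\crashreporter.exe Logo1_.exe
File opened for modification C:\Program Files\Java\jdk-1.8\bin\keytool.exe Logo1_.exe
File opened for modification C:\Program Files\Java\jre-1.8\bin\javaws.exe Logo1_.exe
File opened for modification C:\Program Files\7-Zip\7zG.exe Logo1_.exe
File opened for modification C:\Program Files\VideoLAN\VLC\vlc.exe Logo1_.exe
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Logo1_.exe
File opened for modification C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe Logo1_.exe
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe Logo1_.exe
File created C:\Windows\vDll.dll Logo1_.exe
File created C:\Windows\Logo1_.exe 35233a314deba2c4b9d932047fb909f0_NeikiAnalytics.exe
"""

# The process name is the last whitespace-free token; paths may contain spaces.
MODIFY_RE = re.compile(r"^File opened for modification (?P<path>.+?) (?P<proc>\S+)$")
CREATE_RE = re.compile(r"^File created (?P<path>.+?) (?P<proc>\S+)$")
DRIVE_RE = re.compile(r"^File opened \(read-only\) \\\?\?\\(?P<drive>[A-Z]):\s+(?P<proc>\S+)$")

PROGRAM_FILES_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\")

# Thresholds are assumptions for this example, not values taken from the report.
MIN_EXES_MODIFIED = 5   # distinct .exe files written under Program Files
MIN_VENDOR_DIRS = 3     # distinct top-level directories (vendors) those files live in
MIN_DRIVES_SWEPT = 5    # distinct drive roots opened


def vendor_dir(path: str) -> str:
    """'C:\\Program Files\\Java\\jre-1.8\\bin\\javaws.exe' -> 'Java'."""
    parts = path.split("\\")
    return parts[2] if len(parts) > 2 else ""


def is_program_files_exe(path: str) -> bool:
    low = path.lower()
    return low.endswith(".exe") and low.startswith(PROGRAM_FILES_ROOTS)


def summarize(lines: str) -> dict:
    """Per-process sets: executables modified, vendor dirs touched, drives opened, files created."""
    stats = defaultdict(lambda: {"modified_exes": set(), "vendor_dirs": set(),
                                 "drives": set(), "created": set()})
    for raw in lines.splitlines():
        line = raw.strip()
        if not line:
            continue
        if (m := MODIFY_RE.match(line)) and is_program_files_exe(m["path"]):
            stats[m["proc"]]["modified_exes"].add(m["path"].lower())
            stats[m["proc"]]["vendor_dirs"].add(vendor_dir(m["path"]))
        elif (m := DRIVE_RE.match(line)):
            stats[m["proc"]]["drives"].add(m["drive"])
        elif (m := CREATE_RE.match(line)):
            stats[m["proc"]]["created"].add(m["path"])
    return stats


def verdicts(lines: str) -> dict:
    """Map process name -> list of triggered heuristics (empty list means nothing flagged)."""
    out = {}
    for proc, s in summarize(lines).items():
        hits = []
        if len(s["modified_exes"]) >= MIN_EXES_MODIFIED and len(s["vendor_dirs"]) >= MIN_VENDOR_DIRS:
            hits.append("mass-modifies third-party executables (file-infector pattern)")
        if len(s["drives"]) >= MIN_DRIVES_SWEPT:
            hits.append("sweeps drive roots (looking for more volumes to touch)")
        if any(p.lower().startswith("c:\\windows\\") for p in s["created"]):
            hits.append("drops files into C:\\Windows")
        out[proc] = hits
    return out


if __name__ == "__main__":
    for proc, hits in verdicts(IOC_LINES).items():
        print(proc, "->", hits or ["nothing flagged"])
```

On the subset above, Logo1_.exe trips all three heuristics while the original sample only trips the C:\Windows drop; with the full 64-entry list the counts only grow. The vendor-directory threshold is what separates an installer or updater rewriting its own product from a process rewriting Firefox, Java, 7-Zip, VLC and Chrome in one run.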
Processes
C:\Users\Admin\AppData\Local\Temp\35233a314deba2c4b9d932047fb909f0_NeikiAnalytics.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\35233a314deba2c4b9d932047fb909f0_NeikiAnalytics.exe"
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID: 3492
  C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a4E3F.bat
    - Suspicious use of WriteProcessMemory
    PID: 2296
    C:\Users\Admin\AppData\Local\Temp\35233a314deba2c4b9d932047fb909f0_NeikiAnalytics.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\35233a314deba2c4b9d932047fb909f0_NeikiAnalytics.exe"
      - Executes dropped EXE
      PID: 692
  C:\Windows\Logo1_.exe
    Command line: C:\Windows\Logo1_.exe
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID: 2400
    C:\Windows\SysWOW64\net.exe
      Command line: net stop "Kingsoft AntiVirus Service"
      - Suspicious use of WriteProcessMemory
      PID: 1900
      C:\Windows\SysWOW64\net1.exe
        Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        PID: 3620
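The process tree records two behaviours worth encoding as detection rules: the sample writes Logo1_.exe into C:\Windows and that dropped binary runs net.exe to stop "Kingsoft AntiVirus Service"; and the sample is re-executed from its own path through a temporary batch file ($$a4E3F.bat) run by cmd.exe. The Python below is an added example, not code from the report or the sandbox vendor. It transcribes the tree above into plain records and applies both rules to them; the record layout, the rule names and the keyword list used to tag security-software services are assumptions for illustration.

```python
"""Process-tree rules over the sandbox report above (added example, not report code)."""
import re

# Process tree transcribed from the "Processes" section above.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\35233a314deba2c4b9d932047fb909f0_NeikiAnalytics.exe"
PROCESSES = [
    dict(pid=3492, ppid=0, image=SAMPLE, cmdline=f'"{SAMPLE}"'),
    dict(pid=2296, ppid=3492, image=r"C:\Windows\SysWOW64\cmd.exe",
         cmdline=r"C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a4E3F.bat"),
    dict(pid=692, ppid=2296, image=SAMPLE, cmdline=f'"{SAMPLE}"'),
    dict(pid=2400, ppid=3492, image=r"C:\Windows\Logo1_.exe", cmdline=r"C:\Windows\Logo1_.exe"),
    dict(pid=1900, ppid=2400, image=r"C:\Windows\SysWOW64\net.exe",
         cmdline='net stop "Kingsoft AntiVirus Service"'),
    dict(pid=3620, ppid=1900, image=r"C:\Windows\SysWOW64\net1.exe",
         cmdline='C:\\Windows\\system32\\net1 stop "Kingsoft AntiVirus Service"'),
]
# Files listed under "Drops file in Windows directory" (lower-cased for comparison).
DROPPED = {r"c:\windows\logo1_.exe", r"c:\windows\vdll.dll"}

# "stop <name>" or 'stop "<name with spaces>"' anywhere in a net/net1 command line.
STOP_RE = re.compile(r'\bstop\s+(?:"(?P<q>[^"]+)"|(?P<u>\S+))', re.I)
# Keyword list for tagging security products is an assumption, not from the report.
SECURITY_RE = re.compile(r"anti.?virus|defender|security|protect", re.I)


def ancestors(pid, table):
    """Yield parent, grandparent, ... of pid, stopping when the parent is unknown."""
    while pid in table and table[pid]["ppid"] in table:
        pid = table[pid]["ppid"]
        yield table[pid]


def service_stop_target(cmdline):
    """Service name a 'net stop' / 'net1 stop' command line targets, or None."""
    m = STOP_RE.search(cmdline)
    return (m["q"] or m["u"]) if m else None


def find_suspicious(processes):
    table = {p["pid"]: p for p in processes}
    findings = []
    for p in processes:
        name = p["image"].rsplit("\\", 1)[-1].lower()

        # Rule 1: net.exe / net1.exe stopping a service, launched from a process chain
        # that contains a binary the sample dropped into C:\Windows.
        if name in ("net.exe", "net1.exe"):
            svc = service_stop_target(p["cmdline"])
            chain = list(ancestors(p["pid"], table))
            dropped_parent = next((a for a in chain if a["image"].lower() in DROPPED), None)
            if svc and dropped_parent:
                tag = "security-software" if SECURITY_RE.search(svc) else "generic"
                findings.append(("service_stop_from_dropped_binary", p["pid"], svc, tag,
                                 dropped_parent["pid"]))

        # Rule 2: cmd.exe /c <batch> whose child has the same image as cmd.exe's own parent,
        # i.e. the launcher re-executes its parent through a temporary batch file.
        if name == "cmd.exe" and re.search(r"/c\s+.+\.bat\b", p["cmdline"], re.I):
            parent = table.get(p["ppid"])
            for child in processes:
                if (parent and child["ppid"] == p["pid"]
                        and child["image"].lower() == parent["image"].lower()):
                    findings.append(("batch_relaunch_of_parent", p["pid"], child["pid"], parent["pid"]))
    return findings


if __name__ == "__main__":
    for f in find_suspicious(PROCESSES):
        print(f)
```

Rule 1 fires twice here (net.exe and its net1.exe helper both sit under the dropped Logo1_.exe), which is the expected shape of a `net stop` on Windows; deduplicate on the service name if you feed this into alerting. Rule 2 is the tell for a host program being re-run after the real payload has been split off, and needs nothing more than parent/child image comparison.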
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 750KB
MD5: adbc65dcb22428fa2c9e7b4fee45cf5b
SHA1: bda76de5e43492e46614bb5a3e5b519b7c514e89
SHA256: e5f3305e688b82f4771cf1d9d10345190cabee3593e66c8263a81d2eb5ef9719
SHA512: d5dd5611e0b9322ef7fed74a13ae51eb51b3fa0cf39beffc47cbea64f8f6db02116e13a98c1f27d479b38ddd8abaa001b5e00471a92d42d918d06bbeff9a02f5

Filesize: 620B
MD5: d7d0e1e16195585ded5ad04da0e3bad1
SHA1: ef231d298e8838cac7181410e075d2f889f04319
SHA256: 07ffa9718736724ed848fb9ee96f0203cb14ddf171fec849245b9271a99aee14
SHA512: d595a06a40bb7253fb020dfa43ede8b7d634fef7e631b92bac78ff8aac48ac060b8708a08ad13603ddaba6077945abe2591edfe18904a4834bd865c8bd1db6d4

Filesize: 694KB
MD5: b0de85a29c0c43921883f2572f24042e
SHA1: 0d1b0c04072035a595a96b87a7d9016392eb0484
SHA256: 06d0b436d252a6913cf444c968f4d8575818edc9ea4b03d949e1e09be47baacb
SHA512: 095638e3a65ef8f0b26d1d568d9de27ea3ecc992063b316bb04990d3155a906ac4f93eb1d7d1ee9935321d77de309cd1be31931293cc96da57118dc1de8a55e8

Filesize: 66KB
MD5: d5ce6e9a0095d2407a515cbb43bc623f
SHA1: 365caa12850a5db53dd6226b45883021d6622da0
SHA256: 39eac222b016827c94ac668e61aec5169d36202cb5dc23e014a1cdf43d838834
SHA512: 4af761ecea5b6b4738ab5d0542410e7a78e3f4d57a4e9660d94d8fd7130111277610bd672bd85204b8ca42aed06c953d5fbd9f2be7e67e19a9ade1944d40e122