Analysis
-
max time kernel
143s -
max time network
149s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
04-06-2024 07:02
Behavioral task
behavioral1
Sample
3b5968e499242eb63ba8d82eebd0b9d0_NeikiAnalytics.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
3b5968e499242eb63ba8d82eebd0b9d0_NeikiAnalytics.exe
Resource
win10v2004-20240508-en
General
-
Target
3b5968e499242eb63ba8d82eebd0b9d0_NeikiAnalytics.exe
-
Size
328KB
-
MD5
3b5968e499242eb63ba8d82eebd0b9d0
-
SHA1
a7363081c8214b62f7eefe37705d3c700ad8e46c
-
SHA256
8fbe6b8faf87ba5df0fe4f5d6e5d6eceb666a31ca24af1b22dd383e4e128e991
-
SHA512
49ad73b8297a86fc19d90c0caa1db5c40843fe40ee31b4e9a3a88fd1a600e840472adeaa4996fb646f6b9ffd1dc286e7f04884d4f33edbdd829fa00f7934b362
-
SSDEEP
6144:JVBqzX2x/XsQ1YA53/vkNI+uuu7iDgbzzWoOd1KLcdn:BqzX2xfdY6/cNKlD+o61KUn
Malware Config
Signatures
-
Deletes itself 1 IoCs
pid Process 2188 euknivlv.exe -
Executes dropped EXE 2 IoCs
pid Process 2188 euknivlv.exe 2604 bvdrf.exe -
Loads dropped DLL 7 IoCs
pid Process 2108 cmd.exe 2108 cmd.exe 2188 euknivlv.exe 2604 bvdrf.exe 2604 bvdrf.exe 2604 bvdrf.exe 2604 bvdrf.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
resource yara_rule behavioral1/files/0x000a00000001466c-1.dat upx -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\HTML = "c:\\Program Files\\byhtg\\bvdrf.exe \"c:\\Program Files\\byhtg\\bvdrf.dll\",PraseHTML" bvdrf.exe -
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\y: bvdrf.exe File opened (read-only) \??\a: bvdrf.exe File opened (read-only) \??\h: bvdrf.exe File opened (read-only) \??\k: bvdrf.exe File opened (read-only) \??\o: bvdrf.exe File opened (read-only) \??\t: bvdrf.exe File opened (read-only) \??\v: bvdrf.exe File opened (read-only) \??\x: bvdrf.exe File opened (read-only) \??\g: bvdrf.exe File opened (read-only) \??\p: bvdrf.exe File opened (read-only) \??\r: bvdrf.exe File opened (read-only) \??\s: bvdrf.exe File opened (read-only) \??\u: bvdrf.exe File opened (read-only) \??\n: bvdrf.exe File opened (read-only) \??\w: bvdrf.exe File opened (read-only) \??\z: bvdrf.exe File opened (read-only) \??\b: bvdrf.exe File opened (read-only) \??\e: bvdrf.exe File opened (read-only) \??\i: bvdrf.exe File opened (read-only) \??\j: bvdrf.exe File opened (read-only) \??\l: bvdrf.exe File opened (read-only) \??\m: bvdrf.exe File opened (read-only) \??\q: bvdrf.exe -
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
description ioc Process File opened for modification \??\PHYSICALDRIVE0 bvdrf.exe -
Drops file in Program Files directory 4 IoCs
description ioc Process File created \??\c:\Program Files\byhtg\bvdrf.dll euknivlv.exe File created \??\c:\Program Files\byhtg\bvdrf.exe euknivlv.exe File opened for modification \??\c:\Program Files\byhtg\bvdrf.exe euknivlv.exe File opened for modification \??\c:\Program Files\byhtg euknivlv.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 bvdrf.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString bvdrf.exe -
Runs ping.exe 1 TTPs 1 IoCs
pid Process 2268 PING.EXE -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 2604 bvdrf.exe 2604 bvdrf.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2604 bvdrf.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 1136 3b5968e499242eb63ba8d82eebd0b9d0_NeikiAnalytics.exe 2188 euknivlv.exe -
Suspicious use of WriteProcessMemory 16 IoCs
description pid Process procid_target PID 1136 wrote to memory of 2108 1136 3b5968e499242eb63ba8d82eebd0b9d0_NeikiAnalytics.exe 28 PID 1136 wrote to memory of 2108 1136 3b5968e499242eb63ba8d82eebd0b9d0_NeikiAnalytics.exe 28 PID 1136 wrote to memory of 2108 1136 3b5968e499242eb63ba8d82eebd0b9d0_NeikiAnalytics.exe 28 PID 1136 wrote to memory of 2108 1136 3b5968e499242eb63ba8d82eebd0b9d0_NeikiAnalytics.exe 28 PID 2108 wrote to memory of 2268 2108 cmd.exe 30 PID 2108 wrote to memory of 2268 2108 cmd.exe 30 PID 2108 wrote to memory of 2268 2108 cmd.exe 30 PID 2108 wrote to memory of 2268 2108 cmd.exe 30 PID 2108 wrote to memory of 2188 2108 cmd.exe 31 PID 2108 wrote to memory of 2188 2108 cmd.exe 31 PID 2108 wrote to memory of 2188 2108 cmd.exe 31 PID 2108 wrote to memory of 2188 2108 cmd.exe 31 PID 2188 wrote to memory of 2604 2188 euknivlv.exe 32 PID 2188 wrote to memory of 2604 2188 euknivlv.exe 32 PID 2188 wrote to memory of 2604 2188 euknivlv.exe 32 PID 2188 wrote to memory of 2604 2188 euknivlv.exe 32
Processes
-
C:\Users\Admin\AppData\Local\Temp\3b5968e499242eb63ba8d82eebd0b9d0_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\3b5968e499242eb63ba8d82eebd0b9d0_NeikiAnalytics.exe"1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1136 -
C:\Windows\SysWOW64\cmd.execmd.exe /c ping 127.0.0.1 -n 2&C:\Users\Admin\AppData\Local\Temp\\euknivlv.exe "C:\Users\Admin\AppData\Local\Temp\3b5968e499242eb63ba8d82eebd0b9d0_NeikiAnalytics.exe"2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2108 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 23⤵
- Runs ping.exe
PID:2268
-
-
C:\Users\Admin\AppData\Local\Temp\euknivlv.exeC:\Users\Admin\AppData\Local\Temp\\euknivlv.exe "C:\Users\Admin\AppData\Local\Temp\3b5968e499242eb63ba8d82eebd0b9d0_NeikiAnalytics.exe"3⤵
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2188 -
\??\c:\Program Files\byhtg\bvdrf.exe"c:\Program Files\byhtg\bvdrf.exe" "c:\Program Files\byhtg\bvdrf.dll",PraseHTML C:\Users\Admin\AppData\Local\Temp\euknivlv.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Enumerates connected drives
- Writes to the Master Boot Record (MBR)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2604
-
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Pre-OS Boot
1Bootkit
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
149KB
MD5819702dcb8f8c3877c5299c3550e4933
SHA152bcdc04e16b49138835ee478a1657176aaa49b9
SHA2567eab8bab97bb8735d4091de759e3bde4a2de7828a4df85950ba2a1cee96b80cb
SHA5126f48c939569ed7b9ac77a05134f0bb544ded7292eb6585849de92c0829b98de4fd7ca4ce1ab2eb7e26602d401f6f5892b57f235ec3878bbe718558abaa809c3f
-
Filesize
43KB
MD551138beea3e2c21ec44d0932c71762a8
SHA18939cf35447b22dd2c6e6f443446acc1bf986d58
SHA2565ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124
SHA512794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d
-
Filesize
328KB
MD553ac7bd61f78d34d65a2d58566f51682
SHA160ecfa9fcaab9b651990995b7dde5980f4544028
SHA25628764c2d95e4db93852a13e8754d102be4caa6d4aa2b139d7d5f6ed0a9b244ee
SHA512227093110139a0ca08933fec973d653de30c4e27fa21f3a8d0594b158a7b6822aea2228107771ca65b10bb6f7dee737964a9bdb7cf76af5e47c128ba4a8c40d7