b443084a080b8af1283ad93a493eb5cf29d4ad00913be3d71165f51b9d9501b6

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
04/06/2024, 21:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

02a111a60ac937beff32d2b4efe496f0_NeikiAnalytics.exe
Size

288KB
MD5

02a111a60ac937beff32d2b4efe496f0
SHA1

7936a8bcb5c3eddba9195e893a65542e7cf35660
SHA256

b443084a080b8af1283ad93a493eb5cf29d4ad00913be3d71165f51b9d9501b6
SHA512

2f1b3358e75488ff1393b06d129ed23e1f636085d3c43ca898203b50e718b09efa01c2d4b791c9cc18ee4a5aa2e36c7537108877c565c2d1bfd73d8a7eaabdc8
SSDEEP

6144:HQ+Tyfx4NF67Sbq2nW82X45gc3BaLZVS0mOoC8zbzDie:HQMyfmNFHfnWfhLZVHmOog

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2568	lsassys.exe
2536	lsassys.exe

Loads dropped DLL 4 IoCs

pid	Process
2012	02a111a60ac937beff32d2b4efe496f0_NeikiAnalytics.exe
2012	02a111a60ac937beff32d2b4efe496f0_NeikiAnalytics.exe
2012	02a111a60ac937beff32d2b4efe496f0_NeikiAnalytics.exe
2568	lsassys.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 28 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\halnt\shell	02a111a60ac937beff32d2b4efe496f0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\halnt\shell\open\command\IsolatedCommand = "\"%1\" %*"	02a111a60ac937beff32d2b4efe496f0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\.exe\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SysWOW_amd64\\lsassys.exe\" /START \"%1\" %*"	02a111a60ac937beff32d2b4efe496f0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\.exe\shell\open\command\IsolatedCommand = "\"%1\" %*"	02a111a60ac937beff32d2b4efe496f0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\halnt\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SysWOW_amd64\\lsassys.exe\" /START \"%1\" %*"	02a111a60ac937beff32d2b4efe496f0_NeikiAnalytics.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\.exe\shell\open\command	02a111a60ac937beff32d2b4efe496f0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\.exe\shell\runas\command\ = "\"%1\" %*"	02a111a60ac937beff32d2b4efe496f0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\.exe\shell\runas\command\IsolatedCommand = "\"%1\" %*"	02a111a60ac937beff32d2b4efe496f0_NeikiAnalytics.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\halnt	02a111a60ac937beff32d2b4efe496f0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\halnt\DefaultIcon\ = "%1"	02a111a60ac937beff32d2b4efe496f0_NeikiAnalytics.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\halnt\shell\runas	02a111a60ac937beff32d2b4efe496f0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\.exe\DefaultIcon\ = "%1"	02a111a60ac937beff32d2b4efe496f0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\halnt\Content-Type = "application/x-msdownload"	02a111a60ac937beff32d2b4efe496f0_NeikiAnalytics.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\halnt\shell\runas\command	02a111a60ac937beff32d2b4efe496f0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\halnt\shell\runas\command\IsolatedCommand = "\"%1\" %*"	02a111a60ac937beff32d2b4efe496f0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\.exe\ = "halnt"	02a111a60ac937beff32d2b4efe496f0_NeikiAnalytics.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\.exe\shell\runas\command	02a111a60ac937beff32d2b4efe496f0_NeikiAnalytics.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\halnt\shell\open	02a111a60ac937beff32d2b4efe496f0_NeikiAnalytics.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\.exe\shell\runas	02a111a60ac937beff32d2b4efe496f0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\halnt\ = "Application"	02a111a60ac937beff32d2b4efe496f0_NeikiAnalytics.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\.exe\DefaultIcon	02a111a60ac937beff32d2b4efe496f0_NeikiAnalytics.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\halnt\DefaultIcon	02a111a60ac937beff32d2b4efe496f0_NeikiAnalytics.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\halnt\shell\open\command	02a111a60ac937beff32d2b4efe496f0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\halnt\shell\runas\command\ = "\"%1\" %*"	02a111a60ac937beff32d2b4efe496f0_NeikiAnalytics.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\.exe	02a111a60ac937beff32d2b4efe496f0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\.exe\Content-Type = "application/x-msdownload"	02a111a60ac937beff32d2b4efe496f0_NeikiAnalytics.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\.exe\shell	02a111a60ac937beff32d2b4efe496f0_NeikiAnalytics.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\.exe\shell\open	02a111a60ac937beff32d2b4efe496f0_NeikiAnalytics.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2568	lsassys.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2012 wrote to memory of 2568	2012	02a111a60ac937beff32d2b4efe496f0_NeikiAnalytics.exe	28
PID 2012 wrote to memory of 2568	2012	02a111a60ac937beff32d2b4efe496f0_NeikiAnalytics.exe	28
PID 2012 wrote to memory of 2568	2012	02a111a60ac937beff32d2b4efe496f0_NeikiAnalytics.exe	28
PID 2012 wrote to memory of 2568	2012	02a111a60ac937beff32d2b4efe496f0_NeikiAnalytics.exe	28
PID 2568 wrote to memory of 2536	2568	lsassys.exe	29
PID 2568 wrote to memory of 2536	2568	lsassys.exe	29
PID 2568 wrote to memory of 2536	2568	lsassys.exe	29
PID 2568 wrote to memory of 2536	2568	lsassys.exe	29

C:\Users\Admin\AppData\Local\Temp\02a111a60ac937beff32d2b4efe496f0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\02a111a60ac937beff32d2b4efe496f0_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2012
- C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_amd64\lsassys.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_amd64\lsassys.exe" /START "C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_amd64\lsassys.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2568
- - C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_amd64\lsassys.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_amd64\lsassys.exe"
    3⤵
    - Executes dropped EXE
    PID:2536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\SysWOW_amd64\lsassys.exe

Filesize
288KB

MD5
9d3589981d71ef2330872de6d9fb3a56

SHA1
794a5a006696e9426f882c5eb8d52489f66f7e3b

SHA256
9c1d80a26766d2229ebcfd218e867568e12c80c5a358104f3e0dbb43316866f2

SHA512
2f4dab8abd5046163834ff0840071310e80ae528bf81c8fc5234c7d75fe1edc7e93904b0ff5ded90a9311e44c2e2d9371d84c5fd13c083447c17d93cd7a90433

Download Submit