Analysis
max time kernel: 15s
max time network: 123s
platform: windows7_x64
resource: win7-20240215-en
resource tags: arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
submitted: 07/06/2024, 03:12
Static task: static1
Behavioral task: behavioral1
  Sample: 322e5a0f773010dfd2165cd3b00986c0_NeikiAnalytics.exe
  Resource: win7-20240215-en
Behavioral task: behavioral2
  Sample: 322e5a0f773010dfd2165cd3b00986c0_NeikiAnalytics.exe
  Resource: win10v2004-20240426-en
General
Target: 322e5a0f773010dfd2165cd3b00986c0_NeikiAnalytics.exe
Size: 5.3MB
MD5: 322e5a0f773010dfd2165cd3b00986c0
SHA1: e42b60b12ca5477920e447de087587eb9b3285fb
SHA256: cd0b5bf86e89959eaaa79ce2c1d30eb619a28850fdddab64bded9dfe7971fad2
SHA512: e101cda9f5a8fcf0e52489e385ffc88055fcc22792ebb6b7655b032f526d2002e52710ff1dd5a03b1f2b3a18e8b9ec0ee11f75ed431b308e37008186f90bc632
SSDEEP: 98304:xRjPz9KDzUU8O5/B/LJ25E9SVh86sS3TRknQ3ss2MApp9meypA3cPDu7:xFKoU8O5/b2XViSjX310SeyGc7u7
Malware Config
Signatures
Command and Scripting Interpreter: PowerShell  (1 TTPs, 2 IoCs)
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes. In this sample both invocations exclude the user profile, ProgramData and the .exe extension (see the command lines in the process tree).
  pid   Process
  1716  powershell.exe
  1988  powershell.exe
Creates new service(s)  (2 TTPs)
Memory regions matching YARA rule upx  (13 IoCs)
All 13 dumps cover the same 0x0000000140000000-0x0000000140848000 range in PID 1908, which in the process tree below is the argument-less nslookup.exe child of the service binary lutlgidagtja.exe. 0x140000000 is the default image base of a 64-bit PE, consistent with a UPX-packed 64-bit payload being mapped into nslookup.exe rather than with nslookup's own code.
  resource                                                                     yara_rule
  behavioral1/memory/1908-28-0x0000000140000000-0x0000000140848000-memory.dmp  upx
  behavioral1/memory/1908-29-0x0000000140000000-0x0000000140848000-memory.dmp  upx
  behavioral1/memory/1908-30-0x0000000140000000-0x0000000140848000-memory.dmp  upx
  behavioral1/memory/1908-31-0x0000000140000000-0x0000000140848000-memory.dmp  upx
  behavioral1/memory/1908-32-0x0000000140000000-0x0000000140848000-memory.dmp  upx
  behavioral1/memory/1908-33-0x0000000140000000-0x0000000140848000-memory.dmp  upx
  behavioral1/memory/1908-34-0x0000000140000000-0x0000000140848000-memory.dmp  upx
  behavioral1/memory/1908-36-0x0000000140000000-0x0000000140848000-memory.dmp  upx
  behavioral1/memory/1908-37-0x0000000140000000-0x0000000140848000-memory.dmp  upx
  behavioral1/memory/1908-38-0x0000000140000000-0x0000000140848000-memory.dmp  upx
  behavioral1/memory/1908-39-0x0000000140000000-0x0000000140848000-memory.dmp  upx
  behavioral1/memory/1908-40-0x0000000140000000-0x0000000140848000-memory.dmp  upx
  behavioral1/memory/1908-41-0x0000000140000000-0x0000000140848000-memory.dmp  upx
Drops file in System32 directory  (1 IoCs)
The only file involved is the Windows PowerShell Start Menu shortcut, opened by powershell.exe itself; it is a side effect of launching PowerShell, not a payload written by the sample.
  description                   ioc                                                                                                                                   Process
  File opened for modification  C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk  powershell.exe
Launches sc.exe  (14 IoCs)
sc.exe is a Windows utility to control services on the system. The 14 launches are: stopping UsoSvc, WaaSMedicSvc, wuauserv, bits and dosvc (once from the dropper and once from the installed service), deleting, creating and starting the service "JIOGRCSG", and stopping eventlog.
  pid   Process
  320   sc.exe
  624   sc.exe
  1248  sc.exe
  1356  sc.exe
  1456  sc.exe
  1676  sc.exe
  2040  sc.exe
  2132  sc.exe
  2464  sc.exe
  2504  sc.exe
  2592  sc.exe
  2616  sc.exe
  2640  sc.exe
  2684  sc.exe
Suspicious behavior: EnumeratesProcesses  (2 IoCs)
  pid   Process
  1012  322e5a0f773010dfd2165cd3b00986c0_NeikiAnalytics.exe
  1988  powershell.exe
Suspicious use of AdjustPrivilegeToken  (1 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  1988  powershell.exe
Processes
[1] C:\Users\Admin\AppData\Local\Temp\322e5a0f773010dfd2165cd3b00986c0_NeikiAnalytics.exe  (PID 1012)
    cmdline: "C:\Users\Admin\AppData\Local\Temp\322e5a0f773010dfd2165cd3b00986c0_NeikiAnalytics.exe"
    signatures: Suspicious behavior: EnumeratesProcesses
    [2] C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe  (PID 1988)
        cmdline: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
        signatures: Command and Scripting Interpreter: PowerShell; Drops file in System32 directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    [2] C:\Windows\system32\cmd.exe  (PID 2716)
        cmdline: C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
        [3] C:\Windows\system32\wusa.exe  (PID 2072)
            cmdline: wusa /uninstall /kb:890830 /quiet /norestart
    [2] C:\Windows\system32\sc.exe  (PID 2504)
        cmdline: C:\Windows\system32\sc.exe stop UsoSvc
        signatures: Launches sc.exe
    [2] C:\Windows\system32\sc.exe  (PID 2640)
        cmdline: C:\Windows\system32\sc.exe stop WaaSMedicSvc
        signatures: Launches sc.exe
    [2] C:\Windows\system32\sc.exe  (PID 2616)
        cmdline: C:\Windows\system32\sc.exe stop wuauserv
        signatures: Launches sc.exe
    [2] C:\Windows\system32\sc.exe  (PID 2592)
        cmdline: C:\Windows\system32\sc.exe stop bits
        signatures: Launches sc.exe
    [2] C:\Windows\system32\sc.exe  (PID 2464)
        cmdline: C:\Windows\system32\sc.exe stop dosvc
        signatures: Launches sc.exe
    [2] C:\Windows\system32\powercfg.exe  (PID 2372)
        cmdline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
    [2] C:\Windows\system32\powercfg.exe  (PID 2404)
        cmdline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
    [2] C:\Windows\system32\powercfg.exe  (PID 2424)
        cmdline: C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
    [2] C:\Windows\system32\powercfg.exe  (PID 2776)
        cmdline: C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
    [2] C:\Windows\system32\sc.exe  (PID 1456)
        cmdline: C:\Windows\system32\sc.exe delete "JIOGRCSG"
        signatures: Launches sc.exe
    [2] C:\Windows\system32\sc.exe  (PID 624)
        cmdline: C:\Windows\system32\sc.exe create "JIOGRCSG" binpath= "C:\ProgramData\zvycwxhpsxqt\lutlgidagtja.exe" start= "auto"
        signatures: Launches sc.exe
    [2] C:\Windows\system32\sc.exe  (PID 1248)
        cmdline: C:\Windows\system32\sc.exe stop eventlog
        signatures: Launches sc.exe
    [2] C:\Windows\system32\sc.exe  (PID 1356)
        cmdline: C:\Windows\system32\sc.exe start "JIOGRCSG"
        signatures: Launches sc.exe
    [2] C:\Windows\system32\cmd.exe  (PID 348)
        cmdline: C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\322e5a0f773010dfd2165cd3b00986c0_NeikiAnalytics.exe"
        [3] C:\Windows\system32\choice.exe  (PID 1724)
            cmdline: choice /C Y /N /D Y /T 3

[1] C:\ProgramData\zvycwxhpsxqt\lutlgidagtja.exe  (PID 760)
    cmdline: C:\ProgramData\zvycwxhpsxqt\lutlgidagtja.exe
    [2] C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe  (PID 1716)
        cmdline: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
        signatures: Command and Scripting Interpreter: PowerShell
    [2] C:\Windows\system32\cmd.exe  (PID 1708)
        cmdline: C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
        [3] C:\Windows\system32\wusa.exe  (PID 1584)
            cmdline: wusa /uninstall /kb:890830 /quiet /norestart
    [2] C:\Windows\system32\sc.exe  (PID 320)
        cmdline: C:\Windows\system32\sc.exe stop UsoSvc
        signatures: Launches sc.exe
    [2] C:\Windows\system32\sc.exe  (PID 2132)
        cmdline: C:\Windows\system32\sc.exe stop WaaSMedicSvc
        signatures: Launches sc.exe
    [2] C:\Windows\system32\sc.exe  (PID 1676)
        cmdline: C:\Windows\system32\sc.exe stop wuauserv
        signatures: Launches sc.exe
    [2] C:\Windows\system32\sc.exe  (PID 2684)
        cmdline: C:\Windows\system32\sc.exe stop bits
        signatures: Launches sc.exe
    [2] C:\Windows\system32\sc.exe  (PID 2040)
        cmdline: C:\Windows\system32\sc.exe stop dosvc
        signatures: Launches sc.exe
    [2] C:\Windows\system32\powercfg.exe  (PID 2008)
        cmdline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
    [2] C:\Windows\system32\powercfg.exe  (PID 1688)
        cmdline: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
    [2] C:\Windows\system32\powercfg.exe  (PID 2812)
        cmdline: C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
    [2] C:\Windows\system32\powercfg.exe  (PID 2824)
        cmdline: C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
    [2] C:\Windows\system32\conhost.exe  (PID 2816)
        cmdline: C:\Windows\system32\conhost.exe
    [2] C:\Windows\system32\nslookup.exe  (PID 1908)
        cmdline: nslookup.exe
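The two trees above are the same routine run twice, first by the dropper and then by the service it installed: add Defender exclusions, remove the Malicious Software Removal Tool (KB890830), stop the update and BITS services, zero the sleep and hibernate timeouts, register a service pointing into ProgramData, stop the event log, and delete the original file after a three-second choice delay; the service copy then starts an argument-less nslookup.exe, the process whose memory matched the upx rule. The block below is an added example, not part of the sandbox report or of the sample: it scores process-creation records (pid, ppid and command line, as in Sysmon Event ID 1 or Security event 4688) by how many distinct steps of that chain one parent launched. Command lines and PIDs are copied from the report; the parent PID 0 for the two roots, the rule and function names and the ATT&CK mapping are assumptions of the example.

```python
"""Score the defence-evasion / persistence chain from the process tree.

Added example, not the sandbox report's or the sample's code. Command lines and
PIDs come from the report; ppid 0 for the roots, the rule names, the ATT&CK
mapping and the function names are assumptions made here.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    cmdline: str

    @property
    def image(self) -> str:
        """Lower-cased basename of the first (possibly quoted) token."""
        tok = re.match(r'"?([^"\s]+)', self.cmdline).group(1)
        return tok.rsplit("\\", 1)[-1].lower()


# (rule name, ATT&CK technique, regex over the command line). One rule per step
# of the chain; a single hit is weak evidence, several under one parent is not.
RULES = [
    ("defender_exclusion", "T1562.001",
     re.compile(r"Add-MpPreference\b.*-Exclusion(Path|Extension|Process)", re.I)),
    ("msrt_uninstall", "T1562.001",  # KB890830 is the Malicious Software Removal Tool
     re.compile(r"\bwusa(\.exe)?\s+/uninstall\b.*/kb:890830\b", re.I)),
    ("update_service_stop", "T1562.001",
     re.compile(r"\bsc(\.exe)?\s+stop\s+(UsoSvc|WaaSMedicSvc|wuauserv|bits|dosvc)\b", re.I)),
    ("eventlog_stop", "T1562.002",
     re.compile(r"\bsc(\.exe)?\s+stop\s+eventlog\b", re.I)),
    ("power_timeout_zero", "T1562.001",  # keeps the host awake for the payload
     re.compile(r"\bpowercfg(\.exe)?\s+/x\s+-(hibernate|standby)-timeout-(ac|dc)\s+0\b", re.I)),
    ("service_from_programdata", "T1543.003",
     re.compile(r'\bsc(\.exe)?\s+create\b.*binpath=\s*"?[a-z]:\\ProgramData\\', re.I)),
    ("delayed_self_delete", "T1070.004",
     re.compile(r"\bchoice\s+/C\s+Y\s+/N\s+/D\s+Y\s+/T\s+\d+\s*&\s*Del\b", re.I)),
]
# LOLBins started with no arguments by a binary under ProgramData, the shape of
# the nslookup.exe child in the tree (a common host for injected code).
BARE_HOSTS = {"nslookup.exe"}


def match_rules(ev: ProcEvent):
    return [(name, tid) for name, tid, rx in RULES if rx.search(ev.cmdline)]


def bare_host_from_programdata(ev: ProcEvent, parent: Optional[ProcEvent]) -> bool:
    no_args = re.fullmatch(r'"?[^"\s]+"?\s*', ev.cmdline) is not None
    return (ev.image in BARE_HOSTS and no_args and parent is not None
            and "\\programdata\\" in parent.cmdline.lower())


def score_chains(events, threshold: int = 4):
    """Group hits by parent PID; report parents with >= threshold distinct rules."""
    by_pid = {ev.pid: ev for ev in events}
    hits = defaultdict(set)
    for ev in events:
        for name, tid in match_rules(ev):
            hits[ev.ppid].add((name, tid))
        if bare_host_from_programdata(ev, by_pid.get(ev.ppid)):
            hits[ev.ppid].add(("bare_lolbin_child", "T1055"))
    return {
        ppid: {"parent": by_pid[ppid].image if ppid in by_pid else "?",
               "rules": sorted(n for n, _ in found),
               "techniques": sorted({t for _, t in found})}
        for ppid, found in hits.items() if len(found) >= threshold
    }


# Constructed records mirroring the report's tree (both roots, subset of children).
T = r"C:\Users\Admin\AppData\Local\Temp\322e5a0f773010dfd2165cd3b00986c0_NeikiAnalytics.exe"
S32 = r"C:\Windows\system32"
SVC = r"C:\ProgramData\zvycwxhpsxqt\lutlgidagtja.exe"
PS = (S32 + r"\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath "
      "@($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force")
SAMPLE_EVENTS = [ProcEvent(p, pp, c) for p, pp, c in [
    (1012, 0, f'"{T}"'),
    (1988, 1012, PS),
    (2716, 1012, S32 + r"\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart"),
    (2072, 2716, "wusa /uninstall /kb:890830 /quiet /norestart"),
    (2504, 1012, S32 + r"\sc.exe stop UsoSvc"),
    (2372, 1012, S32 + r"\powercfg.exe /x -hibernate-timeout-ac 0"),
    (624, 1012, S32 + rf'\sc.exe create "JIOGRCSG" binpath= "{SVC}" start= "auto"'),
    (1248, 1012, S32 + r"\sc.exe stop eventlog"),
    (1356, 1012, S32 + r'\sc.exe start "JIOGRCSG"'),
    (348, 1012, S32 + rf'\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "{T}"'),
    (1724, 348, "choice /C Y /N /D Y /T 3"),
    (760, 0, SVC),
    (1716, 760, PS),
    (1708, 760, S32 + r"\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart"),
    (320, 760, S32 + r"\sc.exe stop UsoSvc"),
    (2008, 760, S32 + r"\powercfg.exe /x -hibernate-timeout-ac 0"),
    (2816, 760, S32 + r"\conhost.exe"),
    (1908, 760, "nslookup.exe"),
]]

if __name__ == "__main__":
    for ppid, info in score_chains(SAMPLE_EVENTS).items():
        print(ppid, info)
```

Grouping by parent rather than alerting on each command line is what keeps the rule quiet on admins who legitimately run `sc stop wuauserv` or `powercfg /x`; the wusa.exe grandchild only scores for its cmd.exe parent, which never reaches the threshold on its own. On a real host the records would come from the Sysmon or Security event log instead of the constructed list.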
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 512KB
MD5: 61deedc717642a4ebabebf48148a87de
SHA1: 520b69b8bc89f18bd03850b8d06c1189dc620b49
SHA256: bb4f2cc510de970cad3cdc29380a8f0a66b7f5bb9c5594a3030d503cf6b4b85e
SHA512: 4826451987b73bd09dcfb578a1da342db7aee7f6cb0c2ae99e6b61089e2614c9be72d6971eda68697e007caa5fb1b4d9f638719d2dbb857ee90e77cb1e7c679a

Filesize: 576KB
MD5: 44d0f03dc262325b83399f69727869f3
SHA1: 3edd13183d1ccfd2f46f6bc387a12fe09ae6329d
SHA256: ad2cdc6fcfaef90ef0160215c6b652c48206cfa1e84fccd981966165f4299fcd
SHA512: 92b5190c17efdf5d6c4a920a2dec29e32186dc6c4a308a4604f0f8e0edba9ca0ea497e03397e668522072f3e9cfe6b71f2a420d4cf893c7d4cff305da2584ed3