9018c9aee7ca42cebdd775599d71707848ec3db4eee7d3e60e7b871d15cdcc47

Analysis

max time kernel
80s
max time network
102s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
07/06/2024, 05:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3aae5af860d2f47f0bc153f8fa450480_NeikiAnalytics.exe
Size

381KB
MD5

3aae5af860d2f47f0bc153f8fa450480
SHA1

cabb4f61af6ae426d42258b27c456ab1d2628d95
SHA256

9018c9aee7ca42cebdd775599d71707848ec3db4eee7d3e60e7b871d15cdcc47
SHA512

dd4c060a204ea49b6262cc646e6ebe8b627a957d8f5eaf42921746f25a2635e8871da26ead99bf14c83b7f36cffb6db349bc31931df146ed3cdf88fb246f04a8
SSDEEP

6144:XLZ/Jd7juqVo223CQjNY4T4G/+uOuKxvtpiO11y/ncfQiBIk:1/Jxj1KNXROuKh/GnQQiBIk

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1656	Logo1_.exe
3708	3aae5af860d2f47f0bc153f8fa450480_NeikiAnalytics.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\createdump.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	Logo1_.exe
File opened for modification	C:\Program Files\Windows Security\BrowserCore\BrowserCore.exe	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	Logo1_.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	Logo1_.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	Logo1_.exe
File opened for modification	C:\Program Files\Windows Mail\wab.exe	Logo1_.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	Logo1_.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\AppInstaller.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	Logo1_.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Win32Bridge.Server.exe	Logo1_.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Microsoft.Msn.Weather.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	Logo1_.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Cortana.exe	Logo1_.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\AppInstallerPythonRedirector.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	Logo1_.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	Logo1_.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	Logo1_.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	Logo1_.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\View3D.ResourceResolver.exe	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	Logo1_.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	Logo1_.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	Logo1_.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Logo1_.exe	3aae5af860d2f47f0bc153f8fa450480_NeikiAnalytics.exe
File created	C:\Windows\vDll.dll	Logo1_.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5092	3708	WerFault.exe	89

Runs net.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
1656	Logo1_.exe
1656	Logo1_.exe
1656	Logo1_.exe
1656	Logo1_.exe
1656	Logo1_.exe
1656	Logo1_.exe
1656	Logo1_.exe
1656	Logo1_.exe
1656	Logo1_.exe
1656	Logo1_.exe
1656	Logo1_.exe
1656	Logo1_.exe
1656	Logo1_.exe
1656	Logo1_.exe
1656	Logo1_.exe
1656	Logo1_.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 928 wrote to memory of 752	928	3aae5af860d2f47f0bc153f8fa450480_NeikiAnalytics.exe	83
PID 928 wrote to memory of 752	928	3aae5af860d2f47f0bc153f8fa450480_NeikiAnalytics.exe	83
PID 928 wrote to memory of 752	928	3aae5af860d2f47f0bc153f8fa450480_NeikiAnalytics.exe	83
PID 928 wrote to memory of 1656	928	3aae5af860d2f47f0bc153f8fa450480_NeikiAnalytics.exe	84
PID 928 wrote to memory of 1656	928	3aae5af860d2f47f0bc153f8fa450480_NeikiAnalytics.exe	84
PID 928 wrote to memory of 1656	928	3aae5af860d2f47f0bc153f8fa450480_NeikiAnalytics.exe	84
PID 1656 wrote to memory of 4660	1656	Logo1_.exe	86
PID 1656 wrote to memory of 4660	1656	Logo1_.exe	86
PID 1656 wrote to memory of 4660	1656	Logo1_.exe	86
PID 4660 wrote to memory of 1544	4660	net.exe	88
PID 4660 wrote to memory of 1544	4660	net.exe	88
PID 4660 wrote to memory of 1544	4660	net.exe	88
PID 752 wrote to memory of 3708	752	cmd.exe	89
PID 752 wrote to memory of 3708	752	cmd.exe	89
PID 752 wrote to memory of 3708	752	cmd.exe	89

C:\Users\Admin\AppData\Local\Temp\3aae5af860d2f47f0bc153f8fa450480_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\3aae5af860d2f47f0bc153f8fa450480_NeikiAnalytics.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:928
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a3B73.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:752
- - C:\Users\Admin\AppData\Local\Temp\3aae5af860d2f47f0bc153f8fa450480_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\3aae5af860d2f47f0bc153f8fa450480_NeikiAnalytics.exe"
    3⤵
    - Executes dropped EXE
    PID:3708
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3708 -s 828
      4⤵
      Program crash
      PID:5092
- C:\Windows\Logo1_.exe
  C:\Windows\Logo1_.exe
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1656
- - C:\Windows\SysWOW64\net.exe
    net stop "Kingsoft AntiVirus Service"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4660
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
      4⤵
      PID:1544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3708 -ip 3708
1⤵
PID:4208

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\7zG.exe

Filesize
750KB

MD5
4d59d2b2ff92e3e3af89f89339396413

SHA1
6041749150b4ea8c98bb070163b352bca5a86699

SHA256
90f41d47f57fa5c36b5733c51e6bf2dfbb6e8eee3bc94ea66a1456002f754d04

SHA512
bddf8794f7f9737c7e13e741171899aae3b53e86477211e537e0774f0ab0bb9de5b92553e8d2166d58f28e2173735007166ee93aadbb2a204f42a03992d780a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a3B73.bat

Filesize
620B

MD5
d95a22aef46a4a293495e469a7bd50da

SHA1
3748df97ff7b581328c6e6b45c9510bf42266d89

SHA256
66d21213be663b3c7ccbdddef6a3ac666838db455de4a3630bcf1eec77646121

SHA512
baa4bc812fd89d16f3e267f4db695d801b3769dcbbeb8c51670884d1e30a12e2b9f0b61f2abad3a2c4949927085f67b05f7baa0a9e689309042a1eb8c63551a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\3aae5af860d2f47f0bc153f8fa450480_NeikiAnalytics.exe.exe

Filesize
315KB

MD5
ed9689986286c0a0d60b7e6bffcb92bb

SHA1
4dea29b5fd3e3df0c47c0f4350138d328b411143

SHA256
22d0773404852ce0895fc4d582674efc8e4a4f778136626280011ffc52bcc724

SHA512
5704069388bc3f4e4bcd0a6d9017e5cfec5bdca7b5152b0d0d069c069227c91700028a937f3dea78afca7ec07ed518a16aefa94b3bb96dd22085ffe119746895

Download Submit
C:\Windows\Logo1_.exe

Filesize
66KB

MD5
5909f0b5ede88d776e3a30ccd6284a91

SHA1
758db75ffd4ecfa1549e0b73b7c212af2936e758

SHA256
59dced98f33dd7e7853041852b61d5f591b7925e2ea58429b4154a9d6204585a

SHA512
b8ea963d25805e8fcb0e1ee6d05bb76b0fdae8486a2369b8181dc5a24b524f485e521fe121cde8f9bc650b9e6d2240ae6f41e7aa25cbfb895a9e8c736b6b1d08

Download Submit
memory/928-6-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1656-14-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1656-15-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1656-17-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1656-19-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1656-144-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1656-162-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1656-209-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1656-221-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3708-12-0x0000000000340000-0x0000000000392000-memory.dmp

Filesize
328KB

Download
memory/3708-11-0x0000000074F4E000-0x0000000074F4F000-memory.dmp

Filesize
4KB

Download