Analysis
max time kernel: 149s
max time network: 147s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 10/06/2024, 22:08
Static task: static1
Behavioral task: behavioral1
  Sample: 1d1cd634b25c84b1a74a50e4bc3769d0_NeikiAnalytics.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 1d1cd634b25c84b1a74a50e4bc3769d0_NeikiAnalytics.exe
  Resource: win10v2004-20240508-en
General
Target: 1d1cd634b25c84b1a74a50e4bc3769d0_NeikiAnalytics.exe
Size: 131KB
MD5: 1d1cd634b25c84b1a74a50e4bc3769d0
SHA1: 93736e996840d358011fa89ed7d946a4d772b121
SHA256: 55b85639624459549a2488e4c0c98626c24b034e9f89c2ad5b52ba7c68b5ee7e
SHA512: becb8ee354b18aff83236009bb61f18cd9235303ef901b26e51944fd166a56b476ef4137c0b6926fc8bf4bc69d7a29d2ff8bed0519ee2a4c3ec87dc978f49108
SSDEEP: 3072:TEboFVlGAvwsgbpvYfMTc72L10fPsout6nn:QBzsgbpvnTcyOPsoS6nn
Malware Config
Signatures
Deletes itself (1 IoC)
pid | Process
2792 | svchost.exe
Executes dropped EXE (1 IoC)
pid | Process
1636 | KVEIF.jpg
Loads dropped DLL (4 IoCs)
pid | Process
2372 | 1d1cd634b25c84b1a74a50e4bc3769d0_NeikiAnalytics.exe
2792 | svchost.exe
1636 | KVEIF.jpg
2752 | wininit.exe
UPX (yara_rule: upx)
resource | yara_rule
[behavioral1 memory dumps of PID 2372 and PID 2792 matching rule upx]
Drops file in System32 directory (2 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\kernel64.dll | 1d1cd634b25c84b1a74a50e4bc3769d0_NeikiAnalytics.exe
File opened for modification | C:\Windows\SysWOW64\kernel64.dll | 1d1cd634b25c84b1a74a50e4bc3769d0_NeikiAnalytics.exe
Suspicious use of SetThreadContext (2 IoCs)
description | pid | Process | procid_target
PID 2372 set thread context of 2792 | 2372 | 1d1cd634b25c84b1a74a50e4bc3769d0_NeikiAnalytics.exe | 28
PID 1636 set thread context of 2752 | 1636 | KVEIF.jpg | 31
Drops file in Program Files directory (24 IoCs)
description | ioc | Process
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1B\FKC.WYA | KVEIF.jpg
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1B\FKC.WYA | wininit.exe
File opened for modification | C:\Program Files\Common Files\Microsoft\1D11D1B\KVEIF.jpg | wininit.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1B\KVEIFs5.ini | KVEIF.jpg
File created | C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1B\KVEIFss1.ini | 1d1cd634b25c84b1a74a50e4bc3769d0_NeikiAnalytics.exe
File created | C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1B\KVEIFs1.ini | svchost.exe
File created | C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1B\FKC.WYA | 1d1cd634b25c84b1a74a50e4bc3769d0_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1B\FKC.WYA | svchost.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1B\KVEIF.jpg | svchost.exe
File created | C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1B\1D11D1B123.IMD | svchost.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1B\KVEIFs1.ini | wininit.exe
File created | C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1B\KVEIFmain.ini | 1d1cd634b25c84b1a74a50e4bc3769d0_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1B\KVEIFmain.ini | 1d1cd634b25c84b1a74a50e4bc3769d0_NeikiAnalytics.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1B\1D11D1B123.IMD | svchost.exe
File created | C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1B\$$.tmp | svchost.exe
File opened for modification | C:\Program Files\Common Files\Microsoft\1D11D1B\KVEIF.jpg | svchost.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1B\KVEIFs5.ini | svchost.exe
File created | C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1B\ok.txt | 1d1cd634b25c84b1a74a50e4bc3769d0_NeikiAnalytics.exe
File created | C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1B\KVEIF.jpg | 1d1cd634b25c84b1a74a50e4bc3769d0_NeikiAnalytics.exe
File created | C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1B\KVEIFs5.ini | wininit.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1B\KVEIF.jpg | wininit.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1B\$$.tmp | svchost.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1B\KVEIF.jpg | 1d1cd634b25c84b1a74a50e4bc3769d0_NeikiAnalytics.exe
File created | C:\Program Files\Common Files\Microsoft\1D11D1B\KVEIF.jpg | svchost.exe
Drops file in Windows directory (2 IoCs)
description | ioc | Process
File created | C:\Windows\web\606C646364636479.tmp | 1d1cd634b25c84b1a74a50e4bc3769d0_NeikiAnalytics.exe
File opened for modification | C:\Windows\web\606C646364636479.tmp | 1d1cd634b25c84b1a74a50e4bc3769d0_NeikiAnalytics.exe
Suspicious behavior: CmdExeWriteProcessMemorySpam (1 IoC)
pid | Process
1636 | KVEIF.jpg
Suspicious behavior: EnumeratesProcesses (64 IoCs; repeated rows shown once)
pid | Process
2372 | 1d1cd634b25c84b1a74a50e4bc3769d0_NeikiAnalytics.exe
2792 | svchost.exe
1636 | KVEIF.jpg
2752 | wininit.exe
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
pid | Process
2792 | svchost.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs; repeated rows shown once)
description | pid | Process
Token: SeDebugPrivilege | 2372 | 1d1cd634b25c84b1a74a50e4bc3769d0_NeikiAnalytics.exe
Token: SeDebugPrivilege | 2792 | svchost.exe
Token: SeDebugPrivilege | 1636 | KVEIF.jpg
Token: SeDebugPrivilege | 2752 | wininit.exe
Suspicious use of WriteProcessMemory (16 IoCs; repeated rows shown once)
description | pid | Process | procid_target
PID 2372 wrote to memory of 2792 | 2372 | 1d1cd634b25c84b1a74a50e4bc3769d0_NeikiAnalytics.exe | 28
PID 1980 wrote to memory of 1636 | 1980 | cmd.exe | 30
PID 1636 wrote to memory of 2752 | 1636 | KVEIF.jpg | 31
Processes
- C:\Users\Admin\AppData\Local\Temp\1d1cd634b25c84b1a74a50e4bc3769d0_NeikiAnalytics.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1d1cd634b25c84b1a74a50e4bc3769d0_NeikiAnalytics.exe"
  PID: 2372
  Signatures:
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\svchost.exe (child)
    Command line: C:\Windows\System32\svchost.exe -EMBEDDING 423B5D51736E6673606C2147686D64725D426E6C6C6E6F2147686D64725D4C6862736E726E6775215269607364655D4C52486F676E5D304530304530435D474A422F565840 0
    PID: 2792
    Signatures:
    - Deletes itself
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\cmd.exe
  Command line: cmd.exe /c call "C:\Program Files\Common Files\Microsoft\1D11D1B\KVEIF.jpg" -3 423B5D51736E6673606C2147686D64725D426E6C6C6E6F2147686D64725D4C6862736E726E6775215269607364655D4C52486F676E5D304530304530435D474A422F565840
  PID: 1980
  Signatures:
  - Suspicious use of WriteProcessMemory
  - C:\Program Files\Common Files\Microsoft\1D11D1B\KVEIF.jpg (child)
    Command line: "C:\Program Files\Common Files\Microsoft\1D11D1B\KVEIF.jpg" -3 423B5D51736E6673606C2147686D64725D426E6C6C6E6F2147686D64725D4C6862736E726E6775215269607364655D4C52486F676E5D304530304530435D474A422F565840
    PID: 1636
    Signatures:
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Drops file in Program Files directory
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\wininit.exe (child)
      Command line: C:\Windows\System32\wininit.exe -sys 423B5D51736E6673606C2147686D64725D426E6C6C6E6F2147686D64725D4C6862736E726E6775215269607364655D4C52486F676E5D304530304530435D474A422F565840 0
      PID: 2752
      Signatures:
      - Loads dropped DLL
      - Drops file in Program Files directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads