Analysis
max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/06/2024, 01:19
Static task: static1
Behavioral task: behavioral1
  Sample: 2269b25cfac36601d7883f1c3536ec20_NeikiAnalytics.exe
  Resource: win7-20240215-en
Behavioral task: behavioral2
  Sample: 2269b25cfac36601d7883f1c3536ec20_NeikiAnalytics.exe
  Resource: win10v2004-20240508-en
General
Target: 2269b25cfac36601d7883f1c3536ec20_NeikiAnalytics.exe
Size: 126KB
MD5: 2269b25cfac36601d7883f1c3536ec20
SHA1: 0b730ecc2a691f344e30e1e89a72e1897e28f50c
SHA256: 5be1459cb89a7426a91707678653b5a593bd53b5eed0a6f4817668971af3847d
SHA512: 80f169e6ef35a7f0c5407c54fb9521a3cfb8320960232a38334ddc191b00d7eac0d22e7e47749ca393b9be532524ca8a479fb476d28e495a9ed876d226849fdd
SSDEEP: 3072:4EboFVlGAvwsgbpvYfMTc72L10fPsout6S:HBzsgbpvnTcyOPsoS6S
Malware Config
Signatures
Deletes itself (1 IoCs)
  pid / Process:
  - 2228 svchost.exe
Executes dropped EXE (1 IoCs)
  pid / Process:
  - 1508 KVEIF.jpg
Loads dropped DLL (4 IoCs)
  pid / Process:
  - 232 2269b25cfac36601d7883f1c3536ec20_NeikiAnalytics.exe
  - 2228 svchost.exe
  - 1508 KVEIF.jpg
  - 1920 svchost.exe
yara_rule: upx (resource / yara_rule; 33 memory dumps matched)
  - behavioral2/memory/232-N-0x0000000000590000-0x00000000005E5000-memory.dmp for N in 12, 25, 29, 33, 32, 31, 27, 22, 15, 23, 19, 17, 9, 5, 13, 3, 7, 2
  - behavioral2/memory/2228-N-0x0000000003150000-0x00000000031A5000-memory.dmp for N in 110, 112, 130, 128, 126, 122, 120, 118, 116, 114, 108, 124, 107, 104, 103
Drops file in System32 directory (2 IoCs)
  description / ioc / Process:
  - File created C:\Windows\SysWOW64\kernel64.dll 2269b25cfac36601d7883f1c3536ec20_NeikiAnalytics.exe
  - File opened for modification C:\Windows\SysWOW64\kernel64.dll 2269b25cfac36601d7883f1c3536ec20_NeikiAnalytics.exe
Suspicious use of SetThreadContext (2 IoCs)
  description / pid / Process / procid_target:
  - PID 232 set thread context of 2228 (232 2269b25cfac36601d7883f1c3536ec20_NeikiAnalytics.exe, procid_target 84)
  - PID 1508 set thread context of 1920 (1508 KVEIF.jpg, procid_target 87)
Drops file in Program Files directory (23 IoCs)
  description / ioc / Process:
  - File opened for modification C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1B\FKC.WYA svchost.exe
  - File opened for modification C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1B\KVEIF.jpg svchost.exe
  - File opened for modification C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1B\1D11D1B123.IMD svchost.exe
  - File opened for modification C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1B\FKC.WYA KVEIF.jpg
  - File opened for modification C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1B\1D11D1B123.IMD KVEIF.jpg
  - File created C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1B\ok.txt 2269b25cfac36601d7883f1c3536ec20_NeikiAnalytics.exe
  - File created C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1B\KVEIFss1.ini 2269b25cfac36601d7883f1c3536ec20_NeikiAnalytics.exe
  - File created C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1B\KVEIFmain.ini 2269b25cfac36601d7883f1c3536ec20_NeikiAnalytics.exe
  - File created C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1B\KVEIFs5.ini svchost.exe
  - File opened for modification C:\Program Files\Common Files\Microsoft\1D11D1B\KVEIF.jpg svchost.exe
  - File opened for modification C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1B\KVEIF.jpg 2269b25cfac36601d7883f1c3536ec20_NeikiAnalytics.exe
  - File created C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1B\1D11D1B123.IMD svchost.exe
  - File opened for modification C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1B\FKC.WYA svchost.exe
  - File opened for modification C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1B\KVEIFs5.ini KVEIF.jpg
  - File opened for modification C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1B\KVEIFmain.ini 2269b25cfac36601d7883f1c3536ec20_NeikiAnalytics.exe
  - File created C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1B\KVEIFs1.ini svchost.exe
  - File opened for modification C:\Program Files\Common Files\Microsoft\1D11D1B\KVEIF.jpg svchost.exe
  - File created C:\Program Files\Common Files\Microsoft\1D11D1B\KVEIF.jpg svchost.exe
  - File opened for modification C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1B\KVEIF.jpg svchost.exe
  - File opened for modification C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1B\KVEIFs5.ini svchost.exe
  - File created C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1B\KVEIF.jpg 2269b25cfac36601d7883f1c3536ec20_NeikiAnalytics.exe
  - File created C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1B\FKC.WYA 2269b25cfac36601d7883f1c3536ec20_NeikiAnalytics.exe
  - File created C:\Program Files\Common Files\Microsoft Shared\MSInfo\1D11D1B\$$.tmp svchost.exe
Drops file in Windows directory (2 IoCs)
  description / ioc / Process:
  - File opened for modification C:\Windows\web\606C646364636479.tmp 2269b25cfac36601d7883f1c3536ec20_NeikiAnalytics.exe
  - File created C:\Windows\web\606C646364636479.tmp 2269b25cfac36601d7883f1c3536ec20_NeikiAnalytics.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid / Process (64 entries; repeated rows collapsed to distinct pid/process pairs):
  - 232 2269b25cfac36601d7883f1c3536ec20_NeikiAnalytics.exe
  - 2228 svchost.exe
  - 1508 KVEIF.jpg
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  pid / Process:
  - 2228 svchost.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
  description / pid / Process (64 entries; repeated rows collapsed to distinct pid/process pairs):
  - Token: SeDebugPrivilege 232 2269b25cfac36601d7883f1c3536ec20_NeikiAnalytics.exe
  - Token: SeDebugPrivilege 2228 svchost.exe
  - Token: SeDebugPrivilege 1508 KVEIF.jpg
  - Token: SeDebugPrivilege 1920 svchost.exe
Suspicious use of WriteProcessMemory (13 IoCs)
  description / pid / Process / procid_target:
  - PID 232 wrote to memory of 2228 (232 2269b25cfac36601d7883f1c3536ec20_NeikiAnalytics.exe, procid_target 84), 5 entries
  - PID 3724 wrote to memory of 1508 (3724 cmd.exe, procid_target 86), 3 entries
  - PID 1508 wrote to memory of 1920 (1508 KVEIF.jpg, procid_target 87), 5 entries
Processes
Depth 1: C:\Users\Admin\AppData\Local\Temp\2269b25cfac36601d7883f1c3536ec20_NeikiAnalytics.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2269b25cfac36601d7883f1c3536ec20_NeikiAnalytics.exe"
  PID: 232
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Depth 2: C:\Windows\SysWOW64\svchost.exe
    Command line: C:\Windows\System32\svchost.exe -EMBEDDING 423B5D51736E6673606C2147686D64725D426E6C6C6E6F2147686D64725D4C6862736E726E6775215269607364655D4C52486F676E5D304530304530435D474A422F565840 0
    PID: 2228
    - Deletes itself
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
Depth 1: C:\Windows\system32\cmd.exe
  Command line: cmd.exe /c call "C:\Program Files\Common Files\Microsoft\1D11D1B\KVEIF.jpg" -3 423B5D51736E6673606C2147686D64725D426E6C6C6E6F2147686D64725D4C6862736E726E6775215269607364655D4C52486F676E5D304530304530435D474A422F565840
  PID: 3724
  - Suspicious use of WriteProcessMemory
  Depth 2: C:\Program Files\Common Files\Microsoft\1D11D1B\KVEIF.jpg
    Command line: "C:\Program Files\Common Files\Microsoft\1D11D1B\KVEIF.jpg" -3 423B5D51736E6673606C2147686D64725D426E6C6C6E6F2147686D64725D4C6862736E726E6775215269607364655D4C52486F676E5D304530304530435D474A422F565840
    PID: 1508
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    Depth 3: C:\Windows\SysWOW64\svchost.exe
      Command line: C:\Windows\System32\svchost.exe -sys 423B5D51736E6673606C2147686D64725D426E6C6C6E6F2147686D64725D4C6862736E726E6775215269607364655D4C52486F676E5D304530304530435D474A422F565840 0
      PID: 1920
      - Loads dropped DLL
      - Drops file in Program Files directory
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 127KB
  MD5: 05018897e2ad295b6324b9bbd71bcd35
  SHA1: ffc28d6e23b63f322c0f1c24e521a9bb65dba330
  SHA256: 2d43c455ccfb47f96fcc1e03b57a9e039fe9f1e1631991dd0851541a4c45922c
  SHA512: 0a88eae844008aceb1e47669a3b1d8d6fa674cefe02e2a0a435921c37bce0d5254c254bed3820409710c782f2821e362c222803aa5ba1d077ceda4e3c7b7ea2c
- Filesize: 126KB
  MD5: bd93621194a0aaa76285066cf0d856b3
  SHA1: 449ce542c3c2f8d93e91d926d0f17b4fc6498e05
  SHA256: cba88ab4a618c3444cb1a9bef70b9f6219df049a0b0d98a3c58ee58a1240f38f
  SHA512: 9370cea2ba96fd29932f0274b630e3e0c9f310cd0312ed7d26d62275420158dbccfc51d0ba2a9e3d8a333a66269cfef0d92ae887a4a9a8f4ad3eacea6c537807
- Filesize: 22B
  MD5: 2056c975629bc764596c2ba68ab3c6da
  SHA1: 35e3da93ce68d24c687e8c972f8fa2b903be75b8
  SHA256: 8485a6ec9ad79a1ed2331a428944711c4064f0c607017dae51c7e7f65fe70ff7
  SHA512: c4d4932e81956578e505ac454d964ccd1d7d123e8393d532db15ba42e456ceff8394baba021e8ae7ae2f9aef0e51840aecef12252cf9c6766e8b247eb08e86ae
- Filesize: 87B
  MD5: 1ee836a55c14e46ea1e0a75c52875d90
  SHA1: ce5feca843f7c3efd0997e99ff41b2e182a66566
  SHA256: 4d8d08b98d3c324868b3459a807d64572666c114d84651daede007b0d561abee
  SHA512: 51369c1a734f0d3cdf32d2d6424214f4e04bb12d3cf703e4dd97176b8aab51bb57c237776efb2b4e1d6c98caa7cc1accec4461de8a791a90c3d3e5cccae69c8b
- Filesize: 126KB
  MD5: 8c94e87782606997f08b1031644f7c14
  SHA1: a3e1419bf62dbac557fbf0cbb5ea81a5a390736c
  SHA256: 7499a7b41eed3bffd46ffb61722173cb496f933a40a41f35dcca68025c7c97b3
  SHA512: 6190ae598d0fd0fd46f947aea649a26e60a4c1527694cc09b9a3095b0407ca82704a94e336d4f506fbcb984ad72d4e6b053a5ac59920a159f35fa586415e669a
- Filesize: 1KB
  MD5: c804c651a3bc36e599bcecba92b03100
  SHA1: eeeda9bf66c4dbf38ca0c517be40ffa49aee177c
  SHA256: 2d3c236ef650dcb0c36355ce8754d74a5aa1622a1aa0a3dfaa313cd6bf25e267
  SHA512: b6cc86f17f459bb4ecabc503b1ae52e77da76d4f616d267bad153b4f2e8d94d449cc1d9b6a50a49fa859d71678fbf8ad698770070c618523ef71b385444c5cd2
- Filesize: 1KB
  MD5: 83699f7219191e054ca6784721d4f935
  SHA1: b19428f7b4c0c5d9bdae93d57ddfab46121cd2d3
  SHA256: 36d818e09cc931c79a4feea7691e347f01d0143d31e8d949a10b0662a4a151d1
  SHA512: 1ee037e881d63a83a61a1354ab3299c8e3674a5a5adb7551b5db74104bd8a884d41b262265f7c9fa0c7d417004cd2e7efe75c625c0062d0711812f7244989237
- Filesize: 1KB
  MD5: 6d65868e4682271c711206ae15310e7f
  SHA1: 7455c6c26bb070fd8a1fe97a9578466b1896d254
  SHA256: 4857526a301f7e80d18e4976fb12be47b5a21430492d842d01446193e8d5f1ba
  SHA512: d134d2c5879b3700e9fc7c6b4ff7719c2dfc9fdd8224f298a13d23da46c76c2d546ceb9db4d832d37f728cf9dfaefc2138cdd9adb4ab036a4b75e630f57b5746
- Filesize: 625KB
  MD5: eccf28d7e5ccec24119b88edd160f8f4
  SHA1: 98509587a3d37a20b56b50fd57f823a1691a034c
  SHA256: 820c83c0533cfce2928e29edeaf6c255bc19ac9718b25a5656d99ffac30a03d6
  SHA512: c1c94bbb781625b2317f0a8178d3a10d891fb71bca8f82cd831c484e8ab125301b82a14fe2ff070dc99a496cc00234300fa5536401018c40d49d44ae89409670
- Filesize: 108KB
  MD5: f697e0c5c1d34f00d1700d6d549d4811
  SHA1: f50a99377a7419185fc269bb4d12954ca42b8589
  SHA256: 1eacebb614305a9806113545be7b23cf14ce7e761ccf634510a7f1c0cfb6cd16
  SHA512: d5f35672f208ebbe306beeb55dadde96aa330780e2ea84b45d3fa6af41369e357412d82978df74038f2d27dff4d06905fd0b4d852b0beef1bcfdd6a0849bc202