Analysis

  • max time kernel: 140s
  • max time network: 120s
  • platform: windows7_x64
  • resource: win7-20240221-en
  • resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted: 11/06/2024, 09:23

General

  • Target: 2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe
  • Size: 125KB
  • MD5: 2fe57c000d1920bc35b8aa0163a9e5f0
  • SHA1: 60870441ea2d3d1174e07a79c61b0045dbce006a
  • SHA256: 4f5de6cb9593a2ddd762da83476ec5d33d3b7641f02e87991e6826deb7faf2d3
  • SHA512: f5e6d6c8ed35fa9aeb3a972db1979960b8aebf1d1f21d712d593bbb82278020254031c71c569e31edd6820c72a74bdf153aaa8403bd3433f18b8ddd49ea7886f
  • SSDEEP: 1536:RkAHDp/3yZhxjjaDswjvLzVCMnIqTMhTYLg5tqf70LJZmh82vP/6UT:j3sXj2sevLzVCM86+00LJZi1vP/6M

Score
8/10

Malware Config

Signatures

  • Sets file execution options in registry 2 TTPs 6 IoCs
  • Modifies system executable filetype association 2 TTPs 1 IoCs
  • Drops file in System32 directory 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 12 IoCs
  • Modifies registry class 14 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 40 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe"
    1⤵
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2080
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      2⤵
        PID:1732
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c C:\123.bat
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:712
        • C:\Windows\SysWOW64\reg.exe
          reg add "hklm\software\microsoft\windows nt\currentversion\Image File Execution Options\ZhuDongFangYu.exe" /v debugger /t reg_sz /d "ntsd -d" /f
          3⤵
          • Sets file execution options in registry
          PID:1044
        • C:\Windows\SysWOW64\reg.exe
          reg add "hklm\software\microsoft\windows nt\currentversion\Image File Execution Options\360tray.exe" /v debugger /t reg_sz /d "ntsd -d" /f
          3⤵
          • Sets file execution options in registry
          PID:1952
        • C:\Windows\SysWOW64\reg.exe
          reg add "hklm\software\microsoft\windows nt\currentversion\Image File Execution Options\taskmgr.exe" /v debugger /t reg_sz /d "ntsd -d" /f
          3⤵
          • Sets file execution options in registry
          PID:640
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c assoc .txt = exefile
        2⤵
        • Modifies registry class
        PID:448
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c ftype comfile=C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe
        2⤵
        • Modifies system executable filetype association
        • Modifies registry class
        PID:3060
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c ftype zipfile=C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe
        2⤵
        • Modifies registry class
        PID:2156
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c ftype jpgfile=C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe
        2⤵
        • Modifies registry class
        PID:3032
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c ftype txtfile=C:\Users\Admin\AppData\Local\Temp\2fe57c000d1920bc35b8aa0163a9e5f0_NeikiAnalytics.exe
        2⤵
        • Modifies registry class
        PID:1088

    Network

          MITRE ATT&CK Enterprise v15

          Downloads

          • C:\123.bat
            Filesize: 443B
            MD5: 70170ba16a737a438223b88279dc6c85
            SHA1: cc066efa0fca9bc9f44013660dea6b28ddfd6a24
            SHA256: d3674f4b34a8ca8167160519aa5c66b6024eb09f4cb0c9278bc44370b0efec6a
            SHA512: 37cc8c954544374d0a1ca4d012c9bd0b47781bc9bb8d0c15a8a95b9934893db3bedee867b984c20edabe54c39574abf7250de433aade6c0d544b8dd2c972c6da

          • C:\Program Files\7-Zip\7zG.exe
            Filesize: 125KB
            MD5: 22678c524e9663590776186a458a821d
            SHA1: 7ca5f4e49f31b6248998fd508ceb0b4ce06fa93c
            SHA256: b0b6ab1c9bfe550d48139e237380679a390b3450cca4f01908fe9a0b4f85020f
            SHA512: 2def121e168859bb1bf8c6b62208910da1d209aa862a29bc4d88dbad928d9504dd1f0980f033da2eee7ff77e48de2b040798dd748f2fa1714328797d93dba8a0

          • memory/2080-0-0x0000000000400000-0x000000000042D000-memory.dmp
            Filesize: 180KB

          • memory/2080-1086-0x0000000000400000-0x000000000042D000-memory.dmp
            Filesize: 180KB