Analysis
- max time kernel: 142s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20240611-en
- resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
- submitted: 12/06/2024, 22:56
Static task: static1

Behavioral task: behavioral1
- Sample: 4ae35cf5659f5773a2b2df3598b7e5f0_NeikiAnalytics.exe
- Resource: win7-20240611-en

Behavioral task: behavioral2
- Sample: 4ae35cf5659f5773a2b2df3598b7e5f0_NeikiAnalytics.exe
- Resource: win10v2004-20240508-en
General
- Target: 4ae35cf5659f5773a2b2df3598b7e5f0_NeikiAnalytics.exe
- Size: 671KB
- MD5: 4ae35cf5659f5773a2b2df3598b7e5f0
- SHA1: a3c2d2705539728a5fd1546595523f0a1a30f4a8
- SHA256: 9a11af76d1326b25f640965ec310498ba70df5e9634d3a73b82ddf5884d79fb0
- SHA512: 54e978129e797aea7c37e0e79af69c02c41196bddff1b2aa504732ae23079b285ef4e55e2d32bc8eb077acb885896e25ef4f0da482c650e888934d0ceba68253
- SSDEEP: 12288:FaTrPDOdFQKYEq496AQuFbO2k+Q1ebrtfhbxj5zIJD0u:F+OdjYEv9hQufkLcrUJD0u
Malware Config
Signatures
- Executes dropped EXE (2 IoCs)
  PID   Process
  1628  wmpscfgs.exe
  2000  wmpscfgs.exe
- Loads dropped DLL (4 IoCs)
  PID   Process
  1672  4ae35cf5659f5773a2b2df3598b7e5f0_NeikiAnalytics.exe
  1672  4ae35cf5659f5773a2b2df3598b7e5f0_NeikiAnalytics.exe
  1672  4ae35cf5659f5773a2b2df3598b7e5f0_NeikiAnalytics.exe
  1672  4ae35cf5659f5773a2b2df3598b7e5f0_NeikiAnalytics.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Description: Set value (str)
  IoC: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Adobe_Reader = "c:\\users\\admin\\appdata\\local\\temp\\\\wmpscfgs.exe"
  Process: 4ae35cf5659f5773a2b2df3598b7e5f0_NeikiAnalytics.exe
- Drops file in Program Files directory (4 IoCs)
  Description   IoC                                                               Process
  File created  \??\c:\program files (x86)\microsoft office\office14\bcssync.exe  4ae35cf5659f5773a2b2df3598b7e5f0_NeikiAnalytics.exe
  File created  \??\c:\program files (x86)\adobe\acrotray .exe                    4ae35cf5659f5773a2b2df3598b7e5f0_NeikiAnalytics.exe
  File created  \??\c:\program files (x86)\adobe\acrotray.exe                     4ae35cf5659f5773a2b2df3598b7e5f0_NeikiAnalytics.exe
  File created  \??\c:\program files (x86)\internet explorer\wmpscfgs.exe         4ae35cf5659f5773a2b2df3598b7e5f0_NeikiAnalytics.exe
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  PID   Process
  1672  4ae35cf5659f5773a2b2df3598b7e5f0_NeikiAnalytics.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Description              PID   Process
  Token: SeDebugPrivilege  1672  4ae35cf5659f5773a2b2df3598b7e5f0_NeikiAnalytics.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Description                       PID   Process                                              procid_target
  PID 1672 wrote to memory of 1628  1672  4ae35cf5659f5773a2b2df3598b7e5f0_NeikiAnalytics.exe  30
  PID 1672 wrote to memory of 1628  1672  4ae35cf5659f5773a2b2df3598b7e5f0_NeikiAnalytics.exe  30
  PID 1672 wrote to memory of 1628  1672  4ae35cf5659f5773a2b2df3598b7e5f0_NeikiAnalytics.exe  30
  PID 1672 wrote to memory of 1628  1672  4ae35cf5659f5773a2b2df3598b7e5f0_NeikiAnalytics.exe  30
  PID 1672 wrote to memory of 2000  1672  4ae35cf5659f5773a2b2df3598b7e5f0_NeikiAnalytics.exe  31
  PID 1672 wrote to memory of 2000  1672  4ae35cf5659f5773a2b2df3598b7e5f0_NeikiAnalytics.exe  31
  PID 1672 wrote to memory of 2000  1672  4ae35cf5659f5773a2b2df3598b7e5f0_NeikiAnalytics.exe  31
  PID 1672 wrote to memory of 2000  1672  4ae35cf5659f5773a2b2df3598b7e5f0_NeikiAnalytics.exe  31
Processes
- C:\Users\Admin\AppData\Local\Temp\4ae35cf5659f5773a2b2df3598b7e5f0_NeikiAnalytics.exe (PID 1672, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\4ae35cf5659f5773a2b2df3598b7e5f0_NeikiAnalytics.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - \??\c:\users\admin\appdata\local\temp\wmpscfgs.exe (PID 1628, depth 2)
    Command line: c:\users\admin\appdata\local\temp\\wmpscfgs.exe
    - Executes dropped EXE
  - C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe (PID 2000, depth 2)
    Command line: C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe
    - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 673KB
  MD5: 45cc92e10721f6e03bea4edeac60797a
  SHA1: 46e22457fa811c61e44691b652e257c2c004f43a
  SHA256: 746ab758adaf9551664f818b14c923df6a1e4543f1f4f6659710030821f98151
  SHA512: c2ebcc9b40c28141acbf0a41f3b2991609aea535f5fc4499c873b7993cba03cc348da1454d7457622eed938a4d63a84e7068237497b2ba79fa58e6592b5c3ec9
- Filesize: 681KB
  MD5: 6ec95becfa5592086fa1b672a485ba4f
  SHA1: 20d348078b3663ce8c6b57577725d958afc2e019
  SHA256: 7da4592d9f66df85f63e7517b370c2e8f38c69f16655a20572c135b12c11cbe6
  SHA512: b1e69df0c29492c39fee1b4a298b44a1cabf5626808a64c5df47f00c1319fbf2897762e13659ec1a7b04efb323cd13b4964d8742d7a3a2427f7e3190ff3dc74a