Analysis
- max time kernel: 138s
- max time network: 51s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 12/06/2024, 22:56
Static task
- static1
Behavioral task
- behavioral1: Sample 4ae35cf5659f5773a2b2df3598b7e5f0_NeikiAnalytics.exe, Resource win7-20240611-en
Behavioral task
- behavioral2: Sample 4ae35cf5659f5773a2b2df3598b7e5f0_NeikiAnalytics.exe, Resource win10v2004-20240508-en
General
- Target: 4ae35cf5659f5773a2b2df3598b7e5f0_NeikiAnalytics.exe
- Size: 671KB
- MD5: 4ae35cf5659f5773a2b2df3598b7e5f0
- SHA1: a3c2d2705539728a5fd1546595523f0a1a30f4a8
- SHA256: 9a11af76d1326b25f640965ec310498ba70df5e9634d3a73b82ddf5884d79fb0
- SHA512: 54e978129e797aea7c37e0e79af69c02c41196bddff1b2aa504732ae23079b285ef4e55e2d32bc8eb077acb885896e25ef4f0da482c650e888934d0ceba68253
- SSDEEP: 12288:FaTrPDOdFQKYEq496AQuFbO2k+Q1ebrtfhbxj5zIJD0u:F+OdjYEv9hQufkLcrUJD0u
Malware Config
Signatures
- Executes dropped EXE (2 IoCs)
  pid | Process
  3796 | wmpscfgs.exe
  4468 | wmpscfgs.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Adobe_Reader = "c:\\users\\admin\\appdata\\local\\temp\\\\wmpscfgs.exe" | 4ae35cf5659f5773a2b2df3598b7e5f0_NeikiAnalytics.exe
- Drops file in Program Files directory (4 IoCs)
  description | ioc | Process
  File created | \??\c:\program files (x86)\common files\java\java update\jusched.exe | 4ae35cf5659f5773a2b2df3598b7e5f0_NeikiAnalytics.exe
  File created | \??\c:\program files (x86)\adobe\acrotray .exe | 4ae35cf5659f5773a2b2df3598b7e5f0_NeikiAnalytics.exe
  File created | \??\c:\program files (x86)\adobe\acrotray.exe | 4ae35cf5659f5773a2b2df3598b7e5f0_NeikiAnalytics.exe
  File created | \??\c:\program files (x86)\internet explorer\wmpscfgs.exe | 4ae35cf5659f5773a2b2df3598b7e5f0_NeikiAnalytics.exe
- Suspicious behavior: EnumeratesProcesses (10 IoCs)
  pid | Process
  4664 | 4ae35cf5659f5773a2b2df3598b7e5f0_NeikiAnalytics.exe (2 events)
  3796 | wmpscfgs.exe (4 events)
  4468 | wmpscfgs.exe (4 events)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 4664 | 4ae35cf5659f5773a2b2df3598b7e5f0_NeikiAnalytics.exe
  Token: SeDebugPrivilege | 3796 | wmpscfgs.exe
  Token: SeDebugPrivilege | 4468 | wmpscfgs.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  description | pid | Process | procid_target
  PID 4664 wrote to memory of 3796 | 4664 | 4ae35cf5659f5773a2b2df3598b7e5f0_NeikiAnalytics.exe | 92 (3 events)
  PID 4664 wrote to memory of 4468 | 4664 | 4ae35cf5659f5773a2b2df3598b7e5f0_NeikiAnalytics.exe | 93 (3 events)
Processes
- C:\Users\Admin\AppData\Local\Temp\4ae35cf5659f5773a2b2df3598b7e5f0_NeikiAnalytics.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\4ae35cf5659f5773a2b2df3598b7e5f0_NeikiAnalytics.exe"
  - Adds Run key to start application
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 4664
  - \??\c:\users\admin\appdata\local\temp\wmpscfgs.exe
    command line: c:\users\admin\appdata\local\temp\\wmpscfgs.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 3796
  - C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe
    command line: C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 4468
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 684KB
  MD5: 50c3d08bdfd2ffde79f1d0123da2cfc3
  SHA1: b5bd2c1ea319cc6bdf85ac9ec354ee4626d0877b
  SHA256: 31c4d2fb9dd3fbfdf8fb1780d081eccbe4881884ab61250982501a3b2d60f6f9
  SHA512: f8691d718b36853fbe5a43dc38ed071f68fb39d18da970214429302ddd3d1a22ce26d53c5da121ddcec00179a9cec3fef6ae52a9045e373c67ecb902cfe37565
- Filesize: 677KB
  MD5: 7870717bdd5e43ad241860aeab51dc4c
  SHA1: 99635681ee0c7e6141dfd3da23e0fef7dce0f829
  SHA256: c96eea804f4d4fbb1cd15c36bb6932e70b29058df0d577a6fd08e664fa051e31
  SHA512: 045563433268fbd3c1bd29d215279b84ae2481d86f4870d954b9cec1879e937bb2f5628b71f6f673eed529412b8d8632c0275298dc0d9f7ecf04e06d5086b580