08efc14d34b7ea2ce6c4e6576d996242131ef9e8d322af5ff93dbb3e230a3fb3 | Triage

Analysis

max time kernel
149s
max time network
121s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
12/06/2024, 00:23 UTC

Sharing

Report Analysis Logs

General

Target

1059a2905c023e2dcefc1bcd1c75f0a0_NeikiAnalytics.exe
Size

27KB
MD5

1059a2905c023e2dcefc1bcd1c75f0a0
SHA1

3414dcdef0ccfb7ff109fdd08f423f37dd1b25ac
SHA256

08efc14d34b7ea2ce6c4e6576d996242131ef9e8d322af5ff93dbb3e230a3fb3
SHA512

8589200c7ff3b0d062ba58edbb34be2e078955b4edb2e2e65a986a34dd9818c90b1583058c3791c4dc7375b9b9bef52ddffef6afe23036ded843d2279aa65471
SSDEEP

768:PVEHJqjHyGvwFylDpulVSQJrE/2QmlCYZUTl:PH2nylslwHCCLZ

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2924	rundll32.exe

Loads dropped DLL 2 IoCs

pid	Process
2180	1059a2905c023e2dcefc1bcd1c75f0a0_NeikiAnalytics.exe
2180	1059a2905c023e2dcefc1bcd1c75f0a0_NeikiAnalytics.exe

Modifies system executable filetype association 2 TTPs 5 IoCs

Modify Registry

Change Default File Association

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command	1059a2905c023e2dcefc1bcd1c75f0a0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1059a2905c023e2dcefc1bcd1c75f0a0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*"	1059a2905c023e2dcefc1bcd1c75f0a0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*"	rundll32.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\¢«.exe	1059a2905c023e2dcefc1bcd1c75f0a0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\¢«.exe	1059a2905c023e2dcefc1bcd1c75f0a0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\notepad¢¬.exe	1059a2905c023e2dcefc1bcd1c75f0a0_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\notepad¢¬.exe	1059a2905c023e2dcefc1bcd1c75f0a0_NeikiAnalytics.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system\rundll32.exe	1059a2905c023e2dcefc1bcd1c75f0a0_NeikiAnalytics.exe
File created	C:\Windows\system\rundll32.exe	1059a2905c023e2dcefc1bcd1c75f0a0_NeikiAnalytics.exe

Modifies registry class 15 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1059a2905c023e2dcefc1bcd1c75f0a0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad.exe %1"	1059a2905c023e2dcefc1bcd1c75f0a0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad¢¬ %1"	1059a2905c023e2dcefc1bcd1c75f0a0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "notepad¢¬ %1"	rundll32.exe
Key created	\REGISTRY\MACHINE\Software\Classes\MSipv	1059a2905c023e2dcefc1bcd1c75f0a0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "¢« \"%1\" %*"	1059a2905c023e2dcefc1bcd1c75f0a0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\Classes\MSipv	rundll32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainUp = "1718151784"	rundll32.exe
Key created	\REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command	rundll32.exe
Key created	\REGISTRY\MACHINE\Software\Classes\txtfile\shell\open\command	rundll32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainSetup = "1718151784"	rundll32.exe
Key created	\REGISTRY\MACHINE\Software\Classes\exefile\shell\open\command	1059a2905c023e2dcefc1bcd1c75f0a0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\Classes\txtfile\shell\open\command	1059a2905c023e2dcefc1bcd1c75f0a0_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSipv\MainVer = "506"	rundll32.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2180	1059a2905c023e2dcefc1bcd1c75f0a0_NeikiAnalytics.exe
2180	1059a2905c023e2dcefc1bcd1c75f0a0_NeikiAnalytics.exe
2180	1059a2905c023e2dcefc1bcd1c75f0a0_NeikiAnalytics.exe
2180	1059a2905c023e2dcefc1bcd1c75f0a0_NeikiAnalytics.exe
2180	1059a2905c023e2dcefc1bcd1c75f0a0_NeikiAnalytics.exe
2180	1059a2905c023e2dcefc1bcd1c75f0a0_NeikiAnalytics.exe
2180	1059a2905c023e2dcefc1bcd1c75f0a0_NeikiAnalytics.exe
2180	1059a2905c023e2dcefc1bcd1c75f0a0_NeikiAnalytics.exe
2180	1059a2905c023e2dcefc1bcd1c75f0a0_NeikiAnalytics.exe
2180	1059a2905c023e2dcefc1bcd1c75f0a0_NeikiAnalytics.exe
2180	1059a2905c023e2dcefc1bcd1c75f0a0_NeikiAnalytics.exe
2180	1059a2905c023e2dcefc1bcd1c75f0a0_NeikiAnalytics.exe
2180	1059a2905c023e2dcefc1bcd1c75f0a0_NeikiAnalytics.exe
2180	1059a2905c023e2dcefc1bcd1c75f0a0_NeikiAnalytics.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2924	rundll32.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2180	1059a2905c023e2dcefc1bcd1c75f0a0_NeikiAnalytics.exe
2924	rundll32.exe
2924	rundll32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2180 wrote to memory of 2924	2180	1059a2905c023e2dcefc1bcd1c75f0a0_NeikiAnalytics.exe	29
PID 2180 wrote to memory of 2924	2180	1059a2905c023e2dcefc1bcd1c75f0a0_NeikiAnalytics.exe	29
PID 2180 wrote to memory of 2924	2180	1059a2905c023e2dcefc1bcd1c75f0a0_NeikiAnalytics.exe	29
PID 2180 wrote to memory of 2924	2180	1059a2905c023e2dcefc1bcd1c75f0a0_NeikiAnalytics.exe	29
PID 2180 wrote to memory of 2924	2180	1059a2905c023e2dcefc1bcd1c75f0a0_NeikiAnalytics.exe	29
PID 2180 wrote to memory of 2924	2180	1059a2905c023e2dcefc1bcd1c75f0a0_NeikiAnalytics.exe	29
PID 2180 wrote to memory of 2924	2180	1059a2905c023e2dcefc1bcd1c75f0a0_NeikiAnalytics.exe	29

C:\Users\Admin\AppData\Local\Temp\1059a2905c023e2dcefc1bcd1c75f0a0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\1059a2905c023e2dcefc1bcd1c75f0a0_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Modifies system executable filetype association
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2180
- C:\Windows\system\rundll32.exe
  C:\Windows\system\rundll32.exe
  2⤵
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:2924

Network

DNS

www.zigui.org

rundll32.exe

Remote address:

8.8.8.8:53

Request

www.zigui.org

IN A
DNS

www.zigui.org

rundll32.exe

Remote address:

8.8.8.8:53

Request

www.zigui.org

IN A
DNS

www.zigui.org

rundll32.exe

Remote address:

8.8.8.8:53

Request

www.zigui.org

IN A
DNS

www.zigui.org

rundll32.exe

Remote address:

8.8.8.8:53

Request

www.zigui.org

IN A
DNS

www.zigui.org

rundll32.exe

Remote address:

8.8.8.8:53

Request

www.zigui.org

IN A

No results found

8.8.8.8:53

www.zigui.org

dns

rundll32.exe

295 B
5

DNS Request

www.zigui.org

DNS Request

www.zigui.org

DNS Request

www.zigui.org

DNS Request

www.zigui.org

DNS Request

www.zigui.org

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

Change Default File Association

Privilege Escalation

Event Triggered Execution

Change Default File Association

Defense Evasion

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\notepad¢¬.exe

Filesize
27KB

MD5
f05eb4d3ae61104234cdb32d69538942

SHA1
aeeabb25c48d5b5ae1be9c8a33c1c94030d7a1b1

SHA256
629f820736422075c824bd64f7409cdda7e6e8b0b63bd95d0cfe553873485365

SHA512
76680b76947905f0efbae716f5c8e6f0af87e9d88acbad804d862d0fc8a3e788807a3a85403295770525ffcb690253ce1ca7c3d7297158a561685f4c615667ae

Download Submit
\Windows\system\rundll32.exe

Filesize
30KB

MD5
98f25a059b52038f86fa273cc1961e79

SHA1
008532742f040423bf5800478738f9ed07094ab8

SHA256
f6cc49d174dd10f809e61817cc6698df7f9069d0dd444318a45c43b22acbcba3

SHA512
d4695ec22492ef412aab5fec7401b1ea179800df06726cf7e3c1c90b08ac5cef44369d92ad3671e9ebfeb9e584c2389629e36d98ca2999a57b032799fa033b22

Download Submit
memory/2180-22-0x00000000002F0000-0x00000000002F2000-memory.dmp

Filesize
8KB

Download
memory/2180-18-0x00000000002F0000-0x0000000000305000-memory.dmp

Filesize
84KB

Download
memory/2180-0-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2180-17-0x00000000002F0000-0x0000000000305000-memory.dmp

Filesize
84KB

Download
memory/2180-21-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2924-25-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2924-29-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2924-24-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2924-19-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2924-26-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2924-27-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2924-28-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2924-23-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2924-30-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2924-31-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2924-32-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2924-33-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2924-34-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2924-35-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2924-36-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download