1093d454744c2fadb8f8744fdc03f9b8f70575deee13c162d7a5e76225c3c60f

General

Target

b46a12991a9135f8cfeeb503aadaa850_NeikiAnalytics.exe
Size

118KB
MD5

b46a12991a9135f8cfeeb503aadaa850
SHA1

6ccd9d6ab1d3315c05f84091ead34d55f297943f
SHA256

1093d454744c2fadb8f8744fdc03f9b8f70575deee13c162d7a5e76225c3c60f
SHA512

77152f905bd6707aac42851c430909136de7b174bad76b70c5f1cc4fc3b4655a64a1c37bf085c226b99e4edabb22687297fa357c23a958830da1e7723a8f4957
SSDEEP

3072:qJO248B0EMlISxbHPwYV/wlmNie0ROfOlX:qTLSzISxMYV/9i1b

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2776	winlgon.exe
2732	rgsvr32.exe

Loads dropped DLL 4 IoCs

pid	Process
2444	b46a12991a9135f8cfeeb503aadaa850_NeikiAnalytics.exe
2444	b46a12991a9135f8cfeeb503aadaa850_NeikiAnalytics.exe
2776	winlgon.exe
2776	winlgon.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\winlgon.exe = "c:\\users\\admin\\appdata\\local\\temp\\winlgon.exe"	b46a12991a9135f8cfeeb503aadaa850_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlgon.exe = "c:\\users\\admin\\appdata\\local\\temp\\winlgon.exe"	b46a12991a9135f8cfeeb503aadaa850_NeikiAnalytics.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2716	2444	WerFault.exe	27

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
2444	b46a12991a9135f8cfeeb503aadaa850_NeikiAnalytics.exe
2776	winlgon.exe
2776	winlgon.exe
2776	winlgon.exe
2776	winlgon.exe
2776	winlgon.exe
2776	winlgon.exe
2732	rgsvr32.exe
2732	rgsvr32.exe
2732	rgsvr32.exe
2732	rgsvr32.exe
2776	winlgon.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2444 wrote to memory of 2776	2444	b46a12991a9135f8cfeeb503aadaa850_NeikiAnalytics.exe	28
PID 2444 wrote to memory of 2776	2444	b46a12991a9135f8cfeeb503aadaa850_NeikiAnalytics.exe	28
PID 2444 wrote to memory of 2776	2444	b46a12991a9135f8cfeeb503aadaa850_NeikiAnalytics.exe	28
PID 2444 wrote to memory of 2776	2444	b46a12991a9135f8cfeeb503aadaa850_NeikiAnalytics.exe	28
PID 2776 wrote to memory of 2732	2776	winlgon.exe	30
PID 2776 wrote to memory of 2732	2776	winlgon.exe	30
PID 2776 wrote to memory of 2732	2776	winlgon.exe	30
PID 2776 wrote to memory of 2732	2776	winlgon.exe	30
PID 2444 wrote to memory of 2716	2444	b46a12991a9135f8cfeeb503aadaa850_NeikiAnalytics.exe	29
PID 2444 wrote to memory of 2716	2444	b46a12991a9135f8cfeeb503aadaa850_NeikiAnalytics.exe	29
PID 2444 wrote to memory of 2716	2444	b46a12991a9135f8cfeeb503aadaa850_NeikiAnalytics.exe	29
PID 2444 wrote to memory of 2716	2444	b46a12991a9135f8cfeeb503aadaa850_NeikiAnalytics.exe	29

C:\Users\Admin\AppData\Local\Temp\b46a12991a9135f8cfeeb503aadaa850_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\b46a12991a9135f8cfeeb503aadaa850_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2444
- \??\c:\users\admin\appdata\local\temp\winlgon.exe
  c:\users\admin\appdata\local\temp\winlgon.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2776
- - C:\Users\Admin\AppData\Local\Temp\rgsvr32.exe
    C:\Users\Admin\AppData\Local\Temp\rgsvr32.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2732
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2444 -s 200
  2⤵
  - Program crash
  PID:2716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\winlgon.exe

Filesize
118KB

MD5
17edcf78d81bc0f63ec89bf3cefe25c3

SHA1
1d55053e3afdf5a916638a26009568069fdea57d

SHA256
d94a17aa5cfd129aef365c87d1a5da210f31266b59967f6d7053e15f5903147d

SHA512
4d52cbc8e01bc5c56b64d21978e6807a2fbe0bf05377b080bdb86e4b48243bc8c70fed80f7a83fb5f1a0874ad0321ebb702eed9c912d32a00c8bb7dd2a0843dc

Download Submit
\Users\Admin\AppData\Local\Temp\rgsvr32.exe

Filesize
32KB

MD5
a22518e8a73ec19da806817d825d8a9c

SHA1
6f99e1591e1ce68ac44cd760729b2aeb2cba3559

SHA256
1ab5d2ea45fbff4444eabb45a3a31538730ce56f2b9c041bcab958e3c69db97b

SHA512
8f56ea79eab4b2e1d6b81981a9cd4f9652821b1cf17337ff3abf5796654fef08859fe4fa186015507b00ac606eefade1541235fcc6202ebf5257a1311638511e

Download Submit
memory/2444-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2444-16-0x00000000001F0000-0x000000000020F000-memory.dmp

Filesize
124KB

Download
memory/2444-28-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2444-29-0x00000000001F0000-0x000000000020F000-memory.dmp

Filesize
124KB

Download
memory/2444-30-0x00000000001F0000-0x000000000020F000-memory.dmp

Filesize
124KB

Download
memory/2776-31-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads