Malware Analysis Report

2024-08-06 14:47

Sample ID 240615-29n19ssgll
Target c1d783218c08ec713b483b0e51da0140_NeikiAnalytics.exe
SHA256 752cd626a9f3e937dbfc5d0f51615df342517a44ea5ae382931e44b1e583d042
Tags
nanocore evasion keylogger spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Threat Level: Known bad

The file c1d783218c08ec713b483b0e51da0140_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

nanocore evasion keylogger spyware stealer trojan

NanoCore

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Checks whether UAC is enabled

Suspicious use of SetThreadContext

AutoIT Executable

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-15 23:17

Signatures

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-15 23:17

Reported

2024-06-15 23:19

Platform

win7-20240221-en

Max time kernel

148s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c1d783218c08ec713b483b0e51da0140_NeikiAnalytics.exe"

Signatures

NanoCore

keylogger trojan stealer spyware nanocore

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\WinSAT\igfxEM.exe N/A
N/A N/A C:\Users\Admin\WinSAT\igfxEM.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\WinSAT\igfxEM.exe N/A
N/A N/A C:\Users\Admin\WinSAT\igfxEM.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1712 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Local\Temp\c1d783218c08ec713b483b0e51da0140_NeikiAnalytics.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 2272 wrote to memory of 2632 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Windows\SysWOW64\schtasks.exe
PID 1712 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\c1d783218c08ec713b483b0e51da0140_NeikiAnalytics.exe C:\Windows\SysWOW64\schtasks.exe
PID 2612 wrote to memory of 1260 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\WinSAT\igfxEM.exe
PID 1260 wrote to memory of 2280 N/A C:\Users\Admin\WinSAT\igfxEM.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 1260 wrote to memory of 2708 N/A C:\Users\Admin\WinSAT\igfxEM.exe C:\Windows\SysWOW64\schtasks.exe
PID 2612 wrote to memory of 2712 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\WinSAT\igfxEM.exe
PID 2712 wrote to memory of 1944 N/A C:\Users\Admin\WinSAT\igfxEM.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 2712 wrote to memory of 308 N/A C:\Users\Admin\WinSAT\igfxEM.exe C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\c1d783218c08ec713b483b0e51da0140_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\c1d783218c08ec713b483b0e51da0140_NeikiAnalytics.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "DHCP Host" /xml "C:\Users\Admin\AppData\Local\Temp\tmp1A16.tmp"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /tn azroles /tr "C:\Users\Admin\WinSAT\igfxEM.exe" /sc minute /mo 1 /F

C:\Windows\system32\taskeng.exe

taskeng.exe {2A2E21C0-E0E2-4745-AF54-CD9F2496DEAF} S-1-5-21-2297530677-1229052932-2803917579-1000:HKULBIBU\Admin:Interactive:[1]

C:\Users\Admin\WinSAT\igfxEM.exe

C:\Users\Admin\WinSAT\igfxEM.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /tn azroles /tr "C:\Users\Admin\WinSAT\igfxEM.exe" /sc minute /mo 1 /F

C:\Users\Admin\WinSAT\igfxEM.exe

C:\Users\Admin\WinSAT\igfxEM.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /tn azroles /tr "C:\Users\Admin\WinSAT\igfxEM.exe" /sc minute /mo 1 /F

Network

Country Destination Domain Proto
US 8.8.8.8:53 bnow.duckdns.org udp
US 192.169.69.26:4156 bnow.duckdns.org tcp

Files

memory/1712-0-0x0000000000170000-0x0000000000171000-memory.dmp

memory/2272-1-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2272-6-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2272-9-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2272-8-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2272-2-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2272-10-0x00000000741C2000-0x00000000741C4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp1A16.tmp

MD5 c6f0625bf4c1cdfb699980c9243d3b22
SHA1 43de1fe580576935516327f17b5da0c656c72851
SHA256 8dfc4e937f0b2374e3ced25fce344b0731cf44b8854625b318d50ece2da8f576
SHA512 9ef2dbd4142ad0e1e6006929376ecb8011e7ffc801ee2101e906787d70325ad82752df65839de9972391fa52e1e5974ec1a5c7465a88aa56257633ebb7d70969

memory/2272-15-0x00000000741C0000-0x000000007476B000-memory.dmp

memory/2272-19-0x00000000741C2000-0x00000000741C4000-memory.dmp

memory/2272-20-0x00000000741C0000-0x000000007476B000-memory.dmp

C:\Users\Admin\WinSAT\igfxEM.exe

MD5 114ad6f77c3d291cfe8c2d46f7a4ee5e
SHA1 4e4d0e7bb922cadcd39c0820bd0293a4a01d2fff
SHA256 bf6b0e02968afc5cab435db2cf9855a927068d89449bd40c3bdcc3b2c3e2bac8
SHA512 d7c5fe0367dc9698e2971cc64b204db642233b4e46b636c823e70b03afc7857a2fb2f1d33d034014bb4a28f3e78650e44133f52601edaa33581a5d297591dd7c

C:\Users\Admin\azroles.lnk

MD5 000ecb8e0fd30111e5407661de38850f
SHA1 01b98e2649156aee219799c87a45911a38204853
SHA256 f3767405dac3cb30f918316c40b9b88d1e00595ceda0b33a75956b0a15a8e523
SHA512 6c4eaa9b51400bb5b9f71a2d6d00a64d8ee97ad0c6f389147bdedc2857bf26c8693fab96ab1b19485a3395097bafe9ee4e22cdf6db5113ea113e7a9917622480

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-15 23:17

Reported

2024-06-15 23:19

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c1d783218c08ec713b483b0e51da0140_NeikiAnalytics.exe"

Signatures

NanoCore

keylogger trojan stealer spyware nanocore

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\Users\Admin\WinSAT\igfxEM.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\c1d783218c08ec713b483b0e51da0140_NeikiAnalytics.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\Users\Admin\WinSAT\igfxEM.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\WinSAT\igfxEM.exe N/A
N/A N/A C:\Users\Admin\WinSAT\igfxEM.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3220 wrote to memory of 1572 N/A C:\Users\Admin\AppData\Local\Temp\c1d783218c08ec713b483b0e51da0140_NeikiAnalytics.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 1572 wrote to memory of 4496 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Windows\SysWOW64\schtasks.exe
PID 3220 wrote to memory of 3944 N/A C:\Users\Admin\AppData\Local\Temp\c1d783218c08ec713b483b0e51da0140_NeikiAnalytics.exe C:\Windows\SysWOW64\schtasks.exe
PID 812 wrote to memory of 1236 N/A C:\Users\Admin\WinSAT\igfxEM.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 812 wrote to memory of 2304 N/A C:\Users\Admin\WinSAT\igfxEM.exe C:\Windows\SysWOW64\schtasks.exe
PID 5020 wrote to memory of 3368 N/A C:\Users\Admin\WinSAT\igfxEM.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 5020 wrote to memory of 1592 N/A C:\Users\Admin\WinSAT\igfxEM.exe C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\c1d783218c08ec713b483b0e51da0140_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\c1d783218c08ec713b483b0e51da0140_NeikiAnalytics.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "AGP Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmp5237.tmp"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /tn azroles /tr "C:\Users\Admin\WinSAT\igfxEM.exe" /sc minute /mo 1 /F

C:\Users\Admin\WinSAT\igfxEM.exe

C:\Users\Admin\WinSAT\igfxEM.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /tn azroles /tr "C:\Users\Admin\WinSAT\igfxEM.exe" /sc minute /mo 1 /F

C:\Users\Admin\WinSAT\igfxEM.exe

C:\Users\Admin\WinSAT\igfxEM.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /tn azroles /tr "C:\Users\Admin\WinSAT\igfxEM.exe" /sc minute /mo 1 /F

Network

Country Destination Domain Proto
US 8.8.8.8:53 bnow.duckdns.org udp
US 8.8.4.4:53 bnow.duckdns.org udp
US 8.8.8.8:53 4.4.8.8.in-addr.arpa udp
US 8.8.8.8:53 bnow.duckdns.org udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 bnow.duckdns.org udp
US 8.8.4.4:53 bnow.duckdns.org udp
US 8.8.8.8:53 bnow.duckdns.org udp
US 8.8.8.8:53 bnow.duckdns.org udp
US 8.8.4.4:53 bnow.duckdns.org udp
US 8.8.8.8:53 bnow.duckdns.org udp
US 8.8.8.8:53 bnow.duckdns.org udp
US 8.8.4.4:53 bnow.duckdns.org udp
US 8.8.8.8:53 bnow.duckdns.org udp
US 8.8.8.8:53 bnow.duckdns.org udp

Files

memory/3220-0-0x0000000002800000-0x0000000002801000-memory.dmp

memory/1572-2-0x00000000001A0000-0x00000000001D8000-memory.dmp

memory/1572-6-0x00000000739A2000-0x00000000739A3000-memory.dmp

memory/1572-7-0x00000000739A0000-0x0000000073F51000-memory.dmp

memory/1572-8-0x00000000739A0000-0x0000000073F51000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp5237.tmp

MD5 c6f0625bf4c1cdfb699980c9243d3b22
SHA1 43de1fe580576935516327f17b5da0c656c72851
SHA256 8dfc4e937f0b2374e3ced25fce344b0731cf44b8854625b318d50ece2da8f576
SHA512 9ef2dbd4142ad0e1e6006929376ecb8011e7ffc801ee2101e906787d70325ad82752df65839de9972391fa52e1e5974ec1a5c7465a88aa56257633ebb7d70969

memory/1572-16-0x00000000739A2000-0x00000000739A3000-memory.dmp

memory/1572-17-0x00000000739A0000-0x0000000073F51000-memory.dmp

C:\Users\Admin\WinSAT\igfxEM.exe

MD5 28b376648d12d1a7db253b69b2818a89
SHA1 34fff82ed3f46f4c87194705f072bf43c65c2770
SHA256 6b9a9a66b78b1dcaaf4c0df898a459ca9e7f17dd6a2be15d37d7c37e2dc9e153
SHA512 e5ca9e8711bb0727129fe31bccc186c8a04bcb1b1946edebf400b27ef8a746f1361ae883aa6cf7ac9510a877bbd6523157970f262fe1897b5777a1f3477a448a

memory/1236-20-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Users\Admin\azroles.lnk

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\RegAsm.exe.log

MD5 5b4789d01bb4d7483b71e1a35bce6a8b
SHA1 de083f2131c9a763c0d1810c97a38732146cffbf
SHA256 e248cef9500ed6e0c9f99d72a2a6a36955a5f0cfc0725748ef25a733cc8282f6
SHA512 357e18ef30430e4b9cc4f2569b9735b1cd12f934c83162e4de78ac29ba9703b63ddb624ccc22afd5a5868f6e9d91a3c64581846abac22e9625f5b2e3d80b3ede